Creating a directory in Samba share from OSX client always has ACL “mask:r-x”

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite












I've had a few shares configured in Samba 4.9.3 (Arch Linux), everything was fine. Access control was done via unix accounts and groups. Then I decided to change the running system.



I set up a Time Machine backup volume in Samba, introducing the vfs_fruit module. That part seems to have started the problems. Sources said that macOS can be picky and the module chain catia fruit streams_xattr needs to be enabled on all the shares, not just the Time Machine share. So I did that.



(The Time Machine backup went through with those settings. TBH I didn't try restoring yet and I'm a little scared of it.)



However, whenever I create a folder on a normal share (via Finder.app), it now gets unix permissions drwxr-xr-x+ that differ from the directory mask = 2770 that I configured for the share. Apart from that, it has these ACLs set:



> getfacl /mnt/dungeon/tmp/untitled folder
getfacl: Removing leading '/' from absolute path names
# file: mnt/dungeon/tmp/untitled folder
# owner: nobody
# group: smb_tmp
user::rwx
user:nobody:rwx #effective:r-x
group::rwx #effective:r-x
group:smb_tmp:rwx #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:nobody:rwx
default:group::rwx
default:group:smb_tmp:rwx
default:mask::rwx
default:other::---


The mask::r-x part seems to prevent my user (in group smb_tmp) from even renaming the "untitled folder" I created. If I set mask to rwx manually like this, the folder becomes editable:



sudo setfacl -m mask::rwx /mnt/dungeon/tmp/untitled folder


Changing the folder's permissions from Finder.app is not possible, it tells me I don't have the necessary permission.



If I create a folder in the same location from a Windows 8 client, it has the proper unix access rights and no ACLs set.



I also tried modifying my user's umask on the server, but changing that from the default 022 to 027 didn't change anything.



The other Samba options I tried are in the global section of my smb.conf. None of them changed the ACLs of the folders I created.



What do I need to do to have both Time Machine backup and group-owned shares work properly?
I'm not particularly afraid of ACLs, but if I can get by without them that'd be just fine.










share|improve this question

























    up vote
    1
    down vote

    favorite












    I've had a few shares configured in Samba 4.9.3 (Arch Linux), everything was fine. Access control was done via unix accounts and groups. Then I decided to change the running system.



    I set up a Time Machine backup volume in Samba, introducing the vfs_fruit module. That part seems to have started the problems. Sources said that macOS can be picky and the module chain catia fruit streams_xattr needs to be enabled on all the shares, not just the Time Machine share. So I did that.



    (The Time Machine backup went through with those settings. TBH I didn't try restoring yet and I'm a little scared of it.)



    However, whenever I create a folder on a normal share (via Finder.app), it now gets unix permissions drwxr-xr-x+ that differ from the directory mask = 2770 that I configured for the share. Apart from that, it has these ACLs set:



    > getfacl /mnt/dungeon/tmp/untitled folder
    getfacl: Removing leading '/' from absolute path names
    # file: mnt/dungeon/tmp/untitled folder
    # owner: nobody
    # group: smb_tmp
    user::rwx
    user:nobody:rwx #effective:r-x
    group::rwx #effective:r-x
    group:smb_tmp:rwx #effective:r-x
    mask::r-x
    other::r-x
    default:user::rwx
    default:user:nobody:rwx
    default:group::rwx
    default:group:smb_tmp:rwx
    default:mask::rwx
    default:other::---


    The mask::r-x part seems to prevent my user (in group smb_tmp) from even renaming the "untitled folder" I created. If I set mask to rwx manually like this, the folder becomes editable:



    sudo setfacl -m mask::rwx /mnt/dungeon/tmp/untitled folder


    Changing the folder's permissions from Finder.app is not possible, it tells me I don't have the necessary permission.



    If I create a folder in the same location from a Windows 8 client, it has the proper unix access rights and no ACLs set.



    I also tried modifying my user's umask on the server, but changing that from the default 022 to 027 didn't change anything.



    The other Samba options I tried are in the global section of my smb.conf. None of them changed the ACLs of the folders I created.



    What do I need to do to have both Time Machine backup and group-owned shares work properly?
    I'm not particularly afraid of ACLs, but if I can get by without them that'd be just fine.










    share|improve this question























      up vote
      1
      down vote

      favorite









      up vote
      1
      down vote

      favorite











      I've had a few shares configured in Samba 4.9.3 (Arch Linux), everything was fine. Access control was done via unix accounts and groups. Then I decided to change the running system.



      I set up a Time Machine backup volume in Samba, introducing the vfs_fruit module. That part seems to have started the problems. Sources said that macOS can be picky and the module chain catia fruit streams_xattr needs to be enabled on all the shares, not just the Time Machine share. So I did that.



      (The Time Machine backup went through with those settings. TBH I didn't try restoring yet and I'm a little scared of it.)



      However, whenever I create a folder on a normal share (via Finder.app), it now gets unix permissions drwxr-xr-x+ that differ from the directory mask = 2770 that I configured for the share. Apart from that, it has these ACLs set:



      > getfacl /mnt/dungeon/tmp/untitled folder
      getfacl: Removing leading '/' from absolute path names
      # file: mnt/dungeon/tmp/untitled folder
      # owner: nobody
      # group: smb_tmp
      user::rwx
      user:nobody:rwx #effective:r-x
      group::rwx #effective:r-x
      group:smb_tmp:rwx #effective:r-x
      mask::r-x
      other::r-x
      default:user::rwx
      default:user:nobody:rwx
      default:group::rwx
      default:group:smb_tmp:rwx
      default:mask::rwx
      default:other::---


      The mask::r-x part seems to prevent my user (in group smb_tmp) from even renaming the "untitled folder" I created. If I set mask to rwx manually like this, the folder becomes editable:



      sudo setfacl -m mask::rwx /mnt/dungeon/tmp/untitled folder


      Changing the folder's permissions from Finder.app is not possible, it tells me I don't have the necessary permission.



      If I create a folder in the same location from a Windows 8 client, it has the proper unix access rights and no ACLs set.



      I also tried modifying my user's umask on the server, but changing that from the default 022 to 027 didn't change anything.



      The other Samba options I tried are in the global section of my smb.conf. None of them changed the ACLs of the folders I created.



      What do I need to do to have both Time Machine backup and group-owned shares work properly?
      I'm not particularly afraid of ACLs, but if I can get by without them that'd be just fine.










      share|improve this question













      I've had a few shares configured in Samba 4.9.3 (Arch Linux), everything was fine. Access control was done via unix accounts and groups. Then I decided to change the running system.



      I set up a Time Machine backup volume in Samba, introducing the vfs_fruit module. That part seems to have started the problems. Sources said that macOS can be picky and the module chain catia fruit streams_xattr needs to be enabled on all the shares, not just the Time Machine share. So I did that.



      (The Time Machine backup went through with those settings. TBH I didn't try restoring yet and I'm a little scared of it.)



      However, whenever I create a folder on a normal share (via Finder.app), it now gets unix permissions drwxr-xr-x+ that differ from the directory mask = 2770 that I configured for the share. Apart from that, it has these ACLs set:



      > getfacl /mnt/dungeon/tmp/untitled folder
      getfacl: Removing leading '/' from absolute path names
      # file: mnt/dungeon/tmp/untitled folder
      # owner: nobody
      # group: smb_tmp
      user::rwx
      user:nobody:rwx #effective:r-x
      group::rwx #effective:r-x
      group:smb_tmp:rwx #effective:r-x
      mask::r-x
      other::r-x
      default:user::rwx
      default:user:nobody:rwx
      default:group::rwx
      default:group:smb_tmp:rwx
      default:mask::rwx
      default:other::---


      The mask::r-x part seems to prevent my user (in group smb_tmp) from even renaming the "untitled folder" I created. If I set mask to rwx manually like this, the folder becomes editable:



      sudo setfacl -m mask::rwx /mnt/dungeon/tmp/untitled folder


      Changing the folder's permissions from Finder.app is not possible, it tells me I don't have the necessary permission.



      If I create a folder in the same location from a Windows 8 client, it has the proper unix access rights and no ACLs set.



      I also tried modifying my user's umask on the server, but changing that from the default 022 to 027 didn't change anything.



      The other Samba options I tried are in the global section of my smb.conf. None of them changed the ACLs of the folders I created.



      What do I need to do to have both Time Machine backup and group-owned shares work properly?
      I'm not particularly afraid of ACLs, but if I can get by without them that'd be just fine.







      osx samba






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Dec 9 at 11:42









      Tanuva

      82




      82




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote



          accepted










          Try setting the following global option:



          fruit:nfs_aces = no


          From the manpage of vfs_fruit:




          fruit:nfs_aces = yes | no



          A global option whether support for querying and modifying the UNIX mode of directory entries via NFS ACEs is enabled, default yes.







          share|improve this answer






















          • Welcome to U&L! Your answer would be more useful if it included a few details: What does this option do (a short extract from the documentation is enough)? Is that setting all that's required to fix the OP's problem?
            – JigglyNaga
            Dec 10 at 16:39










          • Perfect, thank you! If only I had guessed that "NFS ACEs" could have something to do with ACL issues... :)
            – Tanuva
            Dec 12 at 18:16










          • Depending on what you've been reading up on you might know or you might not. ACE: Access Control Entry, which is part of an ACL: Access Control List . For instance in the manpages of nfs4_setfacl and nfs4_getcfacl the acronym ACL is explained when it's mentioned the first time, but ACE isn't. In the manpage of nfs4_acl both acronyms are explained.
            – bluephant
            Dec 13 at 21:21











          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "106"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f486919%2fcreating-a-directory-in-samba-share-from-osx-client-always-has-acl-maskr-x%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          0
          down vote



          accepted










          Try setting the following global option:



          fruit:nfs_aces = no


          From the manpage of vfs_fruit:




          fruit:nfs_aces = yes | no



          A global option whether support for querying and modifying the UNIX mode of directory entries via NFS ACEs is enabled, default yes.







          share|improve this answer






















          • Welcome to U&L! Your answer would be more useful if it included a few details: What does this option do (a short extract from the documentation is enough)? Is that setting all that's required to fix the OP's problem?
            – JigglyNaga
            Dec 10 at 16:39










          • Perfect, thank you! If only I had guessed that "NFS ACEs" could have something to do with ACL issues... :)
            – Tanuva
            Dec 12 at 18:16










          • Depending on what you've been reading up on you might know or you might not. ACE: Access Control Entry, which is part of an ACL: Access Control List . For instance in the manpages of nfs4_setfacl and nfs4_getcfacl the acronym ACL is explained when it's mentioned the first time, but ACE isn't. In the manpage of nfs4_acl both acronyms are explained.
            – bluephant
            Dec 13 at 21:21















          up vote
          0
          down vote



          accepted










          Try setting the following global option:



          fruit:nfs_aces = no


          From the manpage of vfs_fruit:




          fruit:nfs_aces = yes | no



          A global option whether support for querying and modifying the UNIX mode of directory entries via NFS ACEs is enabled, default yes.







          share|improve this answer






















          • Welcome to U&L! Your answer would be more useful if it included a few details: What does this option do (a short extract from the documentation is enough)? Is that setting all that's required to fix the OP's problem?
            – JigglyNaga
            Dec 10 at 16:39










          • Perfect, thank you! If only I had guessed that "NFS ACEs" could have something to do with ACL issues... :)
            – Tanuva
            Dec 12 at 18:16










          • Depending on what you've been reading up on you might know or you might not. ACE: Access Control Entry, which is part of an ACL: Access Control List . For instance in the manpages of nfs4_setfacl and nfs4_getcfacl the acronym ACL is explained when it's mentioned the first time, but ACE isn't. In the manpage of nfs4_acl both acronyms are explained.
            – bluephant
            Dec 13 at 21:21













          up vote
          0
          down vote



          accepted







          up vote
          0
          down vote



          accepted






          Try setting the following global option:



          fruit:nfs_aces = no


          From the manpage of vfs_fruit:




          fruit:nfs_aces = yes | no



          A global option whether support for querying and modifying the UNIX mode of directory entries via NFS ACEs is enabled, default yes.







          share|improve this answer














          Try setting the following global option:



          fruit:nfs_aces = no


          From the manpage of vfs_fruit:




          fruit:nfs_aces = yes | no



          A global option whether support for querying and modifying the UNIX mode of directory entries via NFS ACEs is enabled, default yes.








          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Dec 11 at 20:58

























          answered Dec 10 at 11:35









          bluephant

          162




          162











          • Welcome to U&L! Your answer would be more useful if it included a few details: What does this option do (a short extract from the documentation is enough)? Is that setting all that's required to fix the OP's problem?
            – JigglyNaga
            Dec 10 at 16:39










          • Perfect, thank you! If only I had guessed that "NFS ACEs" could have something to do with ACL issues... :)
            – Tanuva
            Dec 12 at 18:16










          • Depending on what you've been reading up on you might know or you might not. ACE: Access Control Entry, which is part of an ACL: Access Control List . For instance in the manpages of nfs4_setfacl and nfs4_getcfacl the acronym ACL is explained when it's mentioned the first time, but ACE isn't. In the manpage of nfs4_acl both acronyms are explained.
            – bluephant
            Dec 13 at 21:21

















          • Welcome to U&L! Your answer would be more useful if it included a few details: What does this option do (a short extract from the documentation is enough)? Is that setting all that's required to fix the OP's problem?
            – JigglyNaga
            Dec 10 at 16:39










          • Perfect, thank you! If only I had guessed that "NFS ACEs" could have something to do with ACL issues... :)
            – Tanuva
            Dec 12 at 18:16










          • Depending on what you've been reading up on you might know or you might not. ACE: Access Control Entry, which is part of an ACL: Access Control List . For instance in the manpages of nfs4_setfacl and nfs4_getcfacl the acronym ACL is explained when it's mentioned the first time, but ACE isn't. In the manpage of nfs4_acl both acronyms are explained.
            – bluephant
            Dec 13 at 21:21
















          Welcome to U&L! Your answer would be more useful if it included a few details: What does this option do (a short extract from the documentation is enough)? Is that setting all that's required to fix the OP's problem?
          – JigglyNaga
          Dec 10 at 16:39




          Welcome to U&L! Your answer would be more useful if it included a few details: What does this option do (a short extract from the documentation is enough)? Is that setting all that's required to fix the OP's problem?
          – JigglyNaga
          Dec 10 at 16:39












          Perfect, thank you! If only I had guessed that "NFS ACEs" could have something to do with ACL issues... :)
          – Tanuva
          Dec 12 at 18:16




          Perfect, thank you! If only I had guessed that "NFS ACEs" could have something to do with ACL issues... :)
          – Tanuva
          Dec 12 at 18:16












          Depending on what you've been reading up on you might know or you might not. ACE: Access Control Entry, which is part of an ACL: Access Control List . For instance in the manpages of nfs4_setfacl and nfs4_getcfacl the acronym ACL is explained when it's mentioned the first time, but ACE isn't. In the manpage of nfs4_acl both acronyms are explained.
          – bluephant
          Dec 13 at 21:21





          Depending on what you've been reading up on you might know or you might not. ACE: Access Control Entry, which is part of an ACL: Access Control List . For instance in the manpages of nfs4_setfacl and nfs4_getcfacl the acronym ACL is explained when it's mentioned the first time, but ACE isn't. In the manpage of nfs4_acl both acronyms are explained.
          – bluephant
          Dec 13 at 21:21


















          draft saved

          draft discarded
















































          Thanks for contributing an answer to Unix & Linux Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f486919%2fcreating-a-directory-in-samba-share-from-osx-client-always-has-acl-maskr-x%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown






          Popular posts from this blog

          How to check contact read email or not when send email to Individual?

          Displaying single band from multi-band raster using QGIS

          How many registers does an x86_64 CPU actually have?