Permissions on Ubuntu Samba server with ZFS and Windows clients

I’m setting up a small file server for a handful of Windows (10, and maybe 11 at some point) clients. I’m setting up Samba on Ubuntu server 22.04 and using ZFS as the file system.

I’ve created a few users to test and a test share but things got pretty complex pretty fast. Usually I’ve just had single user setups so it’s been pretty straightforward.

The main complication is related to permissions and ACLs. Put simply I don’t care about ACLs (unless I absolutely have to). I just want files created on a given share to belong to whatever user created it (always clean to have that “metadata”), and a given group such that all other users of that group also have rw access to those files. In plain old unix terms I want all files and folders on the share to be enforced with 660 permissions and belong to userX:groupwithaccess.

[test]
   comment = testing
   path = /mnt/tank/test
   read only = no
   writable = yes
   browsable = yes
   guest ok = no
   valid users = @groupwithaccess
   create mask = 0660
   directory mask = 2775
   force group = groupwithaccess
   force create mode = 0660
   force directory mode = 2775

This is my current config - and I’ve tried a few variants.

Files created from a Windows client seem to be created with the right user and group but with what I would call 740 permissions. ls -lah on the folders gives a drwxrws--- which probably means I’ve hit some sort of ACL → posix mapping fun times(?)

So in summary: Is there a way to have Samba ignore anything related to ACLs and just map files to plain old unix users, groups and permissions in the simplest way possible? And if so would there be any problems for the Windows clients?

I’m posting this here as ZFS is one more partially confusing piece of the puzzle.

The s in the permissions listing is the setgid bit that’s making it so anything created in the target directory gets the predetermined Unix group. Without that, if I made a new file it would have tvcvt:tvcvt ownership instead of tvcvt:groupwithaccess. In other words, that is plain old Unix permissions.

Does that make sense?

All right that makes sense. Would you mind elaborating a bit more? :slight_smile:

I’m used to the good old chmod 660 -R .. So honestly the four digit codes confuse me. Is it the first or the last which designates special bits?

And from what I read it seems like masks are bitwise AND while force create is bitwise OR and I just can’t seem to make it make sense when I have “unknowns” like what is the Windows client even trying to set, what are the Samba defaults and do they interfere if I override the properties in addition to both the mask and create layers affecting my output.

At the end of the day I just want my files and folders to be editable and browsable by everyone in the groupwithaccess group. Which should be 660 for files and 770 for folders if I’m not mistaken?

I think you’ve pretty much met your goal and things are already behaving like you’d hope, but it’s always good to learn more. The very best place to start is the manual. From your Ubuntu terminal, type man chmod and you’ll get a lot of info about how the command works. That man page says “The first digit selects the set user ID (4) and set group ID (2) and restricted deletion or sticky (1) attributes.” In the paragraph just above it explains that s is used to “set user or group ID on execution.”

The other place to check is the Samba manual’s smb.conf section. It sounds like you’ve already found that one, but they give good descriptions of each parameter available.

Between those two, you’ll get a pretty good understanding.
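
The two questions above (which digit carries the special bits, and how the mask and force settings combine) can be worked through with shell arithmetic. This is an added example, not code from anyone in the thread; it models only the AND-then-OR step the smb.conf manual documents, and the requested modes fed in are constructed values, since what the Windows client asks for is the unknown.

```sh
#!/bin/sh
# Added example: models the documented smb.conf semantics
#   result = (requested AND mask) OR force
# effective_mode REQUESTED MASK FORCE  -> four-digit octal mode
effective_mode() {
    req=$(( 0$1 )); mask=$(( 0$2 )); force=$(( 0$3 ))   # leading 0 = octal
    printf '%04o\n' $(( (req & mask) | force ))
}

# describe_mode MODE -> the nine permission characters ls would print.
# The FIRST of four digits holds setuid (4), setgid (2) and sticky (1).
describe_mode() {
    m=$(( 0$1 ))
    out=""
    for pos in 6 3 0; do
        bits=$(( (m >> pos) & 7 ))
        r=-; w=-; x=-
        if [ $(( bits & 4 )) -ne 0 ]; then r=r; fi
        if [ $(( bits & 2 )) -ne 0 ]; then w=w; fi
        if [ $(( bits & 1 )) -ne 0 ]; then x=x; fi
        case $pos in
            6) special=$(( m & 04000 )); on=s; off=S ;;   # setuid
            3) special=$(( m & 02000 )); on=s; off=S ;;   # setgid
            0) special=$(( m & 01000 )); on=t; off=T ;;   # sticky
        esac
        if [ "$special" -ne 0 ]; then
            if [ "$x" = x ]; then x=$on; else x=$off; fi
        fi
        out="$out$r$w$x"
    done
    printf '%s\n' "$out"
}

# Files: mask and force are both 0660 in the [test] share, so the
# result is 0660 whatever mode is requested (constructed inputs).
for req in 0766 0744 0600; do
    printf 'file requested %s -> %s (%s)\n' "$req" \
        "$(effective_mode "$req" 0660 0660)" \
        "$(describe_mode "$(effective_mode "$req" 0660 0660)")"
done

# Directories: 2775 as configured versus the 770 stated as the goal.
printf 'dir 2775 = %s\n' "$(describe_mode 2775)"
printf 'dir 2770 = %s\n' "$(describe_mode 2770)"
```

Because the mask and the force value are identical in this share, the documented step cannot yield anything but 0660 for files, so a 640 on disk has to come from something outside these four parameters.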

That’s the thing though - I really haven’t. With the settings outlined in my initial post documents created from the Windows client are set to 640 and I cannot for the life of me understand why.

I don’t know why but turns out obey pam restrictions = yes was set instead of what the docs say is the default no. This for some reason overrides something that messes everything up hard. For the record this is a brand spanking new install of Ubuntu server 22.04 that’s been alive for less than a week. I have absolutely not set this myself.

This tipped me off but I have no idea if this is intended or a bug or what this setting actually does at its core but if someone reads this and thinks there is something weird going on please point me in the direction for where I should file a bug report either to Ubuntu or upstream to Samba.

Strange, I also run samba on my server running ubuntu 22.04.

I set mine up with ansible so I know for a fact I didn’t touch any other files than the smb.conf in /etc/samba and I did not have to set configuration to false.

My install is perhaps a year old so most likely I have updated the samba package at some point, my version atm is 4.15.13-ubuntu.

The flag you mentioned is also mentioned in a pretty old bug report on samba’s bugzilla page, with no reproduction steps or resolution.
Perhaps you could create a bug there with more information?
https://bugzilla.samba.org/show_bug.cgi?id=13833#c0

I’ve never filed a bug to them so this is just a guess :slight_smile:

If there’s a Windows domain controller involved all you need to do is share a zvol formatted with NTFS and let the DC do its thing. I’ve tried it, it works (Windows Server 2012 iirc). I imagine that could be a VM running on Ubuntu (?) never tried.
If this can be done without a dc I know not.

Solaris apparently just does it. Conceivably so too do the Illumos variants.

They actually require me to send an email application to be allowed to file / comment on a bug. I get they want to avoid spam but that bar is a bit high for me to be honest :face_with_diagonal_mouth:

One of the main goals of this setup is to retire an old Windows server 2012 to get far away from Windows on anything that is not personal workstations. So while that may very well be a good solution for a Windows shop that wants files on ZFS it’s not for me :smile: