I've had a few shares configured in Samba 4.9.3 (Arch Linux), and everything was fine. Access control was done via unix accounts and groups. Then I decided to change the running system.
I set up a Time Machine backup volume in Samba, introducing the vfs_fruit module. That part seems to have started the problems. Sources said that macOS can be picky and the module chain catia fruit streams_xattr needs to be enabled on all the shares, not just the Time Machine share. So I did that.
(The Time Machine backup went through with those settings. TBH I didn't try restoring yet and I'm a little scared of it.)
However, whenever I create a folder on a normal share (via Finder.app), it now gets unix permissions drwxr-xr-x+ that differ from the directory mask = 2770 that I configured for the share. Apart from that, it has these ACLs set:

    > getfacl /mnt/dungeon/tmp/untitled\ folder
    getfacl: Removing leading '/' from absolute path names
    # file: mnt/dungeon/tmp/untitled folder
    # owner: nobody
    # group: smb_tmp
    user::rwx
    user:nobody:rwx         #effective:r-x
    group::rwx              #effective:r-x
    group:smb_tmp:rwx       #effective:r-x
    mask::r-x
    other::r-x
    default:user::rwx
    default:user:nobody:rwx
    default:group::rwx
    default:group:smb_tmp:rwx
    default:mask::rwx
    default:other::---

The mask::r-x part seems to prevent my user (in group smb_tmp) from even renaming the "untitled folder" I created. If I set mask to rwx manually like this, the folder becomes editable:

    sudo setfacl -m mask::rwx /mnt/dungeon/tmp/untitled\ folder

Changing the folder's permissions from Finder.app is not possible, it tells me I don't have the necessary permission.
If I create a folder in the same location from a Windows 8 client, it has the proper unix access rights and no ACLs set.
I also tried modifying my user's umask on the server, but changing that from the default 022 to 027 didn't change anything.
The other Samba options I tried are in the global section of my smb.conf. None of them changed the ACLs of the folders I created.
What do I need to do to have both Time Machine backup and group-owned shares work properly? I'm not particularly afraid of ACLs, but if I can get by without them that'd be just fine.
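
Added example, not part of the original post: a short Python check that applies the standard POSIX ACL mask rule to the getfacl output quoted above. It shows why group smb_tmp ends up with r-x and why ls reports drwxr-xr-x+, since the group triplet displays the mask when an ACL is present. The function names are illustrative, and the sample is reconstructed from the post.

```python
# Constructed sample: the getfacl output quoted in the post.
SAMPLE = """\
# file: mnt/dungeon/tmp/untitled folder
# owner: nobody
# group: smb_tmp
user::rwx
user:nobody:rwx   #effective:r-x
group::rwx        #effective:r-x
group:smb_tmp:rwx #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:nobody:rwx
default:group::rwx
default:group:smb_tmp:rwx
default:mask::rwx
default:other::---
"""

def parse_access_acl(text):
    """Return (tag, qualifier, perms) for access entries; default: entries are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].strip().split(":")  # drop comments/#effective
        if len(parts) == 3:            # default: entries have four fields
            entries.append(tuple(parts))
    return entries

def effective(entries):
    """Named users, the owning group and named groups are ANDed with the mask."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    result = {}
    for tag, qual, perms in entries:
        if tag == "mask":
            continue
        limited = mask is not None and (tag == "group" or (tag == "user" and qual))
        eff = "".join(p if (not limited or p == m) else "-"
                      for p, m in zip(perms, mask or perms))
        result[f"{tag}:{qual}"] = eff
    return result

def mode_string(entries):
    """Mode bits as ls shows them: with a mask entry, the group triplet is the mask."""
    by = {(t, q): p for t, q, p in entries}
    return by[("user", "")] + by.get(("mask", ""), by[("group", "")]) + by[("other", "")]

if __name__ == "__main__":
    acl = parse_access_acl(SAMPLE)
    print(mode_string(acl), effective(acl))
```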