Marked as invalid as I finally found out the problem (first it was assigned to Mono when it should be Samba). The issue was "obey pam restrictions = yes" when this should be "no".

** Package changed: mono (Ubuntu) => samba (Ubuntu)

** Changed in: samba (Ubuntu)
       Status: New => Invalid

https://bugs.launchpad.net/bugs/1668762

Title: Samba file permissions ignored with umask 022

Status in samba package in Ubuntu: Invalid

Bug description:

Using Samba 4.3.11-Ubuntu on Xenial 16.04.2.

See the question at http://askubuntu.com/questions/882352/samba-group-write-file-permissions-not-set.

When using a share for multiple users, the permissions are being ignored so that specifically the write bit for the group and other are being removed, as if a umask of 022 was being set somewhere.

I'm writing this as a bug, as all documentation I have found has been applied and tested to no avail, and that as in the Ask Ubuntu, that documentation suggests what I'm doing should work.

Client: Windows 10 x64 1607, OS Build 14393.693
Client: Ubuntu 16.04.2 LTS as client

For a particular share, I'm using the following parameters:

    create mask = 0660
    force create mode = 0660
    security mask = 0660
    force security mode = 0660
    directory mask = 2770
    force directory mode = 2770
    directory security mask = 2770
    force directory security mode = 2770

Note, the directory modes work, the file modes do not work. I've also used "unix extensions = no" to no effect, along with "map {system|hidden|archive} = no" to no effect (but we'd expect that as force ... would override this).

The result is the "create mask" with the write bits for group and other removed (effectively 640 on the filesystem, so it's only readable as the group).

Logging with a log level of 10 shows that the mode is being used as asked; on Windows within the share, we just create a new Word Document from the Explorer (note, not using MSWord as this makes this more complicated).
The same results also occur when creating a new text file:

    log.bugatti.old-[2017/02/28 21:36:11.177664, 10, pid=5992, effective(11105, 10513), real(11105, 0)] ../source3/smbd/files.c:745(file_name_hash)
    log.bugatti.old: file_name_hash: /mnt/home/julia/tmp/New Microsoft Word Document.docx hash 0xe19f977
    log.bugatti.old-[2017/02/28 21:36:11.177670, 5, pid=5992, effective(11105, 10513), real(11105, 0)] ../source3/smbd/dosmode.c:196(unix_mode)
    log.bugatti.old: unix_mode(julia/tmp/New Microsoft Word Document.docx) returning 0660
    log.bugatti.old-[2017/02/28 21:36:11.177675, 10, pid=5992, effective(11105, 10513), real(11105, 0)] ../source3/smbd/open.c:2479(open_file_ntcreate)
    log.bugatti.old: open_file_ntcreate: fname=julia/tmp/New Microsoft Word Document.docx, dos_attrs=0x80 access_mask=0x16019f share_access=0x0 create_disposition = 0x2 create_options=0x44 unix mode=0660 oplock_request=2 private_flags = 0x0
    log.bugatti.old-[2017/02/28 21:36:11.177681, 10, pid=5992, effective(11105, 10513), real(11105, 0)] ../source3/smbd/open.c:2637(open_file_ntcreate)
    log.bugatti.old: open_file_ntcreate: fname=julia/tmp/New Microsoft Word Document.docx, after mapping access_mask=0x16019f
    log.bugatti.old-[2017/02/28 21:36:11.177687, 4, pid=5992, effective(11105, 10513), real(11105, 0)] ../source3/smbd/open.c:2727(open_file_ntcreate)
    log.bugatti.old: calling open_file with flags=0x2 flags2=0xC0 mode=0660, access_mask = 0x16019f, open_access_mask = 0x16019f

I also see in the logs no reference of values 022 or 640 which might have been logged.

Tested also with pam_umask mask=002 and that had no effect (after restarting with systemctl restart smbd).

The machine is running as a samba server for the shares, but the passwords are all derived from a Windows 2012 R2 active directory server. Thus, there are no local passwords.
Using pdbedit -Lv shows nothing of interest:

Testing on the server itself also shows the same behaviour:

    $ smbclient //camaro/home
    WARNING: The "syslog" option is deprecated
    Enter jcurl's password:
    Domain=[HOME] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
    smb: \> cd julia
    smb: \julia\> cd tmp
    smb: \julia\tmp\> put foo.txt
    putting file foo.txt as \julia\tmp\foo.txt (0.0 kb/s) (average 0.0 kb/s)
    smb: \julia\tmp\> ls
      .                                   D        0  Tue Feb 28 22:10:35 2017
      ..                                  D        0  Mon May  9 14:48:46 2016
      Install.txt                         N      133  Tue May 10 16:39:12 2016
      Favorites                           D        0  Mon May  9 14:51:46 2016
      foo.txt                             N        0  Tue Feb 28 22:10:35 2017
      New Microsoft Word Document.docx    N        0  Tue Feb 28 21:36:11 2017

                    206292664 blocks of size 1024. 130164180 blocks available
    smb: \julia\tmp\>

    # ls -l /home/julia/tmp
    total 8
    drwxrws--- 4 julia julia 4096 May  9  2016 Favorites
    -rw-r----- 1 jcurl julia    0 Feb 28 22:10 foo.txt
    -rw-rw---- 1 julia julia  133 May 10  2016 Install.txt
    -rw-r----- 1 jcurl julia    0 Feb 28 21:36 New Microsoft Word Document.docx

    # pdbedit -Lv
    INFO: Current debug levels:
      all: 10
      tdb: 10
      printdrivers: 10
      lanman: 10
      smb: 10
      rpc_parse: 10
      rpc_srv: 10
      rpc_cli: 10
      passdb: 10
      sam: 10
      auth: 10
      winbind: 10
      vfs: 10
      idmap: 10
      quota: 10
      acls: 10
      locking: 10
      msdfs: 10
      dmapi: 10
      registry: 10
      scavenger: 10
      dns: 10
      ldb: 10
      tevent: 10
    doing parameter log file = /var/log/samba/log.%m
    doing parameter max log size = 10240
    doing parameter syslog = 0
    WARNING: The "syslog" option is deprecated
    doing parameter panic action = /usr/share/samba/panic-action %d
    doing parameter server role = member server
    doing parameter passdb backend = tdbsam
    doing parameter obey pam restrictions = yes
    doing parameter unix password sync = no
    doing parameter map to guest = bad user
    doing parameter usershare allow guests = no
    doing parameter socket options = TCP_NODELAY
    doing parameter invalid users = root
    doing parameter strict locking = no
    doing parameter delete readonly = yes
    doing parameter idmap config *:backend = tdb
    doing parameter idmap config *:range = 2000-9999
    doing parameter idmap config HOME:backend = rid
    doing parameter idmap config HOME:schema_mode = rfc2307
    doing parameter idmap config HOME:range = 10000-99999
    doing parameter idmap config HOME:default = yes
    doing parameter winbind nss info = rfc2307
    doing parameter winbind trusted domains only = no
    doing parameter winbind use default domain = yes
    doing parameter winbind enum users = yes
    doing parameter winbind enum groups = yes
    doing parameter winbind refresh tickets = yes
    doing parameter winbind normalize names = yes
    doing parameter winbind offline logon = yes
    doing parameter name resolve order = bcast host lmhosts wins
    doing parameter template shell = /bin/bash
    doing parameter template homedir = /home/%U
    doing parameter client use spnego = yes
    doing parameter client ntlmv2 auth = yes
    doing parameter encrypt passwords = yes
    doing parameter restrict anonymous = 2
    doing parameter hide unreadable = yes
    doing parameter directory mask = 2770
    doing parameter create mask = 0660
    doing parameter map archive = no
    doing parameter map system = no
    doing parameter map hidden = no
    doing parameter unix extensions = no
    pm_process() returned Yes
    lp_servicenumber: couldn't find homes
    Netbios name list:-
    my_netbios_names[0]="CAMARO"
    Attempting to register passdb backend smbpasswd
    Successfully added passdb backend 'smbpasswd'
    Attempting to register passdb backend tdbsam
    Successfully added passdb backend 'tdbsam'
    Attempting to register passdb backend wbc_sam
    Successfully added passdb backend 'wbc_sam'
    Attempting to register passdb backend samba_dsdb
    Successfully added passdb backend 'samba_dsdb'
    Attempting to register passdb backend samba4
    Successfully added passdb backend 'samba4'
    Attempting to register passdb backend ldapsam
    Successfully added passdb backend 'ldapsam'
    Attempting to register passdb backend NDS_ldapsam
    Successfully added passdb backend 'NDS_ldapsam'
    Attempting to register passdb backend IPA_ldapsam
    Successfully added passdb backend 'IPA_ldapsam'
    Attempting to find a passdb backend to match tdbsam (tdbsam)
    Found pdb backend tdbsam
    pdb backend tdbsam has a valid init
    tdbsam_open: successfully opened /var/lib/samba/private/passdb.tdb

The command

    # testparm -s
    [global]
        workgroup = HOME
        realm = HOME.LAN
        server string = %h server
        server role = member server
        security = ADS
        map to guest = Bad User
        obey pam restrictions = Yes
        restrict anonymous = 2
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 10240
        name resolve order = bcast host lmhosts wins
        unix extensions = No
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        template homedir = /home/%U
        template shell = /bin/bash
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nss info = rfc2307
        winbind refresh tickets = Yes
        winbind offline logon = Yes
        winbind normalize names = Yes
        idmap config home:default = yes
        idmap config home:range = 10000-99999
        idmap config home:schema_mode = rfc2307
        idmap config home:backend = rid
        idmap config *:range = 2000-9999
        idmap config * : backend = tdb
        invalid users = root
        create mask = 0660
        directory mask = 02770
        directory mode = 02770
        hide unreadable = Yes
        map archive = No
        strict locking = No
        delete readonly = Yes

    [homes]
        comment = Home Directory for %U
        valid users = %S
        read only = No
        force create mode = 0660
        force directory mode = 02770
        browseable = No

    [home]
        comment = Access to home directories for backup purposes
        path = /home
        valid users = jcurl
        force user = %U
        read only = No
        force create mode = 0660
        force directory mode = 02770
        browseable = No

Note that the security options are not shown by testparm (likely because they are the same as the default values as per samba docs).

The same behaviour occurs for the user's home directory also. I've not shown the other shares as they're not relevant, but also recreatable (I have a share called build that has the same effect).
Directories have their setgid bit set so the group is sticky regardless of the group of the user.

This problem appears to be present (but not confirmed) since first installing Ubuntu 16.04 LTS.

    # dpkg -S /usr/sbin/smbd
    samba: /usr/sbin/smbd

    # lsb_release -rd
    Description: Ubuntu 16.04.2 LTS
    Release: 16.04

    # apt-cache policy samba
    samba:
      Installed: 2:4.3.11+dfsg-0ubuntu0.16.04.3
      Candidate: 2:4.3.11+dfsg-0ubuntu0.16.04.3
      Version table:
     *** 2:4.3.11+dfsg-0ubuntu0.16.04.3 500
            500 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
            500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
            100 /var/lib/dpkg/status
         2:4.3.8+dfsg-0ubuntu1 500
            500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

    # dpkg-query -W -f='${Package} ${Version} ${Source} ${Status}\n' | grep samba
    libnss-winbind 2:4.3.11+dfsg-0ubuntu0.16.04.3 samba install ok installed
    libpam-winbind 2:4.3.11+dfsg-0ubuntu0.16.04.3 samba install ok installed
    libsmbclient 2:4.3.11+dfsg-0ubuntu0.16.04.3 samba install ok installed
    libwbclient0 2:4.3.11+dfsg-0ubuntu0.16.04.3 samba install ok installed
    python-samba 2:4.3.11+dfsg-0ubuntu0.16.04.3 samba install ok installed
    samba 2:4.3.11+dfsg-0ubuntu0.16.04.3 install ok installed
    samba-common 2:4.3.11+dfsg-0ubuntu0.16.04.3 samba install ok installed
    samba-common-bin 2:4.3.11+dfsg-0ubuntu0.16.04.3 samba install ok installed
    samba-dsdb-modules 2:4.3.11+dfsg-0ubuntu0.16.04.3 samba install ok installed
    samba-libs 2:4.3.11+dfsg-0ubuntu0.16.04.3 samba install ok installed
    samba-vfs-modules 2:4.3.11+dfsg-0ubuntu0.16.04.3 samba install ok installed
    smbclient 2:4.3.11+dfsg-0ubuntu0.16.04.3 samba install ok installed
    winbind 2:4.3.11+dfsg-0ubuntu0.16.04.3 samba install ok installed

    $ ls -l /home/julia/tmp
    total 8
    drwxrws--- 4 julia julia 4096 May  9  2016 Favorites
    -rw-rw---- 1 julia julia  133 May 10  2016 Install.txt
    -rw-r----- 1 jcurl julia    0 Feb 28 21:36 New Microsoft Word Document.docx