[olug] directory creation in samba

Forrest Dickinson fdickinson at morganhunter.com
Thu Mar 15 22:10:30 UTC 2001

I am running Redhat 7.0 server with samba 2.0.7 as a PDC on a 60 user (NT
Workstation and roaming profiles) network (under heavy usage) and I have not
had any trouble.  I started with Samba 2.0.6 and had a lot of trouble, so
that may be part of your problem.  I set up all of my Samba Shares under
/home with a file and directory mode of 770.  I use a "share level" security
scheme.  In addition, I have the "file permissions defaults" set to force
Unix directory mode 770 and force Unix file mode 770.  All the users have
their primary group set up as "users", and I use supplemental groups to
determine permissions over the network.  This so far has worked very well,
but it required a great deal of planning to set up the Accounting department
this way.  Users do not even see what they are not allowed to access this
way over the network, but any user can access anything at the Linux console.
To fix that I set the shell for all users without administrative access to
/bin/false.  Anyway it keeps things pretty secure, but anytime a user
creates a file or directory say in "public" that file or directory is set in
Linux to mode 770 and is owned by the "users" group and is read/write
accessible to all users, but if an accountant updates a spreadsheet in the
Accounting folder it is set to mode 770 but is only accessible to members of
the "accounting" group.  If this is no help then I know that I also had a
lot of trouble running samba on a server with only 128 megs of ram on the
server (each connection spawns a child process 2 - 4 megs of ram for each
connection).  I am now running samba 2.0.7 on a server with 512 megs of ram
and have no trouble or complaints and it is noticeably faster than NT 4.0
server on the same hardware.

I hope some of this helps.

Forrest Dickinson
Network Administrator
Morgan Hunter Companies
 (913) 491-3434

-----Original Message-----
From: dbw [mailto:lug at robotz.com]
Sent: Thursday, March 15, 2001 3:33 PM
To: olug at bstc.net
Subject: [olug] directory creation in samba

directory creation in samba

Basically, I am still having one fundamental problem with my office
Samba server acting as an NT domain server and having users with
profiles.  Brian should know the answer to this question, but I will
appreciate help from anyone *thank you*

When the user creates or modifies a file, it seems to do
so with the correct permissions on the file.  The user is any office
user on their NT workstation attached to the network and using the
shared files and folders mapped to the network drives on my Linux
server posing as an NT domain controller thanks to Samba.
I am referring to the permissions that I established for it to set
by the smb.conf file.
  (see below, usage create mask and force create mode)
>        create mask = 0777
>        force create mode = 0777

However, when an office user creates a directory on the share, the
directory does not have the desired permissions.  If the office user
creates a directory called "spreadsheets" then on the Samba share,
it (the directory under the linux file system) shows
the folder with the owner being that office user that created the
directory and the permissions set in such a way that only that person
may write to any files under that directory.

The problem is with the creation of directories, not with the creation
of files.  Apparently, when a directory is created, Samba ignores the
settings of "create mask" and "force create mode".  So is there a
special parameter specifically for directory creation? Maybe there is
something else that I am unaware of and that I need to do.

Thank you!


At Wednesday, 28 February 2001, you wrote:

>I am using roaming profiles.  I am still having problems with file
>permissions.  Here is a snippet of my smb.conf file:
>        comment = Greensheets
>        path = /home/share/G_Greensheets
>        read only = No
>        create mask = 0777
>        force create mode = 0777
>        guest ok = Yes
>Note the create mask value of 0777.  Yet, when an smb user creates
>a file on the G share, it saves with incorrect file permissions.
>The incorrect permissions allow other users to VIEW the file but
>not MODIFY and SAVE the file.
>Office users are members of a group defined as "users" and the group
>permission must be set to allow all members of the "users" group
>to read, modify, and save their work (usually excel spreadsheets).
>Sometimes it works correctly and saves the newly created file as
>it should, such as in this example:
>-rwxrwxrwx    1 shari    users       13824 Feb 28 13:51 test.xls
>And sometimes it does not.  The same user on the same drive at other
>times it will save with incorrect file permissions such as:
>-rwxr-xr-x    1 shari    users       13824 Feb 28 13:51 test.xls
>All directories are set to 0777 and each office user is a member
>of the group "users".
>The odd thing is how it works part of the time, such as today when
>I test it.  However, at other times it does not work (this is when
>they call me at home because they can not save their excel).
>Did I use 'force create mode' correctly?  Is there something else?
>Thank you!
>At Thursday, 8 February 2001, you wrote:
>>Hi Derek,
>>    I guess you haven't looked at the samba team membership lately,
>>you'll see my name ;-)  ( Or you have, that's why you are asking this in an
>>"around the bush" way :)  In any event, I have setup/used samba in 100+ user
>>environments ( yes, as an NT-PDC ) and it works great, yes there are a few
>>pitfalls with the NT-acl issues ( file perm changing etc.. ) these are
>>mostly due to nt-acl not being inline with the posix semantics. etc.. etc..
>>etc... ( I could go on for days )  Anyways, post your config
>>and we can all take a look at it and go from there. now, I am under
>>impression you are using roaming profiles, as you've stated they get
>>corrupt.. etc... do you have the logon path setup or are the profiles
>>written to the user's home directory? also, you've mentioned you were using
>>`create mask 0777` on one of your shares, I have _always_ had issue
>>this in large user environments ( ideally you'd want to use the `force
>>create mode` instead ( remember, `create mask` bit-wise ANDs the
>>permissions with what the client is requesting to save the file as ) the not
>>being able to logon sound like permission issues as well ( file that is )
>>weird things happen when Windows messes up the profile some way, etc... so
>>sure, post the config and we'll go from there.
>>----- Original Message -----
>>From: "dbw" <lug at robotz.com>
>>To: <olug at bstc.net>
>>Sent: Thursday, February 08, 2001 6:12 PM
>>Subject: [olug] Samba rant and request for feedback
>>> Concerning Samba.
>>> I am using Samba as 1)pdc for an NT network -w- all clients being
>>> NT Workstation 4.0 and 2) office file server 3) NT user authentication
>>> to the NT domain (which is Samba).
>>> Both at home and at work I am using a Linux Samba driven network
>>> server in very similar ways.  The primary difference is that the
>>> number of users on my company's home office LAN is greater (10 or
>>> more during a given work day) than the users on my home network (my
>>> wife and I, and sometimes a third computer when we have a guest over
>>> for Quake).
>>> Getting right to the point, I haven't really had any problems on
>>> my home LAN using Samba.  It works great and is a much better value
>>> as compared to buying a licensed copy of NT server for use at my
>>> home.  At home all the client pc's are either Linux or win98 and
>>> I use NT domain authentication.  My wife and I are reasonably
>>> that we always log off properly and the setup-using Samba seems
>>> trouble free.  I have had this arrangement for nearly two years now
>>> using Slackware and Redhat and two different versions of Samba.
>>> The office is an entirely different matter.  Nothing but trouble!
>>> I thought that Samba worked so great on my home LAN that it would
>>> be a blessing at work.  The idea of getting rid of NT server and
>>> working in an environment I enjoyed, ie Linux, would complement that
>>> which I read about Samba being far more stable and easier to manage
>>> compared to an NT domain server.
>>> At least one office user's profile is corrupted a week.  Usually
>>> because that individual did not log off properly or something, but
>>> still it seems quite fragile.
>>> Using 'create mask = 0777' for example, at home, works fine.  On
>>> the office LAN files are created so that the group permissions do
>>> not allow write access.  So when one of the office staff tries to
>>> modify a file created on the public drive by another member of the
>>> office staff, they cannot save.  There are no directory redundancies
>>> or syntactical errors to explain this behavior.  All users are
>>> of the 'user' group. Because my configuration at the office so
>>> resembles the configuration at home, there should not be a problem;
>>> given that it has always worked fine at home.
>>> Today for no apparent reason the Samba box will not allow half of
>>> my office users to log in.  Files that appear on the file system
>>> under the Linux server itself are invisible to the network neighborhood
>>> browser on the winNT workstations.  When Shari and Jamie log in all
>>> of their desktop icons are missing and they cannot access msie.
>>> Yet Tanya's login and desktop is fine.  Keeping in mind that no one
>>> touches this server and that it is in a secure area + is not on the
>>> Internet at all to be exploited, I can find no reasonable explanation
>>> for all of these problems that have continuously plagued my office
>>> installation of a Samba file server.  After all, I went with Samba
>>> over NT because I have so little free time to baby-sit these
>>> I wanted something closer to the idealistic "maintenance free"
>>> I'm a big advocate of Samba and I understand quite well the server
>>> message block protocol from my days as a MS NT network admin at
>>> I want to prove to all of my old NT zealot colleagues that Linux
>>> can do the same thing and do it better thanks to free and open
>>> technologies like Samba, but right now I am pulling my hair out and
>>> I have an office full of people that are ready to throw me under
>>> a bus and run over me.
>>> Other than being a rant, I am interested in hearing feedback from
>>> people that ARE using Samba in a WORK / COMMERCIAL environment to
>>> serve office staff of no fewer than 10 people.  Also, it would be
>>> additionally interesting to hear that it is being used as a pdc for
>>> an NT domain and NT network user authentication.  I am interested
>>> in knowing how well it is working for "you" and how many problems
>>> you are having.
>>> My overall analysis will help me to decide if I want to keep going
>>> with Samba or go back to NT server 4.0 sp6a blah blah, which I really
>>> hate even thinking about. :o) But d@mn I am so frustrated right now,
>>> and the thought of having to go into work tomorrow during this icy
>>> crap when I could have otherwise worked from home further frustrated
>>> me with Samba.
>>> There may be things that I am overlooking or doing incorrectly.
>>> However, and no offence to anyone, they won't be third grade level
>>> - easy to point out mistakes but there might be something concerning
>>> the use of the Samba box as a primary NT domain controller or
>>> that I am.  I know that there are a lot of brilliant individuals
>>> in this group, so I am eager to receive feedback.
>>> Also, I have so little time to continue to baby-sit this project.
>>> Anyone that is thoroughly familiar with Samba and server message
>>> block; if you would please contact me if you are interested in doing
>>> some contract work in Lincoln. Basically, getting this thing up and
>>> running once and for all and/or pointing out to me what I am missing
>>> I would very much appreciate hearing from you.  I don't simply want
>>> to re-install and start from scratch, I want to learn what I am
>>> doing wrong OR conclude once and for all that *gasp* Samba is too
>>> immature in its development at this time to serve my needs.
>>> My samba is version 2.0.6 : and yes I do plan to upgrade to the
>>> to see if that fixes my problem.  I have no Win2000 pc's on my LAN
>>> at this time nor do I have any plans to in the near future.  Maybe
>>> the upgrade is all I need to do, what do you think?
>>> -end of rant-
>>> -Derek
>>> ps: Adam at AIM who spoke after Jason during the OLUG meeting, I
>>> lost your b-card, could you please email me your name and contact
>>> information.  Thank you!
>>> ______   __   _    ________________________________________
>>> _____   / /  (_)__  __ ____  __                         ___
>>> ____   / /__/ / _ \/ // /\ \/ /   commando at robotz.com   ___
>>> ___   /____/_/_//_/\_,_/ /_/\_\   _________________________
>>> -------------------------------------------------------------
>>> To unsubscribe, e-mail: olug-unsubscribe at bstc.net
>>> For additional commands, e-mail: olug-help at bstc.net

More information about the OLUG mailing list
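
The mask-then-force arithmetic discussed in this thread, as an added example that is not part of any of the messages: a simplified Python model of the mode calculation documented in smb.conf(5), assuming the documented defaults (`create mask` 0744, `directory mask` 0755, force modes 0) for parameters a share leaves unset. `directory mask` and `force directory mode` are the directory counterparts of the file parameters quoted in the thread; the second and third share bodies are constructed for illustration.

```python
# Simplified model of Samba's documented mode calculation (an assumption of
# this example, not Samba source code): result = (mapped & mask) | force.
DEFAULTS = {"create mask": 0o744, "force create mode": 0o000,
            "directory mask": 0o755, "force directory mode": 0o000}

def parse_share(text):
    """Read 'name = octal' lines of one share body; unset names keep defaults."""
    opts = dict(DEFAULTS)
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        name = " ".join(name.lower().split())
        if sep and name in opts:
            opts[name] = int(value.strip(), 8)
    return opts

def unix_mode(opts, is_dir, dos_readonly=False, dos_archive=True):
    """Mode bits a new file or directory ends up with on the Unix side."""
    mode = 0o444 if dos_readonly else 0o666
    if is_dir:
        mode |= 0o311  # search bits for all, owner write always kept
        return (mode & opts["directory mask"]) | opts["force directory mode"]
    if dos_archive:
        mode |= 0o100  # 'map archive' (default yes): archive bit -> owner execute
    return (mode & opts["create mask"]) | opts["force create mode"]

# Share body as posted in the thread: file parameters only.
AS_POSTED = "create mask = 0777\nforce create mode = 0777\nguest ok = Yes"
# Constructed: force modes alone can only add bits, never remove them.
FORCE_ONLY = "force create mode = 0770\nforce directory mode = 0770"
# Constructed: masks strip 'other' access, force modes guarantee group access.
MASK_AND_FORCE = ("create mask = 0770\nforce create mode = 0770\n"
                  "directory mask = 0770\nforce directory mode = 0770")

def report(text):
    """Return (file mode, directory mode) as octal strings for a share body."""
    opts = parse_share(text)
    return oct(unix_mode(opts, False)), oct(unix_mode(opts, True))

if __name__ == "__main__":
    for label, body in [("as posted", AS_POSTED), ("force only", FORCE_ONLY),
                        ("mask and force", MASK_AND_FORCE)]:
        print(label, *report(body))
```

Under this model the posted share yields 0777 for files but 0755 for directories, which matches the symptom of a new directory being writable only by its creator. Removing access for "other" takes a mask as well as a force mode, since force bits are only ever ORed in.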