Problems with POSIX ACL masks on Samba?

published May 04, 2022, last modified Jun 17, 2022

Some smb.conf parameters cause default POSIX ACL masks to be incorrectly calculated.


Summary

You've set your nice POSIX ACLs on your shared directory, complete with default entries, so that members of a group can add files to the share and have those files be writable by the other members of the group.

[root@penny Albums]# pwd
/srv/shared/Albums
[root@penny Albums]# getfacl .
# file: .
# owner: rudd-o
# group: photography
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:other::r-x

You've even verified things work correctly on the Linux side:

[rudd-o@penny Albums]$ touch a
[rudd-o@penny Albums]$ getfacl a
# file: a
# owner: rudd-o
# group: photography
user::rw-
group::rw-
other::r--

But when you create the same file from a Windows client through the Samba share, you see this instead:

[rudd-o@penny Albums]$ getfacl a
# file: a
# owner: rudd-o
# group: photography
user::rwx
group::rwx #effective:r--
group:adm:rwx #effective:r--
mask::r--
other::r--

WTF happened here?  Look at the mask: instead of following the default ACL it got set to read-only, so the group entry, which was correctly inherited from the default, is clipped to an effective r-- and does not apply.  The result: other team members cannot edit files added to the folder through the share.

Fix

For files created in a directory with default ACLs to inherit permissions properly, you paradoxically must set the smb.conf share option inherit acls = no.  You must also set the option inherit permissions = yes on the share.  Validate the file with testparm, then restart your Samba server.

With inherit acls = yes, or with inherit permissions = no, Samba forces the mask of the created file's ACL to r--, irrespective of the default ACL you set on the parent directory, which trumps whatever permissions you wanted the default ACL to grant to new files.  This follows from how POSIX ACLs work: once an ACL has a mask entry, the group bits of the file mode are the mask rather than the owning group's entry, so whatever mode Samba gives the new file, instead of the mode implied by the parent's default ACL, lands in the mask and clips every group entry.

Enabling the VFS module vfs_acl_xattr can itself cause this problem: its manual page states that it forces inherit acls = true (along with dos filemode = true and force unknown acl user = true), overriding whatever you put in the share definition.
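To make the diagnosis and the fix concrete, here is an added shell example (not code from the original post or from the Samba project). It parses getfacl output to find files whose mask clips a group entry, widens the mask on files that were already created wrong, and lints an smb.conf share for the two settings above plus the VFS modules that force inherit acls on. It goes slightly beyond the post in also flagging vfs_acl_tdb, whose manual page forces the same parameter. The share name and path are the ones from the post; the smb.conf stanzas, the sample getfacl lines and every function name are my assumptions.

```shell
#!/bin/sh
# Added example: not code from the original post or from the Samba project.
# Assumptions: share path /srv/shared/Albums and share name [Albums] come from
# the post; the smb.conf excerpt is a constructed sample; function names are mine.

# Print each ACL entry that the mask clips, reading `getfacl` output on stdin.
# getfacl appends "#effective:r--" to an entry the mask cuts down, which is
# exactly the symptom in the post. Exit status 0 = something is clipped.
acl_mask_clips() {
    awk '
        /^(user|group):[^:]*:/ && $2 ~ /^#effective:/ {
            granted = $1;   sub(/^[^:]*:[^:]*:/, "", granted)
            effective = $2; sub(/^#effective:/, "", effective)
            if (granted != effective) { clipped++; print $1 " clipped to " effective }
        }
        END { exit (clipped > 0 ? 0 : 1) }
    '
}

# List everything under a share whose mask clips an entry.
scan_tree() {   # usage: scan_tree /srv/shared/Albums
    find "$1" -print | while IFS= read -r p; do
        out=$(getfacl -p -- "$p" 2>/dev/null | acl_mask_clips) &&
            printf '%s: %s\n' "$p" "$out"
    done
}

# Widen the mask on already-damaged objects so the inherited group entry takes
# effect again (rw for files, rwx for directories). Needs ownership or root and
# only repairs what exists: new files still need the smb.conf change.
repair_tree() {   # usage: repair_tree /srv/shared/Albums
    find "$1" -print | while IFS= read -r p; do
        getfacl -p -- "$p" 2>/dev/null | acl_mask_clips >/dev/null || continue
        if [ -d "$p" ]; then setfacl -m m::rwx -- "$p"; else setfacl -m m::rw -- "$p"; fi &&
            printf 'repaired %s\n' "$p"
    done
}

# Constructed smb.conf excerpt: two stanzas that reproduce the problem next to
# the corrected one (inherit acls = no, inherit permissions = yes).
write_sample_conf() {   # usage: write_sample_conf /tmp/smb.conf
    cat > "$1" <<'EOF'
[global]
    workgroup = WORKGROUP

; reproduces the bug: ACL inheritance on, permission inheritance off
[Albums-broken]
    path = /srv/shared/Albums
    writeable = yes
    inherit acls = yes
    inherit permissions = no

; also broken: vfs_acl_xattr forces inherit acls = yes behind your back
[Albums-acl-xattr]
    path = /srv/shared/Albums
    writeable = yes
    vfs objects = acl_xattr
    inherit permissions = yes

; the fix from the post
[Albums]
    path = /srv/shared/Albums
    writeable = yes
    inherit acls = no
    inherit permissions = yes
EOF
}

# Report one share's effective settings, honouring [global] defaults, Samba's
# case- and whitespace-insensitive keys, yes/true/1 booleans, and the modules
# that force inherit acls on. Exit 0 only when the share matches the fix.
share_acl_settings_ok() {   # usage: share_acl_settings_ok /etc/samba/smb.conf Albums
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        function yes(v) { return v == "yes" || v == "true" || v == "1" }
        /^[ \t]*\[/ { sec = tolower($0); sub(/^[ \t]*\[/, "", sec); sub(/].*/, "", sec)
                      gsub(/[ \t]/, "", sec); next }
        /^[ \t]*[;#]/ || !/=/ { next }
        {
            key = tolower($0); sub(/=.*/, "", key)
            gsub(/[ \t]+/, " ", key); sub(/^ /, "", key); sub(/ $/, "", key)
            val = tolower($0); sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (sec == "global") g[key] = val; else if (sec == want) s[key] = val
        }
        END {
            acls  = ("inherit acls" in s) ? s["inherit acls"] : g["inherit acls"]
            perms = ("inherit permissions" in s) ? s["inherit permissions"] : g["inherit permissions"]
            vfs   = ("vfs objects" in s) ? s["vfs objects"] : g["vfs objects"]
            forced = (vfs ~ /acl_(xattr|tdb)/)
            ok = (!yes(acls) && !forced && yes(perms))
            if (forced) acls = "yes (forced by vfs objects = " vfs ")"
            printf "[%s] inherit acls = %s, inherit permissions = %s: %s\n", want,
                (acls == "" ? "no (default)" : acls), (perms == "" ? "no (default)" : perms),
                (ok ? "ok" : "BROKEN")
            exit (ok ? 0 : 1)
        }
    ' "$1"
}

case "${1:-}" in
    scan)   scan_tree "${2:?directory}" ;;
    repair) repair_tree "${2:?directory}" ;;
    check)  share_acl_settings_ok "${3:-/etc/samba/smb.conf}" "${2:?share name}" ;;
    *)      echo "usage: $0 scan DIR | repair DIR | check SHARE [smb.conf]" >&2 ;;
esac
```

Run it as `sh acl-mask.sh check Albums` against the live smb.conf, `sh acl-mask.sh scan /srv/shared/Albums` to list damaged files, and `repair` to fix them once the share definition is corrected. The lint only reads smb.conf and knows nothing about include files or registry configuration, so still run testparm before restarting Samba; and since Samba also accepts parameter names with whitespace removed, treat a clean result as necessary rather than sufficient.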

Testing reveals that the parameter nt acl support has no effect on whether this use case works or not.  I would, however, not count on Samba to correctly set or map POSIX ACLs to NT ones.