I wish to permit all members of the group access to files and directories created by any other group member.
Anybody else shall have no access.
I am not familiar with ACLs and always used to be happy with the POSIX users & groups concept (plus, u&g are easier to manipulate from a php script), so I set the dataset to:
ACL inherit = discard
ACL mode = discard
The CIFS/SMB share has:
browseable = on
guest = off
inherit permissions = on
ZFS ACL = off
inherit ACL = off
NTFS ACLs = off
So, we have users me and notme, both belonging to the group 2B.
On the top level of the "phoenix" dataset there is one directory:
drwxrwx--- 8 me 2B 8 Dec 7 10:00 permissiontest/
Creating a subdirectory via smbclient:
smbclient -U notme%x //<localhost>/phoenix
smb: \> mkdir permissiontest/created_by_notme
smb: \> exit
drwxrwx--- 2 notme 2B 2 Dec 7 11:08 created_by_notme/
As intended, user "me" can use smbclient to e.g. change the name of that directory:
smbclient -U me%x //<localhost>/phoenix
smb: \> rename permissiontest/created_by_notme premissiontest/edited_by_me
smb: \> exit
So far, all rainbows and unicorns.
But then I use SMB from a Mac to create another directory and get this:
drwxr-xr-x 2 me 2B 2 Dec 7 11:16 created_by_me_via_Finder/
Obviously, user notme will be unable to write-access this (yes, I checked).
OK, OSX 10.7.5 is pretty ancient and I experienced such problems before, so I repeated the test with muCommander instead of Finder, to get:
drwxr-xr-x 2 me 2B 2 Dec 7 11:18 created_by_me_via_mucommander/
Same problem, obviously. The set permissions seem to reflect the user's umask, which is 0022.
I set it to 0033 and repeated the procedure (after logging out and in again from the Mac):
drwxr-xr-x 2 me 2B 2 Dec 7 11:30 created_by_me_via_Finder_0033
drwxr-xr-x 2 me 2B 2 Dec 7 11:31 created_by_me_via_mucommander_0033
The OSX Finder used to be fine for years until it stopped using the right permissions upon file creation.
Same thing with muCommander now: it worked fine until last week.
My Mac is too old for updates and the only Apple client in the network, so this side should be all static.
Very probably I messed up settings on the server side. Ideas, anybody?
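
An added example, not part of the original post: a POSIX shell function that lists every entry under a share deviating from the intended drwxrwx--- policy, which makes listings like the drwxr-xr-x directories above easy to spot after each client test. The function name and the output labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit a shared tree against the policy
# "group members have full access, everybody else has none".
# Usage: audit_group_share DIR [GROUP]   (GROUP is a group name or numeric gid)
audit_group_share() {
    # Directories need group r, w and x (the intended drwxrwx---).
    find "$1" -type d ! -perm -070 \
        -exec printf 'dir-not-group-rwx\t%s\n' {} +
    # Regular files need at least group r and w.
    find "$1" -type f ! -perm -060 \
        -exec printf 'file-not-group-rw\t%s\n' {} +
    # Nothing may grant any bit to "other"; drwxr-xr-x is reported here too.
    # Symlinks are skipped because their own mode bits are not enforced.
    find "$1" ! -type l \( -perm -001 -o -perm -002 -o -perm -004 \) \
        -exec printf 'other-has-access\t%s\n' {} +
    # Optional: every entry must belong to the shared group.
    if [ -n "${2:-}" ]; then
        find "$1" ! -group "$2" \
            -exec printf 'wrong-group\t%s\n' {} +
    fi
    return 0
}
```

Each output line is a label, a tab and the offending path, so an empty result means the tree matches the policy.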