Samba, Windows ACLs and unwanted executable bit

Question

I setup Samba with ACL support on an Ubuntu 18.04 LTS server and I'm facing the following situation.

Here's the smb.conf content:

[global]
   # naming
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)

   # networking
   disable netbios = yes
   local master = no
   domain master = no
   preferred master = no

   # domain accounts
   security = ADS
   realm = EXAMPLE.COM
   encrypt passwords = yes
   invalid users = root

   idmap config *:backend = tdb
   idmap config *:range = 70001-80000

   template shell = /bin/bash

   winbind nss info = rfc2307
   winbind use default domain = yes
   winbind rpc only = yes
   winbind cache time = 10

   vfs objects = acl_xattr
   map acl inherit = yes
   acl group control = yes
   store dos attributes = no

   # logging
   log file = /var/log/samba/log.%m
   max log size = 1000

   # permissions
   create mode = 0644
   directory mode = 0755
   inherit acls = yes
   map archive = no

   # printers
   load printers = no

   # veto files
   veto files = /._*/.DS_Store/

[All Users]
   comment = All Home Directories
   path = /home/EXAMPLE
   browseable = yes
   read only = no
   valid users = @dl_acc_ro @dl_acc_rw

From macOS Sierra, I connect to a samba share with smb://myserver.com/test. Then I open a terminal and $ cd /Volumes/test and I finally create a file with $ touch xxx.

Here's the output of $ ls -l on my Mac:

$ ls -l
-rwx------  1 gregory  staff  0 Sep 26 20:00 xxx

And now on the server itself:

$ ls -l
-rwxrwxr-x+ 1 gregory utilisa. du domaine 0 Sep 26 18:00 xxx

And ACLs:

$ getfacl /home/EXAMPLE/gregory
getfacl: Removing leading '/' from absolute path names
# file: home/EXAMPLE/gregory
# owner: gregory
# group: utilisa.\040du\040domaine
user::rwx
group::r-x
other::r-x


$ getfacl /home/EXAMPLE/gregory/xxx
getfacl: Removing leading '/' from absolute path names
# file: home/EXAMPLE/gregory/xxx
# owner: gregory
# group: utilisa.\040du\040domaine
user::rwx
user:gregory:rwx
group::r-x
group:utilisa.\040du\040domaine:r-x
mask::rwx
other::r-x

As you can see, the regular file created by touch has the executable bit set. Is there a way I can avoid this behavior? I would like regular files created through Samba to have 0644 permissions.

For the record, I tested from a Linux workstation and it exhibits the same behavior, which makes me believe it's all happening on the Samba server side.

Answer 1

From the Samba manual:

Consequently, there is no use for any of the three Unix executable bits that are present on a file in a Samba disk share. DOS files, however, have their own attributes that need to be preserved when they are stored in a Unix environment: the archive, system, and hidden bits. Samba can preserve these bits by reusing the executable permission bits of the file on the Unix side—if it is instructed to do so. Mapping these bits, however, has an unfortunate side effect: if a Windows user stores a file in a Samba share, and you view it on Unix with the ls -al command, some of the executable bits won't mean what you'd expect them to.

How to disable it? Following from the manual:

Three Samba options decide whether the bits are mapped: map archive, map system , and map hidden. These options map the archive, system, and hidden attributes to the owner, group, and world execute bits of the file, respectively. You can add these options to the [data] share, setting each of their values as follows:

 [data]
    map archive = no
    map system = no
    map hidden = no

You call also disable the executable bit by using the store dos attributes flag.

Answer 2

Have a look at the various mask settings in smb.conf. E.g. create mask, directory mask, ...

Furthere these masks can be influenced by the mount options on the client, which can also be helpful to look at the details.