Samba – Fix Create Mask & Force Create Mode Can’t Set Group Write Bit

Tags: permissions, samba4, sharing

Tried all combinations of create mask and force create mode. Regardless, all created files got "rw-r--r--" instead of "rw-rw-???" (I don't care about the "others" permissions).

smbd version 4.1.6-ubuntu (latest one from 14.04)

Here's an excerpt from smb.conf:

[global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.FQDN
    server string = File server %h (%i:%a)
    security = ADS
    allow trusted domains = No
    map to guest = Bad User
    obey pam restrictions = Yes
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    syslog = 0
    log file = /var/log/samba/%U.%m.log
    max log size = 1000
    load printers = No
    printcap name = /dev/null
    disable spoolss = Yes
    dns proxy = No
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind refresh tickets = Yes
    recycle:keeptree = yes
    idmap config * : range = 10000-50000
    idmap config * : schema_mode = rid
    idmap config MYDOMAIN : default = yes
    idmap config MYDOMAIN : cache time = 180
    idmap config MYDOMAIN : backend = rid
    idmap config MYDOMAIN : range = 100000-500000
    idmap config MYDOMAIN : schema_mode = rid
    idmap config * : backend = rid
    valid users = @MYDOMAIN\\acl_rsk30srv042_valid, @MYDOMAIN\acl_rsk30srv042_sd-rw, MYDOMAIN\svc_scan_330-001, MYDOMAIN\sysop, eao\administrator, MYDOMAIN\svc_sadm_330-02
    admin users = MYDOMAIN\svc_scan_330-001, MYDOMAIN\svc_sadm_330-02
    create mask = 0775
    force create mode = 0770
    directory mask = 0775
    force directory mode = 0770
    map acl inherit = Yes
    map archive = No
    map readonly = no
    store dos attributes = Yes
    vfs objects = recycle, acl_xattr

[homes]
    comment = %S's personal folder
    path = /home/%D/%U
    valid users = @MYDOMAIN\xall-330
    read only = No
    create mask = 0700
    directory mask = 0700
    browseable = No
    volume = %U-%S
    vfs objects = recycle:keeptree=yes

[IPC$]
    path = /etc/samba/fakeIPC
    valid users = "@MYDOMAIN\domain users", @MYDOMAIN\xall-330, @MYDOMAIN\acl_share_330-sov2014, nobody
    guest ok = Yes

[obmen]
    comment = Common file exchange
    path = /var/samba/obmen
    write list = @MYDOMAIN\acl_rsk30srv042_valid
    force group = MYDOMAIN\xall-330
    read only = No
    force create mode = 0666
    force directory mode = 0666
    guest ok = Yes
    browseable = No
    volume = obmen
    vfs objects = extd_audit, recycle:keeptree=yes

[secret]
    comment = Depts' folders
    path = /var/samba/secret
    guest ok = Yes

[053]
    comment = 053 - IT dept
    path = /var/samba/secret/053
    valid users = @MYDOMAIN\acl_share_330-053-rw
    force group = @MYDOMAIN\acl_share_330-053-rw
    read only = No
    guest ok = Yes
    browseable = No
    vfs objects = recycle:keeptree=yes, extd_audit

Folder rights:

drwxrwxr-x   2 root root fakeIPC 
drwxrwxrwx   9 nobody MYDOMAIN\xall-330 obmen
dr-xrwxr-x  36 nobody MYDOMAIN\xall-330 secret
drwxrwxrwx 17 nobody MYDOMAIN\acl_share_330-053-rw 053

Tried from a Win7 box and from Ubuntu 14.04 – same results. Definitely something is wrong with samba4…
Tried to set

create mask = 0666
directory mask = 2775
force create mode = 774
force directory mode = 2774

newly created dir got permissions: drwxrwsr-x
but a copied file still got: -rwxr-xr--

Don't know what to do… My boss is pushing me to move to winserver to avoid such situations…

Best Answer

SOLVED (seems to be)

The problem was the obey pam restrictions parameter. By default it is turned off, and I could not remember why I had turned it on. The Samba config was partially taken from an older installation; maybe I had reasons to be obedient there :-)

When it is on, Samba-created files are subject to umask restrictions. I don't know whether this can be corrected via login defaults (which user would that be?), but the umask command gives me "0022", which means "u+a g-w o-w".

Hope it will help someone with a similar problem.
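As an added example (not part of the question or answer above), the following script shows why no combination of create mask and force create mode can win against a 0022 umask. It models the documented smb.conf(5) rule for the mode smbd computes (bits not in create mask are stripped from the requested mode, then force create mode is OR'd in) and then does what smbd ultimately does: calls open(2) with that mode. The kernel applies the process umask to that mode argument, which is the step that silently clears the group write bit. Two assumptions are made here: that a Windows client requests 0666 for a plain file, and that smbd does not chmod the file afterwards (the "-rwxr-xr--" observed in the question for create mask 0666 / force create mode 774 is consistent with that). The probe runs against a temporary directory on the local filesystem, not against a Samba share.

```python
import os
import stat
import tempfile


def samba_mode(requested: int, create_mask: int, force_create_mode: int) -> int:
    """Mode smbd computes for a new file before calling open(2).

    Documented rule from smb.conf(5): bits not set in 'create mask' are
    removed from the requested mode, then 'force create mode' is OR'd in.
    """
    return (requested & create_mask) | force_create_mode


def create_with_umask(directory: str, mode: int, umask: int) -> int:
    """Create a file via open(2) under the given umask; return the mode
    actually stored on disk.

    This is the step where the computed mode loses bits: the kernel
    applies the process umask to the mode argument of open(2).
    """
    path = os.path.join(directory, "probe")
    old_umask = os.umask(umask)
    try:
        fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, mode)
        os.close(fd)
    finally:
        os.umask(old_umask)  # never leave the caller's umask changed
    result = stat.S_IMODE(os.stat(path).st_mode)
    os.unlink(path)
    return result


def ls_mode(mode: int) -> str:
    """Render permission bits the way ls -l shows them for a regular file."""
    return stat.filemode(stat.S_IFREG | mode)


def resulting_mode(create_mask: int, force_create_mode: int, umask: int) -> int:
    """End-to-end: config values -> mode smbd asks for -> mode on disk.

    Assumption: the client requests 0666 for a plain file, as Windows does.
    """
    wanted = samba_mode(0o666, create_mask, force_create_mode)
    with tempfile.TemporaryDirectory() as d:
        return create_with_umask(d, wanted, umask)


if __name__ == "__main__":
    # Constructed cases taken from the config values in the question.
    cases = [
        ("create mask 0775 / force create mode 0770", 0o775, 0o770),
        ("create mask 0666 / force create mode 0774", 0o666, 0o774),
    ]
    for label, mask, force in cases:
        for umask in (0o022, 0o000):
            got = resulting_mode(mask, force, umask)
            print(f"{label}, umask {umask:04o}: {ls_mode(got)} ({got:04o})")
```

With umask 0022 both configurations land on -rwxr-xr-- (0754), exactly what the question reports for the second attempt; with umask 0000 the group write bit survives. To check the real server rather than this model, confirm the effective share settings with `testparm -s`, restart smbd after changing obey pam restrictions, create a file through the share, and inspect it with `stat -c %a`.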