On Ubuntu 16.04.1 (Samba 4.3.11-Ubuntu), all shares ignore the create mask and force create mode for the group writable bit.
When creating a new text file on my home share, or on a global share, it's created with the permissions 0640, where I would have expected it to be 0660. The relevant portions of my smb.conf are below.
[global]
directory mask = 2770
create mask = 0660
map archive = no
[homes]
comment = Home Directory for %U
valid users = %S
read only = no
create mask = 0660
force create mode = 0660
directory mask = 2770
force directory mode = 2770
browseable = no
[build]
comment = Build Share
force user = %U
force group = buildshare
path = /mnt/build
read only = no
create mask = 0660
force create mode = 0660
directory mask = 2770
force directory mode = 2770
browseable = yes
If I change create mask to 0777 and force create mode to 0777 then the results are a little different and the permissions created are 755, still the writable bits for group and other are not set when I would expect it to be with the force create mode option.
Setting force create mode in the [global] section doesn't change behaviour.
I'm not observing the same problem with using directory mask and force directory mode and I got that fixed after adding force directory mode = 2770
The Samba server is authenticating against an Active Directory Server (Win2012R2) for single sign on.
According to smb.conf(5), it should work, and I'm baffled.
create mask (S)
The default value of this parameter removes the group and other write and execute bits from the UNIX
modes.
Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of
the force create mode parameter which is set to 000 by default.
Best Answer
The problem was "obey pam restrictions = yes" was set. Change this to "no" and the permissions are now set correctly. This was a comment in the post Set umask, set permissions, and set ACL, but SAMBA isn't using those?