How to keep group-writeable shares on Samba with OSX clients?



I have a FreeNAS server on a network with OSX and Windows clients. When the OSX clients interact with SMB/CIFS shares on the server, they are causing permission problems for all other clients.

Update: I can no longer verify any answers because we abandoned the project, but feel free to post any help for future visitors.

The details of this behavior seem to also be dependent on the version of OSX the client is running. For this question, let's assume a client running 10.8.2.

When I mount the CIFS share on an OSX client and create a new directory on it, the directory will be created with drwxr-x-rx permissions. This is undesirable because it will not allow anyone but me to write to the directory. There are other users in my group which should have write permissions as well. This behavior happens even though the following settings are present in smb.conf on the server:

create mask= 0666
directory mask= 0777
force directory mode= 0775
force create mode= 0660

I was under the impression that these settings should make sure that directories are at least created with rwxrwxr-x permissions. But, I guess, that doesn't stop the client from changing the permissions after creating the directory.

When I create a folder on the same share from a Windows client, the new folder will have the desired access permissions (rwxrwxrwx), so I'm currently assuming that the problem lies with the OSX client.

I guess this wouldn't be such an issue if you could easily change the permissions of the directories you've created, but you can't. When opening the directory info in Finder, I get the old "You have custom access" notice with no ability to make any changes.

enter image description here

I'm assuming that this is caused because we're using Windows ACLs on the share, but that's just a wild guess.

Changing the write permissions for the group through the terminal works fine, but this is unpractical for the deployment and unreasonable to expect from anyone to do.

This is the complete smb.conf:

    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    read raw = yes
    write raw = yes
    oplocks = yes
    max xmit = 65535
    deadtime = 15
    display charset = LOCALE
    max log size = 10
    syslog only = yes
    syslog = 1
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    smb passwd file = /var/etc/private/smbpasswd
    private dir = /var/etc/private
    getwd cache = yes
    guest account = nobody
    map to guest = Bad Password
    obey pam restrictions = Yes
    # NOTE: read smb.conf.
    directory name cache size = 0
    max protocol = SMB2
    netbios name = freenas
    workgroup = COMPANY
    server string = FreeNAS Server
    store dos attributes = yes
    hostname lookups = yes
    security = user
    passdb backend = ldapsam:ldap://
    ldap admin dn = cn=admin,dc=company,dc=local
    ldap suffix = dc=company,dc=local
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap ssl = off
    ldap replication sleep = 1000
    ldap passwd sync = yes
    #ldap debug level = 1
    #ldap debug threshold = 1
    ldapsam:trusted = yes
    idmap uid = 10000-39999
    idmap gid = 10000-39999
    create mask = 0666
    directory mask = 0777
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 1

    path = /mnt/zfs0
    printable = no
    veto files = /.snap/.windows/.zfs/
    writeable = yes
    browseable = yes
    inherit owner = no
    inherit permissions = no
    vfs objects =  zfsacl
    guest ok = no
    inherit acls = Yes
    map archive = No
    map readonly = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = yes
hide dot files
force directory mode = 0775
force create mode = 0660

Der Hochstapler

Posted 2013-11-14T17:04:02.547

Reputation: 77 228

1The [share] section will take precedence over the [global] section when two options are the same – Canadian Luke – 2013-11-14T17:19:15.957

Can you post the entire smb.conf file? – Canadian Luke – 2013-11-15T00:23:39.457

@CanadianLuke: Done – Der Hochstapler – 2013-11-15T10:54:07.490

Do you have full SSH access to your FreeNAS? Can you set folder permissions on the terminal? – Canadian Luke – 2013-11-15T16:35:35.607

@CanadianLuke: Yes, I have SSH access to the server and setting permissions through the terminal is no problem at all. – Der Hochstapler – 2013-11-15T17:16:04.160



To prevent OS X clients of changing permissions, you need to add

unix extensions = no

to the [Global] section of your smb.conf

And/or add something like

force security mode = 0660
force directory security mode = 02770

to your share definitions to preserve group-write rights.


Posted 2013-11-14T17:04:02.547

Reputation: 2 270

The only one working solution I was able to find. Thanks! – Antonio – 2014-10-16T19:43:34.617

This Solution worked for me too, windows users/group permissions where being created correctly, but when a mac user would create a directory it would not comply to the user share definitions set even though they where forced. Thanks! – trail_runner – 2016-03-15T19:21:28.607


Change your share definitions to contain just the following:

path = /path/to/folder
browseable = yes
writeable = yes
inherit permissions = yes

Now, change the permissions on the folders directly:

# chown user:group -R /path/to/folder
# chmod 2770 -R /path/to/folder (or 2775 for public read only)

The CHMOD command above will have "special" permissions applied, which allow folders dropped in the folder to take on the parent's permissions automatically. For this to take affect:

/etc/init.d/samba reload

The reload switch does not restart samba (kicking off current users), but reloads the configuration file.

As well, documented on the FreeNAS Wiki:

If permissions work for Windows users but not for OS X users, try disabling Unix Extensions and restarting the CIFS service.

Canadian Luke

Posted 2013-11-14T17:04:02.547

Reputation: 22 162


if you are creating those folders inside the maybe setting the system wide umask to 002 (777 - umask = mask for executables and folders 666 - umask = mask for files) instead of 022 is a possibility


Posted 2013-11-14T17:04:02.547

Reputation: 504