Samba permissions for copied files

I have Samba running on a plug computer running Debian Squeeze which I'm trying to configure to act as a web-based file server.

The machine runs Lighttpd for the web server, and Samba for the file sharing. The user is able to use Samba to copy files from their local machine onto the plug computer using Samba, and then view them through the web browser (script I wrote).

Lighttpd runs as www-data, Samba runs as root and the user authenticates with Samba through a user account called admin.

The problem is that I'm having permissions difficulties when a user copies files from their machine over Samba. Let's take an example with a file called foo.pdf:-

Example

foo.pdf is stored on a separate NAS drive on the LAN, which the user copies over to their local machine running OS X. The permissions right now are as follows:-

mac:Desktop jon$ ls -l | grep foo.pdf
-rwx------    1 jon  NETWORK\Domain Users     3516266 10 May 10:54 foo.pdf

Everything is fine, because the user has full rights to rwx the file, even though no-one else does -- which isn't a problem. But now, the user decides they want to copy foo.pdf from their local machine onto the plug computer -- and things start to go wrong!

After using Samba to copy the file over, the permissions are now as follows:-

root@plug:/home/admin/content# ls -l | grep foo.pdf
-rwx------ 1 admin    admin    3516266 May 10 09:54 foo.pdf

The problem is that now only admin has the rights to rwx the file. No other users have any rights at all. This means that www-data (which is the web server) has no rights to this file. The result is a 403 - Forbidden if I try to open foo.pdf through a web browser.

My *nix knowledge is fairly limited, but I reckon that what needs to happen to fix this is that Samba needs to relax these permissions when copying over files to allow other users to read the file.

Reading similar questions on SF and other sites indicates that a potential solution may lie in the create mode/mask and force create mode/mask -- however it's not clear whether this only applies to new files, or also to copied files -- because it's not working for me!

As a test, I used those options to force 0777 (obviously unsafe for a production environment, but just wanted to test) and found that it made no change whatsoever to the file permissions of copied over files.

My smb.conf is as follows:-

[global]
        workgroup = WORKGROUP
        server string = %h server
        dns proxy = no
        log file = /var/log/samba/log.%m
        log level = 4
        max log size = 1000
        syslog = 0
        panic action = /usr/share/samba/panic-action %d
        encrypt passwords = true
        passdb backend = tdbsam
        obey pam restrictions = yes
        unix password sync = yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword$
        pam password change = yes
        create mask = 0777
        force create mode = 0777
        directory mask = 0777
        force directory mode = 0777

This doesn't seem to change anything at all, as files still have the -rwx------ 1 admin admin permissions after being copied over.

...any ideas?