cbc 07-18-2011 04:54 PM

Samba share permissions
 
Hi,

I am able to access the Linux share from a Windows server, but I am having a problem with the permissions. My smb.conf file looks like the following for the test share:

[test]
path = /export/samba/test
read only = No
guest ok = Yes
create mode = 0755
directory mode = 0755
browseable = yes
Writable = Yes

Even the root user is not able to write or modify the files in this share. I am confused about what's wrong in my config file.

Please help.

Thanks,

CBC

dannybpng 07-18-2011 07:52 PM

When dealing with Samba shares you need to remember that underneath the Windows/Samba permission stuff is still the Linux permissions on files and folders. If those permissions are "locked down" then Samba will not be able to deal with the files in the way you expect.

When you say the "root" user do you mean the Linux root user or a Samba user with the name "root"?

cbc 07-18-2011 07:54 PM

Hey dannybpng, thanks for your reply. I mean the Samba admin user who has root privileges. Still, he can't modify the files in the share.

Any ideas are appreciated.

Thanks.

frankbell 07-18-2011 08:09 PM

Run the command ls -l on the files in the directory and report back the results. That should reveal permissions and ownership.

If the results are basically all the same, it should not be necessary to report them all back, just enough to give a flavor.

cbc 07-18-2011 08:15 PM

Hi frankbell,

Here are the listings:

share directory permissions :

drwxrwxr-x 6 root root 4096 Jul 18 17:12 .

Files permissions in the share :

rwxrwxrwt 1 root root 18 Jul 8 03:02 a
-rw-r--r-- 1 root root 4 Jul 8 03:02 af
drwxr-xr-x 2 root root 4096 Jul 8 11:26 d
drwxr-xr-x 2 uskump01adm domain users 4096 Jul 11 14:20 hello
drwxr-xr-x 2 uskump01adm domain users 4096 Jul 11 09:51 hi
drwxr-xr-x 2 uskump01adm domain users 4096 Jul 11 09:33 hiii
-rw------- 1 root root 4 Jul 11 09:40 newtest
-rwxr--r-- 1 uskops00 domain users 4 Jul 8 10:58 somefile
-rwxr--r-- 1 uskump01adm domain users 9934 Jul 8 21:01 test.docx

Thanks,

CBC

shuja_khan 07-19-2011 03:27 PM

Below is my general-purpose Samba server used in a QA env, with one condition.

All permissions are controlled via Samba (this means all folders that are shared via Samba have a permission mask of "777" at the file system level). You should review all options in the conf, as some of the options are specifically there for QA requirements, such as recycle & VFS objects etc.

# more /etc/samba/smb.conf

[global]

server string = RS ( QA HUDSON Staging Server )
workgroup = QA
netbios name = RS
security = share
guest only = yes
dns proxy = no
preserve case = yes
short preserve case = yes
default case = lower
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 33
syslog = 0
log level = 0
Dos charset = 850
Unix charset = ISO8859-1
load printers = no
follow symlinks = yes
wide links = yes
disable spoolss = yes
show add printer wizard = no
# security = user
encrypt passwords = yes
level2 oplocks = true
read raw = no
large readwrite = yes
nt pipe support = yes
nt status support = yes
announce as = NT
announce version = 4.9
unix extensions = yes
client signing = auto
hostname lookups = no
wins support = no
veto files = /.recycle/*.bash*/
delete veto files = yes
write cache size = 262144
nt acl support = yes
inherit permissions = yes
vfs objects = vscan-clamav
vscan-clamav: config-file = /etc/samba/vscan-clamav.conf


[staging]
comment = none
path = /opt/staging
browseable = yes
public = yes
guest ok = yes
printable = no
create mask = 0777
directory mask = 0775
write list = @qa @build staging
valid users = @qa @build staging
writeable = no
force user = staging
vfs object = recycle:repository recycle:keeptree recycle:versions recycle:touch recycle:exclude recycle:exclude_dir recycle:maxsize recycle:noversions
vfs object = recycle:repository=".recycle"
recycle:keeptree=True
recycle:repository=./RECYCLED
recycle:keeptree=yes
recycle:versions=yes
recycle:touch=no
recycle:exclude=*.tmp|*.temp|*.obj|~\$*
recycle:exclude_dir=/tmp|/temp|/cache
# Trash max size is 100 Gb
recycle:maxsize=107374182400
recycle:noversions=*.mdb


[builds]
comment = BUILDS
path = /home/build
browseable = yes
public = yes
guest ok = yes
printable = no
create mask = 0777
directory mask = 0775
write list = @qa @build
valid users = @qa @build
writeable = Yes
force user = builds
vfs object = recycle:repository=".recycle" recycle:keeptree=True


[rserver]
comment = RSERVER (Angela's Junk left from hourly compile, no data left after compile moved to staging)
path = /home/rserver
browseable = yes
public = yes
guest ok = yes
printable = no
create mask = 0777
directory mask = 0775
write list = @qa @build rserver
valid users = @qa @build rserver
writeable = Yes
force user = rserver
vfs object = recycle:repository=".recycle" recycle:keeptree=True



[sushi]
comment = SUSHI NFS Mount
path = /home/sushi/development
browseable = yes
public = yes
guest ok = yes
printable = no
create mask = 0777
directory mask = 0775
write list = @qa @build sushi
valid users = @qa @build sushi
writeable = no
force user = sushi

[transit]
comment = tEMp fILe eXcHaNgE (QA Only)
path = /home/transit
browseable = yes
public = yes
guest ok = yes
printable = no
create mask = 0777
directory mask = 0775
write list = @qa @build transit
valid users = @qa @build sushi transit
writeable = yes
force user = transit
vfs objects = vscan-clamav
vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

[wiki]
comment = Wiki Cash
path = /home/wiki
browseable = yes
public = yes
guest ok = yes
printable = no
create mask = 0777
directory mask = 0775
write list = @qa @build wiki
valid users = @qa @build wiki
writeable = no
force user = wiki
vfs object = recycle:repository=".recycle" recycle:keeptree=True

frankbell 07-19-2011 08:07 PM

Quote:

Originally Posted by cbc (Post 4418590)
rwxrwxrwt 1 root root 18 Jul 8 03:02 a
-rw-r--r-- 1 root root 4 Jul 8 03:02 af
drwxr-xr-x 2 root root 4096 Jul 8 11:26 d
drwxr-xr-x 2 uskump01adm domain users 4096 Jul 11 14:20 hello
drwxr-xr-x 2 uskump01adm domain users 4096 Jul 11 09:51 hi
drwxr-xr-x 2 uskump01adm domain users 4096 Jul 11 09:33 hiii
-rw------- 1 root root 4 Jul 11 09:40 newtest
-rwxr--r-- 1 uskops00 domain users 4 Jul 8 10:58 somefile
-rwxr--r-- 1 uskump01adm domain users 9934 Jul 8 21:01 test.docx

All I come up with is another question, but I think it's an important one.

What would you like the permissions to be instead of what they are?

cbc 07-19-2011 08:18 PM

Hi Frankbell, I agree with you. But the files created at the Linux level do not match the files created on the Windows server.

shuja_khan 07-20-2011 02:33 AM

Looking at your second-to-last post, I can see that you are using Samba as a domain;
You have not specified whether the share is a user home share, a group share or an open share, but in your very first post you are using "guest ok = Yes".

You have to be clear about a few things:
Files created inside a Linux shell/console, or by any command used at the Linux OS level that does not authenticate itself as the required user but has direct access to the share via the network (e.g. SSH key pairs), or by any internal process creating files inside that share, will have a different ownership: that of the user the process is being "run as", or of the currently logged-in user.

In your case, referring to your conf:
guest ok = Yes
create mode = 0755
directory mode = 0755

But looking at your conf above, who owns the files being created? The permission mask is the OS-level default, where 7 is for the owner & 55 is for others & group, which will not let you create files from the Windows side as they are being blocked by the 55 permissions. But referring to the output of the ls command in your second-to-last post:

drwxr-xr-x 2 root root 4096 Jul 8 11:26 d
drwxr-xr-x 2 uskump01adm domain users 4096 Jul 11 14:20 hello
drwxr-xr-x 2 uskump01adm domain users 4096 Jul 11 09:51 hi
drwxr-xr-x 2 uskump01adm domain users 4096 Jul 11 09:33 hiii

Above are the OS-level permissions, & in your Samba conf you have just set the same as Samba permissions. The two are different: you have to give the "W" permission at the OS level as well & then control the write using Samba.

Referring to my conf file:

write list = @qa @build wiki
valid users = @qa @build wiki

The "@" symbol denotes that it's a group. Is the user you are trying to use from the Windows side part of the "write" group, as well as a valid user from the Windows side?

The conf I have given you above is for a QA staging server; we use smbclient from within Linux to connect to a share where possible, even if that share is located right on localhost, because then we do not have to worry about ownership of files & permission levels.

If we do not have that choice, such as in our case where the very same server is being used by RSERVER, which specifically uses the OS filesystem rather than an SMB share, we use scripts via cron job to do that.
e.g.
create mask = 0777
directory mask = 0775

So, last question: you have not specified whether you are using your server as a domain server or a general-purpose server. My conf is general purpose; it's a totally different conf for a domain server & permissions setup.
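
Added example (not part of any poster's message): a simplified model of the two layers discussed above, where a write succeeds only if both the Samba share settings and the Linux mode bits allow it. The function names are hypothetical, the rows are copied from the ls -l output and the share settings from the configs in the thread, and the model ignores ACLs, `read list`, `admin users` and `force user`.

```python
# Share settings as dicts (Samba's default for "read only" is yes).
SHARE_TEST = {"read only": "no"}                       # [test] from the first post
SHARE_WIKI = {"read only": "yes", "write list": "@qa @build wiki",
              "valid users": "@qa @build wiki"}        # [wiki] from the QA config

# (mode, owner, group, name) rows taken from the ls -l output in the thread
LISTING = [
    ("drwxrwxr-x", "root", "root", "."),
    ("-rw-r--r--", "root", "root", "af"),
    ("drwxr-xr-x", "uskump01adm", "domain users", "hello"),
    ("-rwxr--r--", "uskops00", "domain users", "somefile"),
]

def in_list(spec, user, groups):
    """True if the user, or one of the user's groups written as @group, is in spec."""
    names = spec.split()
    return user in names or any("@" + g in names for g in groups)

def samba_allows_write(share, user, groups):
    valid = share.get("valid users", "")
    if valid and not in_list(valid, user, groups):
        return False                       # not allowed to connect at all
    if share.get("read only", "yes").lower() == "no":
        return True
    return in_list(share.get("write list", ""), user, groups)

def fs_allows_write(mode, owner, group, user, groups):
    """POSIX class check: owner, else group, else other; root bypasses it."""
    if user == "root":
        return True
    if user == owner:
        bits = mode[1:4]
    elif group in groups:
        bits = mode[4:7]
    else:
        bits = mode[7:10]
    need_x = mode[0] == "d"                # creating entries needs w+x on a dir
    return bits[1] == "w" and (not need_x or bits[2] in "xst")

def effective_write(share, row, user, groups):
    mode, owner, group, _name = row
    return (samba_allows_write(share, user, groups)
            and fs_allows_write(mode, owner, group, user, groups))
```

With the listing from the thread, a domain user falls into the "other" class on the share root (`drwxrwxr-x root root`), so the share being writable in smb.conf is not enough to create files there.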

cbc 07-20-2011 12:25 PM

Hi Shuja Khan, Thanks for your reply.

Do you mean I have to give 777 permissions at the OS level? Does that mean create mode & directory mode = 777?

I am using this Samba server as a domain member server. And all the domain users should access these shares. Only administrators should have the privileges to write to the share.

Thanks.

CBC
