[Samba] Samba vs Linux file permissions

Robert W. Smith rwsmith at bislink.net
Fri Jun 3 08:15:26 MDT 2011


John,

For the [chemgroup] share try

[chemgroup]
    comment = Chemistry Group Share
    path = /home/chemgroup
    valid users = @chemgroup
    write list = @chemgroup
    browseable = no
;;    writeable = yes
;;    printable = no
;; note your post left out the '@'-sign
    force group = @chemgroup
    create mask = 0660
    directory mask = 0770

and for the [homes] share try

[homes]
    comment = Home Directories
    browseable = no
;;    read only = no
    create mask = 0640
    directory mask = 0750
;;    valid users = %S
    valid users = %U
    write list = %U

I found that using %U works best so long as you don't have older Windows
(e.g. Wfwg). Also specifying write list specifically gives 'username'
write capabilities consistent with your security policy on the
underlying volume.

And, is /lab/chemgroup a local disk volume or a remote NFS volume? Doing
a double mount SMB --> NFS --> Local Vol is not recommended owing to the
way NFS itself handles permissions.

Also I would recommend that you consider upgrading to the latest 3.5.X
branch of Samba and consider enabling ACLs and extended User Attributes
on the underlying volumes. Although adding POSIX ACLs does add
complexity to the mix, in the end you get a more secure environment and
fewer Windows-to-Linux permission problems and confusion.

Bob
--bs

On Thu, 2011-06-02 at 10:36 -0400, John Maher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hello,
> 
> I cannot find anything in the documentation or mailing list that
> addresses this oddity.
> 
> I've installed Samba Version 3.4.7 on Ubuntu Server 10.04, and I'm
> utterly confused by Samba's behavior regarding permissions.
> 
> Users on the server have home directories in /home/chemgroup/username.
> (chemgroup is actually a symlink to another volume mounted at
> /labs/chemgroup.) Permissions on /lab/chemgroup are:
> 
>    drwxrwx---    username chemgroup       /labs/chemgroup
> 
> Permissions on /lab/group/username are:
> 
>    drwxr-x---    username chemgroup       /labs/chemgroup/username
> 
> Clearly, username has rights to write to /home/chemgroup/username, and
> can do so just fine via ssh.
> 
> The Samba share is configured as follows:
> 
>    [chemgroup]
>       comment = Chemistry Group Share
>       path = /home/chemgroup
>       valid users = @chemgroup
>       public = no
>       browseable = no
>       writeable = yes
>       printable = no
>       force group = chemgroup
>       create mask = 0660
>       directory mask = 0770
> 
> Note, username is a member of chemgroup.
> 
> username can connect to \\server\chemgroup and can create new files and
> directories there.  And username can navigate to the username folder
> within chemgroup.  BUT, here's where it gets weird . . . username can
> create a new file within the chemgroup\username folder, but they cannot
> even change the name of the file they just created.  And they can't
> delete the file they just created (and couldn't rename).
> 
> This same behavior is even presented with Home directories, with the
> homes section looking like this:
> 
>    [homes]
>       comment = Home Directories
>       browseable = no
>       read only = no
>       create mask = 0640
>       directory mask = 0750
>       valid users = %S
> 
> Thank you for any help or guidance.
> 
> John
> 
> - -- 
> * - - - - * - - - - * - - - - * - - - - * - - - - * - - - - * - - - - *
> John Maher
> Senior Systems and Network Administrator
> Department of Biochemistry & Molecular Biology and
> Department of Chemistry
> University of Massachusetts - Amherst
> voice: 413-577-3120  fax: 413-545-4490
> OpenPGP Key ID: 0x2970A144
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iEYEARECAAYFAk3nn9kACgkQG+X1pClwoUQ4MwCaA0LA6XGt9mkOtkHwUfOrkrud
> 184AoKf+YL0oNNB3caqtEyvbLFe07i/H
> =Q2wx
> -----END PGP SIGNATURE-----
> 
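
Added example, not part of either message: a Python check of what the underlying volume's mode bits alone allow a given uid/gid set to do inside a directory, which helps separate filesystem permissions from anything the Samba or NFS layers impose. The function names `class_bits` and `dir_ops` are hypothetical, the sample directory is constructed, and the check assumes classic mode bits only (no ACLs, no root override).

```python
import os
import stat
import tempfile

def class_bits(st, uid, gids):
    """rwx bits (0-7) for this uid/gid set: owner class, else group, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def dir_ops(directory, uid, gids, name=None):
    """Operations uid/gids may perform inside `directory`, judged from mode
    bits alone (assumption: no ACLs, no root override, no Samba/NFS layer)."""
    real = os.path.realpath(directory)   # follows a symlinked share path
    dst = os.stat(real)
    bits = class_bits(dst, uid, gids)
    can_modify = (bits & 3) == 3         # w+x on the directory, not on the file
    ops = {"path": real, "list": (bits & 5) == 5,
           "create": can_modify, "rename_delete": can_modify}
    if name is not None and can_modify and dst.st_mode & stat.S_ISVTX:
        # Sticky directory: only the entry's or the directory's owner may rename/delete.
        fst = os.lstat(os.path.join(real, name))
        ops["rename_delete"] = uid in (fst.st_uid, dst.st_uid)
    return ops

def demo():
    """Constructed sample: a 0750 directory holding a 0640 file (the [homes] mask values)."""
    base = tempfile.mkdtemp()
    d = os.path.join(base, "username")
    os.mkdir(d)
    os.chmod(d, 0o750)
    f = os.path.join(d, "notes.txt")
    open(f, "w").close()
    os.chmod(f, 0o640)
    st = os.stat(d)
    owner = dir_ops(d, st.st_uid, {st.st_gid}, "notes.txt")
    member = dir_ops(d, st.st_uid + 1, {st.st_gid}, "notes.txt")  # constructed uid
    return owner, member

if __name__ == "__main__":
    for label, ops in zip(("owner", "group member"), demo()):
        print(label, ops)
```

Create, rename and delete all depend on write and search permission on the containing directory, so the file's own mode never enters the result.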



