[Samba] Samba vs Linux file permissions
John Maher
john at chem.umass.edu
Fri Jun 3 09:27:26 MDT 2011
On 06/03/2011 10:15 AM, Robert W. Smith wrote:
Thanks for responding.
No luck with these changes. I just posted in another reply that if I
change permissions of the directory /home/chemgroup/username from this:
drwxr-x---
to this:
drwxrwx---
the user username can write just fine via Samba.
Just to verify that file system ACLs are not in play, I show the
following for that directory:
$ getfacl /home/chemgroup/username
getfacl: Removing leading '/' from absolute path names
# file: home/chemgroup/username
# owner: username
# group: chemgroup
user::rwx
group::r-x
other::---
So, nothing odd there.
I welcome any suggestions.
Thanks.
John
> John,
>
> For the [chemgroup] share try
>
> [chemgroup]
> comment = Chemistry Group Share
> path = /home/chemgroup
> valid users = @chemgroup
> write list = @chemgroup
> browseable = no
> ;; writeable = yes
> ;; printable = no
> force group = @chemgroup ;; note your post left out the '@'-sign
> create mask = 0660
> directory mask = 0770
>
> and for the [homes] share try
>
> [homes]
> comment = Home Directories
> browseable = no
> ;; read only = no
> create mask = 0640
> directory mask = 0750
> ;; valid users = %S
> valid users = %U
> write list = %U
>
> I found that using %U works best so long as you don't have older Windows
> (e.g. Wfwg). Also specifying write list specifically gives 'username'
> write capabilities consistent with your security policy on the
> underlying volume.
>
> And, is /lab/chemgroup a local disk volume or a remote NFS volume? Doing
> a double mount SMB --> NFS --> Local Vol is not recommended owing to the
> way NFS itself handles permissions.
>
> Also I would recommend that you consider upgrading to the latest 3.5.X
> branch of Samba and consider enabling ACLs and extended User Attributes
> on the underlying volumes. Although adding POSIX ACLs does add
> complexity to the mix in the end you get a more secure environment and
> less Windows-to-Linux permission problems and confusion.
>
> Bob
> --bs
>
> On Thu, 2011-06-02 at 10:36 -0400, John Maher wrote:
> Hello,
>
> I cannot find anything in the documentation or mailing list that
> addresses this oddity.
>
> I've installed Samba Version 3.4.7 on Ubuntu Server 10.04, and I'm
> utterly confused by samba's behavior regarding permissions.
>
> Users on the server have home directories in /home/chemgroup/username.
> (chemgroup is actually a symlink to another volume mounted at
> /labs/chemgroup.) Permissions on /lab/chemgroup are:
>
> drwxrwx--- username chemgroup /labs/chemgroup
>
> Permissions on /lab/group/username are:
>
> drwxr-x--- username chemgroup /labs/chemgroup/username
>
> Clearly, username has rights to write to /home/chemgroup/username, and
> can do so just fine via ssh.
>
> The Samba share is configured as follows:
>
> [chemgroup]
> comment = Chemistry Group Share
> path = /home/chemgroup
> valid users = @chemgroup
> public = no
> browseable = no
> writeable = yes
> printable = no
> force group = chemgroup
> create mask = 0660
> directory mask = 0770
>
> Note, username is a member of chemgroup.
>
> username can connect to \\server\chemgroup and can create new files and
> directories there. And username can navigate to the username folder
> within chemgroup. BUT, here's where it gets weird . . . username can
> create a new file within the chemgroup\username folder, but they cannot
> even change the name of the file they just created. And they can't
> delete the file they just created (and couldn't rename).
>
> This same behavior is even presented with Home directories, with the
> homes section looking like this:
>
> [homes]
> comment = Home Directories
> browseable = no
> read only = no
> create mask = 0640
> directory mask = 0750
> valid users = %S
>
> Thank you for any help or guidance.
>
> John
>
>>
--
* - - - - * - - - - * - - - - * - - - - * - - - - * - - - - * - - - - *
John Maher
Senior Systems and Network Administrator
Department of Biochemistry & Molecular Biology and
Department of Chemistry
University of Massachusetts - Amherst
voice: 413-577-3120 fax: 413-545-4490
OpenPGP Key ID: 0x2970A144
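
Added example, not part of the original thread: a small parser that applies the POSIX ACL access-check order (owner, named user, group class, other) to the getfacl output quoted in the message, to show which entry decides access for a given identity. Creating, renaming and deleting entries in a directory all require write and search (wx) on that directory; the function names and the account `otheruser` are assumptions made for illustration.

```python
import re

# Constructed input: the getfacl output quoted in the message above.
GETFACL_OUTPUT = """\
# file: home/chemgroup/username
# owner: username
# group: chemgroup
user::rwx
group::r-x
other::---
"""

def parse_getfacl(text):
    """Return (owner, owning_group, {(tag, qualifier): set_of_perms})."""
    owner = group = None
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        else:
            # "default:" entries do not match and are skipped on purpose:
            # they only seed new children, they do not gate access.
            m = re.match(r"(user|group|mask|other):([^:]*):([r-][w-][x-])", line)
            if m:
                tag, qualifier, perms = m.groups()
                acl[(tag, qualifier)] = set(perms) - {"-"}
    return owner, group, acl

def check_access(text, user, groups, need="wx"):
    """Return (deciding_class, granted) for `user` with group list `groups`."""
    owner, group, acl = parse_getfacl(text)
    need = set(need)
    mask = acl.get(("mask", ""), set("rwx"))  # minimal ACLs carry no mask
    if user == owner:
        return "owner", need <= acl[("user", "")]
    if ("user", user) in acl:
        return "named user", need <= (acl[("user", user)] & mask)
    # Group class: the owning-group entry plus any named-group entries
    # that match one of the caller's groups; one entry must grant it all.
    matched = [perms & mask for (tag, q), perms in acl.items()
               if tag == "group" and (q or group) in groups]
    if matched:
        return "group", any(need <= perms for perms in matched)
    return "other", need <= acl[("other", "")]
```

Running the same check against the identity smbd actually uses for the session (not only the name typed at login) shows whether the owner entry or the group entry is the one being applied.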