[Samba] Read-only permissions - incorrect user mapping?

Rowland penny rpenny at samba.org
Thu Dec 26 20:31:12 UTC 2019

On 26/12/2019 19:28, Steven Foucault wrote:
> CentOS 8
> Samba 4.9.1
> Client: macOS 10.14
> [global]
>      workgroup = LOCAL
>      log file = /var/log/samba/log.smb
>      max log size = 1000
>      syslog = 0
>      server role = standalone server
>      #unix password sync = no
>      min protocol = SMB2
>      vfs objects = catia fruit streams_xattr
>      fruit:aapl = yes
>      fruit:copyfile = yes
>      spotlight = yes
>      use sendfile = yes
>      delete veto files = true
>      fruit:wipe_intentionally_left_blank_rfork = yes
>      fruit:delete_empty_adfiles = yes
>      disable netbios = yes
>      dns proxy = no
>      smb ports = 445
>>>>>> [share]
>>>      path = /tank
>>>      read only = no
>>>      create mask = 0600
>>>      directory mask = 0700
>>>      public = no
>>>      force user = steven

I have removed all the default settings and commented out one line, more 
on this later.

I think you are misunderstanding Samba and users. You are running Samba 
as a standalone server and you need to create users on each Samba 
machine with 'smbpasswd', this user must already exist as a Unix user. 
At the moment, any user known to Samba can connect to the share, but 
only 'Steven' has the write permission. It looks like you are connecting 
as a different user (yes, this different user can also be called 
'Steven'), are you passing the workgroup as well ?

When you add 'force user', this is only used after authentication and 
ensures that all files will end up belonging to the 'force user' (Steven 
in this case), this can lead to problems. If user 'fred' can connect to 
a share that has 'force user = steven' set and can write to the share, 
with your settings, 'fred' would not be able to read the file he just 

Can I suggest you read 'man smbconf' for more info.

Coming back to the line I commented, as you set it, it a default, but it 
will mean that the Samba users password will not be synced with the Unix 
users password, this can lead to problems if the users actually log into 
the Unix machine Samba is running on.


More information about the samba mailing list