[Samba] Group write does not allow delete or rename?
Paul Szabo
paul.szabo at sydney.edu.au
Wed May 15 07:27:53 UTC 2024
Dear Samba list,

I have an issue with what seems to be group permissions, when using a
stand-alone Samba file server.

I have a directory where files are meant to be writable to a group of
users. The permissions on Linux are:

root# ls -ld /users/misc/teaching /users/misc/teaching/*
drwxrws--- 2 teaching csos 4096 May 15 08:47 /users/misc/teaching
-rw-rw---- 1 teaching csos 17 May 15 08:23 /users/misc/teaching/test.txt

so the users in that group:

root# grep csos /etc/group
csos:*:113:bruce,mike,psz

can do anything to the files: read, write, delete, or create new files.
(Newly created files would be owned by the creator and might end up with
"wrong" permissions, I have a CRON job to "fix" owner and permissions.)
This scheme works well on Linux.

To make these (and some other) files accessible to Windows users, I run a
stand-alone Samba server, and Windows users (in the group) can read and
write the files (e.g. can edit with notepad); can also create new files.
But, they cannot delete or rename (pre-existing) files!

I wonder whether this oddity is caused by some setting in my smb.conf
(shown below); or there is some bug in Samba; or my expectations are
wrong and this is a "sorry no can't do" issue.

An observation, that seems an oddity. When on Windows and checking
permissions of the file, I see "Unix User\teaching" to have full
control; while "Unix Group\teaching" only has Read&Execute, Read and
Write, and no FullControl or Modify permissions; checking advanced
permissions, the group misses FullControl, Delete, ChangePermissions and
TakeOwnership rights. It seems odd that the Linux "rw-" for the user
translates into full control, while for the group it translates into
just Read and Write, and also Read&Execute.

Thanks in advance for any ideas or help you may provide.

Thanks, Paul

My smb.conf file (comments within deleted for brevity):

[global]
workgroup = ENNAGROUP
passdb backend = smbpasswd:/var/lib/samba/private/smbpasswd
hostname lookups = yes
invalid users = root
wide links = yes
guest account = smbguest
load printers = no
utmp = yes
mangled names = no
map archive = no
preexec = /usr/bin/logger -pdaemon.info -t 'samba[%d]' 'Connect %S for %u from %m (%M, %I)'
postexec = /usr/bin/logger -pdaemon.info -t 'samba[%d]' 'Disconnect %S for %u from %m (%M, %I)'
debug pid = yes
debug uid = yes
strict locking = no
unix extensions = no
dont descend = /proc,/dev
socket options = TCP_NODELAY
server min protocol = NT1
ntlm auth = ntlmv1-permitted
log file = /var/log/samba/log.%M
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d
server role = standalone server
obey pam restrictions = yes
unix password sync = no
passwd program = /bin/false
pam password change = no
map to guest = never
client signing = mandatory
restrict anonymous = 2
usershare max shares = 0
usershare allow guests = no
vfs objects = acl_xattr
acl_xattr:ignore system acls = yes
create mask = 0744
directory mask = 0755
[home]
path = /users/%g/%u
create mask = 0700
directory mask = 0700
writeable = Yes
posix locking = No
veto files = /$RECYCLE.BIN/
[teaching]
path = /users/misc/teaching
create mask = 0700
directory mask = 0700
writeable = Yes
posix locking = No
--
Paul Szabo psz at maths.usyd.edu.au www.maths.usyd.edu.au/u/psz
School of Mathematics and Statistics University of Sydney Australia
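
An added illustration, not part of the message above and not Samba code: the POSIX rule behind "this scheme works well on Linux", evaluated for the mode bits and the /etc/group line quoted in the post. On Linux, delete and rename are decided by write and search permission on the parent directory, whereas the Windows dialog described in the post lists Delete as a right on the file itself. The model covers only classic owner/group/other mode bits (no ACLs, no root, no primary groups); the user `alice`, the helper names and the sticky-bit branch are constructed for the example.

```python
import stat

GROUP_LINE = "csos:*:113:bruce,mike,psz"   # /etc/group entry quoted in the post
# Modes from the `ls -ld` output in the post: drwxrws--- and -rw-rw----
TEACHING_DIR = {"mode": 0o2770, "owner": "teaching", "group": "csos"}
TEST_TXT = {"mode": 0o0660, "owner": "teaching", "group": "csos"}

def group_members(line):
    """Return (group name, set of members) from one /etc/group line."""
    name, _pw, _gid, members = line.strip().split(":")
    return name, {m for m in members.split(",") if m}

def groups_of(user):
    """Supplementary groups of `user` according to GROUP_LINE only."""
    name, members = group_members(GROUP_LINE)
    return {name} if user in members else set()

def class_bits(user, groups, obj):
    """Pick the rwx triplet POSIX applies: owner, else group, else other."""
    mode = obj["mode"]
    if user == obj["owner"]:
        return (mode >> 6) & 7
    if obj["group"] in groups:
        return (mode >> 3) & 7
    return mode & 7

def may_write(user, groups, entry):
    """Changing a file's contents is governed by the file's own w bit."""
    return bool(class_bits(user, groups, entry) & 2)

def may_delete(user, groups, parent, entry):
    """unlink/rename needs w+x on the parent directory; the file's own
    mode is not consulted unless the directory has the sticky bit."""
    if (class_bits(user, groups, parent) & 3) != 3:
        return False
    if parent["mode"] & stat.S_ISVTX:
        return user in (entry["owner"], parent["owner"])
    return True

if __name__ == "__main__":
    for user in ("psz", "alice"):          # alice: constructed non-member
        g = groups_of(user)
        print(user, "write:", may_write(user, g, TEST_TXT),
              "delete/rename:", may_delete(user, g, TEACHING_DIR, TEST_TXT))
```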