[Samba] Optimal File Permissions for Shared Access Between Windows and Linux

Rowland Penny rpenny at samba.org
Mon Oct 21 08:49:59 UTC 2024


On Sun, 20 Oct 2024 00:15:32 +0200
Jonathan Szalavecz <john_johnk at hotmail.com> wrote:

> Hi Rowland,
> 
> Thank you for your feedback, and I apologize for misunderstanding
> your question earlier. Here’s the output of my command:
> 
> ```bash
> john_johnk at raspberrypi: $ df -T /mnt/shared/
> Filesystem     Type  1K-blocks      Used  Available Use% Mounted on
> /dev/sdb1      ext4 1921694992 224061888 1599942632  13% /mnt/shared
> ```
> 
> Regarding your suggested configuration, I'm not entirely sure I 
> understand it. I need access to the entire |/mnt/shared| (NAS), while
> my wife should only have read and write access to 
> |/mnt/shared/partage_de_fichiers|. Shouldn't there be both a 
> |DatabaseShare| and a |NAS| share in the smb.conf? Please let me know
> if I'm missing something.
> 
> Best regards,
> 
> Jonathan
> 

Sorry about that, I missed that out, try this one:

[global]
    workgroup = WORKGROUP
    vfs objects = catia fruit streams_xattr
    fruit:delete_empty_adfiles = yes
    fruit:metadata = stream
    fruit:nfs_aces = no
    fruit:veto_appledouble = no
    fruit:wipe_intentionally_left_blank_rfork = yes

[NAS]
    comment = RaspberryPi
    path = /mnt/shared
    read only = no
    create mask = 0600
    directory mask = 0700

[DatabaseShare]
    comment = Database File Share
    path = /mnt/shared/partage_de_fichiers
    read only = no
    create mask = 0660
    directory mask = 0770
    force group = sharedaccess
    force create mode = 0660

The major problem people have with Samba is that they say it is hard to configure, all those parameters to set, totally missing that mostly they are setting defaults that do not need to be manually set.
You also may find it easier if you also install the acl and attr packages (they may be already installed) and use acl_xattr, so that:

vfs objects = catia fruit streams_xattr

Becomes:

vfs objects = catia fruit streams_xattr acl_xattr
map acl inherit = Yes

Then read up on setfacl and getfacl. These will allow you to set finer control on your directories and files.
You would then not require the 'create', 'directory' & 'force' lines.

Rowland
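
Added example (not part of Rowland's message and not Samba project code): the setfacl/getfacl approach suggested above, applied to the two directories from this thread. The Unix user name "jonathan" is an assumption; "sharedaccess" is the group from the smb.conf above. The script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example. Assumed: Unix user "jonathan" needs the whole tree;
# group "sharedaccess" needs read/write on partage_de_fichiers only.

# Echo each command; execute it only when APPLY=1 (needs root + acl package).
run() {
    echo "+ $*"
    [ "${APPLY:-0}" != 1 ] || "$@"
}

# share_acl ROOT SUBDIR OWNER GROUP
share_acl() {
    root=$1; sub=$2; owner=$3; group=$4
    # ROOT: full access for the owner; the named group entry only allows
    # traversal (--x), which is what it needs to reach SUBDIR.
    run setfacl -m "u:$owner:rwx,g:$group:--x,o::---" "$root"
    # SUBDIR and everything already in it: read/write for owner and group.
    # Capital X adds execute only to directories and already-executable files.
    run setfacl -R -m "u:$owner:rwX,g:$group:rwX,o::---" "$root/$sub"
    # Default ACLs exist only on directories; new files and subdirectories
    # inherit them, so the create/directory/force lines are not needed.
    run find "$root/$sub" -type d -exec setfacl -d -m \
        "u:$owner:rwx,g:$group:rwx,o::---" {} +
    # Show the resulting ACL for review.
    run getfacl -p "$root/$sub"
}

share_acl /mnt/shared partage_de_fichiers jonathan sharedaccess
```

Review the printed commands first, then rerun as root with APPLY=1 and compare the getfacl output against what each user should be able to do.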



