[Samba] Optimal File Permissions for Shared Access Between Windows and Linux
Jonathan Szalavecz
john_johnk at hotmail.com
Wed Oct 23 22:08:41 UTC 2024
Hi Rowland,
I've been working with the ACLs, and everything looks good! It seems I
can now proceed with your Samba configuration.

[global]
min protocol = SMB3
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will be part of
workgroup = WORKGROUP
vfs objects = catia fruit streams_xattr acl_xattr
fruit:delete_empty_adfiles = yes
fruit:metadata = stream
fruit:nfs_aces = no
fruit:veto_appledouble = no
fruit:wipe_intentionally_left_blank_rfork = yes
map acl inherit = Yes

[NAS]
comment = RaspberryPi
path = /mnt/shared
read only = no

[DatabaseShare]
comment = Database File Share
path = /mnt/shared/partage_de_fichiers
read only = no

Here are a few examples of the ACLs:

The directory I need to share with my wife

# file: mnt/shared/partage_de_fichiers
# owner: john_johnk
# group: sharedaccess
# flags: -s-
user::rwx
group::rwx
other::---

A utility directory

# file: mnt/shared/Utilitaires PC
# owner: john_johnk
# group: john_johnk
user::rwx
group::---
other::---

A db file

# file: mnt/shared/Database.kdbx
# owner: john_johnk
# group: john_johnk
user::rw-
group::---
other::---

The overall /mnt/shared

# file: mnt/shared
# owner: john_johnk
# group: sharedaccess
user::rwx
user:john_johnk:rwx
group::rwx
mask::rwx
other::---

Let me know if you need any further adjustments!
Best,
John

On 10/21/2024 at 10:49 AM, Rowland Penny via samba wrote:
> Sorry about that, I missed that out, try this one:
>
> [global]
> workgroup = WORKGROUP
> vfs objects = catia fruit streams_xattr
> fruit:delete_empty_adfiles = yes
> fruit:metadata = stream
> fruit:nfs_aces = no
> fruit:veto_appledouble = no
> fruit:wipe_intentionally_left_blank_rfork = yes
>
> [NAS]
> comment = RaspberryPi
> path = /mnt/shared
> read only = no
> create mask = 0600
> directory mask = 0700
>
> [DatabaseShare]
> comment = Database File Share
> path = /mnt/shared/partage_de_fichiers
> read only = no
> create mask = 0660
> directory mask = 0770
> force group = sharedaccess
> force create mode = 0660
>
> The major problem people have with Samba is that they say it is hard to configure, all those parameters to set, totally missing that mostly they are setting defaults that do not need to be manually set.
> You also may find it easier if you also install the acl and attr packages (they may be already installed) and use acl_xattr, so that:
>
> vfs objects = catia fruit streams_xattr
>
> Becomes:
>
> vfs objects = catia fruit streams_xattr acl_xattr
> map acl inherit = Yes
>
> Then read up on setfacl and getfacl. These will allow you to set finer control on your directories and files.
> You would then not require the 'create', 'directory' & 'force' lines.
>
> Rowland
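
Added example, not part of the original thread: a small Python check that parses getfacl output and reports whether a shared directory has the group ownership, setgid flag, closed "other" entry and default ACL entries that setfacl-based control relies on once the 'create', 'directory' and 'force' lines are dropped. The function names, the policy checked and the second sample record are assumptions made for illustration.

```python
import re

# Constructed sample in getfacl format: record 1 copies the shared directory as
# posted; record 2 is hypothetical and adds default entries (see `setfacl -d`).
SAMPLE = """\
# file: mnt/shared/partage_de_fichiers
# owner: john_johnk
# group: sharedaccess
# flags: -s-
user::rwx
group::rwx
other::---

# file: mnt/shared/example_with_defaults
# owner: john_johnk
# group: sharedaccess
# flags: -s-
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:other::---
"""

def parse_getfacl(text):
    """Yield one dict per file: header fields, access ACL and default ACL."""
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"acl": {}, "default": {}}
        for line in map(str.strip, block.splitlines()):
            header = re.match(r"#\s*(file|owner|group|flags):\s*(.*)", line)
            if header:
                rec[header.group(1)] = header.group(2)
            elif line and not line.startswith("#"):
                entry = line.split("#")[0].strip()  # drop "#effective:" notes
                kind = "default" if entry.startswith("default:") else "acl"
                tag, qualifier, perms = entry.removeprefix("default:").split(":")
                rec[kind][(tag, qualifier)] = perms
        yield rec

def audit_shared_dir(rec, group):
    """List problems for a directory whose files `group` members must all edit."""
    d = rec["default"]
    checks = [
        (rec.get("group") != group, "owning group is not " + group),
        (rec.get("flags", "---")[1:2] != "s", "setgid bit not set"),
        (rec["acl"].get(("other", "")) != "---", "other has access"),
        ((d.get(("group", "")), d.get(("other", ""))) != ("rwx", "---"), "no default ACL for new files to inherit"),
    ]
    return [message for failed, message in checks if failed]
```

Feed it the output of `getfacl -R` on the share path; an empty list from audit_shared_dir means the directory meets all four checks.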