#1 2019-07-29 12:44:48

dreamycrane
Member
Registered: 2019-03-18
Posts: 25

Samba Permissions

Dear Community,

I was following the Archwiki page on samba trying to set a group collaboration share in /srv/samba/restricted.
I changed group ownership of this directory to sambashare group.
My user IS a member of the sambashare group.
Here is the share stanza from smb.conf:

[restricted]
   path = /srv/samba/restricted
   valid users = root @sambashare
   writable = yes
   write list = root @sambashare
   create mask = 664
   force create mode = 664
   directory mask = 2775
   force directory mode = 2775

However, when I mount the share with this:

mount -t cifs -o user=root,password=.... //localhost/restricted /mnt/samba/restricted

...the mounted share gets:

[root@arch ~]# ls -ld /mnt/samba/restricted
drwxr-xr-x 2 root root 0 Jul 29 14:55 /mnt/samba/restricte

Even if I use:

mount -t cifs -o user=root,password=guru,gid=sambashare //localhost/restricted /mnt/samba/restricted

I get:

[root@arch ~]# ls -ld /mnt/samba/restricted
drwxr-xr-x 2 root sambashare 0 Jul 29 14:55 /mnt/samba/restricted

which, although it changes the group ownership to sambashare, used the 755 mask, which makes it useless because my user (dharma), who belongs to the sambashare group, does NOT have write access to the MOUNTED share and INDEED gets a "permission denied" error when he attempts to write in the samba share.

Here are the original share dir permissions:

[root@arch ~]# ls -ld /srv/samba/restricted
drwxrwsr-x 2 root sambashare 4096 Jul 29 14:55 /srv/samba/restricted

Now either samba is utterly and totally stupidly useless not preserving any permissions etc OR I am doing something wrong...
Kindly point out to me what is going on.....
Thanks a lot
Best Regards

Last edited by dreamycrane (2019-07-29 13:31:20)


#2 2019-07-29 13:24:51

WorMzy
Forum Moderator
From: Scotland
Registered: 2010-06-16
Posts: 11,863

Re: Samba Permissions

Please use code tags when posting configs or terminal snippets: https://wiki.archlinux.org/index.php/Co … s_and_code

You haven't configured a group in samba, you've just set it on the local filesystem. I'm not sure how samba handles this, but this is what the man page has to say:

man smb.conf wrote:
       force group (S)

           This specifies a UNIX group name that will be assigned as the default primary group for all users
           connecting to this service. This is useful for sharing files by ensuring that all access to files on
           service will use the named group for their permissions checking. Thus, by assigning permissions for this
           group to the files and directories within this service the Samba administrator can restrict or allow
           sharing of these files.

           In Samba 2.0.5 and above this parameter has extended functionality in the following way. If the group name
           listed here has a '+' character prepended to it then the current user accessing the share only has the
           primary group default assigned to this group if they are already assigned as a member of that group. This
           allows an administrator to decide that only users who are already in a particular group will create files
           with group ownership set to that group. This gives a finer granularity of ownership assignment. For 
           example, the setting force group = +sys means that only users who are already in group sys will have their
           default primary group assigned to sys when accessing this Samba share. All other users will retain their
           ordinary primary group.
           
           If the force user parameter is also set the group specified in force group will override the primary group
           set in force user.
           
           Default: force group =

           Example: force group = agroup

However, I think you're using samba for a task better suited to NFS.

Samba is designed for per-user access to shares (one mount per user).
NFS is designed for per-machine access to shares (one mount per machine).

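Added example, not part of the thread: a small Python check that parses the share stanza from post #1 and applies the force group rules from the man page excerpt quoted above. The function names and dharma's primary group (assumed to be `dharma`) are assumptions made for illustration.

```python
# Added example (not from the thread): audit a share stanza against the
# "force group" semantics quoted from man smb.conf.
SAMPLE = """\
[restricted]
path = /srv/samba/restricted
valid users = root @sambashare
writable = yes
write list = root @sambashare
   create mask = 664
   force create mode = 664
   directory mask = 2775
   force directory mode = 2775
"""  # stanza as posted in #1, including its uneven indentation

def parse_shares(text):
    """Return {share: {param: value}}. smb.conf ignores case and whitespace
    in parameter names; backslash line continuations are not handled here."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.lower().split())] = value.strip()
    return shares

def effective_primary_group(force_group, primary, member_of):
    """Group used for permission checks on the share, per the quoted text."""
    if not force_group:
        return primary                   # users keep their ordinary primary group
    if force_group.startswith("+"):      # '+' form: only existing members switch
        name = force_group[1:]
        return name if name in member_of else primary
    return force_group                   # plain form: applies to every user

def audit(share):
    """List findings for a share that grants access by @group."""
    findings = []
    tokens = (share.get("validusers", "") + " " + share.get("writelist", "")).replace(",", " ").split()
    if any(t.startswith("@") for t in tokens) and not share.get("forcegroup"):
        findings.append("access granted by @group but no force group set")
    if not int(share.get("directorymask", "0755"), 8) & 0o2000:
        findings.append("directory mask lacks the setgid bit")
    return findings

if __name__ == "__main__":
    print(audit(parse_shares(SAMPLE)["restricted"]))
```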

#3 2019-07-29 13:36:15

dreamycrane
Member
Registered: 2019-03-18
Posts: 25

Re: Samba Permissions

Thanks a lot
@WorMzy
I rectified my tags mistake by manually entering the tags.
As I didn't see ready-made tags in the interface, I thought they were unavailable.
On the issue you mentioned:

However, I think you're using samba for a task better suited to NFS.

Samba is designed for per-user access to shares (one mount per user).
NFS is designed for per-machine access to shares (one mount per machine).

This clears EVERYTHING.
Of course NFS is super cool.
The only usage then I see of samba is sharing of home dirs and public shares..
Thanks a lot again
:)

Last edited by dreamycrane (2019-07-29 13:40:33)


#4 2019-07-29 14:38:12

dreamycrane
Member
Registered: 2019-03-18
Posts: 25

Re: Samba Permissions

HOWEVER,
I did some more testing and it seems that although Samba WILL NOT modify unix permissions it DOES lay its own permissions on top...But they are not visible by an ls -l or ls -ld /mountpoint.
Samba share on Linux level always acquires the permissions of the root:root with a mask of 755 because you have to either mount it as root or sudo mount it as a user.
So it seems that in order to use a samba share, FIRST the user has to have sudo privileges because the mounted ownership will be root:root.
SECONDLY, if he has sudo, THEN DO THE SAMBA PERMISSIONS BEGIN TO APPLY.
But they are invisible, as I mentioned earlier.
So yes, if a user has sudo then samba perms will work on top of it.
If not, it's sticky.......
BUT it seems that file managers like caja, nautilus etc. can mount samba shares even if the user is not in the sudoers, and apparently they don't use cifs:// but smb://.
Is this a polkit thing or an smb:// thing, I wonder.......
Any feedback would be very welcome..
:)

Last edited by dreamycrane (2019-07-29 15:03:06)
