Ed Tapanes's picture

Howdy!  Am new to the Linux world and have been fumbling around trying to get a simple file server up and running in my small office.  Real basic needs for now, just sharing files amongst coworkers, but eventually I'm going to need to set up more detailed security privileges (Tom and Dick can read and write to everything, Harry can only read, etc..).  But for now I just want to get the files up on the server and shared.

 

I've created the users in linux and synched them in Samba (via Webmin and then through smbpasswd just to be safe), have pored through hundreds of different sites detailing solutions via permissions, smb.conf changes, etc..  I've tried them all to no avail.

 

My problem is that I'm able to create the shares but they are created with the user ROOT.  Logged in as ROOT and I can do as I please.  Log in as another user and I'm able to see the files but not able to change them or create new ones.  If I change the owner to whatever the user is then that user is able to do as they please, but no one else can (in that directory).  No other user is able to create anything in a share that is not owned by them.  You're all probably pointing at the screen and laughing, but this has me perplexed.

How can I create a share that allows multiple users to copy files to it, modify them, delete them, etc..?  I don't want to strip security away entirely but am willing to try anything at this point.

 

HAALLPP!!

BTW, I am CLI-tarded so if it can't be done in webmin, please explain it slowly and with small words.

 

Here's a copy of my SMB.CONF file:


[global]
log file = /var/log/samba/samba.log
add group script = /usr/sbin/groupadd '%g'
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
socket options = TCP_NODELAY
delete group script = /usr/sbin/groupdel '%g'
obey pam restrictions = yes
admin users = root
add user to group script = /usr/sbin/usermod -G '%g' '%u'
null passwords = yes
public = yes
passwd program = /usr/bin/passwd %u
passdb backend = tdbsam
wins support = true
dns proxy = no
netbios name = MY-FS
server string = Primary File Server
writeable = yes
unix password sync = yes
workgroup = WORKGROUP
os level = 20
add user script = /usr/sbin/useradd -m '%u' -g users -G users
syslog = 0
security = user
panic action = /usr/share/samba/panic-action %d
max log size = 1000
delete user script = /usr/sbin/userdel -r '%u'
pam password change = yes
 
[homes]
comment = Home Directory
path = /home/%u
browseable = no
writeable = yes
 
[cdrom]
    comment = CD-ROM
    read only = yes
    locking = no
    guest ok = yes
    path = /media/cdrom
    preexec = /bin/mount /media/cdrom
    postexec = /bin/umount /media/cdrom
 
[storage]
create mask = 0644
comment = Public Share
directory mask = 0755
writeable = yes
public = yes
path = /srv/storage
 
[data]
path = /srv/storage/data
 
[backup]
comment = Nightly Backup Synch
writeable = yes
public = yes
path = /srv/backup
available = yes
Jeremy Davis's picture

The easiest for general sharing is to set file permissions to 777 (i.e. anyone can read/write/execute):

chmod -R 777 /<path>/<to>/<samba-share>

This should change the permissions for the folder and all subdirectories and contained files (the '-R' switch). And any new files should inherit those same permissions... Note that this is for the Linux users...

Further note that with Samba on Linux (as with Windows) there are 2 levels of permissions. The Samba (or share) level permissions and the filesystem level permissions (the NTFS file/folder permission on Windows). The above command is adjusting the file level permissions, you may also need to tinker with the Samba permissions as well to get your desired results.

Personally I use the Samba permissions to control what is visible or not to the user and the file level permissions to control who has read/write or read only permissions. I don't know if this is the best way but I find it effective.

See how you go, when the time comes to create a more complex setup, feel free to post back and I'll try to help you out.

Ed Tapanes's picture

Jeremy, I owe you a beer brother.  Worked like a charm.  I had the permissions set to 755 before.

 

I'm going to have to read up on permissions, etc..  Any recommendations for a newbie?

 

Thanks again Jeremy!!

Andy Leeman's picture

I too had this problem. I had added system users and then checked to see that they had been synced as samba users, which they were. Was still not able to write to my share. I had to manually go to groups and add all my users to the smbusers group. Worked great after that :)

Juergen's picture

[www]
path = /var/www/
public = yes
writable = yes
comment = smb share
printable = no
guest ok = yes
create mode = 0644
directory mode = 0755
force group = www-data
force user = www-data

restart:

# /etc/init.d/samba restart

and to be on the safe side

# chown -R www-data /var/www/

# chgrp -R www-data /var/www/

Now you should be able to read, write and create to /var/www/ with owner and groups assigned to www-data with Windows/Samba.

 

 

Jay's picture

 

Should definitely NOT allow access to your website contents over smb.  Asking for trouble! To the original poster, you don't have to modify your permissions to fix your issue (and you probably shouldn't).  Just change owner and group to nobody and nogroup.

sudo chown -R nobody:nogroup /mnt/share

Where /mnt/share represents the path to your mounted share. 

jono's picture

Hi there. OK to do samba for only registered samba users?? I.e. guest OK = no, with a samba login. I'm wanting to use aptava for website admin from anywhere.
Jeremy Davis's picture

You should only ever allow SMB access over a LAN. The only time you should ever access SMB remotely is through a VPN (i.e. as a member of the LAN). SMB was never intended to be used out in the open...

I'm not sure what protocols Aptava supports but personally a secure one that is safe online such as SFTP would be the way to go. Even if it doesn't support it OOTB I'm sure that there would be a plugin for it.

FWIW TKL already has SFTP configured and enabled; although the setup of a new user who is part of the www-data group would probably be best.

John's picture

Hi there,

This is a common problem for many *nix users who aren't familiar with linux permissions. Admittedly, I am also a little fuzzy on this myself.

But here is what I do understand:

As a kind of hack, I would set the share file to chown nobody:nogroup /fileshare. While this seems to work for my uses, I am the only user of the *nix box. If I had other system users then this would not suffice.

In order to set this up the *right way*: Your share folder, and all the files under it, need to be set to a group that all your users also belong to. In this way, the users that belong to that group can access files that are also set to that group. Then make sure the file permissions are set to allow group access - chmod 0770 or something like that. Or if you want all users on the system to access the share and you don't care then 0777.

Make sure you restart your Samba service after any modification to the samba config file as well.

This is how I set my shares up, just fyi:


[share]
    comment = JLM File Share
    path = /fileshare
    browsable = yes
    guest ok = yes
    read only = no
    create mask = 0777
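
The group-based setup described in the post above, covering both the filesystem-level and the share-level permissions mentioned earlier in the thread, as an added example that is not part of the original thread. The group name "office", the share name "storage" and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: group-based access for one Samba share.
# Assumed names (not from the thread): group "office", share "storage".
# On a real server, as root, the group would come from:
#   groupadd office && usermod -aG office tom

# Filesystem level: give the tree to the group, keep "other" out.
apply_group_share() {   # usage: apply_group_share <dir> <group>
    chgrp -R "$2" "$1" || return 1
    # 2770 = rwx for owner and group; setgid makes new entries inherit the group
    find "$1" -type d -exec chmod 2770 {} + || return 1
    # 0660 = read/write for owner and group, nothing for other
    find "$1" -type f -exec chmod 0660 {} +
}

# Audit: count world-writable entries and directories missing setgid.
count_findings() {      # usage: count_findings <dir>
    find "$1" ! -type l \( -perm -0002 -o \( -type d ! -perm -2000 \) \) |
        wc -l | tr -d ' '
}

# Share level: smb.conf stanza that matches the filesystem modes above.
# New subdirectories inherit setgid from their parent on Linux, so the
# directory mask only needs 0770.
share_stanza() {        # usage: share_stanza <name> <path> <group>
    cat <<EOF
[$1]
    path = $2
    valid users = @$3
    force group = $3
    read only = no
    guest ok = no
    create mask = 0660
    directory mask = 0770
EOF
}
```

After adding the stanza to smb.conf, `testparm` checks the file for syntax errors before Samba is restarted.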
