Ed Tapanes's picture

Howdy!  Am new to the Linux world and have been fumbling around trying to get a simple file server up and running in my small office.  Real basic needs for now, just sharing files amongst coworkers, but eventually I'm going to need to set up more detailed security privileges (Tom and Dick can read and write to everything, Harry can only read, etc.).  But for now I just want to get the files up on the server and shared.

 

I've created the users in Linux and synched them in Samba (via Webmin and then through smbpasswd just to be safe), have pored through hundreds of different sites detailing solutions via permissions, smb.conf changes, etc.  I've tried them all to no avail.

 

My problem is that I'm able to create the shares but they are created with the user ROOT.  Logged in as ROOT and I can do as I please.  Log in as another user and I'm able to see the files but not able to change them or create new ones.  If I change the owner to whatever the user is then that user is able to do as they please, but no one else can (in that directory).  No other user is able to create anything in a share that is not owned by them.  You're all probably pointing at the screen and laughing, but this has me perplexed.

How can I create a share that allows multiple users to copy files to it, modify them, delete them, etc..?  I don't want to strip security away entirely but am willing to try anything at this point.

 

HAALLPP!!

BTW, I am CLI-tarded so if it can't be done in webmin, please explain it slowly and with small words.

 

Here's a copy of my SMB.CONF file:


[global]
log file = /var/log/samba/samba.log
add group script = /usr/sbin/groupadd '%g'
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
socket options = TCP_NODELAY
delete group script = /usr/sbin/groupdel '%g'
obey pam restrictions = yes
admin users = root
add user to group script = /usr/sbin/usermod -G '%g' '%u'
null passwords = yes
public = yes
passwd program = /usr/bin/passwd %u
passdb backend = tdbsam
wins support = true
dns proxy = no
netbios name = MY-FS
server string = Primary File Server
writeable = yes
unix password sync = yes
workgroup = WORKGROUP
os level = 20
add user script = /usr/sbin/useradd -m '%u' -g users -G users
syslog = 0
security = user
panic action = /usr/share/samba/panic-action %d
max log size = 1000
delete user script = /usr/sbin/userdel -r '%u'
pam password change = yes
 
[homes]
comment = Home Directory
path = /home/%u
browseable = no
writeable = yes
 
[cdrom]
    comment = CD-ROM
    read only = yes
    locking = no
    guest ok = yes
    path = /media/cdrom
    preexec = /bin/mount /media/cdrom
    postexec = /bin/umount /media/cdrom
 
[storage]
create mask = 0644
comment = Public Share
directory mask = 0755
writeable = yes
public = yes
path = /srv/storage
 
[data]
path = /srv/storage/data
 
[backup]
comment = Nightly Backup Synch
writeable = yes
public = yes
path = /srv/backup
available = yes
Jeremy Davis's picture

The easiest for general sharing is to set file permissions to 777 (i.e. anyone can read/write/execute):

chmod -R 777 /<path>/<to>/<samba-share>

This should change the permissions for the folder and all subdirectories and contained files (the '-R' switch). And any new files should inherit those same permissions... Note that this is for the Linux users...

Further note that with Samba on Linux (as with Windows) there are 2 levels of permissions: the Samba (or share) level permissions and the filesystem level permissions (the NTFS file/folder permission on Windows). The above command is adjusting the file level permissions; you may also need to tinker with the Samba permissions as well to get your desired results.

Personally I use the Samba permissions to control what is visible or not to the user and the file level permissions to control who has read/write or read only permissions. I don't know if this is the best way but I find it effective.

See how you go, when the time comes to create a more complex setup, feel free to post back and I'll try to help you out.
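
An added example, not part of the original replies: a group-scoped way to let several users write to one share, using the two permission levels described above (filesystem mode bits plus share-level settings in smb.conf). The function names are hypothetical, and the group, share name and path passed to them are assumptions to be replaced with your own.

```shell
#!/bin/sh
# Added example: group-scoped alternative to world-writable share permissions.

# List entries under DIR that are writable by "other"
# (the state a recursive 777 leaves behind).
world_writable() {
    find "$1" -perm -0002 ! -type l
}

# Give GROUP read/write on the whole tree, remove access for everyone else,
# and set the setgid bit on directories so new files inherit the group.
group_share_perms() {
    dir=$1
    group=$2
    chgrp -R "$group" "$dir" &&
    chmod -R u+rwX,g+rwX,o-rwx "$dir" &&
    find "$dir" -type d -exec chmod g+s {} +
}

# Print an smb.conf stanza that limits the share to members of GROUP and
# keeps files created over SMB group-writable.
share_stanza() {
    cat <<EOF
[$1]
    path = $2
    valid users = @$3
    read only = no
    force group = $3
    create mask = 0660
    directory mask = 0770
EOF
}

# Example usage (run as root; "office" is an assumed group name):
#   world_writable /srv/storage/data
#   group_share_perms /srv/storage/data office
#   share_stanza data /srv/storage/data office >> /etc/samba/smb.conf
```

Users added to the group get write access at both levels; a user who should only read can be named in the share's `read list` parameter.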

Ed Tapanes's picture

Jeremy, I owe you a beer brother.  Worked like a charm.  I had the permissions set to 755 before.

 

I'm going to have to read up on permissions, etc..  Any recommendations for a newbie?

 

Thanks again Jeremy!!

Jeremy Davis's picture

You should only ever allow SMB access over a LAN. The only time you should ever access SMB remotely is through a VPN (i.e. as a member of the LAN). SMB was never intended to be used out in the open...

I'm not sure what protocols Aptava supports but personally a secure one that is safe online such as SFTP would be the way to go. Even if it doesn't support it OOTB I'm sure that there would be a plugin for it.

FWIW TKL already has SFTP configured and enabled; although the setup of a new user who is part of the www-data group would probably be best.

Doug Gale's picture

Don't wipe your permissions. All you need to do is add the uid and gid to the mount:
sudo mount //computername/sharename /mountlocation -o user=whatever,uid=$UID,gid=$GROUPS,rw
It tells Samba to make it appear that all the files are owned by the specified user id and files are the group id created with their username. The user id and gid it specifies are the mounting user.
cata's picture

You are the best!
