Debian – Samba force user doesn't work

Tags: debian, mac-osx, samba

I am using Samba 3.6.6 on Debian Wheezy.

I want to be able to change www files on my dev server using my macbook.
So I set up Samba and made a share for the /var/www directory.

I added the users bart & root to Samba to connect. I connect using Command-K and then smb://192.168.2.100 (my Samba server).

As Apache uses www-data as the user and group for the www files, I use force user and force group in Samba to prevent errors in the rights.

However, it does force the group www-data, but doesn't force the user. Every file I create is owned by root in the group www-data.

To look for errors, I tailed the logs in /var/log/samba and only found an error in log.smbd when restarting the Samba service. See the log here:

smbd version 3.6.6 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2011
[2013/09/23 11:14:22.601031,  0] printing/print_cups.c:110(cups_connect)
  Unable to connect to CUPS server localhost:631 - Connection refused
[2013/09/23 11:14:22.602215,  0] printing/print_cups.c:487(cups_async_callback)
  failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL

And here is my smb.conf:

[global]
    server string = %h server
    map to guest = Bad User
    obey pam restrictions = Yes
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    dns proxy = No
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    idmap config * : backend = tdb

[homes]
    comment = Home Directories
    valid users = %S
    create mask = 0700
    directory mask = 0700
    browseable = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    create mask = 0700
    printable = Yes
    print ok = Yes
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers

[www]
    comment = www
    path = /var/www/
    valid users = bart, root
    admin users = bart, root
    write list = bart, root
    force user = www-data
    force group = www-data
    read only = No

I even tried adding www-data to the valid users as well as the admin users and the write list. This of course did not have any effect.

Can you help me out? Thanks in advance!

Best Answer

I think that in this case the option admin users overrides the option force user. So when you connect as the user bart to the share www, it will be granted administrative privileges on it and all file operations will be done as the super-user root.

Try to remove the user bart from the admin users list, reload the service and verify its behavior again.

Finally, it's worth mentioning that the user bart has to have write permissions on that directory. You can use ACLs to achieve that or add the user to the www-data group.
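
A small audit of the interaction this answer describes, as an added example that is not part of the original post: it flags shares where admin users is set together with force user and reports which owner new files would get. It assumes, as the answer suggests for this Samba version, that admin users takes precedence; the function names and the [www-fixed] share are constructed for illustration.

```python
import re

# Constructed sample: the [www] share from the question, plus a variant
# without "admin users" (the share name www-fixed is made up here).
SAMPLE = """\
[www]
    valid users = bart, root
    admin users = bart, root
    force user = www-data
    force group = www-data

[www-fixed]
    valid users = bart
    write list = bart
    force user = www-data
    force group = www-data
"""

def parse_shares(text):
    """Return {share: {param: value}}. Parameter names are lower-cased and
    whitespace-normalised; backslash line continuations are not handled."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = shares.setdefault(header.group(1).strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return shares

def users(value):
    """Split a user list; @group entries are kept as-is, not expanded."""
    return [u for u in re.split(r"[,\s]+", value or "") if u]

def effective_owner(params, login):
    """Owner of new files for `login`, assuming admin users wins over force user."""
    if login in users(params.get("admin users")):
        return "root"
    return params.get("force user", login)

def audit(text):
    """List (share, admins) where admin users would bypass force user."""
    return [(name, users(p["admin users"]))
            for name, p in parse_shares(text).items()
            if "force user" in p and users(p.get("admin users"))]

if __name__ == "__main__":
    for share, admins in audit(SAMPLE):
        print(f"[{share}] force user is bypassed for: {', '.join(admins)}")
```

To check a real configuration, pass the contents of smb.conf (or the output of testparm -s) to audit().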