Linux – How to manage permissions on a Samba mount

file-permissionslinuxnetwork-sharepermissionssamba

I have a Samba server (nas01) which presents a share called downloads. The permissions on that share are as follows:

root@nas01:/mnt/storage/downloads# ls -al drwxrwxr-x+ 9 phil samba-users 4096 Aug 16 00:09 . drwxrwxr-x 3 phil samba-users 4096 Aug 13 22:16 .. drwxrwx---+ 231 phil samba-users 12288 Aug 15 00:56 Movies drwxrwx---+ 42 phil samba-users 4096 Aug 15 23:15 TV

The users used to remotely access the Samba share are local users on the Samba server and are all in the group samba-users. Locally, on the Samba server itself, those users can access the files:

root@nas01:/mnt/storage/downloads# sudo -u plex ls TV | wc -l 40

When the share is mounted on another Linux server (plex01), this is how it appears:

root@plex01:/mnt/downloads# ls -al drwxrwxr-x+ 9 phil 1001 0 Aug 15 23:09 . drwxr-xr-x 3 root root 4096 Aug 18 20:09 .. drwxrwx---+ 231 phil 1001 0 Aug 14 23:56 Movies drwxrwx---+ 42 phil 1001 0 Aug 15 22:15 TV

The local root user can access it:

root@plex01:/mnt/downloads# ls TV | wc -l 40

But the local plex user cannot:

root@plex01:/mnt/downloads# sudo -u plex ls TV ls: cannot open directory TV: Permission denied

If I create a local group with GID 1001 and add the plex user to it… then it can access the files.

root@plex01:/mnt/downloads# ls -al drwxrwxr-x+ 9 phil plexrunner 0 Aug 15 23:09 . drwxr-xr-x 3 root root 4096 Aug 18 20:09 .. drwxrwx---+ 231 phil plexrunner 0 Aug 14 23:56 Movies drwxrwx---+ 42 phil plexrunner 0 Aug 15 22:15 TV

root@plex01:/mnt/downloads# groups plex plex : plex plexrunner

root@plex01:/mnt/downloads# sudo -u plex ls TV | wc -l 40

So, the question is… what is the right way to manage these permissions?

Is there, for example, a way to mount the share such that local user permissions are not observed? This is an LXC container specifically for running Plex, so that is probably ok.
Can local user permissions be applied to the share without them propagating up to the Samba server and affecting all clients?
Am I missing something really obvious here..?

Best Answer

You have to have a way to match IDs (user or group) on server and client. If you're not in an environment using a directory server and such, you can assign ownership through the group. Export the folder with the group set for samba-users. Make sure that the GID for the group is the same on server and client by creating the same group on all the clients and ensuring that the users are members of that group. Set permissions for the folder and all the contents to the group.

Related Solutions

Samba Permissions – I’m going to throw it!

This might help. I do something similar, but only one share is open to the group's users. Other shares are read-only except for a single maintainer user. The [global] section of my smb.conf is almost identical to yours, except I don't use the force create/directory mode directives (in my case, they'd interfere with the other shares).

Here's the share definition:

[shared stuff]
        comment = blah, blah, etc
        path = /path/to/share
        write list = @sambagroup
        force group = +sambagroup
        read only = yes
        directory mask = 0775
        create mask = 0664
        guest ok = yes
        invalid users = root
        case sensitive = True
        default case = lower
        preserve case = yes
        short preserve case = yes

The important stuff here are these:

read only = yes -- by default, read only.
guest ok = yes -- guests can browse.
write list = @sambagroup -- Authenticated members of sambagroup can write.
force group = +sambagroup -- The + means that the force only applies to existing members of sambagroup. They're already the only ones who can write. I think, without the +, guest is given sambagroup credentials, which is not wanted (particularly with the write list directive above).
directory mask = 0775
create mask = 0664

These do exactly what you want yours to do: "drwxrwxr-x" on directories, "rwxrwxr-x" on files, and newly created files are owned by the user and sambagroup. The maintainers of the other shares get the same permissions as everyone else when working in shared stuff, and permissions & groups are normal when they work in the other shares.

My smb.conf has been working with only minor tweaks through several different versions of Samba, and currently is used with Samba 3.2.5. I never had it running on Ubuntu 8.04, but it ran on Ubuntu 7.04 for a long time before getting migrated to a recent Debian Lenny install.

Linux – Samba, Apache and SVN. Getting the permissions right

Have the files and directories owned by a group, which Apache runs as. Make the directories SGID.

chgrp -R group1 /path/to/htdocs
find  /path/to/htdocs -type d -exec chmod 2775 {} \;

Specify this group under the SAMBA share, which can be done with force group=group1.

Make the user you authenticate to SAMBA with a member of this group. Specify this user within valid users and write list within your share in SAMBA. This should also allow you commit to SVN.

Also, specify create mask=0664 and directory mask=2775 within smb.conf, which will set the appropriate permissions upon creation. If the files are owned by the same user as Apache, you can set the final bit to 0 on both settings.

If everything is applied consistently, you should be able to perform all desired actions without negatively impacting any functionality.

Best Answer

Related Solutions

Samba Permissions – I’m going to throw it!

Linux – Samba, Apache and SVN. Getting the permissions right

Related Topic