
Thread: SMB permission propagation?

  1. #1

    SMB permission propagation?

    Hey all. This is a subject that Google has been less than helpful on, so I'm hoping someone here has some experience with this.

    I have a share on my server that I want to use to access from both my laptop and my desktop. I want my username (conor) to be able to write to it, and everyone to be able to read from it.

    Right now, everyone has read access to the entire share, and conor can write to the top-level directory. Unfortunately, the write permissions don't seem to propagate to subdirectories. E.g. "touch /storage1/test" works, but "touch /storage1/music/test" gives Permission Denied.

    Anyone know how to propagate permissions to subdirectories?

    current smb.conf:

    # This is the main Samba configuration file. You should read the
    # smb.conf(5) manual page in order to understand the options listed
    # here. Samba has a huge number of configurable options (perhaps too
    # many!) most of which are not shown in this example
    # Any line which starts with a ; (semi-colon) or a # (hash)
    # is a comment and is ignored. In this example we will use a #
    # for commentry and a ; for parts of the config file that you
    # may wish to enable
    # NOTE: Whenever you modify this file you should run the command "testparm"
    # to check that you have not made any basic syntactic errors.
    #======================= Global Settings =====================================
    # workgroup = NT-Domain-Name or Workgroup-Name
       workgroup = WORKGROUP
    # server string is the equivalent of the NT Description field
       server string = Conor-sv
    # This option is important for security. It allows you to restrict
    # connections to machines which are on your local network. The
    # following example restricts access to two C class networks and
    # the "loopback" interface. For more examples of the syntax see
    # the smb.conf man page
       hosts allow = 192.168.1. 127.
    # if you want to automatically load your printer list rather
    # than setting them up individually then you'll need this
    #   printcap name = /etc/printcap
    #   load printers = yes
    # It should not be necessary to spell out the print system type unless
    # yours is non-standard. Currently supported print systems include:
    # bsd, sysv, plp, lprng, aix, hpux, qnx
    ;   printing = bsd
    # Uncomment this if you want a guest account, you must add this to /etc/passwd
    # otherwise the user "nobody" is used
    ;  guest account = pcguest
    # this tells Samba to use a separate log file for each machine
    # that connects
     log file = /var/log/samba/%m.log
    # all log information in one file
    #   log file = /var/log/samba/smbd.log
    # Put a capping on the size of the log files (in Kb).
       max log size = 50
    # Security mode. Most people will want user level security. See
    # security_level.txt for details.
       security = user
    # Use password server option only with security = server
    ;   password server = <NT-Server-Name>
    # Password Level allows matching of _n_ characters of the password for
    # all combinations of upper and lower case.
    ;  password level = 8
    ;  username level = 8
    # You may wish to use password encryption. Please read
    # ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
    # Do not enable this option unless you have read those documents
    ;  encrypt passwords = yes
    ;  smb passwd file = /etc/samba/smbpasswd
    # The following are needed to allow password changing from Windows to
    # update the Linux system password also.
    # NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
    # NOTE2: You do NOT need these to allow workstations to change only
    #        the encrypted SMB passwords. They allow the Unix password
    #        to be kept in sync with the SMB password.
    ;  unix password sync = Yes
    ;  passwd program = /usr/bin/passwd %u
    ;  passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
    # Unix users can map to different SMB User names
      username map = /etc/samba/smbusers
    # Using the following line enables you to customise your configuration
    # on a per machine basis. The %m gets replaced with the netbios name
    # of the machine that is connecting
    ;   include = /etc/samba/smb.conf.%m
    # Most people will find that this option gives better performance.
    # See speed.txt and the manual pages for details
       socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    # Configure Samba to use multiple interfaces
    # If you have multiple network interfaces then you must list them
    # here. See the man page for details.
    ;   interfaces =
    # Configure remote browse list synchronisation here
    #  request announcement to, or browse list sync from:
    #       a specific host or from / to a whole subnet (see below)
    ;   remote browse sync =
    # Cause this host to announce itself to local subnets here
    ;   remote announce =
    # Browser Control Options:
    # set local master to no if you don't want Samba to become a master
    # browser on your network. Otherwise the normal election rules apply
    ;   local master = no
    # OS Level determines the precedence of this server in master browser
    # elections. The default value should be reasonable
    ;   os level = 33
    # Domain Master specifies Samba to be the Domain Master Browser. This
    # allows Samba to collate browse lists between subnets. Don't use this
    # if you already have a Windows NT domain controller doing this job
    ;   domain master = yes
    # Preferred Master causes Samba to force a local browser election on startup
    # and gives it a slightly higher chance of winning the election
    ;   preferred master = yes
    # Enable this if you want Samba to be a domain logon server for
    # Windows95 workstations.
    ;   domain logons = yes
    # if you enable domain logons then you may want a per-machine or
    # per user logon script
    # run a specific logon batch file per workstation (machine)
    ;   logon script = %m.bat
    # run a specific logon batch file per username
    ;   logon script = %U.bat
    # Where to store roving profiles (only for Win95 and WinNT)
    #        %L substitutes for this servers netbios name, %U is username
    #        You must uncomment the [Profiles] share below
    ;   logon path = \\%L\Profiles\%U
    # All NetBIOS names must be resolved to IP Addresses
    # 'Name Resolve Order' allows the named resolution mechanism to be specified
    # the default order is "host lmhosts wins bcast". "host" means use the unix
    # system gethostbyname() function call that will use either /etc/hosts OR
    # DNS or NIS depending on the settings of /etc/host.config, /etc/nsswitch.conf
    # and the /etc/resolv.conf file. "host" therefore is system configuration
    # dependant. This parameter is most often of use to prevent DNS lookups
    # in order to resolve NetBIOS names to IP Addresses. Use with care!
    # The example below excludes use of name resolution for machines that are NOT
    # on the local network segment
    # - OR - are not deliberately to be known via lmhosts or via WINS.
    ; name resolve order = wins lmhosts bcast
    # Windows Internet Name Serving Support Section:
    # WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
    ;   wins support = yes
    # WINS Server - Tells the NMBD components of Samba to be a WINS Client
    #       Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
    ;   wins server = w.x.y.z
    # WINS Proxy - Tells Samba to answer name resolution queries on
    # behalf of a non WINS capable client, for this to work there must be
    # at least one  WINS Server on the network. The default is NO.
    ;   wins proxy = yes
    # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
    # via DNS nslookups. The built-in default for versions 1.9.17 is yes,
    # this has been changed in version 1.9.18 to no.
       dns proxy = no
    # Case Preservation can be handy - system default is _no_
    # NOTE: These can be set on a per share basis
    ;  preserve case = no
    ;  short preserve case = no
    # Default case is normally upper case for all DOS files
    ;  default case = lower
    # Be very careful with case sensitivity - it can break things!
    ;  case sensitive = no
    #============================ Share Definitions ==============================
       idmap uid = 16777216-33554431
       idmap gid = 16777216-33554431
       template shell = /bin/false
       winbind use default domain = no
     #  comment = Home Directories
     #  browseable = no
     #  writable = yes
    # Un-comment the following and create the netlogon directory for Domain Logons
    ; [netlogon]
    ;   comment = Network Logon Service
    ;   path = /home/netlogon
    ;   guest ok = yes
    ;   writable = no
    ;   share modes = no
            comment = File Server
            path = /storage1/
            browseable = yes
            directory mask = 0755
            create mask = 0755
            inherit permissions = yes
            public = yes
            read only = no
            write list = conor

  2. #2
    Compunuts

    Re:SMB permission propagation?

    just a thought ...

    What if you change of storage1 dir to conor?

  3. #3

    Re:SMB permission propagation?

    I have the exact opposite issue:

    my account has rights to the subfolders, but not to the root of the folders ???

  4. #4

    Re:SMB permission propagation?

    [quote author=Compunuts]
    just a thought ...

    What if you change of storage1 dir to conor?
    [/quote]

    Unfortunately it already is. If I ssh into my server, conor can write to all subdirectories of /storage1. /etc/smbusers contains conor = conor, so this should work in theory

  5. #5

    Re:SMB permission propagation?

    [quote author=trickster]
    I have the exact opposite issue:

    my account has rights to the subfolders, but not to the root of the folders ???
    [/quote]

    Trickster would you mind posting the part of your smb.conf that describes your share? Maybe I can throw something together based on both yours and mine

  6. #6

    Re:SMB permission propagation?

    Sure. I will as soon as I get home.

  7. #7

    Re:SMB permission propagation?

    While you do inherit permissions, you do not inherit ownership !
    So subdirectories are 755 as you wanted, but owned by whoever is the default in your distro (samba.samba, maybe ?). conor is not the owner in subdirs created by samba, therefore with mask 755 he cannot write.

    Try "force user = conor".

    Alternatively you could create a group, say, sambawriters, add the user conor to it, and set "force group = sambawriters", "create mask = 0x775".


  8. #8

    Re:SMB permission propagation?

    Ok I've simplified things to try to track down what's happening. The directory is no longer public...I'll work on that later. For right now this is a completely private directory. I can accept not being able to write to subdirectories that are already there as long as I can write to directories I create over an smb connection (I could just copy the files over and problem would be solved). However, I still cannot write to existing subdirectories, and as soon as I create a new directory on the top-level, it becomes read-only.

    Here's my only share:

            comment = File Server
            path = /storage1
            valid users = conor
            public = no
            writable = yes
            printable = no
            force group = sambawriters
            create mask = 0x0775
            inherit permissions = yes

    User conor is part of the sambawriters group on the server, and /etc/samba/smbusers on the server contains both sambawriters = sambawriters and conor = conor.

    If I create an empty dir in nautilus and then ssh into the server and issue an ls -l /storage1, it shows the following:

    drwxr-xr-x 2 conor sambawriters 1024 Oct 30 14:54 untitled folder

    Interesting...shouldn't a mask of 0x0775 make the folder writable by the sambawriters group? Either way, when I mount the share on my desktop machine (user=conor), I can create empty dirs this way but I can't write to them...right-clicking and looking at permissions in nautilus, nautilus tells me I can't change permissions because I'm not the owner.

    Can anyone help me in either getting existing subdirectories writable, or creating new writable subdirectories?

  9. #9

    Re:SMB permission propagation?


    Your actual permissions are 755 ! This is wrong (in this setup, at least).

    Your samba share is perfect.

    - edit /etc/group and add conor to the sambawriters group
    - run (as root) the following 2 commands:

    # chmod -R 775 /storage1
    # chown -R conor.sambawriters /storage1

    This is to fix permissions and ownership of anything that already is in that directory, and of the directory itself.

    ... and you should be up'n'running.

    From now on, every directory that you create using samba within this share will correctly be owned by conor.sambawriters and have permissions set to 775 (will be group-writeable by sambawriters).
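
An audit-and-repair sketch for the on-disk state this thread is chasing, added here as an example and not part of any poster's reply: with `inherit permissions = yes`, Samba gives a new directory its parent's mode, so a 755 parent yields the `drwxr-xr-x` seen in post #8 regardless of the mask settings. The function names are hypothetical, the path and group in the usage comment come from the posts, and the 2775/664 split (setgid directories, non-executable files) is a choice made here in place of a blanket `chmod -R 775`.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Usage, as root on the server:
#   audit_share /storage1 sambawriters
#   world_writable /storage1
#   fix_share /storage1 sambawriters

# List every directory under $1 that members of group $2 cannot write to:
# either the directory belongs to another group, or group-write is unset.
audit_share() {
    share=$1
    group=$2
    find "$share" -type d \( ! -group "$group" -o ! -perm -020 \) -print
}

# List files and directories writable by "other", which is wider than the
# "conor writes, everyone reads" goal stated in the first post.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print
}

# Repair the tree so the group can write everywhere:
#   directories -> 2775 (setgid: new entries keep the directory's group)
#   files       -> 664  (no execute bit on data files)
fix_share() {
    share=$1
    group=$2
    chgrp -R "$group" "$share"
    find "$share" -type d -exec chmod 2775 {} +
    find "$share" -type f -exec chmod 664 {} +
}
```

Run `audit_share` again after creating a directory over SMB: empty output means the new directory inherited a group-writable mode from its parent.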


  10. #10

    Re:SMB permission propagation?

    I tried changing the owner/group and permissions of /storage1 and /storage1/test to see if I could write to the directory. Note that /storage1/test is a directory that I just created over smb from my desktop.

    From the server:
    chmod 775 /storage1
    chown conor.sambawriters /storage1

    chmod 775 /storage1/test
    chown conor.sambawriters /storage1/test

    I remount my smb share, but still no deal. I can't write to /storage1/test when I mount my share with username=conor. /etc/groups has this entry: sambawriters:x:503:conor .
