My problem is that group and user permissions for the group get changed or created wrong when a file is changed or created by some users.
I want a specific group of users to have read/write permissions to every subdirectory and files.
http://linuxcommand.org/man_pages/setfacl1.html
Good examples:
http://www.calculate-linux.org/main/en/setting_filesystem_acl
I did this:
===
On the Samba server, in /etc/samba/smb.conf, just before the share definitions at the end of the file:
force group = users
===
sudo gedit /etc/fstab
add acl to list of options on all mounts then remount:
sudo mount -a
*- prepare existing files/folders
sudo chgrp -R users /mnt/Files/a-PI/---.test2 #change group folders and files belong to
sudo chmod -R g+rwX /mnt/Files/a-PI/---.test2 #change the current folders/docs to group read/write, capital X changes only folders and executables to executable
*- set default for new folders/files
sudo setfacl -R -m "default:group:groupname:rwx" /mnt/Files/a-PI/---.test2 #group rw but not setting default group
sudo chmod -R g+s /mnt/Files/a-PI/---.test2 #set SGID so new items belong to parent group
without comments:
sudo chgrp -R users /mnt/Files
sudo chmod -R g+rwX /mnt/Files
sudo setfacl -R -m "default:group:groupname:rwx" /mnt/Files
sudo chmod -R g+s /mnt/Files
— maybe not so much the below info
Then as root:
su
chgrp users /media/Office-Files && chmod g+s /media/Office-Files
chgrp users -R /media/Closed # not -> && chmod g+s /media/Closed see Note
chgrp users /media/Local-backup && chmod g+s /media/Local-backup
NOTE: setting the sticky bit was an error, it prevents anyone but the user from deleting
to remove the sticky bit
sudo chmod g-s -R /dir
To change group permissions to read, write, execute
chmod -R g+rwx DirectoryName
and this [from here]:
sudo setfacl -Rdm g:groupnamehere:rwx /base/path/members/
sudo setfacl -Rm g:groupnamehere:rwx /base/path/members/
R is recursive, which means everything under that directory will have the rule applied to it.
d is default, which means for all future items created under that directory, have these rules apply by default. m is needed to add/modify rules.
The first command is for new items (hence the d); the second command is for old/existing items under the folder. Hope this helps someone out as this stuff is a bit complicated and not very intuitive.
Restart samba server
sudo service smbd restart
log out log in?
Now make sure new user names are in the group ‘users’
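A check for the result of the steps above, as an added example that is not part of the original notes: audit_share lists entries with the wrong group, entries without group read/write, directories lacking SGID, regular files that picked up SGID from the recursive chmod -R g+s, and directories carrying the sticky bit (+t, which is a different bit from the g+s that chmod g-s clears). The function names, the labels and the demo tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original notes): audit a shared tree against
# the layout the chgrp / chmod g+rwX / chmod g+s steps are meant to produce.

# flag LABEL <find args...>: print "LABEL<TAB>path" for every match.
flag() {
    label=$1; shift
    find "$@" -print | while IFS= read -r p; do
        printf '%s\t%s\n' "$label" "$p"
    done
}

# audit_share DIR GROUP: GROUP may be a group name or a numeric gid.
audit_share() {
    dir=$1; group=$2
    flag wrong-group   "$dir" ! -group "$group"      # chgrp -R missed it
    flag no-group-rw   "$dir" -type f ! -perm -060   # file is not g+rw
    flag no-group-rwx  "$dir" -type d ! -perm -070   # dir is not g+rwx
    flag dir-no-setgid "$dir" -type d ! -perm -2000  # new items get creator's group
    flag file-setgid   "$dir" -type f -perm -2000    # side effect of chmod -R g+s
    flag dir-sticky    "$dir" -type d -perm -1000    # +t: only the owner may delete
}

# make_demo_tree GROUP: constructed sample tree, prepared with the same
# ownership/mode commands as the notes. Prints the path of the tree.
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/share/sub"
    : > "$root/share/sub/doc.txt"
    chgrp -R "$1" "$root/share"
    chmod -R g+rwX "$root/share"
    chmod -R g+s "$root/share"
    printf '%s\n' "$root/share"
}

# Usage: sh audit_share.sh /mnt/Files users
if [ "$#" -eq 2 ]; then audit_share "$1" "$2"; fi
```

Default ACLs set with setfacl are not covered by this check; getfacl on the directory shows them.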
These are the possible solutions I considered:
To cause all files henceforth created in /samba/founders to be owned by the “founders” group, do the following.
chgrp founders /samba/founders && chmod g+s /samba/founders
So maybe for me this would be:
chgrp users /media/Office-Files && chmod g+s /media/Office-Files
https://www.samba.org/samba/docs/using_samba/ch09.html
However, if you’re creating a shared directory for group access, you need to perform a few more steps. Let’s take a stab at a group share for the accounting department in the smb.conf file:
[accounting]
comment = Accounting Department Directory
writable = yes
valid users = @account
path = /home/samba/accounting
create mode = 0660
directory mode = 0770
The first thing we did differently is to specify @account as the valid user instead of one or more individual usernames. This is shorthand for saying that the valid users are represented by the Unix group account. These users will need to be added to the group entry account in the system group file (/etc/group or equivalent) to be recognized as part of the group. Once they are, Samba will recognize those users as valid users for the share.
In addition, you need to create a shared directory that the members of the group can access and point to it with the path configuration option. Here are the Unix commands that create the shared directory for the accounting department (assuming /home/samba already exists):
# mkdir /home/samba/accounting
# chgrp account /home/samba/accounting
# chmod 770 /home/samba/accounting
There are two other options in this smb.conf example, both of which we saw in the previous chapter. These options are create mode and directory mode. These options set the maximum file and directory permissions that a new file or directory can have. In this case, we have denied all world access to the contents of this share. (This is reinforced by the chmod command, shown earlier.)
One solution: in /etc/samba/smb.conf, add these options to the [global] section:
force user = rolf
force group = coders
Another solution:
you could try adding sticky bit for the group on that folder
chmod 2770 foldername
find foldername -type d -exec chmod g+s {} \;
———–See following post from this web site—————-
I think you need to use the following parameters:
# I changed the permissions to rw-rw-r--
# You should be able to change them to 775 if you need the files to
# be executable
create mask = 664
force create mode = 664
security mask = 664
force security mode = 664
# I set the SGID flag here as I thought this is what you wanted
# You could change to 0775
directory mask = 2775
force directory mode = 2775
directory security mask = 2775
force directory security mode = 2775
I was looking for a nice explanation of how these settings work, but could not find anything better than man smb.conf
———-This one might be the true answer——————-
After a lot of trial and error, this is the correct code to share samba dir using SGID and unix groups. If user connects anonymously he gets r/o, if he logs in and is a member of assigned group he gets r/w.
I have group named ‘admin’ set as primary group to users with write privileges, everyone else gets read only rights.
I force user to nobody, so different people working on same files don’t interfere with each other.
I set chmod 2755 on shared directory, so it inherits created directories with the same group ‘admin’
$ chmod -R 2755 /home/shares/test
Checking if all is good:
$ stat /home/shares/test
Access: (2755/drwxr-sr-x) Uid: (65534/ nobody) Gid: ( 1001/ admin)
Relevant part of /etc/samba/smb.conf:
[test]
comment = test
path = /home/shares/test
force user = nobody
read only = No
create mask = 0664
force create mode = 0664
directory mask = 02775
force directory mode = 02775
This post put me on the right track, but testparm revealed 4 incorrect directives, so I’m sharing the fixed config here. In Samba, the fewer directives you specify, the better it works.
end