{"id":1522,"date":"2015-12-17T13:28:21","date_gmt":"2015-12-17T21:28:21","guid":{"rendered":"http:\/\/systemsolver.com\/StatlerBlog\/?p=1522"},"modified":"2015-12-17T13:28:21","modified_gmt":"2015-12-17T21:28:21","slug":"linux-samba-fix-usersgroupspermissions","status":"publish","type":"post","link":"https:\/\/systemsolver.goodhealthyday.com\/StatlerBlog\/2015\/12\/17\/linux-samba-fix-usersgroupspermissions\/","title":{"rendered":"LInux Samba fix users\/groups\/permissions"},"content":{"rendered":"

My problem is that group and user permissions for the group get changed or created wrong when a file is changed or created by some users.<\/p>\n

I want a specific group of users to have read\/write permissions to every subdirectory and files.<\/p>\n

http:\/\/linuxcommand.org\/man_pages\/setfacl1.html<\/a><\/p>\n

Good examples:<\/p>\n

http:\/\/www.calculate-linux.org\/main\/en\/setting_filesystem_acl<\/a><\/p>\n

I did this:<\/h2>\n

===<\/p>\n

On the samba serverm in \/etc\/Samba\/smb.conf\u00a0 just before the share definitions at the end of the file
\nforce group = users<\/code><\/p>\n

===<\/p>\n

sudo gedit \/etc\/fstab<\/code><\/p>\n

add acl to list of options on all mounts then remount:<\/p>\n

sudo mount -a<\/code><\/p>\n

*- prepare existing files\/folders
\nsudo chgrp -R users \/mnt\/Files\/a-PI\/---.test2 #change group folders and files belong to
\nsudo chmod -R g+rwX \/mnt\/Files\/a-PI\/---.test2 #change the current folders\/docs to group read\/write, capital X changes only folders and executables to executeable<\/code><\/p>\n

*- set default for new folders\/files
\nsudo setfacl -R -m \"default:group:groupname:rwx\" \/mnt\/Files\/a-PI\/---.test2 #group rw but not setting default group
\nsudo chmod -R g+s \/mnt\/Files\/a-PI\/---.test2 #set SGID so new items belong to parent group<\/code><\/p>\n

without comments:<\/p>\n

 <\/p>\n

sudo chgrp -R users \/mnt\/Files <\/code><\/p>\n

sudo chmod -R g+rwX \/mnt\/Files <\/code><\/p>\n

sudo setfacl -R -m \"default:group:groupname:rwx\" \/mnt\/Files <\/code><\/p>\n

sudo chmod -R g+s \/mnt\/Files<\/code><\/p>\n

 <\/p>\n

— maybe not so much the below info<\/p>\n

Then as root:
\nsu
\nchgrp users \/media\/Office-Files && chmod g+s \/media\/Office-Files
\nchgrp users -R \/media\/Closed # not -> && chmod g+s \/media\/Closed see Note
\nchgrp users \/media\/Local-backup && chmod g+s \/media\/Local-backup<\/p>\n

NOTE: setting the sticky bit was an error, it prevents anyone but the user from deleting<\/p>\n

to remove the sticky bit<\/p>\n

sudo chmod g-s -R \/dir<\/pre>\n
To change group permissions to read, write, execute<\/p>\n
chmod -R g+rwx DirectoryName<\/code><\/p>\n
and this [from here<\/a>]:<\/p>\n
sudo setfacl -Rdm g:groupnamehere:rwx \/base\/path\/members\/\nsudo setfacl -Rm g:groupnamehere:rwx \/base\/path\/members\/\n<\/code><\/pre>\n
R<\/b> is recursive, which means everything under that directory will have the rule applied to it. 
 d<\/b> is default, which means for all future items created under that directory, have these rules apply by default. m<\/b> is needed to add\/modify rules.<\/p>\n
The first command, is for new items (hence the d), the second command, is for old\/existing items under the folder. Hope this helps someone out as this stuff is a bit complicated and not very intuitive.<\/p>\n
Restart samba server
\nsudo service smbd restart<\/code><\/p>\n
log out log in?<\/p>\n
Now make sure new user names are in the group ‘users’<\/p>\n
These are the possible solutions I considered:<\/h4>\n
http:\/\/www.linuxquestions.org\/questions\/linux-server-73\/ownership-on-new-files-in-group-samba-share-set-badly-898489\/<\/a><\/p>\n
To cause all files henceforth created in \/samba\/founders<\/span> to be owned by the “founders<\/span>” group, do the following.<\/p>\n
\n
Code:<\/div>\n
chgrp founders \/samba\/founders && chmod g+s \/samba\/founders<\/p>\n<\/div>\n
So maybe for me this would be:<\/p>\n
chgrp \/media\/Office-Files users \/media\/Office-Files && chmod g+s \/media\/Office-Files<\/p>\n
https:\/\/www.samba.org\/samba\/docs\/using_samba\/ch09.html<\/a><\/p>\n
However, if you’re creating a shared directory for group access, you need to perform a few more steps. Let’s take a stab at a group share for the accounting department in the smb.conf file:<\/p>\n
[accounting]
 comment = Accounting Department Directory
 writable = yes
 valid users = @account
 path = \/home\/samba\/accounting
 create mode = 0660
 directory mode = 0770
 The first thing we did differently is to specify @account as the valid user instead of one or more individual usernames. This is shorthand for saying that the valid users are represented by the Unix group account. These users will need to be added to the group entry account in the system group file ( \/etc\/group or equivalent) to be recognized as part of the group. Once they are, Samba will recognize those users as valid users for the share.<\/p>\n
In addition, you need to create a shared directory that the members of the group can access and point to it with the path configuration option. Here are the Unix commands that create the shared directory for the accounting department (assuming \/home\/samba already exists):<\/p>\n
# mkdir \/home\/samba\/accounting
 # chgrp account \/home\/samba\/accounting
 # chmod 770 \/home\/samba\/accounting
 There are two other options in this smb.conf example, both of which we saw in the previous chapter. These options are create mode and directory mode. These options set the maximum file and directory permissions that a new file or directory can have. In this case, we have denied all world access to the contents of this share. (This is reinforced by the chmod command, shown earlier.)<\/p>\n
http:\/\/unix.stackexchange.com\/questions\/164884\/how-to-set-default-group-for-files-created-in-samba-share<\/a><\/p>\n
One solution: In<\/p>\n
\/etc\/samba\/smb.conf\nAdd these options to the <\/code>[global]<\/code> section:\n<\/pre>\n
force user = rolf force group = coders<\/code><\/p>\n
Another solution:<\/p>\n
you could try adding sticky bit for the group on that folder<\/p>\n
chmod 2770 foldername\nfind foldername -type d -exec chmod g+s {} \\;<\/code><\/pre>\n
http:\/\/askubuntu.com\/questions\/97669\/i-cant-get-samba-to-set-proper-permissions-on-created-directories<\/a><\/p>\n
———–See following post from this web site—————-<\/p>\n
I think you need to use the following parameters:<\/p>\n
# I changes the permissions to rw-rw-r--\n# You should be able to change them to 775 if you need the files to\n# be executable\ncreate mask = 664\nforce create mode = 664\nsecurity mask = 664\nforce security mode = 664\n\n# I set the SGID flag here as I thought this is what you wanted\n# You could change to 0775\ndirectory mask = 2775\nforce directory mode = 2775\ndirectory security mask = 2775\nforce directory security mode = 2775\n<\/code><\/pre>\n
I was looking for a nice explanation of how these settings work, but could not find anything better then man smb.conf<\/a><\/p>\n
———-This one might be the true answer——————-<\/p>\n
\n
After a lot of trial and error, this is the correct code to share samba dir using SGID and unix groups. If user connects anonymously he gets r\/o, if he logs in and is a member of assigned group he gets r\/w.<\/p>\n
I have group named ‘admin’ set as primary group to users with write privileges, everyone else gets read only rights.<\/p>\n
I force user to nobody, so different people working on same files don’t interfere with each other.<\/p>\n
I set chmod 2755 on shared directory, so it inherits created directories with the same group ‘admin’<\/p>\n
$ chmod -R 2755 \/home\/shares\/test\n<\/code><\/pre>\n
Checking if all is good:<\/p>\n
$ stat \/home\/shares\/test\nAccess: (2755\/drwxr-sr-x)  Uid: (65534\/  nobody)   Gid: ( 1001\/   admin)\n<\/code><\/pre>\n
Relevant part of \/etc\/samba\/smb.conf:<\/p>\n
[test]\n        comment = test\n        path = \/home\/shares\/test\n        force user = nobody\n        read only = No\n        create mask = 0664\n        force create mode = 0664\n        directory mask = 02775\n        force directory mode = 02775\n<\/code><\/pre>\n
This post put me on right track, but testparm revealed 4 incorrect directives, so I’m sharing fixed config here. In samba, the less directives you specify the better it works.<\/p>\n<\/div>\n
end<\/p>\n","protected":false},"excerpt":{"rendered":"
My problem is that group and user permissions for the group get changed or created wrong when a file is changed or created by some users. I want a specific group of users to have read\/write permissions to every subdirectory and files. http:\/\/linuxcommand.org\/man_pages\/setfacl1.html Good examples: http:\/\/www.calculate-linux.org\/main\/en\/setting_filesystem_acl I did this: === On the samba serverm in […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,6],"tags":[],"class_list":["post-1522","post","type-post","status-publish","format-standard","hentry","category-general","category-linux"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/systemsolver.goodhealthyday.com\/StatlerBlog\/wp-json\/wp\/v2\/posts\/1522","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systemsolver.goodhealthyday.com\/StatlerBlog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systemsolver.goodhealthyday.com\/StatlerBlog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systemsolver.goodhealthyday.com\/StatlerBlog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systemsolver.goodhealthyday.com\/StatlerBlog\/wp-json\/wp\/v2\/comments?post=1522"}],"version-history":[{"count":0,"href":"https:\/\/systemsolver.goodhealthyday.com\/StatlerBlog\/wp-json\/wp\/v2\/posts\/1522\/revisions"}],"wp:attachment":[{"href":"https:\/\/systemsolver.goodhealthyday.com\/StatlerBlog\/wp-json\/wp\/v2\/media?parent=1522"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systemsolver.goodhealthyday.com\/StatlerBlog\/wp-json\/wp\/v2\/categories?post=1522"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systemsolver.goodhealthyday.com\/StatlerBlog\/wp-json\/wp\/v2\/tags?post=1522"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}