- Join Date
- May 2011
Strange Samba write access problem
I've been using the forums on/off for quite some time, but I never registered as a user. I guess my problems were so trivial that it was always possible to find helpful replies to other users experiencing the same problems I've had. That is unfortunately not the case this time. I'm facing a (to me) very strange problem, and I'm hoping that some of you either know the cause of it, or can give me some input for further troubleshooting.
I have a file/media server running Ubuntu, where I installed a Samba server to allow for file sharing between the server and both Windows and Linux clients.
The setup is slightly more complex than described here, but for the sake of troubleshooting, I greatly simplified the setup to try to isolate the problem. I am now down to the following 2 shares, which still illustrate my problem.
share-jan is supposed to be a completely private share accessed only by me.
The main access restriction is set up in the Linux file system, making most of these Samba settings irrelevant.
The directory in /srv/rshare is set up like this:
drwx------ 10 jan jan 4096 2011-05-01 14:36 jan
[share-jan]
   comment = Jans private share
   path = /srv/rshare/jan
   browseable = yes
   guest ok = no
   read only = yes
   create mask = 0755
   write list = jan

The directory in /srv/dshare is set up like this:
drwxrwxrwx 2 nobody nogroup 4096 2011-05-01 14:33 temp
[share-temp]
   comment = Temp share (ingen backup)
   path = /srv/dshare/temp
   browseable = yes
   guest ok = yes
   read only = yes
   create mask = 0777
   directory mask = 0777
   write list = jan, someone, someoneelse
Now, here is the weird part. From any Windows client, logged on as 'jan' and using normal file explorer I can view, create, edit, and delete everything in both shares. 'someone' or 'someoneelse' can do anything on share-temp, but have no access to share-jan. And anyone else can only view things in share-temp. In other words, this works exactly as expected.
However, from any Linux client running Ubuntu, logged on as 'jan' and using the Nautilus file explorer I can view, create, edit, and delete everything in share-jan. But in share-temp I can only view things. 'someone' or 'someoneelse' can only view things in share-temp, and the same goes for guests. In other words my access to share-jan seems to work as expected, but no one has write access to share-temp in spite of the 'write list' configuration.
So... if anyone can see what I cannot... or has some suggestions for what I could try, please let me know.
I did not include the full smb.conf as I didn't want to pollute this already long post any further. But if you think it may be relevant, please tell me, and I'll include that as well.
Any help is appreciated.
To restrict modifying the share "share-temp" to some users, you need to use extended ACLs, not the Samba "write list" capability. To use ACLs to restrict write access to the directory, you must do the following:
1) Delete the "create mask = 0777", "directory mask = 0777" and "write list = jan, someone, someoneelse" statements.
2) Change the permissions of the directory "/srv/dshare/temp" back to 755.
3) Install acl-tools (by running apt-get install acl).
4) Add the "acl" option to your filesystem in /etc/fstab.
5) Finally, run setfacl to add permissions for the users jan, someone, someoneelse to modify this directory:
setfacl -Rn -m u:jan:rwx /srv/directory
setfacl -Rn -m default:u:jan:rwx /srv/directory
setfacl -R -m m:rwx /srv/directory
setfacl -R -m default:m:rwx /srv/directory
- Join Date
- May 2011
Thank you for your reply, Bisti. While I can see how ACL would be a solution to the problem, I still have a hard time understanding why this cannot be solved using Samba configuration on top of a directory which is not restricted by Linux file permissions.
I'd go as far as to suggest that if Samba is NOT capable of adding restrictions to the file system permissions, while making exceptions to those restrictions for certain users/groups, then it is a serious design flaw or lack of functionality in Samba.
Again, thank you for your suggestion. I will definitely try it, if it turns out that this is the best option, but I really hope that this obvious feature already exists in Samba.
You can modify share permissions with Samba from Windows clients with the "cacls" command or from the GUI (right click / permissions). Here Samba uses the ACL API and does the same thing that the "setfacl" command does.
- Join Date
- May 2011
Right. I guess the thing I'm having a hard time understanding is that when I create the directories with full access permission on the Linux server running the Samba server, and create the access restrictions in the Samba configuration as shown above, then:
- It works perfectly from any Windows client using only the default file explorer.
- It does NOT work from my Linux clients using the (default?) Nautilus explorer.
Therefore I would assume that the problem was related to the Linux client (Nautilus explorer or something else), and not to the Samba configuration.
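
The layering argued over in this thread, as an added example that is not part of any post: a write to a share must pass the share-level check in smb.conf ("read only" overridden by "write list") and then the Unix permission check on the directory. The sketch below models both for the two shares quoted in the first post and yields the same access matrix the original poster reports from Windows clients; the guest mapping to nobody/nogroup, the one-group-per-user rule and the user "bob" in the checks are assumptions.

```python
# Added example: models the two checks a write must pass (share level, then
# filesystem). Assumptions: guests map to nobody/nogroup and each user's only
# group is named after the user. Data is constructed from the quoted post.
SMB_CONF = """
[share-jan]
path = /srv/rshare/jan
guest ok = no
read only = yes
write list = jan
[share-temp]
path = /srv/dshare/temp
guest ok = yes
read only = yes
write list = jan, someone, someoneelse
"""
DIRS = {  # path -> (ls -l mode, owner, group)
    "/srv/rshare/jan": ("drwx------", "jan", "jan"),
    "/srv/dshare/temp": ("drwxrwxrwx", "nobody", "nogroup"),
}

def parse_shares(text):
    shares, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = shares.setdefault(line[1:-1], {})
        elif "=" in line and cur is not None:
            key, value = line.split("=", 1)
            cur[key.strip().lower()] = value.strip()
    return shares

def fs_allows(path, user, group, bits):
    """Owner/group/other check of the wanted bits against the mode string."""
    mode, owner, grp = DIRS[path]
    triplet = mode[1:4] if user == owner else mode[4:7] if group == grp else mode[7:10]
    return all(b in triplet for b in bits)

def access(share, user=None):
    """Return 'none', 'read' or 'write'; user=None means a guest connection."""
    if user is None and share.get("guest ok", "no") != "yes":
        return "none"
    unix_user, unix_group = (user, user) if user else ("nobody", "nogroup")
    if not fs_allows(share["path"], unix_user, unix_group, "rx"):
        return "none"
    writers = {u.strip() for u in share.get("write list", "").split(",")}
    share_write = share.get("read only", "yes") == "no" or user in writers
    fs_write = fs_allows(share["path"], unix_user, unix_group, "wx")
    return "write" if share_write and fs_write else "read"

def only_samba_restricts(share):
    """True when 'other' can write the directory, so smb.conf is the sole gate."""
    return "w" in DIRS[share["path"]][0][7:10]
```

`only_samba_restricts` is true for share-temp: with the directory at 0777, any local account on the server can write to it without going through Samba at all.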