  1. #1
    Just Joined!
    Join Date
    May 2011
    Location
    Denmark
    Posts
    7

    Strange Samba write access problem


    Hi Linux Forum users.

    I've been using the forums on/off for quite some time, but I never registered as a user. I guess my problems were so trivial that it was always possible to find helpful replies to other users experiencing the same problems I've had. That is unfortunately not the case this time. I'm facing a (to me) very strange problem, and I'm hoping that some of you either know the cause of it, or can give me some input for further troubleshooting.


    I have a file/media server running Ubuntu, where I installed a Samba server to allow for file sharing between the server and both Windows and Linux clients.

    The setup is slightly more complex than described here, but for the sake of troubleshooting, I greatly simplified the setup to try to isolate the problem. I am now down to the following 2 shares, which still illustrate my problem.


    share-jan is supposed to be a completely private share accessed only by me.
    The main access restriction is set up in the Linux file system, making most of these Samba settings irrelevant.

    The directory in /srv/rshare is setup like this:
    Code:
    drwx------ 10 jan      jan      4096 2011-05-01 14:36 jan
    The samba configuration for this share is setup like this:
    Code:
    [share-jan]
        comment = Jans private share
        path = /srv/rshare/jan
        browseable = yes
        guest ok = no
        read only = yes
        create mask = 0755
        write list = jan
    share-temp is supposed to be accessible by anyone including guests. However, only a few trusted people (including myself) will be allowed to create/edit/delete files and directories. Therefore I grant full access to everyone in the file system, and attempt to perform the access restriction in Samba.

    The directory in /srv/dshare is setup like this:
    Code:
    drwxrwxrwx 2 nobody nogroup  4096 2011-05-01 14:33 temp
    The samba configuration for this share is setup like this:
    Code:
    [share-temp]
        comment = Temp share (ingen backup)
        path = /srv/dshare/temp
        browseable = yes
        guest ok = yes
        read only = yes
        create mask = 0777
        directory mask = 0777
        write list = jan, someone, someoneelse

    Now, here is the weird part. From any Windows client, logged on as 'jan' and using the normal file explorer, I can view, create, edit, and delete everything in both shares. 'someone' or 'someoneelse' can do anything on share-temp, but have no access to share-jan. And anyone else can only view things in share-temp. In other words, this works exactly as expected.

    However, from any Linux client running Ubuntu, logged on as 'jan' and using the Nautilus file explorer, I can view, create, edit, and delete everything in share-jan. But in share-temp I can only view things. 'someone' or 'someoneelse' can only view things in share-temp, and the same goes for guests. In other words, my access to share-jan seems to work as expected, but no one has write access to share-temp in spite of the 'write list' configuration.


    So... if anyone can see what I cannot... or has some suggestions for what I could try, please let me know.

    I did not include the full smb.conf as I didn't want to pollute this already long post any further. But if you think it may be relevant, please tell me, and I'll include that as well.

    Any help is appreciated.

    Regards,

    Jan
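
The access matrix the post expects, as an added example that is not part of the original thread: a simplified model of how the Samba layer (`guest ok`, `read only`, `write list`) combines with the directory mode bits for the two shares shown. It assumes Samba's default guest account `nobody`, ignores `valid users` and filesystem ACLs, and uses a hypothetical account name `visitor` in the checks.

```python
import configparser

# Constructed input: the two share definitions from the post above.
SMB_CONF = """
[share-jan]
    path = /srv/rshare/jan
    guest ok = no
    read only = yes
    write list = jan
[share-temp]
    path = /srv/dshare/temp
    guest ok = yes
    read only = yes
    write list = jan, someone, someoneelse
"""

# Constructed input: owner, group and mode taken from the ls lines in the post.
DIRS = {
    "/srv/rshare/jan": ("jan", "jan", 0o700),
    "/srv/dshare/temp": ("nobody", "nogroup", 0o777),
}

def fs_bits(path, user, groups=()):
    """rwx bits the kernel grants `user` on the directory (mode bits only)."""
    owner, group, mode = DIRS[path]
    if user == owner:
        return (mode >> 6) & 7
    if group in groups:
        return (mode >> 3) & 7
    return mode & 7

def share_access(conf_text, share, user=None, groups=()):
    """Return 'none', 'read' or 'write'; user=None means a guest session."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("\n".join(l.strip() for l in conf_text.splitlines()))
    s = cp[share]
    listed = False
    if user is None:
        if not s.getboolean("guest ok", fallback=False):
            return "none"
        user = "nobody"  # assumption: Samba's default guest account
    else:
        names = s.get("write list", fallback="").split(",")
        listed = user in [n.strip() for n in names]
    bits = fs_bits(s["path"], user, groups)
    if bits & 5 != 5:  # r and x are needed to list the directory
        return "none"
    # Users in "write list" get write access even when "read only = yes".
    smb_write = listed or not s.getboolean("read only", fallback=True)
    return "write" if smb_write and bits & 2 else "read"
```

Because `/srv/dshare/temp` is mode 0777, every "read" result for share-temp comes from the Samba layer alone; any local account on the server can write to that directory directly.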

  2. #2
    Just Joined! bisti's Avatar
    Join Date
    Jan 2011
    Posts
    7
    To restrict modifying the share "share-temp" to some users, you need to use extended ACLs, not the Samba "write list" capability. To use ACLs to restrict write access to the directory, you must do the following:

    1) Delete the "create mask = 0777", "directory mask = 0777" and "write list = jan, someone, someoneelse" statements.

    2) Change the permissions of the directory "/srv/dshare/temp" back to 755.

    3) Install acl-tools (by running apt-get install acl).

    4) Add the "acl" option to your filesystem in /etc/fstab.

    5) Finally, run setfacl to add permissions for users jan, someone, someoneelse to modify this directory:

    Code:
    setfacl -Rn -m u:jan:rwx /srv/directory
    setfacl -Rn -m default:u:jan:rwx /srv/directory
    Then, run "getfacl /srv/run" to be sure that this user has correct permissions. And if your user has incorrect permissions, you need to manually set the "mask" permission:

    Code:
    setfacl -m m:rwx /srv/directory
    setfacl -m default:m:rwx /srv/directory
    And, of course, read the manual page for "setfacl" and "getfacl"
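
Why the mask step in the reply above matters, as an added example that is not part of the original thread: `setfacl -n` does not recalculate the mask, and a named-user entry is limited by the mask entry. The code parses `getfacl` output and applies the POSIX ACL access check; the sample output and the account name `visitor` are constructed.

```python
R, W, X = 4, 2, 1

# Constructed getfacl output: the directory at mode 755 with jan added,
# but the mask left at r-x.
GETFACL = """\
# file: srv/dshare/temp
# owner: nobody
# group: nogroup
user::rwx
user:jan:rwx\t#effective:r-x
group::r-x
mask::r-x
other::r-x
"""

def parse_getfacl(text):
    """Parse the access ACL (default: entries are skipped) into a dict."""
    acl = {"owner": None, "owning_group": None,
           "user": {}, "group": {}, "mask": None, "other": 0}
    for raw in text.splitlines():
        if raw.startswith("# owner:"):
            acl["owner"] = raw.split(":", 1)[1].strip()
        elif raw.startswith("# group:"):
            acl["owning_group"] = raw.split(":", 1)[1].strip()
        elif raw.strip() and not raw.startswith(("#", "default:")):
            tag, name, perms = raw.split("#")[0].strip().split(":")
            value = sum(b for ch, b in zip(perms, (R, W, X)) if ch != "-")
            if tag in ("user", "group"):
                acl[tag][name] = value  # name "" is the owner / owning group
            else:
                acl[tag] = value        # mask or other
    return acl

def allowed(acl, user, groups, want):
    """Does `user` (member of `groups`) get every permission bit in `want`?"""
    mask = 7 if acl["mask"] is None else acl["mask"]
    if user == acl["owner"]:
        return (acl["user"][""] & want) == want  # owner entry is never masked
    if user in acl["user"]:
        return (acl["user"][user] & mask & want) == want
    matched = [p for g, p in acl["group"].items()
               if (g or acl["owning_group"]) in groups]
    if matched:
        return any((p & mask & want) == want for p in matched)
    return (acl["other"] & want) == want         # other is never masked
```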

  3. #3
    Just Joined!
    Join Date
    May 2011
    Location
    Denmark
    Posts
    7
    Thank you for your reply, Bisti. While I can see how ACL would be a solution to the problem, I still have a hard time understanding why this cannot be solved using Samba configuration on top of a directory which is not restricted by Linux file permissions.

    I'd go as far as to suggest that if Samba is NOT capable of adding restrictions to the file system permissions, while making exceptions to those restrictions for certain users/groups, then it is a serious design flaw or lack of functionality in Samba.

    Again, thank you for your suggestion. I will definitely try it, if it turns out that this is the best option, but I really hope that this obvious feature already exists in Samba.

  4. #4
    Just Joined! bisti's Avatar
    Join Date
    Jan 2011
    Posts
    7
    You can modify share permissions with Samba from Windows clients with the "cacls" command or from the GUI (right click / permissions). Here Samba uses the ACL API, and does the same thing that the "setfacl" command does.

  5. #5
    Just Joined!
    Join Date
    May 2011
    Location
    Denmark
    Posts
    7
    Right. I guess the thing I'm having a hard time understanding is that when I create the directories with full access permission on the Linux server running the Samba server, and create the access restrictions in the Samba configuration as shown above, then:
    - It works perfectly from any Windows client using only the default file explorer.
    - It does NOT work from my Linux clients using the (default?) Nautilus explorer.

    Therefore I would assume that the problem was related to the Linux client (Nautilus explorer or something else), and not to the Samba configuration.
