Linux & Samba Permissions

Infidelus

Infidelus

Infidelus

Soldato
Joined
3 Aug 2012
Posts
2,711
Location
Second Star to the Right
Hey all,

I'm slowly migrating my home network to Linux and am currently trying to set up a file server.

For my setup I'm using Ubuntu Server 16.04 with a ZFS RAIDZ pool and Samba (although I'm quite interested in NFS too).

So far I've had intermittent success with the correct permissions connecting from my remaining Windows boxes and my Linux Mint machine.

I've been Googling around for a couple of days now, but I can't find any definitive information on how to correctly set this stuff up, so I'm hoping somebody here can assist.

I have about 6 users to cater for, and they need different access rights depending on the share.

I have a Public share where we can all dump stuff, some multimedia shares that I want them to have read/write to, a couple of other media shares that I only want some of them to have read access to but others need read/write, and some shares that are just for me.

Problems I'm having are, even with the Samba shares set as I 'think' they should be, sometimes I can't access them, and sometimes I can. Every Samba guide I look at only tells me about Samba, but I'm fairly sure I need to do something with the underlying file permissions too.

The ZFS pool is currently set with owner hts (it's a Tvheadend server too) and group root. As a temporary measure I've run chmod -R 777 over the pool just so I can copy the files back from my Windows server.

All the users have Linux and smb accounts.

The main problem I'm seeing is that everything that's already in the pool that I've run chmod over is accessible (even to people without permissios sometimes!), but every new file I copy over from the Windows server gets that user's permissions and nobody else can access the files.

I've tried changing the user:group of various folders to see if that fixes things, but it only seems to make it worse. :(

Sample of my smb.conf:

Code: 
[global]

        workgroup = WORKGROUP
        name resolve order = bcast host lmhosts wins
        security = user
        encrypt passwords = yes
        server string = %h server (Samba, Ubuntu)
        dns proxy = no
        log file = /var/log/samba/log.%m
        max log size = 1000
        syslog = 0
        panic action = /usr/share/samba/panic-action %d
        server role = standalone server
        passdb backend = tdbsam
        obey pam restrictions = yes
        unix password sync = yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        pam password change = yes
        map to guest = bad user
        guest account = nobody
        usershare allow guests = yes

[Recordings]
        comment = Tvheadend Recording Share
        path = /volume1/Recordings
        writable = yes
        browsable = yes
        valid users = bill, ben, me
        create mask = 0775
        directory mask = 0775

[Music]
        comment = My Music
        path = /volume1/Music
        writable = yes
        browsable = yes
        read list = bill, ben, george, zippy
        write list = me, weed
        create mask = 0775
        directory mask = 0775

[Private]
        comment = Other stuff
        path = /volume1/Private
        writable = yes
        browsable = no
        valid users = me
        create mask = 0775
        directory mask = 0775

[Public]
        comment = Public Share
        path = /volume1/Public
        writable = yes
        browsable = yes
        guest ok = yes
        read only = no
        force user = nobody

All help very gratefully accepted before the air turns completely blue from all the naughty words I've been uttering.
 
Last edited:
Samba configuration can be quite frustrating, especially when you are trying to set up different users/permissions/shares, as you are. Have you considered installing something like Webmin - it will basically give you a way to configure via a gui and it can sometimes make more sense that way, as well as take some of the command-line hassle out of it.
 
Samba is probably fine.

When you chmod try flagging -R which makes it recursive. I have a similar setup in use and every time I reinstall I get stuck for a day on samba shares.

Webmin helps a huge amount though.
 
Buffalo2102 said:
Samba configuration can be quite frustrating, especially when you are trying to set up different users/permissions/shares, as you are. Have you considered installing something like Webmin - it will basically give you a way to configure via a gui and it can sometimes make more sense that way, as well as take some of the command-line hassle out of it.
Click to expand...

I had considered it, but was trying to avoid using Webmin, and trying to actually learn something instead of letting the GUI do it for me.

Steveocee said:
Samba is probably fine.

When you chmod try flagging -R which makes it recursive. I have a similar setup in use and every time I reinstall I get stuck for a day on samba shares.

Webmin helps a huge amount though.
Click to expand...

I'd actually already tried with -R. I still can't get it set up properly. I've got a Downloads folder that, to all extents and purposes, I should be able to access. The Samba and file permissions are the same as some of the other shares I can-actually-access, yet no matter what I do, Samba won't let me access the folder, which is why I'm getting so frustrated with it.
 
Infidelus said:
I had considered it, but was trying to avoid using Webmin, and trying to actually learn something instead of letting the GUI do it for me.
Click to expand...

Fair play to you and that's what I do myself. I use samba flawlessly on my network but there aren't many users and it's not near as complicated as your setup so I can't really help with the detail of your config. If you do use Webmin (and it works), at least it will create a config file that you can then examine and so you should still learn something.

Thinking about it, I used to use zfs myself but not anymore and iirc there are specific zfs commands to set up samba sharing on zfs volumes. Are you using those are doing everything via the smb.conf file?
 
I had a look at the zfs way of creating shares, but wasn't keen on the resultant share names. I seem to remember reading there are limitations doing it that way too, but I've Googled so much over the last week trying to get this working I may be crossing information in that respect.

I've installed Webmin and had a look at at the permissions it's showing for what I've set up, but it still looks to me like I *should* be able to access the shares, yet I still can't.

I've just dug an old Synology box out of the cupboard and am going to set some Samba shares up on that then ssh in and see what the config says and see if that sheds any light.
 
hts@Server:/volume1$ ls -lah
total 607K
drwxrwxrwx 21 hts root 21 Nov 27 13:56 .
drwxr-xr-x 24 root root 4.0K Nov 26 20:17 ..
drwxrwxrwx 26 hts root 26 Nov 26 15:03 Documents
drwxrwxrwx 9 hts root 32 Nov 27 12:14 Downloads
drwxrwxrwx 4 hts root 6 Nov 15 22:53 Music
drwxrwxrwx 3 hts root 53 Nov 23 12:12 Private
drwxrwsr-x 2 hts users 2 Nov 27 20:08 Public
drwxrwsr-x 2 hts users 14 Nov 27 20:27 Recordings

I've been tinkering with some of the shares today again after looking at my Diskstation, but it's still not right. If I'm connecting from a Linux client, I seem to have more luck than from my Windows 2012 server, but I feel like I'm just making things up as I go along at this stage.

I looked at the folder permissions on the DS and they were root:root at the base level and there were differences in the smb.conf file too (notably no 'create mask' or 'directory mode' settings, yet after I'd set up the users, I had no problems connecting. If I try the same thing on my Ubuntu server though, I don't get anywhere near as much luck.

I've also noticed another oddity. If I connect from my Windows server by name (\\Server\Share), I get different access permissions than if I connect via IP (IP giving me the best results) which is quite frankly confusing the hell out of me!
 
The create mask and directory mask set the initial permissions on new files / folders created over Samba, nothing more interesting than that. Can't remember what the default is off the top of my head when unset, but it's probably 755.
If you're copying files from an external location, Samba will attempt to copy the permissions set. I'm not sure off the top of my head that there's a way to disable that.


Connectivity Issues:
First step is to double check the users and the workgroup set for all the client machines.

IIRC the default workgroup name that Windows uses changed from WORKGROUP to MSHOME at either Windows 8 or Windows 10.

Second step is to check that the other Linux box is not broadcasting the same Samba Netbios name; If you've been copying configs back and forth, there's a distinct possibility that this could be the case.

After that, try pinging both the hostname and the IP from the command prompt when you're having issues.
If the IP pings but the host does not, something is up with the Netbios name resolution.
 
I think the workgroup change is the other way around. Went from MSHOME to WORKGROUP. I've just done another ping test this morning and it's now resolving. I have a feeling it got its knicker's in a twist when I installed Ubuntu Server as by default it gets a DHCP address when installing. It still hasn't fixed the problem of permissions. Really seems quite odd to me that with IP I get access to the share, but with hostname I don't. The only difference between the Windows 2012 machine and all the others is it's on a domain as you can't install 2012 R2 Essentials any other way. I'm less worried about that though as I will be ditching 2012 and installing Ubuntu Server on that machine too when I've sorted out the Samba permissions.
 
OK, so I ...

am a retard!

I've found two mistakes I made with users & groups. The first thing I realised (yesterday), when I was adding users to groups I was just using usermod -G instead of -a -G. Quickly rectified.

Sadly, the second mistake was worse, and I hang my head in shame. :(

When adding computer users I was creating samba users as well .... or at least I thought I was. I've been scratching my head wondering why I was having so many problems with the Windows Server, and why smbstatus showed a different user connected from that machine to the Samba shares. I was beginning to wonder if some odd passthrough authentication was happening on Remmina ... but no.

It turns out that when I couldn't connect as the Server Admin, I substituted different credentials for testing and only when I rebooted and couldn't reconnect at all to the shares did I, on a hunch, look at Webmin (it was useful after all :)), at which point it became clear that I had created Samba accounts for every user .... except the one I was trying to use - again ... retard. I would have sworn blind I created it which is why I hadn't given it a second thought.

Funnily enough that account can now connect via netbios name, so apologies for wasting everyone's time on something so obvious. I'm still not entirely happy with my file and folder permissions, but I will look at that all again to see if there's anything else bleedin' ovbious I've missed.

I do still have one problem. For some reason even when a file is open for use by one user, another user can go along and edit/delete it with no warnings. I've been looking at some of the documentation which mentions oplocks & kernel locks, and I've added that to the smb.conf file, but it doesn't seem to make any difference.

oplocks = yes
kernel oplocks = yes
level2 oplocks = yes
strict locking = yes

I'm surprised Linux lets you do this and I'm a bit stumped at the moment, although I'm certain it won't be the last time on my path to learning Linux.

[edit to add]

Case in point. I recorded a TV show earlier, and I've just gone through it with VideoReDo and cut all the adverts out, then dumped it back in the Recordings share. Two minutes later I am visited by an irate member of the family asking if I'm messing with things. It turns out she was half way through watching the program while I was editing and replacing it, something that I've never seen in Windows. If it's in use, it's locked and you can't do anything until it's not-locked.
 
Last edited:
I think that oplocks don't necessarily deny access to the entire file, only byte ranges within the file that are already being accessed. They are also dependent on the filesystem and OS's involved. You might try setting share modes. It's not something I've ever done but from what I have read, it seems to be a less complicated way of denying access to a file that is already in use.
 
Thanks.

I get the impression from further Googling that it's actually more a Linux issue than Samba. Apparently Linux doesn't care if multiple people have access to the same file at the same time and its default is DENY_NONE. Seems very strange to me that you'd let multiple people write to the same file at the same time, but I am (quite clearly) not a Linux guru.
 
You must log in or register to reply here.
Back
Top Bottom