Trouble with file permissions on samba share.. file creation mask, etc.

I'll do my best to explain this. Let me know if any other information is needed. Full disclosure: I am using Centrify to integrate this system into Active Directory.


This is my smb.conf file: 


    [global]
    security = ADS
    realm = child.root.pri
    workgroup = CHILD
    netbios name = server

    auth methods = guest, sam, winbind, ntdomain
    machine password timeout = 0
    passdb backend = tdbsam:/etc/samba/private/passdb.tdb

    #   Using kerberos keytab may lead to a serious samba crash.
    #   Centrify recommends against using it.
    #   Kerberos authentication is still supported without it.
    use kerberos keytab = No

    # If your samba server only serves to Windows systems, try server signing = mandatory.
    server signing = auto

    template shell = /bin/bash

    winbind use default domain = Yes

    winbind enum users = No
    winbind enum groups = No
    winbind nested groups = Yes

    ignore syssetgroups error = No
    idmap uid = 1000 - 200000000
    idmap gid = 1000 - 200000000

    enable core files = false
    #  Disable Logging to syslog, and only write log to Samba standard log files.
    syslog = 0

    [datasets]
        path = /datasets
        comment = ETL Datasets
        read only = no
        public = no
        write list = +ETL_DataStage_Admin +ETL_DataStage_User KingZing


If user1 creates a file in the datasets share, user2 cannot change it. 


KingZing goes to the share and creates test.txt - permissions are as follows. 

    -rwxr--r-- 1 KingZing KingZing    0 Jul 28 08:02 test.txt


So no other users can edit/change/delete that file... and that's not what we want. :(


What do I need to adjust? 


Hi Aaron,


have you checked the permissions for /datasets?


    drwxrwxrwx   6 root  root   4.0K Jul  7 16:23 datasets

Hi Aaron,


well, the setup you've implemented there works as expected - user1 may create his own files, user2 may not touch them. So the write list you've defined works.


What you probably want to achieve is that those files belong to a common group - correct? So group members can access those files?


That'd require having all the users in the same group, and the files in /dataset belonging to that group. If that's what you want, change the group of /dataset to that group and, if required, use the 'force group' parameter in smb.conf.


Oh, and I forgot to say - adding an x to the 'others' for the files may help as well :)


    create mask = 6770
    directory mask = 6770
    force create mode = 6770
    force directory mode = 6770
    force user = commonuser
    force group = commongroup


It should work.



I added everything you've got there but not the "Force User" part. That wouldn't let me get into any folders. 


I set up a test folder like this:



        path = /smbtest
        comment = ETL smbtest
        read only = no
        public = yes
        write list = +ETL_DataStage_Admin +ETL_DataStage_User ajaadmin
        create mask = 6770
        directory mask = 6770
        force create mode = 6770
        force directory mode = 6770
        force group = +ETL_DataStage_User

Then created a folder and a file in that folder. 


    root@npsetl005:/smbtest$ ls -lh
    total 4.0K
    drwsrws--- 2 ajaadmin ajaadmin 4.0K Jul 29 10:48 folder
    root@npsetl005:/smbtest$ cd folder
    root@npsetl005:/smbtest/folder$ ls -lh
    total 0
    -rwsrws--- 1 ajaadmin ajaadmin 0 Jul 29 10:48 file.txt


I can't say I'm familiar with the "s" portion. Is that correct? Feels messy, or something.
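As an added illustration (not code from this thread), the small Python model below applies the mode calculation Samba documents for 'create mask' / 'force create mode' (AND with the mask, then OR with the force bits) and renders the result the way ls -l does, so the 's' in -rwsrws--- can be traced back to the 6 in 6770. The 0766 pre-mask file mode is an assumption; the review_mode notes are standard Unix semantics, not Samba behaviour.

```python
import stat

# Samba documents the mode of a new object as: the mode mapped from the DOS
# attributes AND-ed with 'create mask' / 'directory mask', then OR-ed with
# 'force create mode' / 'force directory mode'.
def apply_samba_masks(mapped_mode: int, mask: int, force_mode: int) -> int:
    """Unix mode Samba would set for a new file or directory."""
    return (mapped_mode & mask) | force_mode

def ls_perm_string(mode: int, is_dir: bool = False) -> str:
    """Render a mode the way 'ls -l' does, including the s/S and t/T markers."""
    flags = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_IRGRP, stat.S_IWGRP,
             stat.S_IXGRP, stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
    out = ["d" if is_dir else "-"]
    out += [ch if mode & f else "-" for f, ch in zip(flags, "rwxrwxrwx")]
    # A special bit replaces the execute character of its own triple.
    for bit, pos, ch in ((stat.S_ISUID, 3, "s"), (stat.S_ISGID, 6, "s"), (stat.S_ISVTX, 9, "t")):
        if mode & bit:
            out[pos] = ch if out[pos] == "x" else ch.upper()
    return "".join(out)

def review_mode(mode: int, is_dir: bool) -> list:
    """Least-privilege notes on the special bits a mask setting produces."""
    notes = []
    if mode & stat.S_ISUID:
        notes.append("setuid: not needed for shared data, drop the 4 from the mask")
    if mode & stat.S_ISGID:
        notes.append("setgid on a directory: new entries inherit its group" if is_dir
                     else "setgid on a plain file: not needed for group sharing")
    return notes

# Constructed inputs (assumption): 0766 is taken as the DOS-mapped file mode
# before masking; with Samba's default 'create mask = 0744' it gives the
# -rwxr--r-- file the original post observed.
MAPPED_FILE_MODE = 0o766
MAPPED_DIR_MODE = 0o777

if __name__ == "__main__":
    # The 6770 settings from the thread, then a variant with setgid on directories only.
    for label, file_bits, dir_bits in (("as posted", 0o6770, 0o6770),
                                       ("group inherit", 0o0770, 0o2770)):
        for is_dir, bits in ((False, file_bits), (True, dir_bits)):
            base = MAPPED_DIR_MODE if is_dir else MAPPED_FILE_MODE
            mode = apply_samba_masks(base, bits, bits)
            print(f"{label:14} {ls_perm_string(mode, is_dir)} {review_mode(mode, is_dir)}")
```

Running it shows the posted 6770 values produce -rwsrws--- / drwsrws--- exactly as in the listing above, while 0770 for files and 2770 for directories keeps the group-inheritance effect without the setuid bit.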

On this issue, you might want to create a local group (i.e. commongroup), then change ownership of your existing files/directories to that group.

After that, change

    force group = +ETL_DataStage_User

to

    force group = commongroup

You also want to check your winbind options too. In my box, I have these:

    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    idmap backend = rid:ADS=16777216-33554431
    winbind use default domain = true
    winbind offline logon = true
    winbind enum users = Yes
    winbind nss info = Yes
    winbind enum groups = Yes
    winbind cache time = 60