Samba share permissions simplified

January 5, 2007 · 41 comments · Last updated February 15, 2007


Samba is a free, open source implementation of networking protocols for sharing files between UNIX/Linux and Windows computers.

Samba provides:

  • File and print services
  • Integration with a Windows Server domain / PDC
  • Can be part of an Active Directory domain, etc.

Permission precedence

Samba comes with different types of permissions for a share. Keep a few things in mind about UNIX and Samba permissions:

(a) Linux system permissions take precedence over Samba permissions. For example, if a directory does not have Linux write permission, setting writeable = Yes in Samba (see below) will not allow writing to the shared directory / share.

(b) Samba permissions cannot take priority over filesystem mount options. For example, if a filesystem is mounted read-only, setting writeable = Yes will not allow writing to any shared directory or share via the Samba server.

In short (thanks to Craig; see the comment section below):
Limits set by kernel-level access control such as file permissions, file system mount options, ACLs, and SELinux policies cannot be overridden by Samba. Both the kernel and Samba must permit the user to perform an action on a file before that action can occur.

How do I set permissions to Samba shares?

The basic Samba permissions are as follows (the configuration file is smb.conf [/etc/samba/smb.conf]):

  • read only: This parameter controls whether a user has the ability to create or modify files within a share. This is the default.
  • guest ok: If this parameter is set to yes, users will have access to the share without
    having to enter a password. This can pose a security risk.
  • writeable: Specifies that users should have write access to the share.

You can create a share called helpfiles with read-only permission:
[helpfiles]
path = /usr/share/docs
read only = Yes

You can create a share called salesdoc with write permission:
[salesdoc]
path = /home/shared/sales
writeable = Yes

You can also list the users who get write access to the share with the write list option. For example, allow rocky and tony to write to the share called salesdoc:
[salesdoc]
path = /home/shared/sales
write list = rocky tony

You can also use the following options:

  • read list: This option accepts a list of usernames or a group as its value. Users will be given read-only access to the share.
  • valid users: You can make a share available to specific users. Usernames or group names can be passed on as its value.
  • invalid users: Users or groups listed will be denied access to this share.

Samba mask permission

It is also possible to specify Samba's default file creation permissions using a mask.

  • create mask: This option is set using an octal value when setting permissions for files.
  • directory mask: Directories must have the execute bit for proper access. The default value is 0755.

[salesdoc]
path = /home/shared/sales
write list = rocky sys
create mask = 0775
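
The precedence rules above, worked through as an added example (not code from the original article or from the Samba project): it evaluates what smb.conf alone grants a user on a share, then narrows that by the kernel-level check. The function names, the constructed sample config (including the invalid users line and the user mallory), and the restriction to plain usernames and owner/group/other mode bits are assumptions made for illustration.

```python
import configparser
import stat
# Constructed sample based on the share definitions shown on this page.
SAMPLE_CONF = """
[helpfiles]
path = /usr/share/docs
read only = Yes

[salesdoc]
path = /home/shared/sales
read only = Yes
write list = rocky tony
invalid users = mallory
"""

WRITE_SYNONYMS = ("writeable", "writable", "write ok")  # inverted "read only"

def _names(value):
    """Split a Samba user list on spaces/commas (@group syntax not handled)."""
    return set(value.replace(",", " ").split())

def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def samba_access(conf_text, share, user):
    """Return 'none', 'read' or 'write' as smb.conf alone would grant."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp[share]
    if user in _names(sec.get("invalid users", "")):
        return "none"                      # invalid users wins over valid users
    valid = _names(sec.get("valid users", ""))
    if valid and user not in valid:
        return "none"
    read_only = True                       # Samba's default
    for key, value in sec.items():         # synonyms: the last one set wins
        if key == "read only":
            read_only = _yes(value)
        elif key in WRITE_SYNONYMS:
            read_only = not _yes(value)
    if user in _names(sec.get("write list", "")):
        return "write"                     # overrides read only and read list
    if user in _names(sec.get("read list", "")):
        return "read"
    return "read" if read_only else "write"

def unix_can_write(mode, owner_uid, owner_gid, uid, gids):
    """Classic owner/group/other write check (no root, ACL or SELinux handling)."""
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def effective_access(samba, kernel_write_ok, mounted_read_only=False):
    """Both layers must agree: the kernel can only narrow what Samba grants."""
    if samba == "write" and (mounted_read_only or not kernel_write_ok):
        return "read"
    return samba
```

On a live server, testparm shows the parsed share settings and ls -ld on the share path shows the mode bits to feed into the second check.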


{ 41 comments… read them below or add one }

1 _ranger_ January 17, 2007 at 9:02 am

Instead of keeping your access controls in the samba configuration (write list =), rather apply unix permissions (eg create groups etc. etc.). Then, the access controls will apply when you (eventually) use services besides samba (e.g. NFS, web servers or webdav etc. etc.).

Reply

2 Chaitanya Parekh March 12, 2011 at 6:41 am

Please explain in more details or add some links where we can see some examples of this

Reply

3 Gern March 16, 2011 at 2:02 pm

sorry if this sounds trollish, but, google.

Reply

4 nixCraft January 17, 2007 at 10:25 pm

_ranger_,

You’ve raised some good points

Appreciate your post.

Reply

5 Craig Ringer February 3, 2007 at 8:53 pm

(b) is wrong:

“(b) The filesystem permission cannot be take priority over Samba permission.”

I think you meant “Samba can not override limits set by file system mount options.”.

Strictly, you can just combine (a) and (b) into:

“Limits set by kernel-level access control such as file permissions, file system mount options, ACLs, and SELinux policies cannot be overridden by Samba. Both the kernel and Samba must permit the user to perform an action on a file before that action can occur.”

Reply

6 Hugh Grant February 6, 2007 at 7:31 pm

The range of settable parameters in Samba is confusing to me. For example if I set
writable = yes
read only = yes
what happens? hopefully an error. But if
writable = no
write list = peter paul
Does paul get write access? Presumably mary only gets read access.

Reply

7 Archonic June 27, 2013 at 4:21 pm

Use testparm /etc/samba/smb.conf to test your syntax and get the permissions results.

Reply

8 Mukund February 14, 2007 at 2:52 pm

Guys,
I have a problem trying to communicate with samba server setup on Fedora core 4 from my windows xp machine..
I see only the folders and there are no files
I don't get to even see them on my windows PC when I try to access the corresponding samba related folders…
Any idea..Kindly help :)

Reply

9 nixCraft February 15, 2007 at 4:30 am

@Hugh,

If user peter paul is in both the read list and the write list then they will be given write access.

If the connecting user is in this list then they will be given write access, no matter what the read only option is set to.

However in your specific example peter or paul will not get write access and writable is specifically set to NO.

Reply

10 nixCraft February 15, 2007 at 4:32 am

Mukund,

Can you paste your smb.conf file (or better use our forum nixcraft.com for more info)

Reply

11 nixCraft February 15, 2007 at 4:35 am

@Craig,

Yes, you are right. I will update this article to point to your comment.

Appreciate your post.

Reply

12 hmcentury May 5, 2007 at 3:51 am

I have had linux joined the windows domain. Now I can log in the samba from windows client. But I get a message “Access Denied” when I manage the share ACL using remote management. I don’t know why. How to control the samba share acl in the smb.conf?

How to simulate the ACL of windows in samba?

What’s your Email? I have some other questions I wanted to know.

Reply

13 Sharad July 19, 2008 at 10:39 am

Can you help me with creating an access list/ ip table as how to provide permissions to samba share for specific systems with specific ip addresses

Reply

14 Mustafa February 18, 2009 at 9:08 am

I have the same problem, I have set my simple samba server in SUSE Linux and put the smb.conf file as follows

[global]
workgroup = ftpgrp
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
security = user
encrypt passwords = yes
local master = yes
writable = yes
passdb backend = smbpasswd
domain master = yes
preferred master = yes
os level = 2
wins support = yes
[output]
comment = Network Profiles Service
path = /rbidata/RBIPublic/output/
write list = tigocdr
store dos attributes = Yes
create mask = 0600
directory mask = 0777
browseable = yes
guest ok = no
printable = no
[bak]
comment = Network Profiles Service
path = /rbidata/RBIPublic/bak/
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
browseable = yes
guest ok = no
printable = no
but still the user “tigocdr” can not write to output directory
why??

Reply

15 Jon Cage March 30, 2009 at 11:00 pm

@Mustafa: What permissions are set on /rbidata/RBIPublic/output/ and who owns that directory and/or whatever it is you’re trying to write to?

Reply

16 V.Balaviswanathan April 27, 2009 at 1:12 pm

Hi NixCraft,

I have a doubt I have configured samba on Ubuntu 9.04 and i am able to connect to windows properly but not with Linux (ubuntu 9.04) and moreover the users must be able to create a folder and each time when I connect to this share , it must request for a password. Kindly help me please.I would be thankful to you

Reply

17 CaliforniaRobert July 24, 2010 at 6:19 pm

@V.Balaviswanathan: It’s obviously been 15 months since you asked your question, I hope that you resolved this.
I know under Windows XP/Vista (Probably NT/2000/7 as well), if you’re connecting by mapping a drive letter, in the window for selecting the drive letter and the share to connect to, click the hyperlink that says something close to “Connect under a different Username”. It will then pop up another window that will allow you to specify the username and password for the samba share.
If you don’t, it will let you connect, as it will pop up a similar window when you try to actually connect, but it won’t save the username or password.
I know this will definitely stop it from asking about the username, though I only have had this going for 2 days, and on some of my machines, it’s still wanting a password, but apparently not all. I think it’s a Windows thing about it storing the password or not.
If anyone else has more to add, please feel free.

Reply

18 Marcelo October 1, 2009 at 3:32 pm

Hi.

Thanks for this tutorial
If someone needs to get deeper, I recommend:
http://oreilly.com/catalog/samba/chapter/book/ch06_02.html
cheers

Reply

19 jamin June 6, 2010 at 2:12 pm

I found today that users must have permissions on Linux side recursively from the root to be able to “get into” a folder. This caused me much pain

Reply

20 Paul July 25, 2010 at 1:29 pm

after 2 weeks of problems with samba – i’ve figured out the problem.

If trying to access folders in SAMBA share from windows machine, you get the error message “Windows cannot access “insert samba share”"

You do not have permission to access “samba share”. Contact your network administrator to request access.

It is to do with the linux permissions on the folders in the samba share,

right click on the folder -> properties -> permissions

under group and folder access this had defaulted to none

change to create and delete files and apply permissions to enclosed files

cheer!

Reply

21 Alijohn September 28, 2010 at 5:30 am

In my system I’m using ubuntu 10.04. In that, while I’m trying to share the folder, it is sharing as read only file over windows systems. Even if I go to terminals and type ?etc/samba/smb.conf the result is permission denied.. what can I do now.. anyone pls.

Reply

22 Randy December 10, 2010 at 3:55 am

Alijohn, with regards to your problem..
just type sudo /etc/samba/smb.conf
it will ask for a password before it will execute the command. After that, you can modify the file.

always use sudo before your command.

or best you type: sudo su
with this, the next time you run any command, you do not need to type sudo anymore, because you're running your ubuntu with that as root.

Reply

23 Chaitanya Parekh March 12, 2011 at 6:50 am

hey randy
you skipped the mention of text editor in your command

you said it's
sudo /etc/samba/smb.conf

it should rather be
sudo nano /etc/samba/smb.conf

where nano is a text editor in linux you can also use vi or any other text editor of your convenience.

Reply

24 Leopoldo March 11, 2011 at 2:40 pm

Hi there
I'm new in the Samba world…. Where does samba save the user permissions to the folders? Which path / file?

Thanks in advance

Reply

25 Mike March 25, 2011 at 12:19 pm

samba permissions are set up in smb.conf for each share, not on specific folders or files. That should (and must) be done in linux/unix.

Reply

26 Peter May 21, 2011 at 6:26 am

PROBLEM WITH GROUP PERMISSION
- Ubuntu 10.04 Server, included Samba server
- e.g.: user xx writes a file or makes a directory, permission user:group is set to xx:xx
user yy can enter the directory and read the file. but cannot write a file
because he has got no group rights.
if yy makes a directory, xx cannot …
- the problem arises because there is always a group xx generated. I would like to
have xx and yy and any other user generating permissions with
xx:sambashare or xx:users.
- if I change the rights from xx:xx or yy:yy to xx:sambashare or yy:sambashare (xx and yy are members of the group sambashare) then everything works fine.

so: HOW CAN I MAKE SAMBA GENERATE A PREDEFINED GROUP for any user ?

Reply

27 fayaz July 6, 2011 at 5:08 am

hi,
I have a ViXS SOC which runs an embedded linux and Linux server. I want to mount a particular directory on the embedded device on to the server. When I try the below command I get Permission denied, though I have set permission to 777.
mount -o nolock linux_pc_ip:/home/user /nfs
The above command is run from the embedded linux through tera term.
Can someone please help me?

Reply

28 steve December 21, 2011 at 12:54 am

Had a lot of problems with final step, CENT OS 6, trying to share a folder, i got windows to see it, and open it..but still not writable under any changes to SMB.CONF, anyone experiencing this same issue. after a lot of searching, came up with this fix,

chcon -R -t samba_share_t /media

as to why it works, well I’m a beginner, but the new version of LINUX os, has extra layer of security, and this command fixes it. hope it helps someone else,

writable issues that don’t make sense use this command.

Reply

29 Roger January 2, 2012 at 10:55 pm

Steve, you’re a life saver! That was EXACTLY the problem I was having and the command you mentioned fixed it. Thank you, thank you, thank you!

Reply

30 nkent August 23, 2012 at 5:03 pm

Not working for me!
I believe this has something to do with SELinux; I’m running openSUSE 11.4 and I thought it uses SELinux too.
I successfully used Samba shares previously with openSUSE 10.* and just tried recently on 11.4.
Trying to setup guest share, read only and I get the following:
1. /srv/shared/ – either asking for user/pwd and rejecting or directly Access Denied or it connects but no file is visible (depending on client OS or SMB settings).
2. /home/user1/srv/shared/ – works as expected (per SMB settings).
Tried all kind of different settings in Samba but made no difference (forced users, groups, acl changes, etc.).
Changed all permissions to “user1/users” on /srv/shared – still NG.
Since /srv is an actual HDD I just changed the mount point to /home/user1/srv and then it works.
Question: Why directories with same exact permissions are shared differently, depending on the mount point and how to deal with that in Samba?
Thanks in advance,
nick

Reply

31 TheOmegaShadow June 5, 2013 at 8:43 am

SELinux is exactly the problem for most people. chcon fixes lots of things where selinux is stepping in the way of access to files.

if you do:
# ls -Z
this will show any se linux contexts on files and directories
so you can recursively assign them by doing:
# chcon -R -t the_selinux_contex_t /destination/file/directory

I find it’s a good thing to do at the end of your checklist when making changes etc.

Reply

32 John March 24, 2012 at 12:59 pm

Hi All,

Is it possible for users to have access to password protected shares using User name and a password but WITHOUT having a Linux account defined?

John.

Reply

33 sandeep May 29, 2012 at 5:41 am

hi ,
iam sharing different shares in samba. so this all folders should be viewed by a single user. so how to configure this?

Reply

34 Adam July 25, 2012 at 6:58 pm

Let me preface this with I'm a Windows guy, have very little knowledge about Linux aside from the nefarious stuff we learned about in my ethical hacking class dealing with backtrack5

So I have a Linux/Samba file server that is holding my company’s patients' records. I did not set this up, but so far it's been holding the files people needed to access and there hasn’t been much of an issue.
Recently, someone will randomly start getting a “pathway blah blah…access is denied”. But when it happens, it's only ever the few most recent files regarding some random patient.
I started by going into the LDAP Account Manager and adding the clinician to a higher privilege group, as I don't feel comfortable adjusting permissions via Linux CLI. Well, I now have some clinicians that are in the administrator groups now (with myself) and are unable to access certain clients.
So far, every time there has been this issue, I have been able to go in and access the files under my credentials and so this is making zero sense to me.
I have a new Windows SBS 2011 server that I might just be migrating the Linux server files over to if I can't figure this out, but I would like to be able to keep this file server up and running, as we’ve had zero problem with it (aside from the aforementioned permission issue) in the 6 months I’ve been here.
Any help would be greatly appreciated, and if that help involves me CLI’n in Linux, I'll need it literally spelled out.
Thanks!

Reply

35 Florin December 12, 2012 at 2:39 pm

I’ve struggled with permission from samba a few hours until I remembered to change system permissions with chmod…
Nice topic

Reply

36 joe January 16, 2013 at 8:05 pm

Do tell us oh-so-ignorant people how we can be allowed to write to our share as well. Guest = no does not lead to a login prompt !!! writable = yes is not it either, chmod blah blah blah – Still the same old Linux disease, which is why everyone keeps using Windows. I would like to get away from it, but after a short time I thank Bill on my knees for Windows when I see this Linux crap.

Reply

37 NK February 2, 2013 at 7:07 pm

I have a samba share /dev/Disk1 set up. There is a folder on Disk1 called backed (Disk1/Backup). How do i make it so that a certain user (say user1) can access and see the folder, but another user (user2) cannot access the folder (or can’t see the folder and also cant access it).

For now what i’ve done is in my Disk1 share specifically said veto files = /Disk1/Backup
and then Set up a separate share in Samba config for Disk1/Backup folder in which my user (user1) is the only user allowed to access it.

Is there a way to mix the veto files command with something else so that i don’t need to create a separate share and can just allow user1 to access the veto’ed share?

Reply

38 Shashi Bhushan June 13, 2013 at 5:48 pm

Hello All,
It was really frustrating when I was not able to write or create folder on the server side share from windows 7. Reason SELINUX policies (^_^)

If you create a new directory you want to share you should mark it as
“samba_share_t” so that selinux will let you write into it. So, please make changes to your share i.e. something like below:

#chcon -t samba_share_t /path (where /path is your shared path on the server). Hope this helps all. Thanks!

Reply

39 om July 10, 2013 at 6:21 am

@Mustafa
For your issue, give writeable = yes on the output share.
Hope this will work.

Reply

40 sreek's August 7, 2013 at 8:14 am

@nixcraft
i want to know how to install swat and working with swat

Reply

41 Hades August 16, 2013 at 9:53 am

Hi everyone!!
I’m testing the samba server but I have this problem. When I try to share one folder that multiple users can access, it is ok. But when I try this (e.g. I have 1 folder that contains 3 sub folders MRS/aa/bb/cc and I have 3 users user1,2,3. Now I want user 1 to access all folders aa,bb,cc but the other users to access only their folder, I mean user2 can access bb & user3 can access cc), how can I do that????? I tried write list / read list / valid user but it didn’t work. Now I can’t even access my Home folder MRS. When I try one folder with all writable permission for all users, everything is ok. But when I try to configure multiple permissions I can’t :(. So, if anyone knows what my problem is, pls kindly reply to my mail htoo.mtth@gmail.com because I found this website while trying to solve that problem. So, I’m not sure I’ll be here again. Pls, if you explain the detailed configuration by mail I’ll appreciate it.

Reply
