Samba share permissions simplified

by LinuxTitli on January 5, 2007 · 26 comments

Samba is free, open source software that implements networking protocols to share files between UNIX/Linux and Windows computers.

Samba provides:
=> File and print services
=> Integration with a Windows Server domain / PDC
=> Membership in an Active Directory domain, etc.

Permission precedence

Samba offers several kinds of permissions for a share. Keep a few things in mind about how UNIX and Samba permissions interact.
(a) Linux system permissions take precedence over Samba permissions. For example, if a directory does not have Linux write permission, setting writeable = Yes in Samba (see below) will not allow writes to the shared directory / share.

(b) Samba permissions cannot take priority over filesystem restrictions. For example, if the filesystem is mounted read-only, setting writeable = Yes will not allow writes to any shared directory or share via the Samba server.

In short (thanks to Craig; see the comment section below):
Limits set by kernel-level access control such as file permissions, file system mount options, ACLs, and SELinux policies cannot be overridden by Samba. Both the kernel and Samba must permit the user to perform an action on a file before that action can occur.
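
The kernel half of that rule can be checked before touching smb.conf. The following is an added example, not part of the original article: it walks from a starting directory down to the share and reports the first thing that would block a write. The function names, the start parameter and the uid/gid values are assumptions made for illustration.

```python
import os

def class_bits(st, uid, gids):
    """rwx bits (0-7) the kernel applies: owner class, else group, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def kernel_write_check(share_path, uid, gids, start="/"):
    """Return (allowed, reason) for creating files in share_path as uid/gids.

    Only classic mode bits and the read-only mount flag are examined; POSIX
    ACLs, SELinux labels and root's override are outside this check.
    share_path must be located under start.
    """
    share_path = os.path.realpath(share_path)
    start = os.path.realpath(start)
    rel = os.path.relpath(share_path, start)
    dirs = [start]
    for part in ([] if rel == "." else rel.split(os.sep)):
        dirs.append(os.path.join(dirs[-1], part))
    # Every directory above the share needs the execute (traverse) bit.
    for d in dirs[:-1]:
        if not (class_bits(os.stat(d), uid, gids) & 1):
            return False, f"no traverse (x) permission on {d}"
    # A read-only mount beats both the mode bits and writeable = Yes.
    if os.statvfs(share_path).f_flag & os.ST_RDONLY:
        return False, f"{share_path} is on a read-only mount"
    # Creating a file needs write and execute on the directory itself.
    if (class_bits(os.stat(share_path), uid, gids) & 3) != 3:
        return False, f"no write+execute permission on {share_path}"
    return True, "mode bits and mount options permit writes"

if __name__ == "__main__":
    # /home/shared/sales is the article's share path; uid/gid 1001 are constructed.
    try:
        print(kernel_write_check("/home/shared/sales", 1001, {1001}))
    except FileNotFoundError as exc:
        print("path not present on this host:", exc)
```

A result of True only means the mode bits and mount flags are not the obstacle; Samba's own share settings still have to allow the write.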

How do I set permissions to Samba shares?

The basic Samba permissions are as follows (the configuration file is smb.conf [/etc/samba/smb.conf]):

  • read only: This parameter controls whether a user has the ability to create or modify files within a share. This is the default.
  • guest ok: If this parameter is set to yes, users will have access to the share without
    having to enter a password. This can pose a security risk.
  • writeable: Specifies that users should have write access to the share.

You can create a share called helpfiles with read-only permission:
[helpfiles]
path = /usr/share/docs
read only = Yes

You can create a share called salesdoc with write permission:
[salesdoc]
path = /home/shared/sales
writeable = Yes

You can also give write access to a list of users with the write list option. For example, allow rocky and tony to write to the share called salesdoc:
[salesdoc]
path = /home/shared/sales
write list = rocky tony

You can also use the following options:

  • read list: This option accepts a list of usernames or a group as its value. Users will be given read-only access to the share.
  • valid users: You can make a share available to specific users. Usernames or group names can be passed on as its value.
  • invalid users: Users or groups listed will be denied access to this share.

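How these lists combine with read only and writeable, as an added example that is not from the original article: a small resolver following the rules documented in smb.conf(5) for plain usernames. The sample configuration is constructed, @group entries and [global] defaults are not handled, and the function names are hypothetical.

```python
import configparser
import re

# Constructed sample built on the article's share names; users are made up.
SAMPLE_CONF = """
[helpfiles]
path = /usr/share/docs
read only = Yes

[salesdoc]
path = /home/shared/sales
read only = Yes
write list = rocky tony
read list = tony
invalid users = mallory
"""

# "writeable", "writable" and "write ok" are inverted synonyms of "read only".
WRITE_SYNONYMS = ("writeable", "writable", "write ok")

def names(section, key):
    """Split a user-list value on spaces or commas."""
    return set(filter(None, re.split(r"[,\s]+", section.get(key, ""))))

def share_access(conf_text, share, user):
    """Return 'denied', 'read' or 'write' for user on share."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(conf_text)
    sec = cp[share]
    # invalid users wins over everything, including valid users.
    if user in names(sec, "invalid users"):
        return "denied"
    valid = names(sec, "valid users")
    if valid and user not in valid:
        return "denied"
    read_only = True  # Samba's default for a share
    for key, value in sec.items():
        yes = value.strip().lower() in ("yes", "true", "1")
        if key == "read only":
            read_only = yes
        elif key in WRITE_SYNONYMS:
            read_only = not yes
    # write list grants write whatever read only says, and beats read list.
    if user in names(sec, "write list"):
        return "write"
    if user in names(sec, "read list"):
        return "read"
    return "read" if read_only else "write"
```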
Samba mask permission

It is also possible to specify Samba's default file creation permissions using a mask.

  • create mask: This option is set using an octal value when setting permissions for files.
  • directory mask: Directories must have the execute bit for proper access. The default is 0755.

[salesdoc]
path = /home/shared/sales
write list = rocky sys
create mask = 0775

{ 26 comments… read them below or add one }

1 _ranger_ January 17, 2007

Instead of keeping your access controls in the samba configuration (write list =), rather apply unix permissions (eg create groups etc. etc.). Then, the access controls will apply when you (eventually) use services besides samba (e.g. NFS, web servers or webdav etc. etc.).


2 Chaitanya Parekh March 12, 2011

Please explain in more detail or add some links where we can see some examples of this.


3 nixcraft January 17, 2007

_ranger_,

You’ve raised some good points

Appreciate your post.


4 Craig Ringer February 3, 2007

(b) is wrong:

“(b) The filesystem permission cannot be take priority over Samba permission.”

I think you meant “Samba can not override limits set by file system mount options.”.

Strictly, you can just combine (a) and (b) into:

“Limits set by kernel-level access control such as file permissions, file system mount options, ACLs, and SELinux policies cannot be overridden by Samba. Both the kernel and Samba must permit the user to perform an action on a file before that action can occur.”


5 Hugh Grant February 6, 2007

The range of settable parameters in Samba is confusing to me. For example if I set
writable = yes
read only = yes
what happens? Hopefully an error. But if
writable = no
write list = peter paul
Does paul get write access? Presumably mary only gets read access.


6 Mukund February 14, 2007

Guys,
I have a problem trying to communicate with a Samba server set up on Fedora Core 4 from my Windows XP machine.
I see only the folders and there are no files.
I don't even get to see them on my Windows PC when I try to access the corresponding Samba-related folders…
Any idea? Kindly help :)


7 nixcraft February 15, 2007

@Hugh,

If user peter paul is in both the read list and the write list then they will be given write access.

If the connecting user is in this list then they will be given write access, no matter what the read only option is set to.

However in your specific example peter or paul will not get write access and writable is specifically set to NO.


8 nixcraft February 15, 2007

Mukund,

Can you paste your smb.conf file (or better use our forum nixcraft.com for more info)


9 nixcraft February 15, 2007

@Craig,

Yes, you are right. I will update this article to point to your comment.

Appreciate your post.


10 hmcentury May 5, 2007

I have joined Linux to the Windows domain. Now I can log in to Samba from a Windows client. But I get an “Access Denied” message when I manage the share ACL using remote management. I don’t know why. How do I control the Samba share ACL in smb.conf?

How do I simulate Windows ACLs in Samba?

What’s your email? I have other questions I want to ask.


11 Sharad July 19, 2008

Can you help me with creating an access list/ ip table as how to provide permissions to samba share for specific systems with specific ip addresses


12 Mustafa February 18, 2009

I have the same problem, I have set my simple samba server in SUSE Linux and put the smb.conf file as follows

[global]
workgroup = ftpgrp
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
security = user
encrypt passwords = yes
local master = yes
writable = yes
passdb backend = smbpasswd
domain master = yes
preferred master = yes
os level = 2
wins support = yes
[output]
comment = Network Profiles Service
path = /rbidata/RBIPublic/output/
write list = tigocdr
store dos attributes = Yes
create mask = 0600
directory mask = 0777
browseable = yes
guest ok = no
printable = no
[bak]
comment = Network Profiles Service
path = /rbidata/RBIPublic/bak/
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
browseable = yes
guest ok = no
printable = no
but still the user “tigocdr” can not write to output directory
why??


13 Jon Cage March 30, 2009

@Mustafa: What permissions are set on /rbidata/RBIPublic/output/ and who owns that directory and/or whatever it is you’re trying to write to?


14 V.Balaviswanathan April 27, 2009

Hi NixCraft,

I have a doubt. I have configured Samba on Ubuntu 9.04 and I am able to connect to Windows properly but not with Linux (Ubuntu 9.04), and moreover the users must be able to create a folder, and each time I connect to this share it must request a password. Kindly help me please. I would be thankful to you.


15 CaliforniaRobert July 24, 2010

@V.Balaviswanathan: It’s obviously been 15 months since you asked your question, I hope that you resolved this.
I know under Windows XP/Vista (Probably NT/2000/7 as well), if you’re connecting by mapping a drive letter, in the window for selecting the drive letter and the share to connect to, click the hyperlink that says something close to “Connect under a different Username”. It will then pop up another window that will allow you to specify the username and password for the samba share.
If you don’t, it will let you connect, as it will pop up a similar window when you try to actually connect, but it won’t save the username or password.
I know this will definitely stop it from asking about the username, though I only have had this going for 2 days, and on some of my machines, it’s still wanting a password, but apparently not all. I think it’s a Windows thing about it storing the password or not.
If anyone else has more to add, please feel free.


16 Marcelo October 1, 2009

Hi.

Thanks for this tutorial
If someone needs to get deeper, I recommend:
http://oreilly.com/catalog/samba/chapter/book/ch06_02.html
cheers


17 jamin June 6, 2010

I found today that users must have permissions on the Linux side recursively from the root to be able to “get into” a folder. This caused me much pain.


18 Paul July 25, 2010

after 2 weeks of problems with samba – i’ve figured out the problem.

If trying to access folders in SAMBA share from windows machine, you get the error message “Windows cannot access “insert samba share”"

You do not have permission to access “samba share”. Contact your network administrator to request access.

It is to do with the linux permissions on the folders in the samba share,

right click on the folder -> properties -> permissions

under group and folder access this had defaulted to none

change to create and delete files and apply permissions to enclosed files

cheer!


19 Alijohn September 28, 2010

In my system I’m using Ubuntu 10.04. When I try to share a folder, it is shared as read-only to Windows systems. Even if I go to a terminal and type /etc/samba/smb.conf, the result is permission denied. What can I do now? Anyone, please.


20 Randy December 10, 2010

Alijohn, with regard to your problem:
just type sudo /etc/samba/smb.conf
It will ask for a password before it executes the command. After that, you can modify the file.

Always use sudo before your command.

Or, best, type: sudo su
With this, the next time you run any command, you do not need to type sudo anymore, because you’re running your Ubuntu as root.


21 Chaitanya Parekh March 12, 2011

hey randy
you skipped the mention of text editor in your command

you said its
sudo /etc/samba/smb.conf

it should rather be
sudo nano /etc/samba/smb.conf

where nano is a text editor in linux you can also use vi or any other text editor of your convenience.


22 Leopoldo March 11, 2011

Hi there
I’m new to the Samba world…. Where does Samba save the user permissions for the folders? Which path / file?

Thanks in advance


23 Mike March 25, 2011

Samba permissions are set up in smb.conf for each share, not on specific folders or files. That should (and must) be done in Linux/UNIX.


24 fayaz July 6, 2011

hi,
I have a ViXS SOC which runs an embedded Linux and a Linux server. I want to mount a particular directory on the embedded device on to the server. When I try the below command I get Permission denied, though I have set permission to 777.
mount -o nolock linux_pc_ip:/home/user /nfs
The above command is run from the embedded linux through tera term.
Can someone please help me?


25 steve December 21, 2011

Had a lot of problems with final step, CENT OS 6, trying to share a folder, i got windows to see it, and open it..but still not writable under any changes to SMB.CONF, anyone experiencing this same issue. after a lot of searching, came up with this fix,

chcon -R -t samba_share_t /media

as to why it works, well I’m a beginner, but the new version of LINUX os, has extra layer of security, and this command fixes it. hope it helps someone else,

writable issues that don’t make sense use this command.


26 Roger January 2, 2012

Steve, you’re a life saver! That was EXACTLY the problem I was having and the command you mentioned fixed it. Thank you, thank you, thank you!
