Samba share permissions simplified

Posted on January 5, 2007 · 33 comments · Last updated February 15, 2007

Samba is a free, open source implementation of networking protocols for sharing files between UNIX/Linux and Windows computers.

Samba provides:

  • File and print services
  • Integration with a Windows Server domain / PDC
  • The ability to be part of an Active Directory domain, etc.

Permission precedence

Samba comes with different types of permissions for a share. Keep a few things in mind about UNIX and Samba permissions.
(a) Linux system permissions take precedence over Samba permissions. For example, if a directory does not have Linux write permission, setting writeable = Yes in Samba (see below) will not allow writing to the shared directory / share.

(b) Samba permissions cannot take priority over filesystem mount options. For example, if a filesystem is mounted read-only, setting writeable = Yes will not allow writing to any shared directory or share on it via the Samba server.

In short (thanks to Craig [see below in comment section]) :
Limits set by kernel-level access control such as file permissions, file system mount options, ACLs, and SELinux policies cannot be overridden by Samba. Both the kernel and Samba must permit the user to perform an action on a file before that action can occur.

How do I set permissions to Samba shares?

The basic Samba permissions are as follows (the configuration file is smb.conf [/etc/samba/smb.conf]):

  • read only: When set to yes, users cannot create or modify files within the share. This is the default.
  • guest ok: If this parameter is set to yes, users will have access to the share without having to enter a password. This can pose a security risk.
  • writeable: Specifies that users should have write access to the share. It is the inverse of read only.

You can create a share called helpfiles with read-only permission:
[helpfiles]
path = /usr/share/docs
read only = Yes

You can create a share called salesdoc with write permission:
[salesdoc]
path = /home/shared/sales
writeable = Yes

You can also list the users who should get write access to the share with the write list option. For example, allow rocky and tony to write to the share called salesdoc:
[salesdoc]
path = /home/shared/sales
write list = rocky tony

You can also use the following options:

  • read list: This option accepts a list of usernames or a group as its value. Users will be given read-only access to the share.
  • valid users: You can make a share available to specific users. Usernames or group names can be passed on as its value.
  • invalid users: Users or groups listed will be denied access to this share.
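
Added example (not from the original article, and not Samba's own code): a Python model of how the options above combine with each other and with the UNIX mode bits of the shared directory. The user mallory, the group managers and all function names are made up; it understands only @group list entries and plain mode bits, and ignores root, ACLs, SELinux and mount options.

```python
# Constructed sample share; mallory and the managers group are made up.
SMB_CONF = """
[salesdoc]
read only = yes
write list = rocky @managers
invalid users = mallory
"""
YES = {"yes", "true", "1"}

def parse_share(text, name):
    """Collect the parameters of one [share] section into a dict."""
    params, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == name and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in ("writeable", "writable"):  # inverted synonyms
                key, value = "read only", "no" if value.lower() in YES else "yes"
            params[key.lower()] = value
    return params

def listed(value, user, groups):
    """True if the user, or one of the user's groups as @group, is in the list."""
    names = value.replace(",", " ").split()
    return user in names or any("@" + g in names for g in groups)

def samba_access(share, user, groups=()):
    """Samba-side answer for one share: 'none', 'read' or 'write'."""
    valid = share.get("valid users", "")
    if listed(share.get("invalid users", ""), user, groups) or (
            valid and not listed(valid, user, groups)):
        return "none"  # invalid users wins over valid users
    if listed(share.get("write list", ""), user, groups):
        return "write"  # write list wins over read only and read list
    if listed(share.get("read list", ""), user, groups):
        return "read"
    return "read" if share.get("read only", "yes").lower() in YES else "write"

def kernel_can_write(mode, owner, group, user, groups=()):
    shift = 6 if user == owner else 3 if group in groups else 0  # owner, group or other bits
    return (mode >> shift) & 0o3 == 0o3  # creating a file needs w and x on the directory

def effective_write(share, mode, owner, group, user, groups=()):
    """A write succeeds only when Samba and the kernel both allow it."""
    return (samba_access(share, user, groups) == "write"
            and kernel_can_write(mode, owner, group, user, groups))

SHARE = parse_share(SMB_CONF, "salesdoc")
```

With this share, effective_write(SHARE, 0o755, "root", "root", "rocky") is False even though rocky is in the write list, because the directory's mode bits give "other" no write permission.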

Samba mask permission

It is also possible to specify the default permissions Samba gives to newly created files and directories using a mask.

  • create mask: This option is set using an octal value when setting permissions for files.
  • directory mask: Directories must have the execute bit for proper access. The default value is 0755.

[salesdoc]
path = /home/shared/sales
write list = rocky sys
create mask = 0775



{ 33 comments… read them below or add one }

1 _ranger_ January 17, 2007 at 9:02 am

Instead of keeping your access controls in the samba configuration (write list =), rather apply unix permissions (eg create groups etc. etc.). Then, the access controls will apply when you (eventually) use services besides samba (e.g. NFS, web servers or webdav etc. etc.).

Reply

2 Chaitanya Parekh March 12, 2011 at 6:41 am

Please explain in more detail or add some links where we can see some examples of this.

Reply

3 nixcraft January 17, 2007 at 10:25 pm

_ranger_,

You’ve raised some good points

Appreciate your post.

Reply

4 Craig Ringer February 3, 2007 at 8:53 pm

(b) is wrong:

“(b) The filesystem permission cannot be take priority over Samba permission.”

I think you meant “Samba can not override limits set by file system mount options.”.

Strictly, you can just combine (a) and (b) into:

“Limits set by kernel-level access control such as file permissions, file system mount options, ACLs, and SELinux policies cannot be overridden by Samba. Both the kernel and Samba must permit the user to perform an action on a file before that action can occur.”

Reply

5 Hugh Grant February 6, 2007 at 7:31 pm

The range of settable parameters in Samba is confusing to me. For example if I set
writable = yes
read only = yes
what happens? hopefully an error. But if
writable = no
write list = peter paul
Does paul get write access? Presumably mary only gets read access.

Reply

6 Mukund February 14, 2007 at 2:52 pm

Guys,
I have a problem trying to communicate with a Samba server set up on Fedora Core 4 from my Windows XP machine.
I see only the folders and there are no files.
I don’t even get to see them on my Windows PC when I try to access the corresponding Samba-related folders…
Any idea? Kindly help :)

Reply

7 nixcraft February 15, 2007 at 4:30 am

@Hugh,

If user peter paul is in both the read list and the write list then they will be given write access.

If the connecting user is in this list then they will be given write access, no matter what the read only option is set to.

However in your specific example peter or paul will not get write access and writable is specifically set to NO.

Reply

8 nixcraft February 15, 2007 at 4:32 am

Mukund,

Can you paste your smb.conf file (or better, use our forum nixcraft.com for more info)?

Reply

9 nixcraft February 15, 2007 at 4:35 am

@Craig,

Yes, you are right. I will update this article to point to your comment.

Appreciate your post.

Reply

10 hmcentury May 5, 2007 at 3:51 am

I have joined Linux to the Windows domain. Now I can log in to Samba from a Windows client. But I get the message “Access Denied” when I manage the share ACL using remote management. I don’t know why. How do I control the Samba share ACL in smb.conf?

How do I simulate the Windows ACL in Samba?

What’s your email? I have more questions I want to know about.

Reply

11 Sharad July 19, 2008 at 10:39 am

Can you help me with creating an access list/ ip table as how to provide permissions to samba share for specific systems with specific ip addresses

Reply

12 Mustafa February 18, 2009 at 9:08 am

I have the same problem, I have set my simple samba server in SUSE Linux and put the smb.conf file as follows

[global]
workgroup = ftpgrp
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
security = user
encrypt passwords = yes
local master = yes
writable = yes
passdb backend = smbpasswd
domain master = yes
preferred master = yes
os level = 2
wins support = yes
[output]
comment = Network Profiles Service
path = /rbidata/RBIPublic/output/
write list = tigocdr
store dos attributes = Yes
create mask = 0600
directory mask = 0777
browseable = yes
guest ok = no
printable = no
[bak]
comment = Network Profiles Service
path = /rbidata/RBIPublic/bak/
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
browseable = yes
guest ok = no
printable = no
but still the user “tigocdr” can not write to output directory
why??

Reply

13 Jon Cage March 30, 2009 at 11:00 pm

@Mustafa: What permissions are set on /rbidata/RBIPublic/output/ and who owns that directory and/or whatever it is you’re trying to write to?

Reply

14 V.Balaviswanathan April 27, 2009 at 1:12 pm

Hi NixCraft,

I have a doubt. I have configured Samba on Ubuntu 9.04 and I am able to connect to Windows properly but not with Linux (Ubuntu 9.04), and moreover the users must be able to create a folder, and each time I connect to this share, it must request a password. Kindly help me please. I would be thankful to you.

Reply

15 CaliforniaRobert July 24, 2010 at 6:19 pm

@V.Balaviswanathan: It’s obviously been 15 months since you asked your question, I hope that you resolved this.
I know under Windows XP/Vista (Probably NT/2000/7 as well), if you’re connecting by mapping a drive letter, in the window for selecting the drive letter and the share to connect to, click the hyperlink that says something close to “Connect under a different Username”. It will then pop up another window that will allow you to specify the username and password for the samba share.
If you don’t, it will let you connect, as it will pop up a similar window when you try to actually connect, but it won’t save the username or password.
I know this will definitely stop it from asking about the username, though I only have had this going for 2 days, and on some of my machines, it’s still wanting a password, but apparently not all. I think it’s a Windows thing about it storing the password or not.
If anyone else has more to add, please feel free.

Reply

16 Marcelo October 1, 2009 at 3:32 pm

Hi.

Thanks for this tutorial
If someone needs to get deeper, I recommend:
http://oreilly.com/catalog/samba/chapter/book/ch06_02.html
cheers

Reply

17 jamin June 6, 2010 at 2:12 pm

I found today that users must have permissions on the Linux side recursively from the root to be able to “get into” a folder. This caused me much pain.

Reply

18 Paul July 25, 2010 at 1:29 pm

after 2 weeks of problems with samba – i’ve figured out the problem.

If trying to access folders in SAMBA share from windows machine, you get the error message “Windows cannot access “insert samba share”"

You do not have permission to access “samba share”. Contact your network administrator to request access.

It is to do with the linux permissions on the folders in the samba share,

right click on the folder -> properties -> permissions

under group and folder access this had defaulted to none

change to create and delete files and apply permissions to enclosed files

cheer!

Reply

19 Alijohn September 28, 2010 at 5:30 am

In my system I’m using Ubuntu 10.04. When I try to share a folder, it is shared as a read-only file to Windows systems. Even if I go to a terminal and type ?etc/samba/smb.conf the result is permission denied. What can I do now? Anyone, please.

Reply

20 Randy December 10, 2010 at 3:55 am

Alijohn, with regard to your problem:
just type sudo /etc/samba/smb.conf
It will ask for a password before it executes the command. After that, you can modify the file.

Always use sudo before your command.

Or, best, you type: sudo su
With this, the next time you run any command, you no longer need to type sudo, because you’re running your Ubuntu with that as root.

Reply

21 Chaitanya Parekh March 12, 2011 at 6:50 am

hey randy
you skipped the mention of text editor in your command

you said its
sudo /etc/samba/smb.conf

it should rather be
sudo nano /etc/samba/smb.conf

where nano is a text editor in linux you can also use vi or any other text editor of your convenience.

Reply

22 Leopoldo March 11, 2011 at 2:40 pm

Hi there
I’m new to the Samba world… Where does Samba save the user permissions for the folders? Which path / file?

Thanks in advance

Reply

23 Mike March 25, 2011 at 12:19 pm

Samba permissions are set up in smb.conf for each share, not on specific folders or files. That should (and must) be done in Linux/UNIX.

Reply

24 fayaz July 6, 2011 at 5:08 am

hi,
I have a ViXS SoC which runs an embedded Linux, and a Linux server. I want to mount a particular directory on the embedded device onto the server. When I try the command below I get Permission denied, though I have set the permission to 777.
mount -o nolock linux_pc_ip:/home/user /nfs
The above command is run from the embedded linux through tera term.
Can someone please help me?

Reply

25 steve December 21, 2011 at 12:54 am

Had a lot of problems with final step, CENT OS 6, trying to share a folder, i got windows to see it, and open it..but still not writable under any changes to SMB.CONF, anyone experiencing this same issue. after a lot of searching, came up with this fix,

chcon -R -t samba_share_t /media

as to why it works, well I’m a beginner, but the new version of LINUX os, has extra layer of security, and this command fixes it. hope it helps someone else,

writable issues that don’t make sense use this command.

Reply

26 Roger January 2, 2012 at 10:55 pm

Steve, you’re a life saver! That was EXACTLY the problem I was having and the command you mentioned fixed it. Thank you, thank you, thank you!

Reply

27 nkent August 23, 2012 at 5:03 pm

Not working for me!
I believe this has something to do with SELinux; I’m running openSUSE 11.4 and I thought it uses SELinux too.
I successfully used Samba shares previously with openSUSE 10.* and just tried recently on 11.4.
Trying to setup guest share, read only and I get the following:
1. /srv/shared/ – either asking for user/pwd and rejecting or directly Access Denied or it connects but no file is visible (depending on client OS or SMB settings).
2. /home/user1/srv/shared/ – works as expected (per SMB settings).
Tried all kind of different settings in Samba but made no difference (forced users, groups, acl changes, etc.).
Changed all permissions to “user1/users” on /srv/shared – still NG.
Since /srv is an actual HDD I just changed the mount point to /home/user1/srv and then it works.
Question: Why directories with same exact permissions are shared differently, depending on the mount point and how to deal with that in Samba?
Thanks in advance,
nick

Reply

28 TheOmegaShadow June 5, 2013 at 8:43 am

SELinux is exactly the problem for most people. chcon fixes lots of things where selinux is stepping in the way of access to files.

if you do:
# ls -Z
this will show any se linux contexts on files and directories
so you can recursively assign them by doing:
# chcon -R -t the_selinux_contex_t /destination/file/directory

I find it’s a good thing to do at the end of your checklist when making changes etc.

Reply

29 John March 24, 2012 at 12:59 pm

Hi All,

Is it possible for users to have access to password protected shares using User name and a password but WITHOUT having a Linux account defined?

John.

Reply

30 sandeep May 29, 2012 at 5:41 am

hi ,
I am sharing different shares in Samba, so all these folders should be viewed by a single user. So how do I configure this?

Reply

31 Adam July 25, 2012 at 6:58 pm

Let me preface this with: I’m a Windows guy and have very little knowledge about Linux aside from the nefarious stuff we learned about in my ethical hacking class dealing with backtrack5.

So I have a Linux/Samba file server that is holding my company’s patient’s records. I did not set this up, but so far it’s been holding the files people needed to access and there hasn’t been much of an issue.
Recently, someone will randomly start getting a “pathway blah blah…access is denied”. But when it happens, it’s only ever the few most recent files regarding some random patient.
I started by going into the LDAP Account Manager and adding the clinician to a higher privilege group, as I don’t feel comfortable adjusting permissions via the Linux CLI. Well, I now have some clinicians that are in the administrator groups (with myself) and are unable to access certain clients.
So far, every time there has been this issue, I have been able to go in and access the files under my credentials, and so this is making zero sense to me.
I have a new Windows SBS 2011 server that I might just be migrating the Linux server files over to if I can’t figure this out, but I would like to be able to keep this file server up and running, as we’ve had zero problems with it (aside from the aforementioned permission issue) in the 6 months I’ve been here.
Any help would be greatly appreciated, and if that help involves me CLI’ing in Linux, I’ll need it literally spelled out.
Thanks!

Reply

32 Florin December 12, 2012 at 2:39 pm

I’ve struggled with permissions from Samba for a few hours until I remembered to change the system permissions with chmod…
Nice topic

Reply

33 joe January 16, 2013 at 8:05 pm

Why don’t you tell us oh-so-ignorant people how we can actually write to our share. Guest = no does not lead to a login prompt!!! writable = yes is not it either, chmod blah blah blah. Still the same old Linux disease, which is why everyone keeps using Windows. I would love to get away from it, but after a short time I thank Bill on my knees for Windows when I see this Linux crap.

Reply
