≡ Menu

Samba share permissions simplified

Samba software, is a free, open source implementation of networking protocols to share files between UNIX/Linux and Windows computers.

Samba provides -
=> File and print services

=> Integration with a Windows Server domain / PDC

=> Part of Active Directory domain etc

Permission precedence

Samba comes with different types of permissions for share. Try to remember few things about UNIX and Samba permissions.
(a) Linux system permissions take precedence over Samba permissions. For example if a directory does not have Linux write permission, setting samba writeable = Yes (see below) will not allow to write to shared directory / share.

(b) The filesystem permission cannot be take priority over Samba permission. For example if filesystem mounted as readonly setting writeable = Yes will not allow to write to any shared directory or share via samba server.

In short (thanks to Craig [see below in comment section]) :
Limits set by kernel-level access control such as file permissions, file system mount options, ACLs, and SELinux policies cannot be overridden by Samba. Both the kernel and Samba must permit the user to perform an action on a file before that action can occur.

How do I set permissions to Samba shares?

Samba Basic permissions are as follows (configuration file is smb.conf [/etc/samba/smb.conf]):

  • read only: This parameter controls whether an user has the ability to create or modify files within a share. This is default.
  • guest ok: Uf this parameter is set to yes, the users will have access to the share without
    having to enter a password. This can pose security risk.
  • writeable: Specifies users should have write access to the share.

You can create the share called helpfiles with read only permission
path = /usr/share/docs
read only = Yes

You can create the share called salesdoc with write permission
path = /home/shared/sales
writeable = Yes

You can also create a list of users to give write access to the share with write list option. For example allow rocky and tony to write to the share called sales:
path = /home/shared/sales
write list = rocky tony

You can use following options

  • read list: This option accepts a list of usernames or a group as its value. Users will be given read-only access to the share.
  • valid users: You can make a share available to specific users. Usernames or group names can be passed on as its value.
  • invalid users: Users or groups listed will be denied access to this share.

Samba mask permission

It is also possible to specify samba default file creation permission using mask.

  • create mask: This option is set using an octal value when setting permissions for files.
  • directory mask: Directories must have the execute bit for proper access. Default parameter is 0755.

path = /home/shared/sales
write list = rocky sys
create mask = 0775


Tweet itFacebook itGoogle+ itPDF itFound an error/typo on this page?

{ 41 comments… add one }

  • _ranger_ January 17, 2007, 9:02 am

    Instead of keeping your access controls in the samba configuration (write list =), rather apply unix permissions (eg create groups etc. etc.). Then, the access controls will apply when you (eventually) use services besides samba (e.g. NFS, web servers or webdav etc. etc.).

    • Chaitanya Parekh March 12, 2011, 6:41 am

      Please explain in more details or add some links where we can see some examples of this

      • Gern March 16, 2011, 2:02 pm

        sorry if this sounds trollish, but, google.

  • nixCraft January 17, 2007, 10:25 pm


    You’ve raised some good points

    Appreciate your post.

  • Craig Ringer February 3, 2007, 8:53 pm

    (b) is wrong:

    “(b) The filesystem permission cannot be take priority over Samba permission.”

    I think you meant “Samba can not override limits set by file system mount options.”.

    Strictly, you can just combine (a) and (b) into:

    “Limits set by kernel-level access control such as file permissions, file system mount options, ACLs, and SELinux policies cannot be overridden by Samba. Both the kernel and Samba must permit the user to perform an action on a file before that action can occur.”

  • Hugh Grant February 6, 2007, 7:31 pm

    The range of settable perameters in Samba is confusing to me. For example if I set
    writable = yes
    read only = yes
    what happens? hopefully an error. But if
    writable = no
    write list = peter paul
    Does paul get write access? Presumably mary only gets read access.

    • Archonic June 27, 2013, 4:21 pm

      Use testparm /etc/samba/smb.conf to test you syntax and get the permissions results.

  • Mukund February 14, 2007, 2:52 pm

    I have a problem trying to communicate with samba server setup on Fedora core 4 from my windows xp machine..
    I see only the folders and there are no files
    I dont get to even see them on my windows PC when i try to access the corresponding samba related folders…
    Any idea..Kindly help :)

  • nixCraft February 15, 2007, 4:30 am


    If user peter paul is in both the read list and the write list then they will be given write access.

    If the connecting user is in this list then they will be given write access, no matter what the read only option is set to.

    However in your specific example peter or paul will not get write access and writable is specifically set to NO.

  • nixCraft February 15, 2007, 4:32 am


    Can you paste your smb.conf file (or better use our forum nixcraft.com for more info)

  • nixCraft February 15, 2007, 4:35 am


    Yes, you are right. I will update this article to point to your comment.

    Appreciate your post.

  • hmcentury May 5, 2007, 3:51 am

    I have had linux joined the windows domain.Now I can log in the samba from windows client.But I get a message “Acess Denied” when I manage the share ACL using remote management. I don’t know why.How to control the samba share acl in the smb.conf?

    How to simulta the ACL of windows in samba?

    What’s your Email。I have another questions wanted to kown。

  • Sharad July 19, 2008, 10:39 am

    Can you help me with creating an access list/ ip table as how to provide permissions to samba share for specific systems with specific ip addresses

  • Mustafa February 18, 2009, 9:08 am

    I have the same problem, I have set my simple samba server in SUSE Linux and put the smb.conf file as follows

    workgroup = ftpgrp
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:
    security = user
    encrypt passwords = yes
    local master = yes
    writable = yes
    passdb backend = smbpasswd
    domain master = yes
    preferred master = yes
    os level = 2
    wins support = yes
    comment = Network Profiles Service
    path = /rbidata/RBIPublic/output/
    write list = tigocdr
    store dos attributes = Yes
    create mask = 0600
    directory mask = 0777
    browseable = yes
    guest ok = no
    printable = no
    comment = Network Profiles Service
    path = /rbidata/RBIPublic/bak/
    read only = No
    store dos attributes = Yes
    create mask = 0600
    directory mask = 0700
    browseable = yes
    guest ok = no
    printable = no
    but still the user “tigocdr” can not write to output directory

  • Jon Cage March 30, 2009, 11:00 pm

    @Mustafa: What permissions are set on /rbidata/RBIPublic/output/ and who owns that directory and/or whatever it is you’re trying to write to?

  • V.Balaviswanathan April 27, 2009, 1:12 pm

    Hi NixCraft,

    I have a doubt I have configured samba on Ubuntu 9.04 and i am able to connect to windows properly but not with Linux (ubuntu 9.04) and moreover the users must be able to create a folder and each time when I connect to this share , it must request for a password. Kindly help me please.I would be thankful to you

    • CaliforniaRobert July 24, 2010, 6:19 pm

      @V.Balaviswanathan: It’s obviously been 15 months since you asked your question, I hope that you resolved this.
      I know under Windows XP/Vista (Probably NT/2000/7 as well), if you’re connecting by mapping a drive letter, in the window for selecting the drive letter and the share to connect to, click the hyperlink that says something close to “Connect under a different Username”. It will then pop up another window that will allow you to specify the username and password for the samba share.
      If you don’t, it will let you connect, as it will pop up a similar window when you try to actually connect, but it won’t save the username or password.
      I know this will definitely stop it from asking about the username, though I only have had this going for 2 days, and on some of my machines, it’s still wanting a password, but apparently not all. I think it’s a Windows thing about it storing the password or not.
      If anyone else has more to add, please feel free.

  • Marcelo October 1, 2009, 3:32 pm


    Thanks for this tutorial
    If someone needs to get deeper, I recommend:

  • jamin June 6, 2010, 2:12 pm

    I found today that users must have permissions on Linux side recusively from the root to be able to “get into” a folder. This cause me much pain

  • Paul July 25, 2010, 1:29 pm

    after 2 weeks of problems with samba – i’ve figured out the problem.

    If trying to access folders in SAMBA share from windows machine, you get the error message “Windows cannot access “insert samba share””

    You do not have permission to access “samba share”. Contact your network administrator to request access.

    It is to do with the linux permissions on the folders in the samba share,

    right click on the folder -> properties -> permissions

    under group and folder access this had defaulted to none

    change to create and delete files and apply permissions to enclosed files


  • Alijohn September 28, 2010, 5:30 am

    In my system i’m using ubuntu 10.04.In that while i’m trying to share the folder it is sharing as read only file over windows systems.even if go to terminals and type ?etc/samba/smb.conf the result is permision denied.. wat can i do now..any one pls.

  • Randy December 10, 2010, 3:55 am

    Alijhon, with regards to your problem..
    just type sudo /etc/samba/smb.conf
    it will ask for a password before it will execute the command. after that, you can modify the file.

    always use sudo before you command.

    or best you type: sudo su
    with this, the next you run any command, you do not need anymore to type sudo. coz your running you ubuntu with that as root.

    • Chaitanya Parekh March 12, 2011, 6:50 am

      hey randy
      you skipped the mention of text editor in your command

      you said its
      sudo /etc/samba/smb.conf

      it should rather be
      sudo nano /etc/samba/smb.conf

      where nano is a text editor in linux you can also use vi or any other text editor of your convenience.

  • Leopoldo March 11, 2011, 2:40 pm

    Hi there
    I´m new in the Samba world…. Where does samba saves the user permissions to the folders? which path / file?

    Thanks in advance

    • Mike March 25, 2011, 12:19 pm

      samba permissions is set up in smb.conf for each share, not on specific folders or files. That should(and must) be done in linux/unix.

  • Peter May 21, 2011, 6:26 am

    – Ubuntu 10.04 Server, included Samba server
    – e.g.: user xx writes a file or makes a directory, permission user:group is set to xx:xx
    user yy can enter the directory and read the file. but cannot write a file
    because he has got no group rights.
    if yy makes a directory, xx cannot …
    – the problem arises because there is always a group xx generated. I would like to
    have xx and yy and any other user generating permissions with
    xx:sambashare odr xx:users.
    – if I change the rights from xx:xx or yy:yy to xx:sambashare or yy.sambashare (xx and yy are members of the group sambashare) then everything works fine.


  • fayaz July 6, 2011, 5:08 am

    I have a ViXS SOC which runs a embedded linux and Linux server. I want to mount a particular directory on the embedded device on to the server. When i try the below command I get Permission denied, though I have set permission to 777.
    mount –o nolock linux_pc_ip:/home/user /nfs
    The above command is run from the embedded linux through tera term.
    Can someone please help me?

  • steve December 21, 2011, 12:54 am

    Had a lot of problems with final step, CENT OS 6, trying to share a folder, i got windows to see it, and open it..but still not writable under any changes to SMB.CONF, anyone experiencing this same issue. after a lot of searching, came up with this fix,

    chcon -R -t samba_share_t /media

    as to why it works, well I’m a beginner, but the new version of LINUX os, has extra layer of security, and this command fixes it. hope it helps someone else,

    writable issues that don’t make sense use this command.

    • Roger January 2, 2012, 10:55 pm

      Steve, you’re a life saver! That was EXACTLY the problem I was having and the command you mentioned fixed it. Thank you, thank you, thank you!

      • nkent August 23, 2012, 5:03 pm

        Not working for me!
        I believe this has something to do with SELinux; I’m running openSUSE 11.4 and I thought it uses SELinux too.
        I successfully used Samba shares previously with openSUSE 10.* and just tried recently on 11.4.
        Trying to setup guest share, read only and I get the following:
        1. /srv/shared/ – either asking for user/pwd and rejecting or directly Access Denied or it connects but no file is visible (depending on client OS or SMB settings).
        2. /home/user1/srv/shared/ – works as expected (per SMB settings).
        Tried all kind of different settings in Samba but made no difference (forced users, groups, acl changes, etc.).
        Changed all permissions to “user1/users” on /srv/shared – still NG.
        Since /srv is an actual HDD I just changed the mount point to /home/user1/srv and then it works.
        Question: Why directories with same exact permissions are shared differently, depending on the mount point and how to deal with that in Samba?
        Thanks in advance,

        • TheOmegaShadow June 5, 2013, 8:43 am

          SELinux is exactly the problem for most people. chcon fixes lots of things where selinux is stepping in the way of access to files.

          if you do:
          # ls -Z
          this will show any se linux contexts on files and directories
          so you can recursively assign them by doing:
          # chcon -r -t the_selinux_contex_t /destination/file/directory

          I find it’s a good thing to do at the end of your checklist when making changes etc.

  • John March 24, 2012, 12:59 pm

    Hi All,

    Is it possible for users to have access to password protected shares using User name and a password but WITHOUT having a Linux account defined?


  • sandeep May 29, 2012, 5:41 am

    hi ,
    iam sharing different shares in samba. so this all folders should be viewed by a single user. so how to configure this?

  • Adam July 25, 2012, 6:58 pm

    Let me preface this with Im a Windows guy, have very little knowledge about Linux aside from the nefarious stuff we learned about in my ethical hacking class dealing with backtrack5

    So I have a Linux/Samba file server that is holding a my company’s patient’s records. I did not set this up, but so far its been holding the files people needed to access and there hasn’t been much of an issue.
    Recently, someone will randomly start getting a “pathway blah blah…access is denied” But when it happens, its only ever the few most recent files reguarding some random patient.
    I started by going into the LDAP Account Manager and adding the clinician to a higher privelege group, as I dont feel comfortable adjusting permissions via Linux CLI. Well, I know have some clinicians that are in the administrator groups now(with myself) and are unable to access certain clients.
    So far, everytime there has been this issue, I have been able to go in and access the files under my credentials and so this is making zero sense to me.
    I have a new Windows SBS 2011 server that I might just be migrating the Linux server files over to if I cant figure this out, but I would like to be able to keep this file server up and running, as we’ve had zero problem with it (aside from the aforementioned permission issue) in the 6 months I’ve been here.
    Any help would be greatly appreciated, and if that help invloves me CLI’n in Linux, Ill need it literally spelled out.

  • Florin December 12, 2012, 2:39 pm

    i’ve struggled with permission from samba a few hours untill i remembered to change system permissions with chmod…
    Nice topic

  • joe January 16, 2013, 8:05 pm

    Sag uns ach so unwissenden doch mal wie wir auf unsere Freigabe auch schreiben dürfen. Guest = no führt nicht zu einem Anmeldprompt !!! writable = yes ist es auch nicht , chmod bla bla bla – Noch immer die alte Linux Krankheit weshalb alle weiter Windows benutzen. Ich würde da gern von weg aber nach kurzer Zeit Danke ich Bill auf Knien für Windows wenn ich diesen Linux Mist sehe.

  • NK February 2, 2013, 7:07 pm

    I have a samba share /dev/Disk1 set up. There is a folder on Disk1 called backed (Disk1/Backup). How do i make it so that a certain user (say user1) can access and see the folder, but another user (user2) cannot access the folder (or can’t see the folder and also cant access it).

    For now what i’ve done is in my Disk1 share specifically said veto files = /Disk1/Backup
    and then Set up a separate share in Samba config for Disk1/Backup folder in which my user (user1) is the only user allowed to access it.

    Is there a way to mix the veto files command with something else so that i don’t need to create a separate share and can just allow user1 to access the veto’ed share?

  • Shashi Bhushan June 13, 2013, 5:48 pm

    Hello All,
    It was really frustrating when I was not able to write or create folder on the server side share from windows 7. Reason SELINUX policies (^_^)

    If you create a new directory you want to share you should mark it as
    “samba_share_t” so that selinux will let you write into it. So, please make changes to your share i.e. something like below:

    #chcon -t samba_share_t /path (where /path is your shared path on the server). Hope this will helps to all. Thanks!

  • om July 10, 2013, 6:21 am

    For your issue give writeable = yes on output share.
    Hope this will work.

  • sreek's August 7, 2013, 8:14 am

    i want to know how to install swat and working with swat

  • Hades August 16, 2013, 9:53 am

    Hi everyone!!
    I’m testing the samba sever but I’ve that problem. When I’m try to share one folder & that can access multiple user it is ok. But when I’m trying that (eg. I’ve 1 folder that contain 3 sub folders MRS/aa/bb/cc and I’ve 3 user user1,2,3. Now I want user 1 can access all folder aa,bb,cc but other user can only access their folder I mean user2 can access bb & user3 can access cc) How can I do that????? I try write list/ read list/ valid user but didn’t work. Now I can’t even access my Home folder MRS. When I’m trying one Folder and all writable permission for all user at that time everything is ok. But When I’m trying to configure multiple permission I can’t :(. So, if anyone who know what my problem pls kindly reply my mail htoo.mtth@gmail.com because I found this website while I’m trying to solve that problem. So, I’m not sure I’ll be here again. Pls if you explain detail configure by mail I’ll be appreciate.

Leave a Comment