How to get group write permission with Samba 4?
I have a Samba share server running Ubuntu. After upgrading to 14.04, I had Samba upgraded from 3 to 4. Since then, I can't get group write permission on my newly created directory or files.
What was previously working in Samba 3 was using these settings:
security mask = 000
force security mode = 660
directory security mask = 000
force directory security mode = 770
force user = nobody
force group = Domain Users
These settings were removed in Samba 4 (see https://wiki.samba.org/index.php/Samba_4.0_Features_added/changed#smb.conf_changes).
But now, my directories are created "drwxr-x--- 2 nobody Domain Users" and my new files "-rwxr-x--- 1 nobody Domain Users".
So what is the way in Samba 4 to allow my users to create and share new directories and files with write permissions?
Here is my full samba config:
[global]
workgroup = WORKGROUP
server string = %h server (Samba, Ubuntu)
interfaces = 127.0.0.0/8, eth0
map to guest = Bad User
obey pam restrictions = Yes
passdb backend = ldapsam:ldap://ldap
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
load printers = No
domain master = Yes
dns proxy = No
ldap admin dn = cn=root,dc=example,dc=com
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap passwd sync = yes
ldap suffix = dc=example,dc=com
ldap ssl = no
ldap user suffix = ou=People
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
idmap config * : backend = tdb
[CommonShare]
comment = Common share
path = /srv/samba/common
valid users = @myusers
read only = No
create mask = 0660
force create mode = 0770
directory mask = 0770
force directory mode = 0770
inherit permissions = Yes
inherit owner = Yes
Solution 1:
To fix the problem you may add the force user username to the list of valid users for the share.
In your case:
[Myshare]
...
valid users = @bureau
...
should be:
[Myshare]
...
valid users = nobody @bureau
...
Solution 2:
This same problem happened to me.
I had to update the access control lists of all directories with the default group permissions:
sudo setfacl -R -m d:g:family:rwx /mnt/backup
-R = recursive
-m = modify
d: = defaults
g: = group name ("family" in my case) or gid number
rwx = default permissions read write execute for all in group
/mnt/backup is the directory (and subdirectories) to modify.
Solution 3:
I know this is an old thread, but this might help someone. I solved this by setting the setgid bit to 2 (instead of 0) so the directories / files are created with group write permissions, e.g.
force create mode = 2777
force directory mode = 2777
From: https://linuxconfig.org/how-to-use-special-permissions-the-setuid-setgid-and-sticky-bits#h7-the-setgid-bit
Solution 4:
While researching this problem, I stumbled onto this Samba mailing list message:
https://www.spinics.net/lists/samba/msg169260.html
In it, a developer implies that Samba completely ignores traditional Unix file permissions when a client asks for the file's permissions. So if you right-click on the file from Windows and look at its permissions, it will show up as having no group write permission. While in most cases this is fine (Windows leaves it up to Samba to enforce the permissions), it makes a file effectively non-group-writable if it's in Word format, since Word checks the permission and switches to a special read-only mode if it thinks (incorrectly in this case) the file isn't writable. OpenOffice does the same thing.
To work around the problem you must add an ACL to whatever file you want to be group writable using certain Windows programs:
apt-get install acl # Not installed by default on Debian
setfacl -m 'group:<group-name> :rw' <filename>
If you mistype the group name, setfacl will report it as if it was a syntax error. The space before :rw is required. After this command succeeds, the group write permission will show up for Windows programs that check it.
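To see what a share tree actually looks like on disk after trying any of the settings above, the following added example (not part of the original posts) lists entries that lack group write, directories without the setgid bit, and anything writable by "other". The function names and the sample tree are assumptions made for illustration; point audit_share at the real share path, such as /srv/samba/common from the question.

```shell
#!/bin/sh
# Added example: audit a Samba share tree for the permission states discussed above.
# audit_share ROOT prints one "finding<TAB>path" line per problem found.
# Assumption: paths do not contain newlines.

tag() {  # prefix every path read from stdin with the finding name given in $1
    while IFS= read -r p; do printf '%s\t%s\n' "$1" "$p"; done
}

audit_share() {
    root=$1
    # Files/directories the group cannot write to: the symptom in the question
    # (drwxr-x--- and -rwxr-x--- are both mode 0750).
    find "$root" \( -type f -o -type d \) ! -perm -0020 | tag no-group-write
    # Directories without setgid: new entries get the creating process's
    # group instead of the directory's group.
    find "$root" -type d ! -perm -2000 | tag dir-not-setgid
    # Anything writable by "other", e.g. after forcing mode 2777.
    find "$root" \( -type f -o -type d \) -perm -0002 | tag world-writable
}

# Constructed sample tree (not the poster's data), built in a temp directory.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir "$demo/old" "$demo/open"
: > "$demo/old/report.doc"
: > "$demo/open/notes.txt"
chmod 0750 "$demo/old" "$demo/old/report.doc"   # modes shown in the question
chmod 0777 "$demo/open"
chmod 0666 "$demo/open/notes.txt"
chmod 0770 "$demo"

audit_share "$demo"
```

An empty result for a given finding means no entry in the tree is in that state.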