I think I'm encountering the same problem you have. For some reason force user seems to require group write permissions. It does not appear to require world write permissions though, so as a workaround you should be able to get away with 660/770 permissions rather than 777. This shouldn't reduce security; it's just annoying to move files into it outside of samba since you need to make them group-writeable.

Put this in your smb.conf under [Stuff]:

force user = myuser
create mask = 0660
directory mask = 0770

Then run this on your share folder:

sudo chown -R myuser:myuser /home/myuser/share
sudo chmod -R 0660 /home/myuser/share
sudo chmod -R ug+X /home/myuser/share

Then restart smbd. The above will set all files to 660 and all directories to 770, for currently existing files and for files newly created through samba. Note that you don't need force group; by default it matches the primary group of force user. Also note that I'm denying world permissions entirely here. You could probably use 0664, 0775 and ugw+X instead if you want them world-readable.

Unfortunately I haven't been able to make it work without group write permissions. I suspect it's a bug in samba. The recent samba bug #14617 prevented deleting files via force user. It's possible this is another related bug but I don't know enough about it to report it. If you figure out how to get it working with 0644/0755 please let me know!

Answer from ludocode on Stack Exchange
🌐
Samba
samba.org › samba › docs › current › man-html › smb.conf.5.html
smb.conf
To allow members of the UNIX group foo to create user defined shares, create the directory to contain the share definitions as follows: ... mkdir /usr/local/samba/lib/usershares chgrp foo /usr/local/samba/lib/usershares chmod 1770 /usr/local/samba/lib/usershares ... usershare path = /usr/local/samba/lib/usershares usershare max shares = 10 # (or the desired number of shares) to the global section of your smb.conf...
Top answer
1 of 3
11

I think I'm encountering the same problem you have. For some reason force user seems to require group write permissions. It does not appear to require world write permissions though, so as a workaround you should be able to get away with 660/770 permissions rather than 777. This shouldn't reduce security; it's just annoying to move files into it outside of samba since you need to make them group-writeable.

Put this in your smb.conf under [Stuff]:

force user = myuser
create mask = 0660
directory mask = 0770

Then run this on your share folder:

sudo chown -R myuser:myuser /home/myuser/share
sudo chmod -R 0660 /home/myuser/share
sudo chmod -R ug+X /home/myuser/share

Then restart smbd. The above will set all files to 660 and all directories to 770, for currently existing files and for files newly created through samba. Note that you don't need force group; by default it matches the primary group of force user. Also note that I'm denying world permissions entirely here. You could probably use 0664, 0775 and ugw+X instead if you want them world-readable.

Unfortunately I haven't been able to make it work without group write permissions. I suspect it's a bug in samba. The recent samba bug #14617 prevented deleting files via force user. It's possible this is another related bug but I don't know enough about it to report it. If you figure out how to get it working with 0644/0755 please let me know!

2 of 3
2

OK, have you created users with 'smbpasswd -a username' (needs to be run as root) ? If you haven't, then your guest account 'myuser' will not work. This means that no one will be able to access your share. Authentication (based on your smb.conf) works like this: A user connects to Samba and if the user is known and supplies the correct password, they are allowed access to your share, but anything they save will be saved as if belonging to 'myuser', but they will be able to read and write files. If they are a known user, but supply a wrong password, then the connection is silently dropped. Because you have 'map to guest = bad user' in global and 'guest ok = yes' in the share, an unknown user that connects to Samba will be mapped to the guest account 'myuser' before it gets anywhere near the share and as they are now a known user, they will be allowed access to the share. As for the smb.conf being too short, well, yours could be even shorter. You do not need the 'force group' line, the 'force user' will do that for you, also as 'myuser' has write permissions by default, you do not need the 'write list' line. Finally, you never need to set 'browseable = yes' anywhere, it is a default setting.

Discussions

Default config uses 'force user' and 'force group' in GLOBAL section - intended?
Just noticed I was not able to write to my share, some brute testing (chmod 777 the share directory) was showing smbuser:users as file owner, when I authenticated to the server with a different smb user. Checking smb.conf I noticed in GL... More on github.com
🌐 github.com
3
August 28, 2018
How-to create a (samba) shared folder in your local network – antiX-forum
The only value you have to adapt ... the smb.conf file… · [global] server string = FILESERVER workgroup = WORKGROUP security = user map to guest = Bad User name resolve order = bcast host · [SHARED-FOLDER] path = /FULL/PATH/OF/FOLDER/TO/BE/SHARED force user = smbuser force group = smbgroup ... More on antixforum.com
🌐 antixforum.com
windows - How to set default group for files created in Samba share - Unix & Linux Stack Exchange
If I understand what you are asking correctly then what you want is inside the smb.conf located here: ... In case like me someone is looking to add user, group, and actual permissions string add create mask = 0775 ... you do know that the force directives make any user do operations as the ... More on unix.stackexchange.com
🌐 unix.stackexchange.com
Cannot restrict SMB share access to Active Directory Group
For SSSD you also want to use security = ADS. Example: security = ADSrealm = EXAMPLE.COM If you look up examples online you will often see them also setting "password server = some.kerberos.server". You don't need that. Edit: nice little trick to test if authentification is working is to use smbclient. smbclient -L -U It will prompt you for a password and show available shares as long as your password is either empty or correct. Edit2: I am not 100% sure on that but I think you will also need to configure your nsswitch.conf to use sssd. I believe there were a few things that didn't work with samba otherwise. passwd: compat sss group: compat sss More on reddit.com
🌐 r/linuxadmin
13
3
May 27, 2021
🌐
Red Hat
access.redhat.com › solutions › 7041564
Adding force user/group in smb.conf breaks Samba - Red Hat Customer Portal
The share must contain files whose ownership is a local user in linux, so the configuration options force user and force group in /etc/samba/smb.conf are needed. In this configuration, the target shared directory gets not accessible from the Windows client side.
🌐
LinuxQuestions.org
linuxquestions.org › questions › linux-server-73 › samba-force-group-not-working-4175679079
[SOLVED] SAMBA - force group not working
July 20, 2020 - Hey folks - this is my first post... my Linux experience goes back to the 90's but I have been out for a long time. My current environment is:
🌐
The Geek Diary
thegeekdiary.com › how-to-force-user-group-ownership-of-files-on-a-samba-share
How To Force User/Group Ownership Of Files On A Samba Share – The Geek Diary
In the file /etc/samba/smb.conf you can use the directive: force user = [user] force group = [group] This will override the normal file ownership attributes for file or directory access. Be default, the effective user credentials are used. By using either (or both) of the above directives, ...
🌐
SambaWiki
wiki.samba.org › index.php › Setting_up_Samba_as_a_Standalone_Server
Setting up Samba as a Standalone Server - SambaWiki
January 7, 2026 - You can restrict access to members of a specified group by adding valid users = @demoGroup to the share, you will need to replace demoGroup with the required Unix group name. The log parameters are not necessary for a minimal setup. However they are useful to set the log file and increasing ...
🌐
Linux Mint Forums
forums.linuxmint.com › board index › main edition support › networking
[SOLVED] Sharing Multiple Folders on Local Network using Samba NOT WORKING. - Linux Mint Forums
November 8, 2022 - ; add group script = /usr/sbin/addgroup --force-badname %g ############ Misc ############ # Using the following line enables you to customise your configuration # on a per machine basis. The %m gets replaced with the netbios name # of the machine that is connecting ; include = /home/samba/etc/smb.conf.%m # Some defaults for winbind (make sure you're not using the ranges # for something else.)
Find elsewhere
🌐
Jaytaala Confluence
confluence.jaytaala.com › display › TKB › Create+samba+share+writeable+by+all,+group,+or+only+a+user
Create samba share writeable by all, group, or only a user - Tech Knowledge Base - jaytaala.com Confluence
August 25, 2020 - will change all folders and files' ownership group in /media/share to sharegroup, and then apply the setgid bit to make any new files or folders created also have sharegroup group ownership. We now need to edit /etc/samba/smb.conf. Below are several examples depending on how you want to users to access your smb share. ... # share [share] path = /media/share writeable = yes browseable = yes public = yes create mask = 0644 directory mask = 0755 force user = shareuser ...
🌐
Red Hat
docs.redhat.com › en › documentation › red_hat_enterprise_linux › 5 › html › deployment_guide › s1-samba-servers
22.6. Samba Server Types and the smb.conf File | Deployment Guide | Red Hat Enterprise Linux | 5 | Red Hat Documentation
[global] workgroup = DOCS netbios name = DOCS_SRV security = share [data] comment = Data path = /export force user = docsbot force group = users read only = No guest ok = Yes · The following smb.conf file shows a sample configuration needed to implement an anonymous print server.
🌐
GitHub
github.com › dperson › samba › issues › 157
Default config uses 'force user' and 'force group' in GLOBAL section - intended? · Issue #157 · dperson/samba
August 28, 2018 - Checking smb.conf I noticed in GLOBAL: force user = smbuser force group = users · Therefore it seems that whatever user you log in, it will go with smbuser:users. Is this intended? I can't see this documented other than in the scripts. Reactions are currently unavailable ·
Author   dperson
🌐
CIQ
ciq.com › blog › how-to-make-smb-share-authentication-even-easier-with-groups
CIQ | How to Make SMB Share Authentication Even Easier with Groups
3 weeks ago - The problem is that there's no easy way to force a change of the Samba password. Because of that, you might need to have your users on hand when you add them to Samba. Otherwise, you could create random/strong passwords for those users, send each password to the user, make sure they memorize it or add it to their password manager, and then you, the admin, conveniently forget the password. And that, my friends, is all there is to using groups for Samba share authentication.
🌐
Raspberry Pi Forums
forums.raspberrypi.com › board index › using the raspberry pi › troubleshooting
Configuring a new user for samba - Raspberry Pi Forums
Could you please advise me what changes I should make to the smb.conf file that will allow the user I created to access the HDD, but prevents any other access? It looks like I could remove "browseable = yes" and "only guest = no" as they are the default values? When I run "testparm", this is what the [NAS_backups] section lists: [NAS_backups] comment = Backup Folder path = /media/pi/USBHDD1/shares valid users = @users force user = root force group = users read only = No create mask = 0777 directory mask = 0777 guest ok = Yes Regards, Dennis
🌐
Linux Mint Forums
forums.linuxmint.com › board index › main edition support › beginner questions
[SOLVED] Samba shares, wrong user and group - Linux Mint Forums
July 25, 2021 - Can this be changed, and if so, where/how? Yes and yes. https://www.samba.org/samba/docs/curren ... onf.5.html WARNING: Nuclear blast goggles should be worn before clicking the link above. /etc/samba/smb.conf See: force user, force group, force create mode, and force directory mode
🌐
antiX-forum
antixforum.com › forums › topic › how-to-create-a-samba-shared-folder-your-private-network
How-to create a (samba) shared folder in your local network – antiX-forum
The only value you have to adapt when editing this config file is /FULL/PATH/OF/FOLDER/TO/BE/SHARED that has to be replaced with the full path of the folder you want to be shared: for example- /home/ppc/PublicFiles Optionally you can also replace the smbuser and smbgroup values with any values you select, but you’ll have to apply those exact values on the terminal commands that you’ll have to enter after editing the smb.conf file… · [global] server string = FILESERVER workgroup = WORKGROUP security = user map to guest = Bad User name resolve order = bcast host · [SHARED-FOLDER] path = /FULL/PATH/OF/FOLDER/TO/BE/SHARED force user = smbuser force group = smbgroup create mask = 0664 force create mode = 0664 directory mask = 0775 force directory mode = 0775 public = yes writable = yes
🌐
Google Groups
groups.google.com › g › linux.samba › c › hKiufxt5rkU
[Samba] force group does not work
To prevent Samba from allowing the printer's printername to differ from the sharename defined in smb.conf, set /|force printername = yes|/. Be aware that enabling this parameter may affect migrating printers from a Windows server to Samba since Windows has no way to force the sharename and ...
🌐
Red Hat
docs.redhat.com › en › documentation › red_hat_enterprise_linux › 4 › html › reference_guide › s1-samba-servers
14.3. Samba Server Types and the smb.conf File | Reference Guide | Red Hat Enterprise Linux | 4 | Red Hat Documentation
Although having an anonymous read/write server is possible, it is not recommended. Any files placed in the share space, regardless of user, are assigned the user/group combination as specified by a generic user (force user) and group (force group) in the smb.conf file.
Top answer
1 of 1
11

I finally made it, if it can help someone. I don't know if it is nice, but it works nice with POSIX rights, without ugly ACL.

1] Create groups

$ sudo groupadd Group1
$ sudo groupadd ...

Please notice I did not create an Admin group since my admin users will be in all the other groups. This is the only way I made it work so far. If someone has a nicer way to deal with for instance an admin group with rights on anything, please tell me ! My solution is correct since I am managing a dozen of accounts but not hundreds or thousands...

2] Create users (without home folder and ability to use SSH for security reasons)

$ sudo adduser --no-create-hom --shell /usr/sbin/nologin user1
$ sudo adduser --no-create-hom --shell /usr/sbin/nologin user...

3] Add users in smbpasswd database. Please pay attention to the fact I had to add them, but also to enable them to avoid any kind of problems.

$ sudo smbpasswd -a user1
$ sudo smbpasswd -e user1
$ ...

4] Add users to the groups where they will be. Please notice I thought samba was not able to recognize secondary groups, but actually it does. The mistake was a misusing of the command line.

The error was:

$ sudo usermod -G user1 Group1
$ sudo usermod -G user1 Group2

If you do:

$ groups user1

You have something like:

user1 Group2

Because the secondary group has disappeared.

The good practice is:

$ sudo usermod -G Group1,Group2,Group3 user1

In this case:

$ groups user1

Will show:

$ user1 Admin Group1 Group2 Group3

Please, be careful of primary and secondary groups. An user can be in multiple secondary groups, but only in one primary group.

So another mistake would be:

$ sudo usermod -g Group1

If you do:

$ groups user1

You got:

$ Group1

4] Create the folders with the good permissions:

$ sudo mkdir /path/to/Directory1
$ sudo chown root:Group1 /path/to/Directory1
$ sudo chmod 2775 /path/to/Directory1

Please read this if you don't know nothing about file system permissions and setuid, setgid : chmod + setuid and setgid. The permissions and also there inheritances are important for your groups.

5] Create as many directories you want with the permissions you want.

6] Configure your smb.conf file with the editor of your choice. I personally use vim. Make a backup first before losing anything that was running well.

$ sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
$ sudo vim /etc/samba/smb.conf

Your config file here, with global config and Directory1 config is:

[global]

     workgroup = YOUR-LOCAL-WORKGROUP
     server string = %h # hostname
     log file = /var/samba/smb-%h.log
     max log size = 1000
     disable netbios = yes # since this is a standalone server
     server role = standalone server
     veto files = /*.exe/*.com/*.dll/*.bat/*.vbs/*.tmp/ # whatever your want
     delete veto files = yes

[Directory1]

     path = /path/to/Directory1
     browseable = yes
     guest only = no
     guest ok = yes
     read list = nobody guest
     write list = @Group1
     force create mode = 0665 # please see system file permissions ...
     force directory mode = 2775 # ... and setuid, setgid, right above !

Please note the execution is important for your users. This allows them to navigate through the directories. But the execution is also a danger regarding files. You don't want you users to execute scripts or whatsoever, reading is widely enough.

That is why I restrict files on reading and writing for users and reading for anonymous, while I let executing on directories for navigation. Execute a folder is not a danger but execute a file is.

    force create mode = 0665
    force directory mode = 2775

Note the options delete veto file and veto files are also another shield since you don't want your silly Windows Mac OS X users put blobs or binaries or executable randomwares on your clean server.

7] Test your config file with a gentle command:

$ testparm

8] Everything is good ? Then.

$ sudo systemctl start smbd.service # or restart
$ sudo systemctl enable smbd.service 

Now you can log with the method of your choice and see that anonymous can explore the files on the server without the permission of writing it while your authenticated and designated users can read, write and execute -- i.e navigate from a directory to a directory.

Et voilà ! I hope it will help someone.

Top answer
1 of 5
36

OK, I have found an answer myself.

As this is absolutely not obvious from the docs and HOWTOs and whatever, the reason this thing asks for password is because it cannot map guest user to the owner of the directory being shared.

I have NTFS partitions which I need to mount RW so I used the following setup in my /etc/fstab:

/dev/sdb1  /media/disk1  ntfs defaults,noexec,noatime,relatime,utf8,uid=1000,gid=1000 0       2
/dev/sdb2  /media/disk2  ntfs defaults,noexec,noatime,relatime,utf8,uid=1000,gid=1000 0       2

The most important pieces of config are uid and gid (maybe only uid, don't know). They are set to the UID and GID of the user jonnie set up on the server (obviously not root). So, when ntfs-3g will mount these disks, everything will be owned by him.

After that, I have added this user to the Samba registry (or maybe created new identical one, don't care):

# smbpasswd -a jonnie

It asked for password, I have entered the same as for the main system.

After that, I have added the force user and force group settings to the smb.conf:

[global]
  workgroup = WORKGROUP
  netbios name = HOMESERV
  security = user
  map to guest = Bad User

[disk1]
  comment = Disk 1 on 400GB HDD
  path = /media/disk1
  browsable = yes
  guest ok = yes
  read only = no
  create mask = 666
  directory mask = 777
  force user = jonnie
  force group = jonnie

[disk2]
  comment = Disk 2 on 400GB HDD
  path = /media/disk2
  browsable = yes
  guest ok = yes
  read only = no
  create mask = 666
  directory mask = 777
  force user = jonnie
  force group = jonnie

So, most important piece of config relevant to me was force user.

Courtesy of the Samba HOWTO

2 of 5
6

The config can be shorter:

Create unix user jonnie

sudo useradd jonnie -s /usr/sbin/nologin

Create smbuser

sudo smbpasswd -a jonnie

Create the Linux directory to share

mkdir /mysmbshare

Change the owner of the directory to jonnie

sudo chown jonnie /mysmbshare

smb.conf

[global]
  workgroup = MyWorkGroup
  server string = Hello, use me
  security = user
  map to guest = Bad User
  guest account = jonnie
  passdb backend = tdbsam
  
[the_public_share]
   path = /mysmbshare
   writable = yes
   printable = no
   public = yes

All files are owned by jonnie and everyone has rw access to the files.