I still don't quite understand how they work but after testing a little bit more I found that the following actually worked for what I wanted:
create mask = 0664
force create mode = 0664
directory mask = 0775
force directory mode = 0775
I'll us this for now... Let me know if you have an alternative that makes more sense.
Answer from rfgamaral on Stack ExchangeI still don't quite understand how they work but after testing a little bit more I found that the following actually worked for what I wanted:
create mask = 0664
force create mode = 0664
directory mask = 0775
force directory mode = 0775
I'll us this for now... Let me know if you have an alternative that makes more sense.
First set unix permission for users,better if use acl for example you want to share pubblica with permission of 770 only for group "domain users"
in smb.conf
[Pubblica]
comment = Dir pubblica
browseable = yes
public = yes
path = /var/pubblica
writable = yes
force create mode = 0660
force directory mode = 0770
valid users = @"Domain Users"
on linux side
chmod 770 /var/pubblica
setfacl -m g:"domain users":rwx /var/pubblica
setfacl -d -m o:--- /var/pubblica
The first acl give to domain users the 777 permission the second deny access read and write to others.
In this case we had a var/pubblica dir only for domain users adapt this to your situation
networking - Why do "force create mode" and "force directory mode" parameters exist in smb.conf? - Unix & Linux Stack Exchange
Correct way for samba permissions?
/etc/samba/smb.conf: why exists the "force create mode" and "force directory mode" parameters?
Why do files I created in my Samba Share have the wrong permissions?
HI
I was wondering if someone could shed some light,
Currently i have working fine my AD/DC using samba but every now and then i get odd permission issue
my question is what is the correct way or the correct config?
I was reading https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
which it says,
If you set the shares permissions from Windows (The recommended way), you can add the line 'acl_xattr:ignore system acls = yes' to your share. If the line is added, Samba will ignore the standard Unix system ACL's (ugo). Once the line is added, running setfacl on the shares directory will not show any permission modifications you may have made from Windows. You must not add this line until you have set up the share permissions from Windows, otherwise you may find that you are denied permission to change the permissions from Windows.. Only add the line if you will only connect to share via Samba.
The part that says must not add this line until you have the share permissions do they mean all the folders permissions? what about the future permissions?
[shares]
path = /usr/local/samba/shares
comment = shares
read only = no
acl_xattr:ignore system acls = yes
writable = yes
read only = no
force create mode = 0660
create mask = 0777
directory mask = 0777
force directory mode = 0770
access based share enum = yes
hide unreadable = yes
vfs objects = recycle full_audit shadow_copy2 acl_xattr
recycle:repository = .trash/%U
recycle:maxsize = 0
recycle:versions = Yes
recycle:keeptree = Yes
recycle:touch = No
recycle:directory_mode = 0704
#recylce:exclude_dir = /tmp /TMP /temp /TEMP /public /cache /CACHE
#recycle:exclude = *.TMP *.tmp *.temp ~$* *.log *.bak
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: format = _%Y-%m-%d_%H:%M:%S
shadow: snapprefix = ^pyznap
shadow: delimiter = _
shadow:localtime = no
full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdirat renameat unlinkat
full_audit:failure = none
full_audit:facility = SYSLOG
full_audit:priority = NOTICEEdit the samba configuration file.
sudo nano /etc/samba/smb.conf
Add this to the end of the file:
[Public Directory]
comment = Contents are read/write by all.
path = /home/user/directory-to-be-shared
read only = no
guest ok = yes
create mask = 0666
force create mode = 0666
directory mask = 0777
force directory mode = 0777
Then restart samba.
sudo service smbd restart
Notes:
- The string within brackets (
Public Directoryin the example above) is what users will see when accessing the shared folder from other systems. - Files created within this directory by users on other systems will be owned by nobody:nogroup, with read and write permissions for owner, group, and other.
- Directories created in this directory by users on other systems will be owned by nobody:nogroup, with read, write, and directory traversal permissions for owner, group, and other.
- The masks and modes in the configuration file apply to files and
directories created by users on other systems. These masks and modes
are ignored when creating files as a user on the server. Or, to put it
another way, if you are user on the server, make sure that each file
and directory that you create within
/home/user/directory-to-be-sharedhas 666 and 777 permissions respectively. If you have enabled a firewall on the server, you will need to open port 445 for tcp. For example, if you use
ufw(uncomplicated firewall) to configure the firewall:sudo ufw allow in 445/tcp sudo ufw reload sudo ufw status verbose
It's not clear to me if you want a share accessible to everyone or only a group of client users so this is a template for the latter.
Note: This will only work as described if the default umask of your system is 0002 so it will not work for Ubuntu Desktop 17/18 but it will work for Xubuntu Desktop and Ubuntu Server.
In this template it is required that all users you want to have access become members of the "users" group. It will assign the setgid bit on the shared directory and any future subdirectories which forces anything new added to them to inherit the group of it's parent folder.
sudo mkdir /path
sudo chown root:users /path
sudo chmod 2775 /path
The share would look like this:
[UsersShare]
path = /path
valid users = @users
force group = users
read only = no
create mask = 0664
force directory mode = 2775
When bob - who was made a member of the "users" group - logs in with his samba username/password and adds a file to the [UsersShare] share it will have owner = bob, group = users, mode = 664 files / 2775 folders.
All other client users who are members of the users group who sign in will have full access to whatever bob did.
Any local users - those on the server itself - who add or modify files who are also members of the users group will all have the same ability and newly created files/folders will have the same 664/2775 mode and all will have as group: "users". The one exception to all this is root - as in when you use sudo - since it's default umask is 022 unlike a regular user his files will inherit the "users" group but will have a mode of 644.
If you truly want a pure public share where everyone has access replace "valid users = @users" with "guest ok = yes". For this to work locally on the server you would still need to add those users to the "users" group.
I think you need to use the following parameters:
# I changes the permissions to rw-rw-r--
# You should be able to change them to 775 if you need the files to
# be executable
create mask = 664
force create mode = 664
security mask = 664
force security mode = 664
# I set the SGID flag here as I thought this is what you wanted
# You could change to 0775
directory mask = 2775
force directory mode = 2775
directory security mask = 2775
force directory security mode = 2775
I was looking for a nice explanation of how these settings work, but could not find anything better then man smb.conf
You will have to scroll down a bit for those options.
Basically, in a nutshell, windows permissions are not the same as unix (linux) and it is a bit odd how samba maps permissions.
I had the same problem, but everything like mask directives did not work for me (Samba 4.3.11):
create mask = 0664
force create mode = 0664
directory mask = 02775
force directory mode = 02775
The only option that worked was under the [global] or share section:
inherit permissions = yes
Just change all folder and file permissions to your need, so future folders and files will inherit the same permissions.
for what it is worth, I couldn't access my samba share, maybe you have forgotten to add you username to the samba password group (for lack of beter description phrase)
this is what I did to get mine to work
smbpasswd -a username
after by using nautilus, shared my drive/folder with right-click, sharing, etc.
create your password, and use your username and passsword (which you just entered) to access your samba drive, you can also map this drive in Windows
hope this could help
Are the group and owner of the shared folder set properly for the samba user? Should be the same, or try
$ chown -R nobody:nogroup sharedfolder
for testing purposes...
** SOLVED! **
I failed to understand that the mask set in the "create mask" parameter is fundamentally different than basic file permission modes.
Instead of a create mask of 0770, I should have used 0660.
Thanks u/lutusp
** Original Problem **
When I connect to my //server/public samba share, and I create a new file, that file has the wrong permissions.
Here is my smb.conf file:
[global]
map to guest = Bad User
name resolve order = bcast
workgroup = WORKGROUP
log file = /var/log/samba/%m
log level = 1
[public]
path = /smb-shares/public
create mask = 0770 # Correct answer was to change this to 0660
force create mode = 660
directory mask = 2770
directory mode = 2770
read only = no
guest ok = yes
valid users = guest, jesse, derek, owner And here are some files I created:
drwxrwsr-x 2 owner public 4096 May 25 11:38 New Folder -rwxrw---- 1 owner public 0 May 25 11:38 text.txt
The folder has permissions 775, even though I specified 770.
The file has permission 760, even though I specified 660. Why?
