I recommend to create a dedicated user for that share and specify it in force user(see docs).

Create a user (shareuser for example) and set the owner of everything in the share folder to that user:

adduser --system shareuser
chown -R shareuser /path/to/share

Then add force user and permission mask settings in smb.conf:

[myshare]
path = /path/to/share
writeable = yes
browseable = yes
public = yes
create mask = 0644
directory mask = 0755
force user = shareuser

Note that guest ok is a synonym for public.

Answer from yaegashi on Stack Exchange
Top answer
1 of 5
103

I recommend to create a dedicated user for that share and specify it in force user(see docs).

Create a user (shareuser for example) and set the owner of everything in the share folder to that user:

adduser --system shareuser
chown -R shareuser /path/to/share

Then add force user and permission mask settings in smb.conf:

[myshare]
path = /path/to/share
writeable = yes
browseable = yes
public = yes
create mask = 0644
directory mask = 0755
force user = shareuser

Note that guest ok is a synonym for public.

2 of 5
6

In the share settings in smb.conf, you'll need to specify the names of users and/or groups that are allowed to write to the share, using a write list = ... line.

Example:

[myshare]
...
write list = my_linux_username

Then you'll need to use the smbpasswd command to set up a password to authenticate my_linux_username for Samba:

sudo smbpasswd -a my_linux_username

This step is necessary because the standard system passwords in /etc/shadow are hashed in algorithms that are incompatible with the password hash algorithms used in the SMB protocol. When a client sends a SMB authentication packet, it includes a hashed password. It can only be compared to another password hash that uses the same algorithm.

(Very, very old instructions from the previous millennium may recommend disabling password encryption in Samba, and using certain registry hacks to allow Windows to emit unencrypted passwords to the network. This advice is obsolete: those registry hacks may no longer work in current versions of Windows, and allow anyone who can monitor your network traffic to trivially capture your password.)


There's one more thing you may have to do client-side. When your Windows client system is joined to an Active Directory domain and you're logged in with an AD account, it automatically prefixes all unqualified usernames with the name of the AD domain of the user, i.e. you will be authenticating as AD_DOMAIN\your_username, not just your_username.

If you are logged in with a local account (or your client system is not joined to an AD domain), Windows may automatically prefix the username with the client hostname unless you specify another domain name.

To successfully log in to a stand-alone Samba server from a stand-alone Windows client, you may have to specify your username as SAMBA_SERVER_HOSTNAME\your_username.

Otherwise Samba will see the username as WINDOWS_CLIENT_HOSTNAME\your_username, conclude that it has no way to verify any users belonging to domain named WINDOWS_CLIENT_HOSTNAME, and will reject the login.

(Newer versions of Samba may have a built-in check for this specific situation, and they might allow you access nevertheless. But this is basically how SMB authentication works "under the hood", and if you need to deal with old versions of Samba, it might be useful still.)

๐ŸŒ
Ubuntu
ubuntu.com โ€บ server โ€บ docs โ€บ how-to โ€บ samba โ€บ share-access-controls
Share access controls - Ubuntu Server documentation
2 weeks ago - For example, if you wished to use a group named sysadmin in a certain section of the /etc/samba/smb.conf, you would do so by entering the group name as @sysadmin. If a group name has a space in it, use double quotes, like "@LTS Releases". Read and write permissions define the explicit rights a computer or user has to a particular share.
๐ŸŒ
SambaWiki
wiki.samba.org โ€บ index.php โ€บ Setting_up_a_Share_Using_Windows_ACLs
Setting up a Share Using Windows ACLs - SambaWiki
June 26, 2024 - ... Log on to a Windows host using the SAMDOM\Administrator account or an account that is a member of the group that is set as the shares group e.g. SAMDOM\john where john is a member of Domain Admins. Click Start, enter Computer Management, and start the application. Select Action / Connect ...
๐ŸŒ
Manjaro Linux
forum.manjaro.org โ€บ support โ€บ network
Setting Up Samba User Permissions - Network - Manjaro Linux Forum
July 27, 2021 - Iโ€™m having trouble setting up a Samba file share on my home server. Security is not a big concern. Here are the 3 things I need to accomplish: Fix permissions on the existing drive. Right now they are a mess. The shared folder is on a separate internal hard drive and is mounted as /mnt/Shared ...
Top answer
1 of 1
1

Will i need to use winbind and kerberos?

Most likely not. The Samba fileserver provides the same features regardless of where the accounts come from โ€“ your local Samba accounts are already automatically associated with the corresponding OS accounts, etc.

(However, Active Directory would be a good idea if you have more than 3-4 servers.)

Who should be the owner of the shared folders?

Doesn't really matter; root would be a good choice if there's no specific owner otherwise.

If set create mask, directory mask to 755 do i have to change the directory permission with chmod?

Depends on situation, but most likely "yes".

Samba's "create/directory mask" settings do not change existing permissions; they only specify what will be used for new files created on that share. If you want to make a public share but the directory currently has permissions 0700 โ€“ Samba won't change that; you have to chmod it yourself.

Will the 755 permission work or is should change?

It's the standard "readable by others" permission. It doesn't really match your descriptions though โ€“ for home directories it'd grant too much (unnecessary 'read/execute' for others); for shared directories it'd grant too little (missing 'write' for others); so you probably need to change it in both cases.

If someone downloads a file via transmission can the user be the owner instead of transmission?

Only if the users run their own Transmission instances (each on its own port number).

As Transmission is a local process, it is unaffected by SMB server configuration โ€“ all files it creates will be owned by the account that Transmission itself runs as.

Disable the system-wide Transmission service, then create a "user-level" transmission.service in /etc/systemd/user/, which each user could start using systemctl --user. (There are some differences in what settings to use, but those are already documented elsewhere.)

Don't forget to use loginctl enable-linger to allow the users' personal services start on boot (by default they're limited to loginโ€”logout, but the "linger" mode avoids that).

๐ŸŒ
nixCraft
cyberciti.biz โ€บ nixcraft โ€บ tutorials โ€บ debian linux โ€บ samba share permissions simplified
Samba share permissions simplified - nixCraft
January 5, 2007 - Samba software, is a free, open source implementation of networking protocols to share files between UNIX/Linux and Windows computers. Samba provides โ€“ => File and print services => Integration with a Windows Server domain / PDC => Part of Active Directory domain etc Permission precedence Samba comes with different types of permissions for share.
๐ŸŒ
Samba
samba.org โ€บ samba โ€บ docs โ€บ using_samba โ€บ ch09.html
Samba
In other words, a client must first pass Samba's security mechanisms (e.g., authenticating with a valid username and password, passing the check for the valid users parameter and the read only parameter, etc.), as well as the normal Unix file and directory permissions of its Unix-side user, before it can gain read/write access to a share.
Find elsewhere
๐ŸŒ
OneUptime
oneuptime.com โ€บ home โ€บ blog โ€บ how to configure samba share permissions on ubuntu
How to Configure Samba Share Permissions on Ubuntu
March 2, 2026 - # Create the share directory sudo mkdir -p /srv/samba/department # Set ownership: owned by root, group access for the 'finance' group sudo chown root:finance /srv/samba/department # Set permissions: # Owner (root): rwx # Group (finance): rwx # Others: --- sudo chmod 770 /srv/samba/department # Set the setgid bit so new files inherit the group sudo chmod g+s /srv/samba/department # Verify ls -la /srv/samba/ # drwxrws--- root finance /srv/samba/department
Top answer
1 of 2
4

Edit the samba configuration file.

sudo nano /etc/samba/smb.conf

Add this to the end of the file:

[Public Directory]
comment = Contents are read/write by all.
path = /home/user/directory-to-be-shared
read only = no
guest ok = yes
create mask = 0666
force create mode = 0666
directory mask = 0777
force directory mode = 0777

Then restart samba.

sudo service smbd restart

Notes:

  1. The string within brackets (Public Directory in the example above) is what users will see when accessing the shared folder from other systems.
  2. Files created within this directory by users on other systems will be owned by nobody:nogroup, with read and write permissions for owner, group, and other.
  3. Directories created in this directory by users on other systems will be owned by nobody:nogroup, with read, write, and directory traversal permissions for owner, group, and other.
  4. The masks and modes in the configuration file apply to files and directories created by users on other systems. These masks and modes are ignored when creating files as a user on the server. Or, to put it another way, if you are user on the server, make sure that each file and directory that you create within /home/user/directory-to-be-shared has 666 and 777 permissions respectively.
  5. If you have enabled a firewall on the server, you will need to open port 445 for tcp. For example, if you use ufw (uncomplicated firewall) to configure the firewall:

    sudo ufw allow in 445/tcp
    sudo ufw reload
    sudo ufw status verbose
    
2 of 2
2

It's not clear to me if you want a share accessible to everyone or only a group of client users so this is a template for the latter.

Note: This will only work as described if the default umask of your system is 0002 so it will not work for Ubuntu Desktop 17/18 but it will work for Xubuntu Desktop and Ubuntu Server.

In this template it is required that all users you want to have access become members of the "users" group. It will assign the setgid bit on the shared directory and any future subdirectories which forces anything new added to them to inherit the group of it's parent folder.

sudo mkdir /path
sudo chown root:users /path
sudo chmod 2775 /path

The share would look like this:

[UsersShare]
path = /path
valid users = @users
force group = users
read only = no
create mask = 0664
force directory mode = 2775

When bob - who was made a member of the "users" group - logs in with his samba username/password and adds a file to the [UsersShare] share it will have owner = bob, group = users, mode = 664 files / 2775 folders.

All other client users who are members of the users group who sign in will have full access to whatever bob did.

Any local users - those on the server itself - who add or modify files who are also members of the users group will all have the same ability and newly created files/folders will have the same 664/2775 mode and all will have as group: "users". The one exception to all this is root - as in when you use sudo - since it's default umask is 022 unlike a regular user his files will inherit the "users" group but will have a mode of 644.

If you truly want a pure public share where everyone has access replace "valid users = @users" with "guest ok = yes". For this to work locally on the server you would still need to add those users to the "users" group.

๐ŸŒ
Linux Mint Forums
forums.linuxmint.com โ€บ board index โ€บ main edition support โ€บ networking
Changing permissions on Samba shares [SOLVED] - Linux Mint Forums
The system creates special permissions on the /media/bill folder that limits access to "bill" only. The "guest" is not bill so access is denied. You can force the client users to access the share as bill. Or you can make all your clients "appear" to be bill by doing this - on the server.: Edit /etc/samba/smb.conf and right under the workgroup = WORKGROUP line towards the top of the file add this one:
๐ŸŒ
SambaWiki
wiki.samba.org โ€บ index.php โ€บ Setting_up_a_Share_Using_POSIX_ACLs
Setting up a Share Using POSIX ACLs - SambaWiki - Samba.org
June 16, 2023 - The classic UNIX rights support setting permissions for one owner, one group, and everyone else (other). If you need to set multiple ACLs on a directory, see Setting Extended ACLs. For example, to set the owner of the /srv/samba/Demo/ directory to root, grant read and write permissions to the owner and the Domain Users group, and deny access to all other users, enter:
๐ŸŒ
Reddit
reddit.com โ€บ r/homelab โ€บ samba permissions not matching linux permissions?
r/homelab on Reddit: SAMBA Permissions not matching linux permissions?
August 6, 2024 -

Logged into the server with a bash prompt as my domain user, I'm able to move around the files as expected. It's only when accessing it over samba, both windows and another linux vm, that I'm getting permission denied moving the files.

I think it's samba specifically, since I'm also mounting the fs from a linux vm and it's giving me the same behaviour.

The only workaround we have right now is to add our usergroup as admin in the smb.conf to get permissions.

Any ideas?

(Sambas support is only through a broken mailing list atm, so thought i'd ask here. ^^)

Thanks!

๐ŸŒ
OneUptime
oneuptime.com โ€บ home โ€บ blog โ€บ how to configure samba share permissions for ipv4 clients
How to Configure Samba Share Permissions for IPv4 Clients
March 20, 2026 - # /etc/samba/smb.conf [global] ... only = yes [data] comment = Shared Data path = /srv/samba/data # Allow read access for all authenticated users read only = yes # Allow specific users to write write list = @samba, admin ...
๐ŸŒ
CubePath
cubepath.com โ€บ docs โ€บ storage-management โ€บ samba-configuration-for-file-sharing
Samba Configuration for File Sharing: Complete Cross-Platform Setup Guide - CubePath Docs | CubePath
January 11, 2026 - # Check filesystem permissions ls -la /srv/samba/shared # Fix ownership sudo chown -R root:sambashare /srv/samba/shared # Fix permissions sudo chmod -R 2775 /srv/samba/shared # Check Samba configuration # In smb.conf: create mask = 0660 directory mask = 0770 force group = sambashare
๐ŸŒ
OneUptime
oneuptime.com โ€บ home โ€บ blog โ€บ how to configure samba user authentication and permissions on rhel
How to Configure Samba User Authentication and Permissions on RHEL
March 4, 2026 - Samba authentication and permissions on RHEL involve three layers: Samba user accounts (smbpasswd/pdbedit), share-level access control (valid users, write list), and filesystem permissions (create mask, force group).
๐ŸŒ
Reddit
reddit.com โ€บ r/sysadmin โ€บ correct way for samba permissions?
r/sysadmin on Reddit: Correct way for samba permissions?
June 26, 2024 -

HI

I was wondering if someone could shed some light,

Currently i have working fine my AD/DC using samba but every now and then i get odd permission issue

my question is what is the correct way or the correct config?

I was reading https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

which it says,

If you set the shares permissions from Windows (The recommended way), you can add the line 'acl_xattr:ignore system acls = yes' to your share. If the line is added, Samba will ignore the standard Unix system ACL's (ugo). Once the line is added, running setfacl on the shares directory will not show any permission modifications you may have made from Windows. You must not add this line until you have set up the share permissions from Windows, otherwise you may find that you are denied permission to change the permissions from Windows.. Only add the line if you will only connect to share via Samba.

The part that says must not add this line until you have the share permissions do they mean all the folders permissions? what about the future permissions?

[shares]
        path = /usr/local/samba/shares
        comment = shares
        read only = no
        acl_xattr:ignore system acls = yes
        writable = yes
        read only = no
        force create mode = 0660
        create mask = 0777
        directory mask = 0777
        force directory mode = 0770
        access based share enum = yes
        hide unreadable = yes
 vfs objects = recycle full_audit shadow_copy2 acl_xattr
   recycle:repository = .trash/%U
   recycle:maxsize = 0
   recycle:versions = Yes
   recycle:keeptree = Yes
   recycle:touch = No
   recycle:directory_mode = 0704
#recylce:exclude_dir = /tmp /TMP /temp /TEMP /public /cache /CACHE
#recycle:exclude = *.TMP *.tmp *.temp ~$* *.log *.bak
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: format = _%Y-%m-%d_%H:%M:%S
shadow: snapprefix = ^pyznap
shadow: delimiter = _
shadow:localtime = no
  full_audit:prefix = %u|%I|%m|%S
   full_audit:success = mkdirat renameat unlinkat
   full_audit:failure = none
   full_audit:facility = SYSLOG
   full_audit:priority = NOTICE
๐ŸŒ
StudyVatika
studyvatika.com โ€บ blogs โ€บ setting-up-samba-shares-with-user-specific-permissions-a-complete-guide-for-schools-and-organizations
Setting Up Samba Shares with User-Specific Permissions: A Complete Guide for Schools and Organizations | StudyVatika Blog
September 3, 2025 - After diving deep into Samba documentation and testing various approaches, I found the perfect combination using the sticky bit feature and careful Samba configuration. Here's the step-by-step breakdown: First, let's create our users and set up the shared folder: # Create user accounts sudo useradd admin sudo useradd student # Create the shared directory sudo mkdir -p /home/server/school_drive # Set ownership to admin sudo chown admin:admin /home/server/school_drive # Set basic permissions sudo chmod 770 /home/server/school_drive # Here's the magic - set the sticky bit sudo chmod +t /home/server/school_drive
๐ŸŒ
Red Hat
access.redhat.com โ€บ solutions โ€บ 39821
How to configure samba share such that Windows Users creating folders on Samba share would like the folders to be accessed (Read, write Permissions) to other users also - Red Hat Customer Portal
August 7, 2024 - After doing the above configure smb.conf to inherit permissions and also inherit acls . Example: [global] workgroup = PNQ realm = GSSLAB.PNQ.REDHAT.COM server string = Samba Server Version %v security = ADS password server = 10.65.208.43 passdb backend = tdbsam log file = /var/log/samba/log.%m max log size = 50 idmap uid = 16777216-33554431 idmap gid = 16777216-33554431 template shell = /bin/bash inherit permissions = Yes inherit acls = Yes cups options = raw [homes] comment = Home Directories read only = No browseable = No [printers] comment = All Printers path = /var/spool/samba printable = Yes browseable = No [public] comment = Public Stuff path = /abc read only = No guest ok = Yes browseable = yes
๐ŸŒ
Raspberry Pi Forums
forums.raspberrypi.com โ€บ board index โ€บ using the raspberry pi โ€บ troubleshooting
Samba Permissions - Raspberry Pi Forums
Good luck. Adam Edit You can see the file permissions by navigating to the directory where the files are in the terminal and typing: ls -la That will list the files in that directory and the morse code type text at the beginning tells you what permissions you have set.