Although I prefer the Samba "force group", "force create mode", and "force directory mode" combination, that approach is effectively obsolete (or at least too much trouble) starting with OS X Lion. Right now, the best solution is to use groups and ACLs.

In System Preferences -> Users & Groups:

  1. Create a new group for the users who need write access to the file share. Do not try to reuse the "staff" group, a new group is required to force ACLs to be created in step 4.
  2. Add the users to the group.

In System Preferences -> Sharing -> File Sharing:

  1. Select the shared folder.
  2. Add the group to the share permissions (click the + under the "Users" list) and give it read/write access.

Check the ACLs on the shared directory and its contents using 'ls -le'. You should see something like this:

-rw-r-----+ 1 scott    staff  43667456 Feb 17 21:59 filename
 0: group:xxx inherited allow read,write,execute,append,...

The permissions are inherited; all group members now have r/w access.

Answer from user1241759 on Stack Exchange
Discussions

Write permission denied for SMB share - General Support - Unraid
I am unable to write to a public SMB share (share is exported and public). I am able to read from the share. I am authenticating as a guest. The output of smbstatus while authenticated is: Samba version 4.11.4 PID Username Group Machine Protocol Version Encryption Signing ------------------------... More on forums.unraid.net
🌐 forums.unraid.net
August 29, 2021
macos - Cannot write to SMB Share with Terminal OS X 10.8 - Ask Different
I am trying to copy some files from my local drive to a SMB share I have set up on my home network using Terminal, but I keep getting this error: fchmod failed: Permission denied The share is set... More on apple.stackexchange.com
🌐 apple.stackexchange.com
November 4, 2012
macos - Permissions issue when copying files over SMB to server on OS X 10.9 Mavericks - Ask Different
First of all I'd like to say that I've spent most of the day trying to figure this problem out. I've already read quite some articles on this issue but can't seem to find the specific issue I'm More on apple.stackexchange.com
🌐 apple.stackexchange.com
mount - Samba share permission denied user writing file but still shows - Unix & Linux Stack Exchange
Very strange issue... Samba share on remote: [javaerpm] path = /u/abas/erpm/java force user = erpm guest ok = yes read only = no writeable = yes Mount command on local using r... More on unix.stackexchange.com
🌐 unix.stackexchange.com
September 24, 2013
🌐
Unraid
forums.unraid.net › home › unraid os support › general support › write permission denied for smb share
Write permission denied for SMB share - General Support - Unraid
August 29, 2021 - I am unable to write to a public SMB share (share is exported and public). I am able to read from the share. I am authenticating as a guest. The output of smbstatus while authenticated is: Samba version 4.11.4 PID Username Group Machine Protocol Version Encryption Signing ------------------------...
Find elsewhere
Top answer
1 of 1
10

Note: I'm just guessing here, I'm not a samba guru.

Samba/CIFS, at least the way you're using it here, does not reproduce credentials between the server and the client. Because of the force user directive on the server, all operations are performed as the user erpm on the server. However, because both the client and the server are running a unix system, they auto-negociated the CIFS POSIX extensions. This makes unix permissions appear to work up to a point, but only as far as the server permits, and you've run into a case where what the unix permissions claim and what the server allows differ.

You'll notice that all files appear as user ID 501. That's their uid on the server.

When you try to create or remove a file, this requires write permission on the directory. All access are mapped to a single user on the server, so write permission boils down to whether erpm is allowed to write to that directory on the server. The answer is yes.

When you run touch, it creates the file and then changes its modification time. Changing the modification time of a file requires ownership, and this is tested by the generic filesystem code, on the client side.

If you run strace touch test, you'll notice that then open call (which creates the file) succeeds, then the utimes call (or rather on Linux the utimensat system call) fails to set the times.

This is actually a bit weird because utimes should succeed, since touch calls it with a NULL argument (meaning “set the timestamp to the current time”), and this is supposed to be permitted to any caller that may write to the file, and not only to the owner like setting an arbitrary timestamp. I suspect that utimensat is actually doing a permissions-based check, and determining that the permissions say you can't write to that file, even though the filesystem would allow a write operation regardless of the actual permissions.

The main advantage of the CIFS POSIX extensions when the server side is running with the permissions of a non-root user are to carry over the executable bit, and possibly group ownership. It may be less confusing if you map user ownership to a single client-side user with the forceuid mount option.

🌐
Super User
superuser.com › questions › 1023925 › give-write-permissions-on-samba-shares
Give write permissions on samba shares - Super User
September 1, 2016 - However, as soon as I attempt to touch a file using the shell or copy files to the share I get Permission denied errors. However, I only get them for folder1 and folder2, in folder3 everything works perfectly. I can't figure out what prevents me from writing to the other folders. Does anyone have any ideas at all? ... If you have any configuration lines that look like they are simply placed after the blocks, the result may be that the configuration line(s) are actually affecting just the last block. In my actually-working Samba configuration, I have this in each block:
🌐
Apple Community
discussions.apple.com › thread › 8539479
Can't copy file to folder on SMB share wi… - Apple Community
October 30, 2018 - If we change the user's permissions on the folder to "Read & Write", i.e. rwx permissions, they CAN copy a file to the folder. The clients are running macOS 10.13.6 and the server hosting the share is running macOS 10.13.5.
🌐
Reddit
reddit.com › r/macsysadmin › file permissions issues on smb share.
r/macsysadmin on Reddit: File permissions issues on SMB share.
March 2, 2023 -

Hello fellow mac admins. I’m trying to troubleshoot a permissions issue on an SMB volume where the user may be able to create files and folders but not delete them. The issue appears to be sporadic and the the affected user has RWX permissions on the files and containing folder. When you attempt to delete files within the folder iOS says that you don’t have permission to delete some files. I’ve looked at permissions(from the mac’s perspective) and SMB versions in use with no luck. The Mac in use is running Monterey 12.6.3. Any other angles to suggest?

Thanks

🌐
Raspberry Pi Forums
forums.raspberrypi.com › board index › projects › networking and servers
samba server gives me a permission denied error when connecting - Raspberry Pi Forums
Whatever username you use must exist as a Unix user. you should also create the same user on all computers that will connect to the share, ideally using the same password everywhere. If you are connecting from a Windows 10 machine and it still does not work, then you may have to turn SMBv1 ...
🌐
Apple Developer
developer.apple.com › forums › thread › 742019
Permission errors within an app af… | Apple Developer Forums
The app is not sandboxed, the SMB share access was probably blocked by MAC. The tool which mounts the share also executes the app. If giving the tool full disk access it works, I guess because this is inherited to the child process. We also solved the permission denied problem for the ip command.
🌐
Raspberry Pi Forums
forums.raspberrypi.com › board index › using the raspberry pi › troubleshooting
Samba Write Access Denied Windows 10 - Raspberry Pi Forums
I just ran chmod -R g=rwx /media/hdd4tb/shares/torrents/ and that fixed my issue. Thanks for the help. Hmm, if I physically take that hard drive and connect it to another linux machine instead of using samba shares, how do I keep permissions intact if I'm working with the files?
🌐
OSMC Forums
discourse.osmc.tv › help and support › raspberry pi
OSMC Samba Permission Issue Mac - SOLVED - Raspberry Pi - OSMC Forums
April 23, 2015 - Hello, I am having an issue with Samba on my Raspberry Pi and Mac, I can view files and open them but I cannot write I am being presented with this error message “Items can’t be copied to “Movies” because you don’t have…
Top answer
1 of 1
4

The permissions are set on the server and are 100% dependent on ACL.

You have two options in order to attempt to solve your issue.

1st option (which may better suit your needs): try to map/match Windows and Unix ACLs.

Edit the SMB server's smb.conf file and add these parameters to the [global] section:

[global]
nt acl support = yes
acl map full control = no

The two parameters above will cause the SMB server to attempt to map/match Windows and Unix ACLs.

From the smb.conf manpage:

nt acl support (S)

       This boolean parameter controls whether smbd(8) will attempt to map
       UNIX permissions into Windows NT access control lists. The UNIX
       permissions considered are the traditional UNIX owner and group
       permissions, as well as POSIX ACLs set on any files or directories.

acl map full control (S)

       This boolean parameter controls whether smbd(8) maps a POSIX ACE
       entry of "rwx" (read/write/execute), the maximum allowed POSIX
       permission set, into a Windows ACL of "FULL CONTROL". If this
       parameter is set to true any POSIX ACE entry of "rwx" will be
       returned in a Windows ACL as "FULL CONTROL", is this parameter is
       set to false any POSIX ACE entry of "rwx" will be returned as the
       specific Windows ACL bits representing read, write and execute.

2nd option (workaround): set specific ACLs for each one of your shares.

In a nutshell, the RWX (read, write and execute) parameters are defined by these equivalent SMB parameters:

  • writeable = no is equivalent to R (read only)
  • writeable = yes is equivalent to RW (read and write)
  • acl allow execute always = true or acl allow execute always = yes is equivalent to X (execute)

In order to set file/folder permissions for all your shares, it's necessary to edit the server's smb.conf file and then add this global setting:

[global]
acl allow execute always = false
guest ok = no
writeable = yes
available = yes
browseable = yes
printable = no
locking = yes

...which will by default force all your shared folders to forbid execution of files (acl allow execute always = false), forbid guest access (guest ok = no), allow read and edit/(re)write access to files and folders (writeable = yes), make all your shares available for use by the remote (client) users (available = yes) and make the available shares visible (browseable = yes), forbid using your shares as a printing spool directory (printable = no), and force locking of your shares if the client sends such request to the SMB server (locking = yes).

From the smb.conf manpage:

acl allow execute always (S)

       This boolean parameter controls the behaviour of smbd(8) when
       receiving a protocol request of "open for execution" from a Windows
       client. With Samba 3.6 and older, the execution right in the ACL
       was not checked, so a client could execute a file even if it did
       not have execute rights on the file. In Samba 4.0, this has been
       fixed, so that by default, i.e. when this parameter is set to
       "False", "open for execution" is now denied when execution
       permissions are not present.

       If this parameter is set to "True", Samba does not check execute
       permissions on "open for execution", thus re-establishing the
       behaviour of Samba 3.6. This can be useful to smoothen upgrades
       from older Samba versions to 4.0 and newer. This setting is not
       meant to be used as a permanent setting, but as a temporary relief:
       It is recommended to fix the permissions in the ACLs and reset this
       parameter to the default after a certain transition period.

Note: if acl allow execute always = false doesn't work, try acl allow execute always = no.

guest ok (S)

       If this parameter is yes for a service, then no password is
       required to connect to the service. Privileges will be those of the
       guest account.

       This parameter nullifies the benefits of setting restrict anonymous
       = 2

       See the section below on security for more information about this
       option.

writeable (S)

       Inverted synonym for read only.

read only (S)

       An inverted synonym is writeable.

       If this parameter is yes, then users of a service may not create or
       modify files in the service's directory.

       Note that a printable service (printable = yes) will ALWAYS allow
       writing to the directory (user privileges permitting), but only via
       spooling operations.

available (S)

       This parameter lets you "turn off" a service. If available = no,
       then ALL attempts to connect to the service will fail. Such
       failures are logged.

browseable (S)

       This controls whether this share is seen in the list of available
       shares in a net view and in the browse list.

printable (S)

       If this parameter is yes, then clients may open, write to and
       submit spool files on the directory specified for the service.

       Note that a printable service will ALWAYS allow writing to the
       service path (user privileges permitting) via the spooling of print
       data. The read only parameter controls only non-printing access to
       the resource.

locking (S)

       This controls whether or not locking will be performed by the
       server in response to lock requests from the client.

       If locking = no, all lock and unlock requests will appear to
       succeed and all lock queries will report that the file in question
       is available for locking.

       If locking = yes, real locking will be performed by the server.

       This option may be useful for read-only filesystems which may not
       need locking (such as CDROM drives), although setting this
       parameter of no is not really recommended even in this case.

       Be careful about disabling locking either globally or in a specific
       service, as lack of locking may result in data corruption. You
       should never need to set this parameter.
Top answer
1 of 2
1

I'm late to this, but I can't be the person that discovered a solution that worked (for me, at least) without putting it out there, since I've been that guy that screams at the "nvm fixed it" comments with no elaboration ;)

Your very first step is to check your fstab. You need to make sure you have

  1. Enabled xattrs support on the filesystem you're sharing from, check your fstab.

  2. Enabled ACL in mount options too, while you're there. Something like this, adjust for your environ:

    /dev/disk/by-label/nas1 /mnt/nas1 ext4 defaults,user_xattr,acl,commit=60 0 2
    

    I just went through a couple of hours of troubleshooting why I got permission errors. I had simply forgotten point 2.

The rest of my setup was already OK with much less fuss than I thought:

  1. Put this in smb.conf [global] section:

    [global]
    vfs objects = fruit catia streams_xattr acl_xattr
    map acl inherit = yes
    fruit:aapl = yes
    fruit:model = MacSamba
    fruit:metadata = stream
    readdir_attr:aapl_rsize = yes
    readdir_attr:aapl_finder_info = yes
    readdir_attr:aapl_max_access = yes
    

    If you wonder what the settings do, I humbly suggest you $> man smb.conf (not a dig at the OP, I confused the text in their post with another more... ignorant post previously.)

The rest of the file can stay default. Change your workgroup name if you're an old Windows 3.11 guy that cares about syncing that across my LAN.

  1. In the share you want to have tag support for, these options work well for me:
    [Pr0n]
      comment = Pr0n
      path = /mnt/nas1/Pr0n
      browseable = no
      guest ok = no
      read only = no
      writable = yes
      valid users = 
    
    [ -- snip -- ]
    
      force directory mode = 0775
      force create mode = 0664
    
      # Fruit config
      fruit:posix_rename = yes
      fruit:veto_appledouble = yes
      fruit:nfs_aces = yes
      fruit:wipe_intentionally_left_blank_rfork = no
      fruit:delete_empty_adfiles = no
    

The directory is owned by my personal user and group, I did not need to fuddle around with net grant SeDiskOperatorStatus or any of that.

One reboot later (might as well, right) everything was automagically good, and tags are both allowed and stick.

2 of 2
0

It is possible that your PAM (Pluggable Authentication Module) setting is overrules your directory mask and create mask settings. Check the line: obey pam restrictions = no in your smb.conf.Should do the trick.