Will i need to use winbind and kerberos?
Most likely not. The Samba fileserver provides the same features regardless of where the accounts come from – your local Samba accounts are already automatically associated with the corresponding OS accounts, etc.
(However, Active Directory would be a good idea if you have more than 3-4 servers.)
Who should be the owner of the shared folders?
Doesn't really matter; root would be a good choice if there's no specific owner otherwise.
If set create mask, directory mask to 755 do i have to change the directory permission with chmod?
Depends on situation, but most likely "yes".
Samba's "create/directory mask" settings do not change existing permissions; they only specify what will be used for new files created on that share. If you want to make a public share but the directory currently has permissions 0700 – Samba won't change that; you have to chmod it yourself.
Will the 755 permission work or is should change?
It's the standard "readable by others" permission. It doesn't really match your descriptions though – for home directories it'd grant too much (unnecessary 'read/execute' for others); for shared directories it'd grant too little (missing 'write' for others); so you probably need to change it in both cases.
If someone downloads a file via transmission can the user be the owner instead of transmission?
Only if the users run their own Transmission instances (each on its own port number).
As Transmission is a local process, it is unaffected by SMB server configuration – all files it creates will be owned by the account that Transmission itself runs as.
Disable the system-wide Transmission service, then create a "user-level" transmission.service in /etc/systemd/user/, which each user could start using systemctl --user. (There are some differences in what settings to use, but those are already documented elsewhere.)
Don't forget to use loginctl enable-linger to allow the users' personal services start on boot (by default they're limited to login—logout, but the "linger" mode avoids that).
Videos
Edit the samba configuration file.
sudo nano /etc/samba/smb.conf
Add this to the end of the file:
[Public Directory]
comment = Contents are read/write by all.
path = /home/user/directory-to-be-shared
read only = no
guest ok = yes
create mask = 0666
force create mode = 0666
directory mask = 0777
force directory mode = 0777
Then restart samba.
sudo service smbd restart
Notes:
- The string within brackets (
Public Directoryin the example above) is what users will see when accessing the shared folder from other systems. - Files created within this directory by users on other systems will be owned by nobody:nogroup, with read and write permissions for owner, group, and other.
- Directories created in this directory by users on other systems will be owned by nobody:nogroup, with read, write, and directory traversal permissions for owner, group, and other.
- The masks and modes in the configuration file apply to files and
directories created by users on other systems. These masks and modes
are ignored when creating files as a user on the server. Or, to put it
another way, if you are user on the server, make sure that each file
and directory that you create within
/home/user/directory-to-be-sharedhas 666 and 777 permissions respectively. If you have enabled a firewall on the server, you will need to open port 445 for tcp. For example, if you use
ufw(uncomplicated firewall) to configure the firewall:sudo ufw allow in 445/tcp sudo ufw reload sudo ufw status verbose
It's not clear to me if you want a share accessible to everyone or only a group of client users so this is a template for the latter.
Note: This will only work as described if the default umask of your system is 0002 so it will not work for Ubuntu Desktop 17/18 but it will work for Xubuntu Desktop and Ubuntu Server.
In this template it is required that all users you want to have access become members of the "users" group. It will assign the setgid bit on the shared directory and any future subdirectories which forces anything new added to them to inherit the group of it's parent folder.
sudo mkdir /path
sudo chown root:users /path
sudo chmod 2775 /path
The share would look like this:
[UsersShare]
path = /path
valid users = @users
force group = users
read only = no
create mask = 0664
force directory mode = 2775
When bob - who was made a member of the "users" group - logs in with his samba username/password and adds a file to the [UsersShare] share it will have owner = bob, group = users, mode = 664 files / 2775 folders.
All other client users who are members of the users group who sign in will have full access to whatever bob did.
Any local users - those on the server itself - who add or modify files who are also members of the users group will all have the same ability and newly created files/folders will have the same 664/2775 mode and all will have as group: "users". The one exception to all this is root - as in when you use sudo - since it's default umask is 022 unlike a regular user his files will inherit the "users" group but will have a mode of 644.
If you truly want a pure public share where everyone has access replace "valid users = @users" with "guest ok = yes". For this to work locally on the server you would still need to add those users to the "users" group.
Logged into the server with a bash prompt as my domain user, I'm able to move around the files as expected. It's only when accessing it over samba, both windows and another linux vm, that I'm getting permission denied moving the files.
I think it's samba specifically, since I'm also mounting the fs from a linux vm and it's giving me the same behaviour.
The only workaround we have right now is to add our usergroup as admin in the smb.conf to get permissions.
Any ideas?
(Sambas support is only through a broken mailing list atm, so thought i'd ask here. ^^)
Thanks!
Hi everyone,
I'm trying to set up radarr on my Ubuntu machine using a docker container and I'm having some issues regarding permissions when mounting a smb network drive.
This network drive is from my Synology NAS and I'm mounting it using etc/fstab and this line:
//{my-ip-adress}/Media_Library /mnt/Media_Library cifs credentials=/home/{my-user}/password,iocharset=utf8 0 0
So, I basically need my mounted drive to have the right permissions so radarr can use it, but every time I mount it, my drive ens up just with drwxr-xr-x instead of drwxrwxrwx which is what I think I need, but I'm not sure about that as I haven't been using Linux for too long and I know user and group permissions have something to do here as well. I tried radarr in Windows before and the drive that I was using had drwxrwxrwx permissions and it was working, so that's why I'm assuming that but I'm not sure if that wouldn't be secure enough. And when I try to add permissions using the command sudo chmod o+w / sudo chmod g+w it doesn't changes anything.
These are the current permissions of the drive that I've mounted:
drwxr-xr-x 2 root root 0 oct 23 19:06 Media_Library
I'm creating the container in docker using docker-compose.
I've been reading about it and I kind of understand that when you mount the smb share permissions overwrite the previous ones but I'm not sure how to approach this. I've read about using the uid and gid options and also about something called umask but I just wanted to make sure that I'm doing this the right way because I don't want to have any security risks as I have personal stuff on my Synology NAS as well, but still I can't use radarr without these permissions.
Also, I don't know if the proper way to do it would be changing the user/groups (in which case I don't know which user/group would radarr need) or if it's just a matter of giving write permissions to all users and groups (in which case I don't know how to do it either..)
So if anyone can help me with this I will really appreciate it :')
Thanks!
I recommend to create a dedicated user for that share and specify it in force user(see docs).
Create a user (shareuser for example) and set the owner of everything in the share folder to that user:
adduser --system shareuser
chown -R shareuser /path/to/share
Then add force user and permission mask settings in smb.conf:
[myshare]
path = /path/to/share
writeable = yes
browseable = yes
public = yes
create mask = 0644
directory mask = 0755
force user = shareuser
Note that guest ok is a synonym for public.
In the share settings in smb.conf, you'll need to specify the names of users and/or groups that are allowed to write to the share, using a write list = ... line.
Example:
[myshare]
...
write list = my_linux_username
Then you'll need to use the smbpasswd command to set up a password to authenticate my_linux_username for Samba:
sudo smbpasswd -a my_linux_username
This step is necessary because the standard system passwords in /etc/shadow are hashed in algorithms that are incompatible with the password hash algorithms used in the SMB protocol. When a client sends a SMB authentication packet, it includes a hashed password. It can only be compared to another password hash that uses the same algorithm.
(Very, very old instructions from the previous millennium may recommend disabling password encryption in Samba, and using certain registry hacks to allow Windows to emit unencrypted passwords to the network. This advice is obsolete: those registry hacks may no longer work in current versions of Windows, and allow anyone who can monitor your network traffic to trivially capture your password.)
There's one more thing you may have to do client-side. When your Windows client system is joined to an Active Directory domain and you're logged in with an AD account, it automatically prefixes all unqualified usernames with the name of the AD domain of the user, i.e. you will be authenticating as AD_DOMAIN\your_username, not just your_username.
If you are logged in with a local account (or your client system is not joined to an AD domain), Windows may automatically prefix the username with the client hostname unless you specify another domain name.
To successfully log in to a stand-alone Samba server from a stand-alone Windows client, you may have to specify your username as SAMBA_SERVER_HOSTNAME\your_username.
Otherwise Samba will see the username as WINDOWS_CLIENT_HOSTNAME\your_username, conclude that it has no way to verify any users belonging to domain named WINDOWS_CLIENT_HOSTNAME, and will reject the login.
(Newer versions of Samba may have a built-in check for this specific situation, and they might allow you access nevertheless. But this is basically how SMB authentication works "under the hood", and if you need to deal with old versions of Samba, it might be useful still.)