Will i need to use winbind and kerberos?

Most likely not. The Samba fileserver provides the same features regardless of where the accounts come from – your local Samba accounts are already automatically associated with the corresponding OS accounts, etc.

(However, Active Directory would be a good idea if you have more than 3-4 servers.)

Who should be the owner of the shared folders?

Doesn't really matter; root would be a good choice if there's no specific owner otherwise.

If set create mask, directory mask to 755 do i have to change the directory permission with chmod?

Depends on situation, but most likely "yes".

Samba's "create/directory mask" settings do not change existing permissions; they only specify what will be used for new files created on that share. If you want to make a public share but the directory currently has permissions 0700 – Samba won't change that; you have to chmod it yourself.

Will the 755 permission work or is should change?

It's the standard "readable by others" permission. It doesn't really match your descriptions though – for home directories it'd grant too much (unnecessary 'read/execute' for others); for shared directories it'd grant too little (missing 'write' for others); so you probably need to change it in both cases.

If someone downloads a file via transmission can the user be the owner instead of transmission?

Only if the users run their own Transmission instances (each on its own port number).

As Transmission is a local process, it is unaffected by SMB server configuration – all files it creates will be owned by the account that Transmission itself runs as.

Disable the system-wide Transmission service, then create a "user-level" transmission.service in /etc/systemd/user/, which each user could start using systemctl --user. (There are some differences in what settings to use, but those are already documented elsewhere.)

Don't forget to use loginctl enable-linger to allow the users' personal services start on boot (by default they're limited to login—logout, but the "linger" mode avoids that).

Answer from grawity on Stack Exchange
Top answer
1 of 1
1

Will i need to use winbind and kerberos?

Most likely not. The Samba fileserver provides the same features regardless of where the accounts come from – your local Samba accounts are already automatically associated with the corresponding OS accounts, etc.

(However, Active Directory would be a good idea if you have more than 3-4 servers.)

Who should be the owner of the shared folders?

Doesn't really matter; root would be a good choice if there's no specific owner otherwise.

If set create mask, directory mask to 755 do i have to change the directory permission with chmod?

Depends on situation, but most likely "yes".

Samba's "create/directory mask" settings do not change existing permissions; they only specify what will be used for new files created on that share. If you want to make a public share but the directory currently has permissions 0700 – Samba won't change that; you have to chmod it yourself.

Will the 755 permission work or is should change?

It's the standard "readable by others" permission. It doesn't really match your descriptions though – for home directories it'd grant too much (unnecessary 'read/execute' for others); for shared directories it'd grant too little (missing 'write' for others); so you probably need to change it in both cases.

If someone downloads a file via transmission can the user be the owner instead of transmission?

Only if the users run their own Transmission instances (each on its own port number).

As Transmission is a local process, it is unaffected by SMB server configuration – all files it creates will be owned by the account that Transmission itself runs as.

Disable the system-wide Transmission service, then create a "user-level" transmission.service in /etc/systemd/user/, which each user could start using systemctl --user. (There are some differences in what settings to use, but those are already documented elsewhere.)

Don't forget to use loginctl enable-linger to allow the users' personal services start on boot (by default they're limited to login—logout, but the "linger" mode avoids that).

🌐
nixCraft
cyberciti.biz › nixcraft › tutorials › debian linux › samba share permissions simplified
Samba share permissions simplified - nixCraft
January 5, 2007 - It is to do with the linux permissions on the folders in the samba share, right click on the folder -> properties -> permissions · under group and folder access this had defaulted to none · change to create and delete files and apply permissions ...
Top answer
1 of 2
4

Edit the samba configuration file.

sudo nano /etc/samba/smb.conf

Add this to the end of the file:

[Public Directory]
comment = Contents are read/write by all.
path = /home/user/directory-to-be-shared
read only = no
guest ok = yes
create mask = 0666
force create mode = 0666
directory mask = 0777
force directory mode = 0777

Then restart samba.

sudo service smbd restart

Notes:

  1. The string within brackets (Public Directory in the example above) is what users will see when accessing the shared folder from other systems.
  2. Files created within this directory by users on other systems will be owned by nobody:nogroup, with read and write permissions for owner, group, and other.
  3. Directories created in this directory by users on other systems will be owned by nobody:nogroup, with read, write, and directory traversal permissions for owner, group, and other.
  4. The masks and modes in the configuration file apply to files and directories created by users on other systems. These masks and modes are ignored when creating files as a user on the server. Or, to put it another way, if you are user on the server, make sure that each file and directory that you create within /home/user/directory-to-be-shared has 666 and 777 permissions respectively.
  5. If you have enabled a firewall on the server, you will need to open port 445 for tcp. For example, if you use ufw (uncomplicated firewall) to configure the firewall:

    sudo ufw allow in 445/tcp
    sudo ufw reload
    sudo ufw status verbose
    
2 of 2
2

It's not clear to me if you want a share accessible to everyone or only a group of client users so this is a template for the latter.

Note: This will only work as described if the default umask of your system is 0002 so it will not work for Ubuntu Desktop 17/18 but it will work for Xubuntu Desktop and Ubuntu Server.

In this template it is required that all users you want to have access become members of the "users" group. It will assign the setgid bit on the shared directory and any future subdirectories which forces anything new added to them to inherit the group of it's parent folder.

sudo mkdir /path
sudo chown root:users /path
sudo chmod 2775 /path

The share would look like this:

[UsersShare]
path = /path
valid users = @users
force group = users
read only = no
create mask = 0664
force directory mode = 2775

When bob - who was made a member of the "users" group - logs in with his samba username/password and adds a file to the [UsersShare] share it will have owner = bob, group = users, mode = 664 files / 2775 folders.

All other client users who are members of the users group who sign in will have full access to whatever bob did.

Any local users - those on the server itself - who add or modify files who are also members of the users group will all have the same ability and newly created files/folders will have the same 664/2775 mode and all will have as group: "users". The one exception to all this is root - as in when you use sudo - since it's default umask is 022 unlike a regular user his files will inherit the "users" group but will have a mode of 644.

If you truly want a pure public share where everyone has access replace "valid users = @users" with "guest ok = yes". For this to work locally on the server you would still need to add those users to the "users" group.

🌐
Reddit
reddit.com › r/homelab › samba permissions not matching linux permissions?
r/homelab on Reddit: SAMBA Permissions not matching linux permissions?
August 6, 2024 -

Logged into the server with a bash prompt as my domain user, I'm able to move around the files as expected. It's only when accessing it over samba, both windows and another linux vm, that I'm getting permission denied moving the files.

I think it's samba specifically, since I'm also mounting the fs from a linux vm and it's giving me the same behaviour.

The only workaround we have right now is to add our usergroup as admin in the smb.conf to get permissions.

Any ideas?

(Sambas support is only through a broken mailing list atm, so thought i'd ask here. ^^)

Thanks!

🌐
Reddit
reddit.com › r/docker › smb network drive permissions in linux
r/docker on Reddit: SMB Network Drive permissions in Linux
November 4, 2023 -

Hi everyone,

I'm trying to set up radarr on my Ubuntu machine using a docker container and I'm having some issues regarding permissions when mounting a smb network drive.

This network drive is from my Synology NAS and I'm mounting it using etc/fstab and this line:

//{my-ip-adress}/Media_Library /mnt/Media_Library cifs credentials=/home/{my-user}/password,iocharset=utf8 0 0

So, I basically need my mounted drive to have the right permissions so radarr can use it, but every time I mount it, my drive ens up just with drwxr-xr-x instead of drwxrwxrwx which is what I think I need, but I'm not sure about that as I haven't been using Linux for too long and I know user and group permissions have something to do here as well. I tried radarr in Windows before and the drive that I was using had drwxrwxrwx permissions and it was working, so that's why I'm assuming that but I'm not sure if that wouldn't be secure enough. And when I try to add permissions using the command sudo chmod o+w / sudo chmod g+w it doesn't changes anything.

These are the current permissions of the drive that I've mounted:

drwxr-xr-x 2 root root 0 oct 23 19:06 Media_Library

I'm creating the container in docker using docker-compose.

I've been reading about it and I kind of understand that when you mount the smb share permissions overwrite the previous ones but I'm not sure how to approach this. I've read about using the uid and gid options and also about something called umask but I just wanted to make sure that I'm doing this the right way because I don't want to have any security risks as I have personal stuff on my Synology NAS as well, but still I can't use radarr without these permissions.

Also, I don't know if the proper way to do it would be changing the user/groups (in which case I don't know which user/group would radarr need) or if it's just a matter of giving write permissions to all users and groups (in which case I don't know how to do it either..)

So if anyone can help me with this I will really appreciate it :')

Thanks!

Top answer
1 of 5
103

I recommend to create a dedicated user for that share and specify it in force user(see docs).

Create a user (shareuser for example) and set the owner of everything in the share folder to that user:

adduser --system shareuser
chown -R shareuser /path/to/share

Then add force user and permission mask settings in smb.conf:

[myshare]
path = /path/to/share
writeable = yes
browseable = yes
public = yes
create mask = 0644
directory mask = 0755
force user = shareuser

Note that guest ok is a synonym for public.

2 of 5
6

In the share settings in smb.conf, you'll need to specify the names of users and/or groups that are allowed to write to the share, using a write list = ... line.

Example:

[myshare]
...
write list = my_linux_username

Then you'll need to use the smbpasswd command to set up a password to authenticate my_linux_username for Samba:

sudo smbpasswd -a my_linux_username

This step is necessary because the standard system passwords in /etc/shadow are hashed in algorithms that are incompatible with the password hash algorithms used in the SMB protocol. When a client sends a SMB authentication packet, it includes a hashed password. It can only be compared to another password hash that uses the same algorithm.

(Very, very old instructions from the previous millennium may recommend disabling password encryption in Samba, and using certain registry hacks to allow Windows to emit unencrypted passwords to the network. This advice is obsolete: those registry hacks may no longer work in current versions of Windows, and allow anyone who can monitor your network traffic to trivially capture your password.)


There's one more thing you may have to do client-side. When your Windows client system is joined to an Active Directory domain and you're logged in with an AD account, it automatically prefixes all unqualified usernames with the name of the AD domain of the user, i.e. you will be authenticating as AD_DOMAIN\your_username, not just your_username.

If you are logged in with a local account (or your client system is not joined to an AD domain), Windows may automatically prefix the username with the client hostname unless you specify another domain name.

To successfully log in to a stand-alone Samba server from a stand-alone Windows client, you may have to specify your username as SAMBA_SERVER_HOSTNAME\your_username.

Otherwise Samba will see the username as WINDOWS_CLIENT_HOSTNAME\your_username, conclude that it has no way to verify any users belonging to domain named WINDOWS_CLIENT_HOSTNAME, and will reject the login.

(Newer versions of Samba may have a built-in check for this specific situation, and they might allow you access nevertheless. But this is basically how SMB authentication works "under the hood", and if you need to deal with old versions of Samba, it might be useful still.)

🌐
Manjaro Linux
forum.manjaro.org › support › network
Setting Up Samba User Permissions - Network - Manjaro Linux Forum
July 27, 2021 - I’m having trouble setting up a Samba file share on my home server. Security is not a big concern. Here are the 3 things I need to accomplish: Fix permissions on the existing drive. Right now they are a mess. The shared folder is on a separate internal hard drive and is mounted as /mnt/Shared ...
🌐
Samba
samba.org › samba › docs › using_samba › ch09.html
Chapter 9. Users and Security
Be sure to restrict access to this file; make the root user the file's owner and deny write access to others (with octal permissions of 744 or 644). Otherwise, an untrusted user with access to the file can easily map his client username to the root user of the Samba server.
Find elsewhere
🌐
Baeldung
baeldung.com › home › administration › user administration › how to determine smb shares a user has read and write access to
How to Determine SMB Shares a User Has Read and Write Access To | Baeldung on Linux
July 20, 2024 - SMB shares have permissions that dictate the level of access users or groups have to shared resources. Permissions include READ, WRITE, EXECUTE, and DELETE, among others. READ access allows users to view files, while WRITE access grants the ...
🌐
Linux Mint Forums
forums.linuxmint.com › board index › main edition support › software & applications
[SOLVED] SAMBA, shared folder permissions - Linux Mint Forums
May 20, 2023 - But once I try to access it I get an error stating that it failed to mount, permission denied. Which permissions should the folder have so I can access it from another computer? Edit /etc/samba/smb.conf Right under the workgroup = WORKGROUP line towards the top of the file add this line:
🌐
Linux Mint Forums
forums.linuxmint.com › board index › main edition support › networking
Changing permissions on Samba shares [SOLVED] - Linux Mint Forums
The reason isn't samba but Linux. The system creates special permissions on the /media/bill folder that limits access to "bill" only. The "guest" is not bill so access is denied. You can force the client users to access the share as bill. Or you can make all your clients "appear" to be bill by doing this - on the server.: Edit /etc/samba/smb.conf and right under the workgroup = WORKGROUP line towards the top of the file add this one:
🌐
TrueNAS Community
truenas.com › forums › archives › freenas (legacy software releases) › freenas help & support › sharing
SOLVED - Cannot change permissions on SMB share linux client | TrueNAS Community
January 7, 2020 - My advice would be to stick to SMB when accessing the same via both Windows and Linux clients. You can return your data to the default Windows perms using the FreeNAS webUI. Edit the dataset permissions making sure the the share type is set to "Windows" and check the "Apply permissions recursively" box.
🌐
Stack Overflow
stackoverflow.com › questions › 70604661 › can-i-set-permissions-on-an-smb-share-that-is-shared-from-a-read-only-resource
active directory - Can I set permissions on an SMB share that is shared from a read-only resource? - Stack Overflow
Also, please login to the RHEL Server with root administrator permissions or the owner of the file share account. 2022-01-20T14:26:13.95Z+00:00 ... I've had confirmation from a seasoned veteran that what i'm trying to do cannot be done. Since the "disk" that i'm sharing is mounted read-only, neither linux nor windows will let me apply permissions to specific folders inside the share, unless this was done from the original share, which i cannot control.
🌐
Server Fault
serverfault.com › questions › 797771 › how-to-manage-permissions-on-a-samba-mount
linux - How to manage permissions on a Samba mount - Server Fault
Make sure that the GID for the group is the same on server and client by creating the same group on all the clients and ensuring that the users are members of that group. Set permissions for the folder and all the contents to the group.
🌐
Ubuntu
ubuntu.com › server › docs › samba-share-access-control
Share access controls
March 1, 2023 - You should have been redirected · If not, click here to continue
🌐
Stack Exchange
unix.stackexchange.com › questions › 752293 › do-linux-file-security-settings-work-on-smb
Do Linux file security settings work on SMB? - Unix & Linux Stack Exchange
... SMB (Server Message Block), also known as CIFS (Common Internet File System), is a network file-sharing protocol primarily used by Windows systems. it does not directly support Unix-style permissions (owner, group, permissions bits) as found ...
🌐
Ubuntu
documentation.ubuntu.com › server › how-to › samba › share-access-controls
Share access controls - Ubuntu Server documentation
2 weeks ago - For example, if you wanted to give the user Melissa administrative permissions to the share example, you would edit the /etc/samba/smb.conf file, and add the following line under the [share] entry: ... Remember that the users listed in smb.conf for these access controls need to exist both as Linux users, and Samba users.
🌐
OneUptime
oneuptime.com › home › blog › how to configure samba share permissions on ubuntu
How to Configure Samba Share Permissions on Ubuntu
March 2, 2026 - # Check Linux permissions ls -la /srv/samba/department/ # If owned by root and not group-writable: # Fix group ownership and permissions sudo chown root:finance /srv/samba/department/ sudo chmod 2775 /srv/samba/department/ # Verify user is in the correct group id jsmith | grep finance · # If files are created as 0644 but should be 0660: # Add to smb.conf share section: # force create mode = 0660 # create mask = 0660
🌐
SambaWiki
wiki.samba.org › index.php › Setting_up_a_Share_Using_POSIX_ACLs
Setting up a Share Using POSIX ACLs - SambaWiki - Samba.org
June 16, 2023 - Samba supports shares with filesystem access control lists (ACLs) on Unix domain members, they enable you to manage permissions locally on the Samba host using UNIX utilities. The Unix file system must support extended attributes, this will enable you to use NFS4 ACLs; on Linux you are limited to using the withdrawn but still used POSIX draft ACLs to set multiple users and groups in ACLs.