Assuming that you have your Unix group set up correctly, you should be able to use a share configuration similar to the following:

[ShareName]
path = /path/to/share
guest ok = no
guest only = no
write list = @engineering
read list = 
valid users = @engineering

The @ sign before the name of the group tells samba that this is a group name instead of a user name.

If you're allowing the group write access through samba, but you are still having trouble writing to the share (but you can authenticate correctly) then you should check file permissions and your force user and force group options. These can be set globally or per-share.

If this doesn't help, you should provide more information about the trouble you're running into.

Answer from jkt123 on Stack Exchange
🌐
Samba
samba.samba.narkive.com › psA2NpCc › weird-permissions-issue
[Samba] weird permissions issue
Permalink Recently some folks in ... the problem are all in the eng group is /etc/groups. smb.conf for that share: smb.conf: #smb.conf is the main Samba configuration file....
🌐
Quizack
quizack.com › linux › mcq › when-configuring-a-samba-share-how-would-the-engineering-group-be-specified-in-the-smb-conf
When configuring a Samba share, how would the engineering group be specified in the smb.conf? - Linux | Quizack
1.Samba uses Linux operating system groups from the /etc/group file; just specify the group name., 2.It would be preceded by a percent sign (%), such as %engineers., 3.Use the group name by itself; Samba checks for its existence., 4.It would be preceded by an @ symbol, such as @engineering.
🌐
Samba
samba.org › samba › docs › 4.7 › man-html › smb.conf.5.html
smb.conf
This is the full pathname to a script that will be run AS ROOT by smbd(8) when a new group is requested. It will expand any %g to the group name passed. This script is only useful for installations using the Windows NT domain administration tools. The script is free to create a group with an ...
🌐
RootUsers
rootusers.com › home › how to provide smb/cifs network shares for group collaboration
How To Provide SMB/CIFS Network Shares For Group Collaboration
June 10, 2019 - Next we need to configure SELinux, a directory requires the samba_share_t context in order to be shared with samba. [root@server ~]# semanage fcontext -a -t samba_share_t "/groupshare(/.*)?" [root@server ~]# restorecon -v /groupshare/ restorecon reset /groupshare context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:samba_share_t:s0 · Finally we need to actually define the group file share in the /etc/samba/smb.conf configuration file, we have added the below content to this file.
🌐
Rigacci
rigacci.org › docs › biblio › online › Samba-HOWTO-Collection › groupmapping.html
Chapter 11. Group Mapping MS Windows and UNIX
Administrators should be aware that where smb.conf group interface scripts make direct calls to the UNIX/Linux system tools (the shadow utilities, groupadd, groupdel, and groupmod), the resulting UNIX/Linux group names will be subject to any limits imposed by these tools. If the tool does not allow upper case characters or space characters, then the creation of an MS Windows NT4/200x style group of Engineering ...
🌐
TechRepublic
techrepublic.com › home › networking
How to set up Samba shares for groups - TechRepublic
March 12, 2024 - sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.BAK · Now create a new configuration file with the following command: ... In this new file, we’ll add the following contents to share out our editorial directory to the group editorial (customize as needed):
🌐
Ask Ubuntu
askubuntu.com › questions › 1043786 › samba-sharing-with-groups
networking - Samba Sharing with groups - Ask Ubuntu
June 5, 2018 - ; add group script = /usr/sbin/addgroup --force-badname %g ############ Misc ############ # Using the following line enables you to customise your configuration # on a per machine basis. The %m gets replaced with the netbios name # of the machine that is connecting ; include = /home/samba/etc/smb.conf.%m # Some defaults for winbind (make sure you're not using the ranges # for something else.)
Find elsewhere
🌐
Samba
samba.org › samba › docs › old › Samba3-HOWTO › groupmapping.html
Chapter 12. Group Mapping: MS Windows and UNIX
Administrators should be aware that where smb.conf group interface scripts make direct calls to the UNIX/Linux system tools (the shadow utilities, groupadd, groupdel, and groupmod), the resulting UNIX/Linux group names will be subject to any limits imposed by these tools. If the tool does not allow uppercase characters or space characters, then the creation of an MS Windows NT4/200x-style group of Engineering ...
🌐
Red Hat
access.redhat.com › discussions › 1156813
Red Hat Customer Portal - Access to 24x7 support and knowledge
August 5, 2014 - 172. smb ports = 139 445 # --------------------------- Logging Options ----------------------------- log file = /var/log/samba/log.%m max log size = 20 log level = 3 # ----------------------- Domain Members Options ------------------------ security = domain encrypt passwords = yes passdb backend = tdbsam password server = * domain master = no wins server = 10.XXX.XX.XX,172.XX.XX.XXX dns proxy = yes deadtime = 10 # ----------------------- Browser Control Options ---------------------------- local master = no preferred master = no os level = 33 # -------------------------- Printing Options -----
🌐
O'Reilly
oreilly.com › library › view › using-samba-3rd › 0596007698 › ch04.html
4. The Samba Configuration File - Using Samba, 3rd Edition [Book]
January 23, 2007 - A.1. SMB URI SyntaxA.2. Samba DaemonsA.3. Samba Client ProgramsA.3.1. Common OptionsA.3.1.1. General optionsA.3.1.2. Authentication optionsA.3.1.3. Connection options · C.1. Install Directory and Library OptionsC.2. Developer OptionsC.3. Authentication OptionsC.4. File Serving FeaturesC.5. Printing OptionsC.6. Clients and Libraries ... In the beginning, Samba servers were managed solely by a text configuration file named smb.conf.
Authors   Gerald CarterJay Ts
Published   2007
Pages   450
Top answer
1 of 2
3

Thank you @Morbius1 for your help.

After few more hours of trying things I found the answer.

It turns out the problem wasn't with the Linux machine and therefore not with the Samba share.

My Windows 10 machine kept the shares I had previous in the background. I couldn't see them in the explorer but when I ran net use in the CMD I found there were 2 still linked (from previous mounting attempts). I then used net use * /delete to remove those.

Hope this helps someone else so he and or she doesn't waste 3 days pulling their hair out. If you have any questions, send me a message.

2 of 2
1

I've never seen this happen when the server only has one share especially one that allows guest access. Did you have a different share that required credentials at one point?

Anyway, The Linux samba server can be addressed 2 different ways: By ip address and my name ( mDNS or NetBIOS ). Windows regards these as two different hosts even though they are the same machine.

What I would do is address the Linux samba server by it's mDNS host name: \\hostname.local\media

Note:

[1] Run hostname on the Linux server to find the hostname of the machine then when you address it in Win10 add a .local at the end.

[2] Win10 can do mDNS by default. Ubuntu desktop can as well but if you are using Ubuntu Server you need to install a package:

sudo apt install avahi-daemon

[3] If you intend on keeping this as a guest accessible share I suggest removing sjonnie from the samba password database ( smbpasswd -x sjonnie ). I think this is contributing to the problem.

🌐
LinkedIn
linkedin.com › learning › linux-system-engineer-network-filesystems-using-nfs-and-samba › samba-share-configuration-definitions
Samba share configuration definitions - Red Hat Enterprise Linux Video Tutorial | LinkedIn Learning, formerly Lynda.com
July 11, 2018 - Guest only controls if only guests can access the share. Force group defines which group all newly created files are owned by. Create mask defines the default permissions of newly created files. To learn more about any of these directives, check the main page for smb.conf
🌐
Oracle
docs.oracle.com › cd › E26502_01 › html › E29004 › configuringoperationmodetm.html
Configuring the SMB Server Operation Mode (Task Map) - Managing SMB File Sharing and Windows Interoperability in Oracle Solaris 11.1
The following command shows how jan would run the smbadm join command: ... For information about pre-staging computer accounts on Windows Server 2008, see Pre-Stage Computer Account in Windows Server 2008. In this example, user terry is the designated administrator for the Engineering OU.
Top answer
1 of 1
11

I finally made it, if it can help someone. I don't know if it is nice, but it works nice with POSIX rights, without ugly ACL.

1] Create groups

$ sudo groupadd Group1
$ sudo groupadd ...

Please notice I did not create an Admin group since my admin users will be in all the other groups. This is the only way I made it work so far. If someone has a nicer way to deal with for instance an admin group with rights on anything, please tell me ! My solution is correct since I am managing a dozen of accounts but not hundreds or thousands...

2] Create users (without home folder and ability to use SSH for security reasons)

$ sudo adduser --no-create-hom --shell /usr/sbin/nologin user1
$ sudo adduser --no-create-hom --shell /usr/sbin/nologin user...

3] Add users in smbpasswd database. Please pay attention to the fact I had to add them, but also to enable them to avoid any kind of problems.

$ sudo smbpasswd -a user1
$ sudo smbpasswd -e user1
$ ...

4] Add users to the groups where they will be. Please notice I thought samba was not able to recognize secondary groups, but actually it does. The mistake was a misusing of the command line.

The error was:

$ sudo usermod -G user1 Group1
$ sudo usermod -G user1 Group2

If you do:

$ groups user1

You have something like:

user1 Group2

Because the secondary group has disappeared.

The good practice is:

$ sudo usermod -G Group1,Group2,Group3 user1

In this case:

$ groups user1

Will show:

$ user1 Admin Group1 Group2 Group3

Please, be careful of primary and secondary groups. An user can be in multiple secondary groups, but only in one primary group.

So another mistake would be:

$ sudo usermod -g Group1

If you do:

$ groups user1

You got:

$ Group1

4] Create the folders with the good permissions:

$ sudo mkdir /path/to/Directory1
$ sudo chown root:Group1 /path/to/Directory1
$ sudo chmod 2775 /path/to/Directory1

Please read this if you don't know nothing about file system permissions and setuid, setgid : chmod + setuid and setgid. The permissions and also there inheritances are important for your groups.

5] Create as many directories you want with the permissions you want.

6] Configure your smb.conf file with the editor of your choice. I personally use vim. Make a backup first before losing anything that was running well.

$ sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
$ sudo vim /etc/samba/smb.conf

Your config file here, with global config and Directory1 config is:

[global]

     workgroup = YOUR-LOCAL-WORKGROUP
     server string = %h # hostname
     log file = /var/samba/smb-%h.log
     max log size = 1000
     disable netbios = yes # since this is a standalone server
     server role = standalone server
     veto files = /*.exe/*.com/*.dll/*.bat/*.vbs/*.tmp/ # whatever your want
     delete veto files = yes

[Directory1]

     path = /path/to/Directory1
     browseable = yes
     guest only = no
     guest ok = yes
     read list = nobody guest
     write list = @Group1
     force create mode = 0665 # please see system file permissions ...
     force directory mode = 2775 # ... and setuid, setgid, right above !

Please note the execution is important for your users. This allows them to navigate through the directories. But the execution is also a danger regarding files. You don't want you users to execute scripts or whatsoever, reading is widely enough.

That is why I restrict files on reading and writing for users and reading for anonymous, while I let executing on directories for navigation. Execute a folder is not a danger but execute a file is.

    force create mode = 0665
    force directory mode = 2775

Note the options delete veto file and veto files are also another shield since you don't want your silly Windows Mac OS X users put blobs or binaries or executable randomwares on your clean server.

7] Test your config file with a gentle command:

$ testparm

8] Everything is good ? Then.

$ sudo systemctl start smbd.service # or restart
$ sudo systemctl enable smbd.service 

Now you can log with the method of your choice and see that anonymous can explore the files on the server without the permission of writing it while your authenticated and designated users can read, write and execute -- i.e navigate from a directory to a directory.

Et voilà ! I hope it will help someone.