0

Tried it many times but never get the SMB sharing right on Unix. A minimal Debian file server, no GUI, just SSH...

I always thought you set all the permissions in SMB and just found out you do it in Windows? https://www.youtube.com/watch?v=QhwOyLtArw0

Maybe then its enough to give me (Ragnar) access and all permissions on the root of the disk and create all the folder there from my windows workstation and set permissions with it?

I want two users: Ragnar and Harald

I call my disk "Records" and "Media":

Records (sdb1 | /mnt/records)
- TV records Harald
- TV records
- Down

Archiv (sdc1 | /mnt/archiv)
- Harald
--- Motorola Tablet

-Backup
--- PC1
--- PC2

-Media
--- Music
--- Music Videos
--- eBooks

Harald should be able see "Records/TV records Harald" and have read, write and delete permissions.
Harald should be able see "Archiv/Harald" and have read, write and delete permissions.
Harald should be able see "Archiv/Media" and have ONLY read permissions.
Friends who visit me should be able to see "Archiv/Media" and have ONLY read permissions.
Ragnar should be able to see and do everything everywhere.

What i did so far:

~# sudo apt install samba

~# sudo useradd Ragnar -s /usr/sbin/nologin
~# sudo smbpasswd -a Ragnar

~# sudo useradd Harald -s /usr/sbin/nologin
~# sudo smbpasswd -a Harald

~# sudo nano /etc/samba/smb.conf

[global]
   workgroup = WORKGROUP
   log file = /var/log/samba/log.%m
   max log size = 1000
   logging = file
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   obey pam restrictions = yes

[Records]
   comment = Disk 1
   path = /mnt/records
   browsable = yes
   read only = no
   create mask = 0666
   directory mask = 0777
   force user = Ragnar
   force group = Ragnar
   hide files = /lost+found/

~# sudo chown Ragnar /mnt/records
~# sudo service smbd restart

If look at security in Windows on the "Records" share i have:
Everyone: Special permissions
root (Unix Group\root): Special permissions
Ragnar (HECTOR\Ragnar): Special permissions

Do i need to change the group somehow?
Are the "Special permissions" normal instead of showing "Full control" for Ragnar and Read, Write for Everyone?

If i now create a file in records and look at security in Windows i have:
Everyone: Read, Write
Ragnar (Unix Group\Ragnar): Read, Write
Ragnar (HECTOR\Ragnar): Read, Write

So also no "Full control" for Ragnar...

What needs to be changed?
Or do i now just create my subfolders on Windows and set the permissions there?

Then is there a way to hide that lost+found entirely?
You still see it in Windows if explorer is set to "show hidden files".
I also see it on my Android devices.

Then there is a folder IPC$ on Android?

EDIT
I cant remove Everyone on folders/files inside Records because of lost+found (access is denied).

EDIT
I did a sudo chown -R Ragnar:Ragnar /mnt/records and can now remove the permissions for Everyone.
But Harald can read and write in Records???

Improve this question

1 Answer 1

Reset to default
3

let me first start off by saying read up at https://www.samba.org/samba/docs/

because there are a handful of knobs to know about with Samba Server in linux and there is probably more than one way to accomplish what you are asking.

But in a nutshell

  • install samba server in linux, this minimal samba functionality to be described should work on any linux
  • edit /etc/samba/smb.conf to be at least the following

# smb.conf file sample
[global]
    security = user
    passdb backend = tdbsam
[scratch]
    path = /scratch
    read only = No
    guest ok = No
  • read up at samba.org for explanation on security and passdb, but this will set up basic functionality meaning a local linux account needs to exist and valid with that account name [ragnar and harald] which also needs to be the account name from whatever the connectting computer is. And if the account passwords are the same between the connnecting computer and the samba password on the linux system hosting the samba server then connection is granted
  • you must do
    • smbpasswd -a ragnar
    • smbpasswd -a harald
    • on your linux system hosting samba server to meet the passdb backend choice... because we are using samba passwords which are different than the local account password in /etc/passwd. Read samba docs for detailed explanation, but this will set up fundamental access security based on linux file/folder permissions for the given account names, until you do guest ok = yes to allow anyone access to that given share specified in smb.conf
    • i only shared out a folder called scratch as an example in my smb.conf sample
  • as for all your other specific questions- too hard to answer sorry
  • doing it this way, if for example account name harald exists on the linux samba server and on the client system, and the linux server smbpasswd for harald matches the account password of harald on the connecting client, then everything that applies to harald on the linux system will be in affect over the samba connection and you can resort to basic file/folder permissions based on users and groups as defined on the linux [samba] server.

always thought you set all the permissions in SMB and just found out you do it in Windows

not necessarily, you can set them from the client side (from your windows computer) but the file/folder permission authority is derived from samba server... so it's first and foremost the linux file system permissions, that are then read by samba server, and then passed over the SMB (server message block) protocol to whoever the client is which must be able to understand SMB. When there's a mismatch (i.e. guest ok== yes and windows account does not exist on linux [samba] server you will notice permissions are set to nobody when viewed on the linux system.

  • read samba doc about Map to Guest
  • there are many other tweaks to be done to meet varying levels of access and restrictions
    • obey pam restrictions
    • I suggest you remove that or say no because that's beyond what seems to be your current level of understanding on samba; and PAM is a whole other animal.
    • I am not sure if nologin for the linux accounts will still allow samba smb access for those accounts, so I suggest you make harald and ragnar fully active linux accounts first; and once everything is working then change those accounts to nologin (to prevent ssh). This is is why i say pam=no because your saying obey pam restrictions then making the account nologin is likely to prevent samba access.
Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.