I have deployed this docker container : https://github.com/dperson/samba
Using following config :
services:
samba:
image: dperson/samba
environment:
TZ: 'EST5EDT'
ports:
- "137:137/udp"
- "138:138/udp"
- "139:139/tcp"
- "445:445/tcp"
read_only: true
tmpfs:
- /tmp
restart: unless-stopped
stdin_open: true
tty: true
volumes:
- /data:/data
command: '-s "docker;/data/docker;yes;no;no;" -s "photo;/data/photo" -s "docker-dev;/data/docker-dev;yes;no;no;" -s "docker-prod;/data/docker-prod;yes;no;no;" -u "myuser;myuser" -p'
I am confused about the way Samba/Linux permissions are working :
I want to use the samba share from Windows and also Mac and have following questions :
Who should the owner be on the shares ?
Looking inside the docker container i see following config :
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step to step guide on installing, configuring and using samba,
# read the Samba-HOWTO-Collection. This may be obtained from:
# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the
# Samba-Guide which is generated daily and can be downloaded from:
# http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
workgroup = MYGROUP
# server string is the equivalent of the NT Description field
server string = Samba Server
# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
server role = standalone server
# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
; hosts allow = 192.168.1. 192.168.2. 127.
# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
; guest account = pcguest
# this tells Samba to use a separate log file for each machine
# that connects
log file = /dev/stdout
# Put a capping on the size of the log files (in Kb).
max log size = 50
# Specifies the Kerberos or Active Directory realm the host is part of
; realm = MY_REALM
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
; passdb backend = tdbsam
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting.
# Note: Consider carefully the location in the configuration file of
# this line. The included file is read at that point.
; include = /usr/local/samba/lib/smb.conf.%m
# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
; interfaces = 192.168.12.2/24 192.168.13.2/24
# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
; logon path = \\%L\Profiles\%U
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
; wins support = yes
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z
# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
; wins proxy = yes
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The default is NO.
dns proxy = no
# These scripts are used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
; add user script = /usr/sbin/useradd %u
; add group script = /usr/sbin/groupadd %g
; add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
; delete user script = /usr/sbin/userdel %u
; delete user from group script = /usr/sbin/deluser %u %g
; delete group script = /usr/sbin/groupdel %g
pam password change = yes
map to guest = bad user
usershare allow guests = yes
create mask = 0664
force create mode = 0664
directory mask = 0775
force directory mode = 0775
force user = smbuser
force group = smb
follow symlinks = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
strict locking = no
aio read size = 0
aio write size = 0
vfs objects = catia fruit recycle streams_xattr
recycle:keeptree = yes
recycle:maxsize = 0
recycle:repository = .deleted
recycle:versions = yes
# Security
client ipc max protocol = SMB3
client ipc min protocol = SMB2_10
client max protocol = SMB3
client min protocol = SMB2_10
server max protocol = SMB3
server min protocol = SMB2_10
# Time Machine
fruit:delete_empty_adfiles = yes
fruit:time machine = yes
fruit:veto_appledouble = no
fruit:wipe_intentionally_left_blank_rfork = yes
[docker]
path = /data/docker
browsable = yes
read only = no
guest ok = no
veto files = /.apdisk/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
delete veto files = yes
[photo]
path = /data/photo
browsable = yes
read only = yes
guest ok = yes
veto files = /.apdisk/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
delete veto files = yes
[docker-dev]
path = /data/docker-dev
browsable = yes
read only = no
guest ok = no
veto files = /.apdisk/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
delete veto files = yes
[docker-prod]
path = /data/docker-prod
browsable = yes
read only = no
guest ok = no
veto files = /.apdisk/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
delete veto files = yes
How does the force user play with the user i have created when making the docker container ? I use the user to log in on the share from windows but when i copy files it uses the user specified in the force user. Is that ok ?
I have all weird problems when i copy files from windows and i then get errors, it's looking like something is not right on the permissions side.
Here is output from less /etc/passwd
smbuser:x:100:101:Samba User:/tmp:/sbin/nologin
myuser:x:1000:1000:Linux User,,,:/home/myuser:/bin/ash
and here is the output from the shares using ls -l
drwxrwxr-x 2 systemd-timesync systemd-journal 2 May 11 2021 docker
drwxrwxr-x 4 systemd-timesync systemd-journal 5 Dec 8 14:37 docker-dev
drwxrwxr-x 46 systemd-timesync systemd-journal 47 May 7 2021 docker-prod
drwxrwxr-x 2 systemd-timesync systemd-journal 2 Apr 28 2021 photo
and the correspoding less /etc/passwd from the host machine where docker is running and the shares exists :
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
_apt:x:103:65534::/nonexistent:/usr/sbin/nologin
messagebus:x:104:111::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
_rpc:x:106:65534::/run/rpcbind:/usr/sbin/nologin
postfix:x:107:113::/var/spool/postfix:/usr/sbin/nologin
statd:x:108:65534::/var/lib/nfs:/usr/sbin/nologin
gluster:x:109:116::/var/lib/glusterd:/usr/sbin/nologin
ceph:x:64045:64045:Ceph storage service:/var/lib/ceph:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
myuser:x:1000:1000::/home/myuser:/bin/bash
dockeruser:x:3000:3000::/home/dockeruser:/bin/sh
ntp:x:110:117::/nonexistent:/usr/sbin/nologin
I can see the ID is matched from the docker container to the share but i am not sure it's right and why i get the weird permissions problems. Maybe somebody can see something ?
/donnib
Related
This question was migrated from Stack Overflow because it can be answered on Super User.
Migrated 6 days ago.
I have a directory /home/localuser/share. The localuser owns and has full control over it. But it must be accessed through a samba share, as read only by user "nobody" (no password required).
I can't figure out how to correctly set smb.conf and give the right permissions to nobody in my linux terminal.
I tried this:
smb.conf:
[Download Videos]
path = /home/localuser/share
browseable = yes
read only = yes
create mask = 0700
directory mask = 0700
guest ok = yes
Terminal:
setfacl -R -m "u:nobody:r" /home/localuser/share
We have a RHEL server where multiple users have access to it through application. Application RStudio running on these servers default the workspace to the users /home folder. Though there is separate space provided for individual users, users tend to store the files onto /home filling up the /home.
Is there any possibility to restrict users from storing data to their home folders either at server level or R Studio level which would force them to use the provided location?
Though there are options to change the default workspace for all the users, due to the large number of teams each having their sensitive data, it is not possible to have a shared folder as default location.
You could create a group without write permissions on home folder and start rstudio through the command sg, which allows you to start it with the group id with reduced permissions.
The ls -l command displays directory contents in long format. The long format contains both permissions and ownership.
# ls -l
With chown you can change owner and group associated to a file/directory (-R == recursive)
# sudo chown -R user01:groupA Directory
By setting the owner and the single group, the others will have restrictions (if set) in accessing files / folders.
The chmod command is used to modify the various permissions/restrictions.
# sudo chmod -c ug=rwx,o= file1
going specifically
-c == report if the change is made
u == user
g == group
rwx == read, write, execute
o == others
=null == no permission
For create a new group you can use groupadd
# sudo groupadd rstudiogroup
You will have to set the new group created as the owner of the save destination folder and finally start the software through the command sg
# sudo sg rstudiogroup -c rstudio
I have two servers: source-server and target-server. I want use lsyncd to sync files in a directory on source-server to another directory on target-server.
In my ssh daemon, on both servers, I have root logins disabled (PermitRootLogin no) so I can't use the root user to run lsyncd over ssh.
I created a user 'syncer' on both servers that has a key-pair allowing password-less ssh logins from source-server to target-server. So this works:
[syncer#source-server]$ ssh syncer#target-server
My lsyncd.conf looks like this:
settings = {
logfile = "/var/log/lsyncd.log",
statusFile = "/var/log/lsyncd.stat",
statusInterval = 2
}
sync {
default.rsync,
source="/var/www/html/",
target="target.server.ip:/backup/",
rsync = {
rsh ="/usr/bin/ssh -l syncer -i /home/syncer/.ssh/id_rsa",
compress = true,
acls = true,
xattrs = true,
archive = true
}
}
And it works except the owner of replicated files on the target server is always 'syncer'. The permissions of the source are respected and replicated correctly on the target. I just can't figure out a way to preserve the owner (and group) of the replicated files. (i.e., if the file on source is owned by 'deknuth', I would like the synced file on target to also be owned by 'deknuth' not 'syncer').
TIA
To close this out, using the non-root user will always move a file with that non-root user being the owner on the destination -- regardless of who owned it on the source. This may be acceptable. If not, run lsyncd as root and allow root logins with a key pair.
Just upgrade to Ubuntu 12.XX LTS to 14.04.1 LTS.
My Samba server provides users the ability to write to their own directory by using the [homes] section. After upgrading, they no longer have write access to their home directories through Samba.
I have created a test directory with their home directory with permissions of 777 or 775 and they can create files/directories in it that are owned by them. If the permissions are 755 (which is my preference) then the user can't write to them. Since the file are being created as the proper user, I assume that writes are also being attempted by the correct user.
I am trying to write files into directory /home/morris/junk/zz1
drwxr-xr-x 5 morris morris 4096 Nov 30 00:43 zz1
Any help would be GREATLY appreciated!
The relevent segments of my smb.conf are below.
[global]
log level = 3 acls:10
server string = %h server (Samba, Ubuntu)
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
smb ports = 139 445
dns proxy = No
panic action = /usr/share/samba/panic-action %d
hosts deny = 192.168.1.4
veto files = Maildir/imap,Maildir
wide links = Yes
unix extensions = no
[homes]
hide dot files = yes
valid users = %U
read only = No
wide links = yes
writeable = yes
I'm trying to export disk image on one machine to another machine using nbd-server and nbd-client.
On the sever side (hostname gpu) where nbd-server will run, I made an disk image using the dd command and created a file system on the image file using the mke2fs command.
The image file looks like this.
hadoop#gpu:~/nbd_test$ file disk_image
disk_image: Linux rev 1.0 ext2 filesystem data, UUID=058e181f-6461-46b1-ba7c-ead455ae83c9 (large files)
Then, I configured /etc/nbd-server/config as follows.
[generic]
# If you want to run everything as root rather than the nbd user, you
# may either say "root" in the two following lines, or remove them
# altogether. Do not remove the [generic] section, however.
user = nbd
group = nbd
includedir = /etc/nbd-server/conf.d
# What follows are export definitions. You may create as much of them as
# you want, but the section header has to be unique.
[nbd-test]
exportname = /home/hadoop/nbd_test/disk_image
# The following line will be ignored unless the
# "oldstyle = true" line in the generic section above is
# enabled.
port = 12345
#authfile = /export/nbd/export1-authfile
#timeout = 30
#filesize = 10000000
readonly = false
multifile = false
copyonwrite = false
#prerun = dd if=/dev/zero of=%s bs=1k count=500
#postrun = rm -f %s
Then, I ran nbd-server as follows
hadoop#gpu:~/nbd_test$ sudo nbd-server -C /etc/nbd-server/config
** (process:17264): WARNING **: A port was specified, but oldstyle exports were not requested. This may not do what you expect.
** (process:17264): WARNING **: Please read 'man 5 nbd-server' and search for oldstyle for more info
Then, on the client machine (pcl-mr1), I got the following resulting after mounting the block special file /dev/nbd0.
hadoop#pcl-mr1:~$ sudo nbd-client gpu -N nbd-test /dev/nbd0
Negotiation: ..size = 1953MB
bs=1024, sz=2048000000 bytes
hadoop#pcl-mr1:~$ sudo mount /dev/nbd0 nbd_disk/
mount: block device /dev/nbd0 is write-protected, mounting read-only
Even though I configured the configuration file on the server side with the disk image both readable and writable,
the disk image appeared as read-only on the client side.
What's wrong in the steps above I went through? How can I export the disk image with read-write permission?
Any help would be greatly appreciated.
You've probably already noticed, but for reference: this was a bug in nbd-client, which was fixed in nbd-client v3.11.
Little late for the answer here but posting it for the benefit of other people who run into this issue -
Option#1: Change ownership of the backing file -
# chown nbd:nbd disk_image
Option#2: Change permissions on the backing file -
# chmod a+w disk_image
Option#3: Change /etc/nbd-server/config to run nbd-server as suitable user (say hadoop) -
# cat /etc/nbd-server/config
[generic]
user = hadoop
group = hadoop
...