Just upgrade to Ubuntu 12.XX LTS to 14.04.1 LTS.
My Samba server provides users the ability to write to their own directory by using the [homes] section. After upgrading, they no longer have write access to their home directories through Samba.
I have created a test directory with their home directory with permissions of 777 or 775 and they can create files/directories in it that are owned by them. If the permissions are 755 (which is my preference) then the user can't write to them. Since the file are being created as the proper user, I assume that writes are also being attempted by the correct user.
I am trying to write files into directory /home/morris/junk/zz1
drwxr-xr-x 5 morris morris 4096 Nov 30 00:43 zz1
Any help would be GREATLY appreciated!
The relevent segments of my smb.conf are below.
[global]
log level = 3 acls:10
server string = %h server (Samba, Ubuntu)
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
smb ports = 139 445
dns proxy = No
panic action = /usr/share/samba/panic-action %d
hosts deny = 192.168.1.4
veto files = Maildir/imap,Maildir
wide links = Yes
unix extensions = no
[homes]
hide dot files = yes
valid users = %U
read only = No
wide links = yes
writeable = yes
Related
This question was migrated from Stack Overflow because it can be answered on Super User.
Migrated 6 days ago.
I have a directory /home/localuser/share. The localuser owns and has full control over it. But it must be accessed through a samba share, as read only by user "nobody" (no password required).
I can't figure out how to correctly set smb.conf and give the right permissions to nobody in my linux terminal.
I tried this:
smb.conf:
[Download Videos]
path = /home/localuser/share
browseable = yes
read only = yes
create mask = 0700
directory mask = 0700
guest ok = yes
Terminal:
setfacl -R -m "u:nobody:r" /home/localuser/share
I have deployed this docker container : https://github.com/dperson/samba
Using following config :
services:
samba:
image: dperson/samba
environment:
TZ: 'EST5EDT'
ports:
- "137:137/udp"
- "138:138/udp"
- "139:139/tcp"
- "445:445/tcp"
read_only: true
tmpfs:
- /tmp
restart: unless-stopped
stdin_open: true
tty: true
volumes:
- /data:/data
command: '-s "docker;/data/docker;yes;no;no;" -s "photo;/data/photo" -s "docker-dev;/data/docker-dev;yes;no;no;" -s "docker-prod;/data/docker-prod;yes;no;no;" -u "myuser;myuser" -p'
I am confused about the way Samba/Linux permissions are working :
I want to use the samba share from Windows and also Mac and have following questions :
Who should the owner be on the shares ?
Looking inside the docker container i see following config :
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step to step guide on installing, configuring and using samba,
# read the Samba-HOWTO-Collection. This may be obtained from:
# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the
# Samba-Guide which is generated daily and can be downloaded from:
# http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
workgroup = MYGROUP
# server string is the equivalent of the NT Description field
server string = Samba Server
# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
server role = standalone server
# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
; hosts allow = 192.168.1. 192.168.2. 127.
# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
; guest account = pcguest
# this tells Samba to use a separate log file for each machine
# that connects
log file = /dev/stdout
# Put a capping on the size of the log files (in Kb).
max log size = 50
# Specifies the Kerberos or Active Directory realm the host is part of
; realm = MY_REALM
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
; passdb backend = tdbsam
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting.
# Note: Consider carefully the location in the configuration file of
# this line. The included file is read at that point.
; include = /usr/local/samba/lib/smb.conf.%m
# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
; interfaces = 192.168.12.2/24 192.168.13.2/24
# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
; logon path = \\%L\Profiles\%U
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
; wins support = yes
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z
# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
; wins proxy = yes
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The default is NO.
dns proxy = no
# These scripts are used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
; add user script = /usr/sbin/useradd %u
; add group script = /usr/sbin/groupadd %g
; add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
; delete user script = /usr/sbin/userdel %u
; delete user from group script = /usr/sbin/deluser %u %g
; delete group script = /usr/sbin/groupdel %g
pam password change = yes
map to guest = bad user
usershare allow guests = yes
create mask = 0664
force create mode = 0664
directory mask = 0775
force directory mode = 0775
force user = smbuser
force group = smb
follow symlinks = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
strict locking = no
aio read size = 0
aio write size = 0
vfs objects = catia fruit recycle streams_xattr
recycle:keeptree = yes
recycle:maxsize = 0
recycle:repository = .deleted
recycle:versions = yes
# Security
client ipc max protocol = SMB3
client ipc min protocol = SMB2_10
client max protocol = SMB3
client min protocol = SMB2_10
server max protocol = SMB3
server min protocol = SMB2_10
# Time Machine
fruit:delete_empty_adfiles = yes
fruit:time machine = yes
fruit:veto_appledouble = no
fruit:wipe_intentionally_left_blank_rfork = yes
[docker]
path = /data/docker
browsable = yes
read only = no
guest ok = no
veto files = /.apdisk/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
delete veto files = yes
[photo]
path = /data/photo
browsable = yes
read only = yes
guest ok = yes
veto files = /.apdisk/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
delete veto files = yes
[docker-dev]
path = /data/docker-dev
browsable = yes
read only = no
guest ok = no
veto files = /.apdisk/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
delete veto files = yes
[docker-prod]
path = /data/docker-prod
browsable = yes
read only = no
guest ok = no
veto files = /.apdisk/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
delete veto files = yes
How does the force user play with the user i have created when making the docker container ? I use the user to log in on the share from windows but when i copy files it uses the user specified in the force user. Is that ok ?
I have all weird problems when i copy files from windows and i then get errors, it's looking like something is not right on the permissions side.
Here is output from less /etc/passwd
smbuser:x:100:101:Samba User:/tmp:/sbin/nologin
myuser:x:1000:1000:Linux User,,,:/home/myuser:/bin/ash
and here is the output from the shares using ls -l
drwxrwxr-x 2 systemd-timesync systemd-journal 2 May 11 2021 docker
drwxrwxr-x 4 systemd-timesync systemd-journal 5 Dec 8 14:37 docker-dev
drwxrwxr-x 46 systemd-timesync systemd-journal 47 May 7 2021 docker-prod
drwxrwxr-x 2 systemd-timesync systemd-journal 2 Apr 28 2021 photo
and the correspoding less /etc/passwd from the host machine where docker is running and the shares exists :
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
_apt:x:103:65534::/nonexistent:/usr/sbin/nologin
messagebus:x:104:111::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
_rpc:x:106:65534::/run/rpcbind:/usr/sbin/nologin
postfix:x:107:113::/var/spool/postfix:/usr/sbin/nologin
statd:x:108:65534::/var/lib/nfs:/usr/sbin/nologin
gluster:x:109:116::/var/lib/glusterd:/usr/sbin/nologin
ceph:x:64045:64045:Ceph storage service:/var/lib/ceph:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
myuser:x:1000:1000::/home/myuser:/bin/bash
dockeruser:x:3000:3000::/home/dockeruser:/bin/sh
ntp:x:110:117::/nonexistent:/usr/sbin/nologin
I can see the ID is matched from the docker container to the share but i am not sure it's right and why i get the weird permissions problems. Maybe somebody can see something ?
/donnib
I work under Centos 7.
For some time, I have a problem with the FTP /home/students directory whose access rights( permission) is set to 750. When I create a file as user students the file access permission is 644 (read/write for the owner and read-only for other users). But when the students user receives files by SFTP (with authentication by ssh key), the permission of these files is 600.
Can the right of access (permission) be imposed by the one who uploads the file by SFTP?
How to make the default permission for files received by SFTP automatically 644?
Thank you
I think u should do something like this > Modify /etc/ssh/sshd_config :
Subsystem sftp internal-sftp -m 0644
Then u should reload the SSHD Configuration :
sudo systemctl reload sshd
Unknowingly I give 777 permissions for var folder (chmod -R 0777 /var/).So all the sites in that server are now not coming.I am getting this error,
This site can’t be reached
www.domainname.com refused to connect.
How to revert var folder permissions to default.
Please can you help me.
Since Each process has its own mask, which is applied whenever the process creates a new file.
you can check the mask using command
umask
it will show by default 022
later it will subtract the above value 777-022=755
so now the file has permission like **-**rwx-r-x-r-x****
so it depends on what is the value of umask so please check the umask value and according to that set the value of var
or,
you can set the var directory folder as
drwxr-xr-x 13 root root 4096 Dec 21 19:59 var
command :-or use command
chmod 755 var
I have two servers: source-server and target-server. I want use lsyncd to sync files in a directory on source-server to another directory on target-server.
In my ssh daemon, on both servers, I have root logins disabled (PermitRootLogin no) so I can't use the root user to run lsyncd over ssh.
I created a user 'syncer' on both servers that has a key-pair allowing password-less ssh logins from source-server to target-server. So this works:
[syncer#source-server]$ ssh syncer#target-server
My lsyncd.conf looks like this:
settings = {
logfile = "/var/log/lsyncd.log",
statusFile = "/var/log/lsyncd.stat",
statusInterval = 2
}
sync {
default.rsync,
source="/var/www/html/",
target="target.server.ip:/backup/",
rsync = {
rsh ="/usr/bin/ssh -l syncer -i /home/syncer/.ssh/id_rsa",
compress = true,
acls = true,
xattrs = true,
archive = true
}
}
And it works except the owner of replicated files on the target server is always 'syncer'. The permissions of the source are respected and replicated correctly on the target. I just can't figure out a way to preserve the owner (and group) of the replicated files. (i.e., if the file on source is owned by 'deknuth', I would like the synced file on target to also be owned by 'deknuth' not 'syncer').
TIA
To close this out, using the non-root user will always move a file with that non-root user being the owner on the destination -- regardless of who owned it on the source. This may be acceptable. If not, run lsyncd as root and allow root logins with a key pair.