Home / ubuntu / Questions / 4135
Accepted
matt wilkie
Asked: 2010-09-14 16:55:15 +0800 CST

Group share permisssions to windows clients?

  • 772

On our home network we have Ubuntu 10.4 amd64 Desktop functioning as a file server and a couple of WinXP laptops. Ubuntu is not set up as a domain server, user names and passwords are synched, manually, across all machines.

What is the proper way to set up a shared space for the windows clients so that members of group Parents, and only Parents, both have read and write access to it's contents?

I thought I had this done, but when Dad creates or writes a file in \server\share-parents\ Mom's write access to same is revoked, vice versa. This creates all sorts of havoc when said file is the family expense spreadsheet and the home renos are this close to blowing the year's budget and credit card payment is due... Need I add that last years kludge of recursively chown'ing to :parents and chmod'ing g+w no longer keeps the bacon out of the fire?

The smb.conf shared section:

[global]
# other stuff edited out
security = user

[share-parents]
comment = parents shared files
available = yes
browseable = yes
public = yes
valid users = mom, dad
writable = yes
path=/home/shared
follow symlinks = yes
permissions samba

1 Answers

  1. Best Answer

    This is a permission problem, which you can solve either by:

    1) telling Samba to force some specific permissions (e.g., 664) on all files in the share: the relevant solution is discussed here: http://www.linuxquestions.org/questions/linux-newbie-8/samba-share-permissions-57589/

    It boils down to: assuming you want everything to be read+write for "parents" and read-only for everyone else, add the following lines to you [parents] share configuration:

      force create mode = 0664
  force security mode = 0664 
  force directory mode = 0775

    Every bit set to 1 in one of the "force * mode", will be set by SAMBA on the file, regardless of what the Windows clients requests.

    2) Use the security mask setting to disallow clearing the group-write bit (bits set to 1 in the "security mask" can be manipulated by Windows clients):

       security mask = 757

    So, once you've set a file g+w from Linux, it can never be changed back from Windows.

    A more detailed explanation of the relevant parameters is given at: http://cri.ch/linux/docs/sk0002.html

    Regardless of the chosen workaround, you might also want to force all files in the share to belong to UNIX group parents:

      force group = parents

    Either one of the two options should work; they are compatible so you can also choose to implement both at the same time.

    • 2