Setting Up Samba User Permissions

I’m having trouble setting up a Samba file share on my home server. Security is not a big concern. Here are the 3 things I need to accomplish:

  1. Fix permissions on the existing drive. Right now they are a mess. The shared folder is on a separate internal hard drive and is mounted as /mnt/Shared using the GNOME Disk Utility. The goal is to change permissions of folders to 775 and files to 664. I’ve tried the commands

    find /mnt/Shared/ -type d -exec chmod 775 {} \;
    find /mnt/Shared/ -type f -exec chmod 664 {} \;

which both ran for a while but didn’t seem to actually change anything. Is there a better way to get the permissions straightened out?

  2. Set it so that the Samba user writes with 775 and 664 permissions. I have successfully forced user ‘smbuser’ and group ‘sambashare’ from Windows machines accessing the shared folder. I have the following in the smb.conf file

    [Shared Folder]

    path = /mnt/Shared
    writeable = yes
    browseable = yes
    public = yes
    create mask = 0664
    directory mask = 0775
    force user = smbuser
    force group = sambashare
    hide unreadable = yes

When a Windows user connects and adds a folder and file, the user and group are correct, but the permissions show up as ‘drwxrwxr-x’ (775) for folders which is right, but ‘-rw-rwxr--’ (674) for files, which is not what I call out in smb.conf.

  3. From the main administrator account I can delete files created by Windows users, but not folders created by Windows users even though the admin is listed as belonging to the group ‘sambashare’. I’m not sure what is going on with permissions here. I would also like to ensure that the admin always writes to the shared folder under the ‘sambashare’ group so that way all files and folders can be accessed and changed from any user. I tried looking into the setgid flag, but didn’t see much on how to use it.

Any help appreciated!

Using /mnt is an approach which can cause headaches - as it is a designated temporary mount point - it is much cleaner to use a dedicated structure and subsequently use bind mount to a folder in the /srv tree.

Create a separate structure for the mount e.g. /data/smb and mount your disk there.

    sudo umount /mnt/Shared
    sudo mkdir -p /data/smb/Shared

Change group on the mountpoint

    sudo chown root:sambashare /data/smb/Shared

Modify your mount command - fstab or mount unit - to point the new location and mount it

Fix your permissions using a slightly different syntax

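    # Files: rw-rw-r-- (NUL-delimited so unusual file names are handled safely)
    find /data/smb/Shared -type f -print0 | sudo xargs -0 chmod 664
    # Directories: rwxrwxr-x
    find /data/smb/Shared -type d -print0 | sudo xargs -0 chmod 775
    # Directories: add the set-ID bits so new entries inherit the group
    find /data/smb/Shared -type d -print0 | sudo xargs -0 chmod +s
    # Hand the whole tree to the Samba user and group
    sudo chown -R smbuser:sambashare /data/smb/Shared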

Note: Using chmod +s on a directory changes the user/group as which you “execute” the directory. This implies that, whenever a new file or subdir is created, it will “inherit” the group ownership of the parent directory if the “setGID” bit is set.

Create a folder under /srv to serve the share

    sudo mkdir -p /srv/smb/Shared

Create a bind mount in fstab

    /data/smb/Shared /srv/smb/Shared none bind 0 0

Modify the path in your smb.conf and point to the new service mount

    path = /srv/smb/Shared

The default umask on Manjaro is 022. (umask - ArchWiki)

If you want the system default to use rw on files and rwx on folders you can change the default in /etc/profile to 027 matching your smbuser:sambashare policy.

Reboot the system.

Windows behavior - that is the closest I get - because I stumbled on this sentence from the umask article

Linux does not allow a file to be created with execution permissions, the default creation permissions are 777 for directories and only 666 for files.

That correlates with experience - if you want to create an executable script you need to chmod the file before you can execute it.
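Added example (not part of the original reply): the shell function below measures which modes a given umask produces for a new file and a new directory created inside a setgid, group-writable directory like those on the share. The function name `new_modes` and the temporary directory are assumptions for illustration, and `stat -c` is the GNU coreutils form.

```shell
#!/bin/sh
# new_modes UMASK: create one file and one directory inside a setgid,
# group-writable parent using the given umask, then print their octal
# modes as "<file> <dir>".
new_modes() {
    parent=$(mktemp -d) || return 1
    chmod 2775 "$parent"        # rwxrwsr-x, like a directory on the share
    (
        umask "$1"              # only affects this subshell
        touch "$parent/file"    # requested mode 666, reduced by the umask
        mkdir "$parent/dir"     # requested mode 777, reduced by the umask;
                                # the setgid bit is inherited from the parent
    )
    printf '%s %s\n' "$(stat -c %a "$parent/file")" "$(stat -c %a "$parent/dir")"
    rm -rf "$parent"
}

# Compare the system default (022) with two alternatives.
for mask in 022 002 027; do
    printf 'umask %s -> %s\n' "$mask" "$(new_modes "$mask")"
done
```

A leading 2 in the directory mode is the setgid bit, shown as `s` in the group column of `ls -l`.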

Thank you for the incredibly thorough response! I will try this tonight.

I had not realized that /mnt was only meant to be temporary.

What is the purpose of creating the /srv directory and binding it to the /data directory instead of just pointing the samba share at the /data directory? Is that a “best practices” sort of thing or does that have to do with cleaning up permissions? I could see myself forgetting about this and it seems like the kind of thing that can cause problems if forgotten.

My recommendation on using a separate structure in /data/service/mountpoint is my personal preference - you are free to use whatever structure makes sense for you.

It is best practice - because the bind mount limits the navigational possibilities within the shared folder - but again - you are free to mount directly but it is more difficult to control permissions on the share.

With a direct mount - though I have never played this part - it could be technically possible to create symlinks that navigate outside the bounds of the remote share thus making it possible to access folders not intended for share.

With a bind mount this should not be possible.

Also the /srv tree is a default location intended to expose the services offered by the system most commonly

  • /srv/http
  • /srv/ftp
  • /srv/nfs
  • /srv/smb
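Added example (not part of the original reply): an audit function that lists symlinks under a share root whose resolved target lies outside that root, which is the situation the reply above is concerned about. The function names and the sample tree are constructed for illustration; `readlink -f` is assumed to be the GNU or BusyBox implementation.

```shell
#!/bin/sh
# Samba decides separately whether smbd follows such links (see the
# "wide links" and "follow symlinks" parameters in smb.conf(5)); this only
# reports what is present on disk.

# find_escaping_links ROOT: print "link -> target" for every symlink under
# ROOT whose fully resolved target is not ROOT itself or a path below it.
find_escaping_links() {
    root=$(readlink -f -- "$1") || return 1
    find "$root" -type l -exec sh -c '
        root=$1; shift
        for link in "$@"; do
            target=$(readlink -f -- "$link")
            case "$target" in
                "$root"|"$root"/*) ;;   # stays inside the share
                *) printf "%s -> %s\n" "$link" "${target:-unresolvable}" ;;
            esac
        done' sh "$root" {} +
}

# Constructed sample tree (not from the thread); prints its base directory.
build_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/share/docs" "$d/share-private"
    : > "$d/share/docs/a.txt"
    ln -s docs/a.txt        "$d/share/ok"        # resolves inside the share
    ln -s /                 "$d/share/rootfs"    # absolute path outside
    ln -s ../..             "$d/share/docs/up"   # climbs above the share root
    ln -s ../share-private  "$d/share/sibling"   # shares only a name prefix
    printf '%s\n' "$d"
}

tree=$(build_sample_tree)
find_escaping_links "$tree/share"
rm -rf "$tree"
```

Run against the real share, the call would be `find_escaping_links /srv/smb/Shared`; an empty result means no link resolves outside the share.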

Everything has gone mostly well. I have mounted the drive to the data folder and have samba pointed towards the bind mount. All of the permissions have been straightened out for existing files. Appreciate the thorough guide.

Still trying to sort out file and folder creation from the admin user. When I create files from the admin account, the group is sambashare as desired, but the permissions are drwxr-sr-x for folders and -rw-r--r-- for files. I tried changing umask, but that didn’t seem to make a difference. Not too big of a deal as I can clean this up easily now and I rarely ever create files and folders from the host machine. I did stumble across the setfacl command, but haven’t had a chance to try that out.

And as far as the Windows file permissions, I tried the map archive and store dos attributes parameters in samba without success. Might be easiest to just clean it up once in a while.