How to get group write permission with Samba 4?












2















I have a Samba share server running Ubuntu. After upgrading to 14.04, I had Samba upgraded from 3 to 4. Since then, I can't get group write permission on my newly created directory or files.



What was previously working in Samba3 was using these settings:



security mask = 000
force security mode = 660
directory security mask = 000
force directory security mode = 770
force user = nobody
force group = Domain Users


These settings were removed in Samba 4 (see https://wiki.samba.org/index.php/Samba_4.0_Features_added/changed#smb.conf_changes).



But now, my directories are created "drwxr-x--- 2 nobody Domain Users" and my new files "-rwxr-x--- 1 nobody Domain Users".



So what is the way in Samba 4 to allow my users to create and share with write permissions new directories and files ?



Here is my full samba config:



[global]
workgroup = WORKGROUP
server string = %h server (Samba, Ubuntu)
interfaces = 127.0.0.0/8, eth0
map to guest = Bad User
obey pam restrictions = Yes
passdb backend = ldapsam:ldap://ldap
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Entersnews*spassword:* %nn *Retypesnews*spassword:* %nn *passwordsupdatedssuccessfully* .
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
load printers = No
domain master = Yes
dns proxy = No
ldap admin dn = cn=root,dc=example,dc=com
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap passwd sync = yes
ldap suffix = dc=example,dc=com
ldap ssl = no
ldap user suffix = ou=People
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
idmap config * : backend = tdb

[CommonShare]
comment = Common share
path = /srv/samba/common
valid users = @myusers
read only = No
create mask = 0660
force create mode = 0770
directory mask = 0770
force directory mode = 0770
inherit permissions = Yes
inherit owner = Yes









share|improve this question



























    2















    I have a Samba share server running Ubuntu. After upgrading to 14.04, I had Samba upgraded from 3 to 4. Since then, I can't get group write permission on my newly created directory or files.



    What was previously working in Samba3 was using these settings:



    security mask = 000
    force security mode = 660
    directory security mask = 000
    force directory security mode = 770
    force user = nobody
    force group = Domain Users


    These settings were removed in Samba 4 (see https://wiki.samba.org/index.php/Samba_4.0_Features_added/changed#smb.conf_changes).



    But now, my directories are created "drwxr-x--- 2 nobody Domain Users" and my new files "-rwxr-x--- 1 nobody Domain Users".



    So what is the way in Samba 4 to allow my users to create and share with write permissions new directories and files ?



    Here is my full samba config:



    [global]
    workgroup = WORKGROUP
    server string = %h server (Samba, Ubuntu)
    interfaces = 127.0.0.0/8, eth0
    map to guest = Bad User
    obey pam restrictions = Yes
    passdb backend = ldapsam:ldap://ldap
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Entersnews*spassword:* %nn *Retypesnews*spassword:* %nn *passwordsupdatedssuccessfully* .
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    load printers = No
    domain master = Yes
    dns proxy = No
    ldap admin dn = cn=root,dc=example,dc=com
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap machine suffix = ou=Computers
    ldap passwd sync = yes
    ldap suffix = dc=example,dc=com
    ldap ssl = no
    ldap user suffix = ou=People
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    idmap config * : backend = tdb

    [CommonShare]
    comment = Common share
    path = /srv/samba/common
    valid users = @myusers
    read only = No
    create mask = 0660
    force create mode = 0770
    directory mask = 0770
    force directory mode = 0770
    inherit permissions = Yes
    inherit owner = Yes









    share|improve this question

























      2












      2








      2








      I have a Samba share server running Ubuntu. After upgrading to 14.04, I had Samba upgraded from 3 to 4. Since then, I can't get group write permission on my newly created directory or files.



      What was previously working in Samba3 was using these settings:



      security mask = 000
      force security mode = 660
      directory security mask = 000
      force directory security mode = 770
      force user = nobody
      force group = Domain Users


      These settings were removed in Samba 4 (see https://wiki.samba.org/index.php/Samba_4.0_Features_added/changed#smb.conf_changes).



      But now, my directories are created "drwxr-x--- 2 nobody Domain Users" and my new files "-rwxr-x--- 1 nobody Domain Users".



      So what is the way in Samba 4 to allow my users to create and share with write permissions new directories and files ?



      Here is my full samba config:



      [global]
      workgroup = WORKGROUP
      server string = %h server (Samba, Ubuntu)
      interfaces = 127.0.0.0/8, eth0
      map to guest = Bad User
      obey pam restrictions = Yes
      passdb backend = ldapsam:ldap://ldap
      pam password change = Yes
      passwd program = /usr/bin/passwd %u
      passwd chat = *Entersnews*spassword:* %nn *Retypesnews*spassword:* %nn *passwordsupdatedssuccessfully* .
      syslog = 0
      log file = /var/log/samba/log.%m
      max log size = 1000
      load printers = No
      domain master = Yes
      dns proxy = No
      ldap admin dn = cn=root,dc=example,dc=com
      ldap group suffix = ou=Groups
      ldap idmap suffix = ou=Idmap
      ldap machine suffix = ou=Computers
      ldap passwd sync = yes
      ldap suffix = dc=example,dc=com
      ldap ssl = no
      ldap user suffix = ou=People
      usershare allow guests = Yes
      panic action = /usr/share/samba/panic-action %d
      idmap config * : backend = tdb

      [CommonShare]
      comment = Common share
      path = /srv/samba/common
      valid users = @myusers
      read only = No
      create mask = 0660
      force create mode = 0770
      directory mask = 0770
      force directory mode = 0770
      inherit permissions = Yes
      inherit owner = Yes









      share|improve this question














      I have a Samba share server running Ubuntu. After upgrading to 14.04, I had Samba upgraded from 3 to 4. Since then, I can't get group write permission on my newly created directory or files.



      What was previously working in Samba3 was using these settings:



      security mask = 000
      force security mode = 660
      directory security mask = 000
      force directory security mode = 770
      force user = nobody
      force group = Domain Users


      These settings were removed in Samba 4 (see https://wiki.samba.org/index.php/Samba_4.0_Features_added/changed#smb.conf_changes).



      But now, my directories are created "drwxr-x--- 2 nobody Domain Users" and my new files "-rwxr-x--- 1 nobody Domain Users".



      So what is the way in Samba 4 to allow my users to create and share with write permissions new directories and files ?



      Here is my full samba config:



      [global]
      workgroup = WORKGROUP
      server string = %h server (Samba, Ubuntu)
      interfaces = 127.0.0.0/8, eth0
      map to guest = Bad User
      obey pam restrictions = Yes
      passdb backend = ldapsam:ldap://ldap
      pam password change = Yes
      passwd program = /usr/bin/passwd %u
      passwd chat = *Entersnews*spassword:* %nn *Retypesnews*spassword:* %nn *passwordsupdatedssuccessfully* .
      syslog = 0
      log file = /var/log/samba/log.%m
      max log size = 1000
      load printers = No
      domain master = Yes
      dns proxy = No
      ldap admin dn = cn=root,dc=example,dc=com
      ldap group suffix = ou=Groups
      ldap idmap suffix = ou=Idmap
      ldap machine suffix = ou=Computers
      ldap passwd sync = yes
      ldap suffix = dc=example,dc=com
      ldap ssl = no
      ldap user suffix = ou=People
      usershare allow guests = Yes
      panic action = /usr/share/samba/panic-action %d
      idmap config * : backend = tdb

      [CommonShare]
      comment = Common share
      path = /srv/samba/common
      valid users = @myusers
      read only = No
      create mask = 0660
      force create mode = 0770
      directory mask = 0770
      force directory mode = 0770
      inherit permissions = Yes
      inherit owner = Yes






      permissions samba file-sharing






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 14 '14 at 8:28









      alcialci

      3,07043256




      3,07043256






















          4 Answers
          4






          active

          oldest

          votes


















          2














          To fix the problem you may add the force user username to the list of valid users for the share.



          In your case:



          [Myshare]
          ...
          valid users = @bureau
          ...


          should be:



          [Myshare]
          ...
          valid users = nobody @bureau
          ...





          share|improve this answer
























          • Great, this works !

            – alci
            Nov 18 '14 at 11:30



















          1














          This same problem happened to me.



          I had to update the access control lists of all directories with the default group permissions:



          sudo setfacl -R -m d:g:family:rwx /mnt/backup

          -R = recursive
          -m = modify
          d: = defaults
          g: = group name ("family" in my case) or gid number
          rwx = default permissions read write execute for all in group


          /mnt/backup is the directory (and subdirectories) to modify.






          share|improve this answer

































            1














            I know this is an old thread, but this might help someone. I solved this by setting the setgid bit to 2 (instead of 0) so the directories / files are created with group write permissions, e.g.



            force create mode = 2777
            force directory mode = 2777



            From : https://linuxconfig.org/how-to-use-special-permissions-the-setuid-setgid-and-sticky-bits#h7-the-setgid-bit






            share|improve this answer

































              0














              The first four parameters have been removed, not the last two (see: https://www.samba.org/samba/docs/man/manpages/smb.conf.5.html#FORCEUSER).



              So, just put them back in the config file and that should solve the problem. If you want write permissions to users in a particular group, add the write list parameter. It provides ability to grant write permissions to specific users or groups.



              Here is an example of a config I use to allow creation/modification of files to all users belonging to a specific group (and only these users):



              [Myshare]
              writeable = yes
              path = /shares/office
              force directory mode = 770
              force create mode = 770
              force group = bureau
              valid users = @bureau
              write list = @bureau

              .






              share|improve this answer


























              • force user and force group are indeed still valid parameters, but it does not change anything. Files and directories are created as Nobody / Domain Users anyway (don't know why, maybe inherit owner ?, but are NOT group writable...

                – alci
                Nov 17 '14 at 8:13











              • See edited version of my answer. Basically, use write list parameter.

                – Marc Vanhoomissen
                Nov 17 '14 at 12:43











              Your Answer








              StackExchange.ready(function() {
              var channelOptions = {
              tags: "".split(" "),
              id: "89"
              };
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function() {
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled) {
              StackExchange.using("snippets", function() {
              createEditor();
              });
              }
              else {
              createEditor();
              }
              });

              function createEditor() {
              StackExchange.prepareEditor({
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: true,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: 10,
              bindNavPrevention: true,
              postfix: "",
              imageUploader: {
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              },
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              });


              }
              });














              draft saved

              draft discarded


















              StackExchange.ready(
              function () {
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f549513%2fhow-to-get-group-write-permission-with-samba-4%23new-answer', 'question_page');
              }
              );

              Post as a guest















              Required, but never shown

























              4 Answers
              4






              active

              oldest

              votes








              4 Answers
              4






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              2














              To fix the problem you may add the force user username to the list of valid users for the share.



              In your case:



              [Myshare]
              ...
              valid users = @bureau
              ...


              should be:



              [Myshare]
              ...
              valid users = nobody @bureau
              ...





              share|improve this answer
























              • Great, this works !

                – alci
                Nov 18 '14 at 11:30
















              2














              To fix the problem you may add the force user username to the list of valid users for the share.



              In your case:



              [Myshare]
              ...
              valid users = @bureau
              ...


              should be:



              [Myshare]
              ...
              valid users = nobody @bureau
              ...





              share|improve this answer
























              • Great, this works !

                – alci
                Nov 18 '14 at 11:30














              2












              2








              2







              To fix the problem you may add the force user username to the list of valid users for the share.



              In your case:



              [Myshare]
              ...
              valid users = @bureau
              ...


              should be:



              [Myshare]
              ...
              valid users = nobody @bureau
              ...





              share|improve this answer













              To fix the problem you may add the force user username to the list of valid users for the share.



              In your case:



              [Myshare]
              ...
              valid users = @bureau
              ...


              should be:



              [Myshare]
              ...
              valid users = nobody @bureau
              ...






              share|improve this answer












              share|improve this answer



              share|improve this answer










              answered Nov 18 '14 at 11:28









              MatgMatg

              361




              361













              • Great, this works !

                – alci
                Nov 18 '14 at 11:30



















              • Great, this works !

                – alci
                Nov 18 '14 at 11:30

















              Great, this works !

              – alci
              Nov 18 '14 at 11:30





              Great, this works !

              – alci
              Nov 18 '14 at 11:30













              1














              This same problem happened to me.



              I had to update the access control lists of all directories with the default group permissions:



              sudo setfacl -R -m d:g:family:rwx /mnt/backup

              -R = recursive
              -m = modify
              d: = defaults
              g: = group name ("family" in my case) or gid number
              rwx = default permissions read write execute for all in group


              /mnt/backup is the directory (and subdirectories) to modify.






              share|improve this answer






























                1














                This same problem happened to me.



                I had to update the access control lists of all directories with the default group permissions:



                sudo setfacl -R -m d:g:family:rwx /mnt/backup

                -R = recursive
                -m = modify
                d: = defaults
                g: = group name ("family" in my case) or gid number
                rwx = default permissions read write execute for all in group


                /mnt/backup is the directory (and subdirectories) to modify.






                share|improve this answer




























                  1












                  1








                  1







                  This same problem happened to me.



                  I had to update the access control lists of all directories with the default group permissions:



                  sudo setfacl -R -m d:g:family:rwx /mnt/backup

                  -R = recursive
                  -m = modify
                  d: = defaults
                  g: = group name ("family" in my case) or gid number
                  rwx = default permissions read write execute for all in group


                  /mnt/backup is the directory (and subdirectories) to modify.






                  share|improve this answer















                  This same problem happened to me.



                  I had to update the access control lists of all directories with the default group permissions:



                  sudo setfacl -R -m d:g:family:rwx /mnt/backup

                  -R = recursive
                  -m = modify
                  d: = defaults
                  g: = group name ("family" in my case) or gid number
                  rwx = default permissions read write execute for all in group


                  /mnt/backup is the directory (and subdirectories) to modify.







                  share|improve this answer














                  share|improve this answer



                  share|improve this answer








                  edited Jul 7 '17 at 21:01









                  guntbert

                  9,331133170




                  9,331133170










                  answered Jul 7 '17 at 20:35









                  Scott LentzScott Lentz

                  111




                  111























                      1














                      I know this is an old thread, but this might help someone. I solved this by setting the setgid bit to 2 (instead of 0) so the directories / files are created with group write permissions, e.g.



                      force create mode = 2777
                      force directory mode = 2777



                      From : https://linuxconfig.org/how-to-use-special-permissions-the-setuid-setgid-and-sticky-bits#h7-the-setgid-bit






                      share|improve this answer






























                        1














                        I know this is an old thread, but this might help someone. I solved this by setting the setgid bit to 2 (instead of 0) so the directories / files are created with group write permissions, e.g.



                        force create mode = 2777
                        force directory mode = 2777



                        From : https://linuxconfig.org/how-to-use-special-permissions-the-setuid-setgid-and-sticky-bits#h7-the-setgid-bit






                        share|improve this answer




























                          1












                          1








                          1







                          I know this is an old thread, but this might help someone. I solved this by setting the setgid bit to 2 (instead of 0) so the directories / files are created with group write permissions, e.g.



                          force create mode = 2777
                          force directory mode = 2777



                          From : https://linuxconfig.org/how-to-use-special-permissions-the-setuid-setgid-and-sticky-bits#h7-the-setgid-bit






                          share|improve this answer















                          I know this is an old thread, but this might help someone. I solved this by setting the setgid bit to 2 (instead of 0) so the directories / files are created with group write permissions, e.g.



                          force create mode = 2777
                          force directory mode = 2777



                          From : https://linuxconfig.org/how-to-use-special-permissions-the-setuid-setgid-and-sticky-bits#h7-the-setgid-bit







                          share|improve this answer














                          share|improve this answer



                          share|improve this answer








                          edited 2 days ago

























                          answered May 16 '18 at 9:23









                          edededededed

                          112




                          112























                              0














                              The first four parameters have been removed, not the last two (see: https://www.samba.org/samba/docs/man/manpages/smb.conf.5.html#FORCEUSER).



                              So, just put them back in the config file and that should solve the problem. If you want write permissions to users in a particular group, add the write list parameter. It provides ability to grant write permissions to specific users or groups.



                              Here is an example of a config I use to allow creation/modification of files to all users belonging to a specific group (and only these users):



                              [Myshare]
                              writeable = yes
                              path = /shares/office
                              force directory mode = 770
                              force create mode = 770
                              force group = bureau
                              valid users = @bureau
                              write list = @bureau

                              .






                              share|improve this answer


























                              • force user and force group are indeed still valid parameters, but it does not change anything. Files and directories are created as Nobody / Domain Users anyway (don't know why, maybe inherit owner ?, but are NOT group writable...

                                – alci
                                Nov 17 '14 at 8:13











                              • See edited version of my answer. Basically, use write list parameter.

                                – Marc Vanhoomissen
                                Nov 17 '14 at 12:43
















                              0














                              The first four parameters have been removed, not the last two (see: https://www.samba.org/samba/docs/man/manpages/smb.conf.5.html#FORCEUSER).



                              So, just put them back in the config file and that should solve the problem. If you want write permissions to users in a particular group, add the write list parameter. It provides ability to grant write permissions to specific users or groups.



                              Here is an example of a config I use to allow creation/modification of files to all users belonging to a specific group (and only these users):



                              [Myshare]
                              writeable = yes
                              path = /shares/office
                              force directory mode = 770
                              force create mode = 770
                              force group = bureau
                              valid users = @bureau
                              write list = @bureau

                              .






                              share|improve this answer


























                              • force user and force group are indeed still valid parameters, but it does not change anything. Files and directories are created as Nobody / Domain Users anyway (don't know why, maybe inherit owner ?, but are NOT group writable...

                                – alci
                                Nov 17 '14 at 8:13











                              • See edited version of my answer. Basically, use write list parameter.

                                – Marc Vanhoomissen
                                Nov 17 '14 at 12:43














                              0












                              0








                              0







                              The first four parameters have been removed, not the last two (see: https://www.samba.org/samba/docs/man/manpages/smb.conf.5.html#FORCEUSER).



                              So, just put them back in the config file and that should solve the problem. If you want write permissions to users in a particular group, add the write list parameter. It provides ability to grant write permissions to specific users or groups.



                              Here is an example of a config I use to allow creation/modification of files to all users belonging to a specific group (and only these users):



                              [Myshare]
                              writeable = yes
                              path = /shares/office
                              force directory mode = 770
                              force create mode = 770
                              force group = bureau
                              valid users = @bureau
                              write list = @bureau

                              .






                              share|improve this answer















                              The first four parameters have been removed, not the last two (see: https://www.samba.org/samba/docs/man/manpages/smb.conf.5.html#FORCEUSER).



                              So, just put them back in the config file and that should solve the problem. If you want write permissions to users in a particular group, add the write list parameter. It provides ability to grant write permissions to specific users or groups.



                              Here is an example of a config I use to allow creation/modification of files to all users belonging to a specific group (and only these users):



                              [Myshare]
                              writeable = yes
                              path = /shares/office
                              force directory mode = 770
                              force create mode = 770
                              force group = bureau
                              valid users = @bureau
                              write list = @bureau

                              .







                              share|improve this answer














                              share|improve this answer



                              share|improve this answer








                              edited Nov 17 '14 at 12:53

























                              answered Nov 14 '14 at 12:45









                              Marc VanhoomissenMarc Vanhoomissen

                              89811119




                              89811119













                              • force user and force group are indeed still valid parameters, but it does not change anything. Files and directories are created as Nobody / Domain Users anyway (don't know why, maybe inherit owner ?, but are NOT group writable...

                                – alci
                                Nov 17 '14 at 8:13











                              • See edited version of my answer. Basically, use write list parameter.

                                – Marc Vanhoomissen
                                Nov 17 '14 at 12:43



















                              • force user and force group are indeed still valid parameters, but it does not change anything. Files and directories are created as Nobody / Domain Users anyway (don't know why, maybe inherit owner ?, but are NOT group writable...

                                – alci
                                Nov 17 '14 at 8:13











                              • See edited version of my answer. Basically, use write list parameter.

                                – Marc Vanhoomissen
                                Nov 17 '14 at 12:43

















                              force user and force group are indeed still valid parameters, but it does not change anything. Files and directories are created as Nobody / Domain Users anyway (don't know why, maybe inherit owner ?, but are NOT group writable...

                              – alci
                              Nov 17 '14 at 8:13





                              force user and force group are indeed still valid parameters, but it does not change anything. Files and directories are created as Nobody / Domain Users anyway (don't know why, maybe inherit owner ?, but are NOT group writable...

                              – alci
                              Nov 17 '14 at 8:13













                              See edited version of my answer. Basically, use write list parameter.

                              – Marc Vanhoomissen
                              Nov 17 '14 at 12:43





                              See edited version of my answer. Basically, use write list parameter.

                              – Marc Vanhoomissen
                              Nov 17 '14 at 12:43


















                              draft saved

                              draft discarded




















































                              Thanks for contributing an answer to Ask Ubuntu!


                              • Please be sure to answer the question. Provide details and share your research!

                              But avoid



                              • Asking for help, clarification, or responding to other answers.

                              • Making statements based on opinion; back them up with references or personal experience.


                              To learn more, see our tips on writing great answers.




                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function () {
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f549513%2fhow-to-get-group-write-permission-with-samba-4%23new-answer', 'question_page');
                              }
                              );

                              Post as a guest















                              Required, but never shown





















































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown

































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown







                              Popular posts from this blog

                              數位音樂下載

                              When can things happen in Etherscan, such as the picture below?

                              格利澤436b