For some reason one one of my shares most of my users are getting an “you need permission to perform this action” when trying to write a file or folder to it. I cannot figure out why this is getting stopped up. My test user is in my ldap Ugrad group. Below is what I have written in my smb.conf file for this share. Any help would be appreciated on how to troubleshoot this…
[common]
comment = Common Volume
inherit acls = Yes
force create mode = 0777
security mask = 0777
directory security mask = 0777
force directory mode = 0777 #force security mode = 0 #force directory security mode = 0
path = /common/
read only = no
writeable = Yes
write list = @Admins@faculty@staff@Ugrad@Grad
valid users = @Admins@faculty@staff@Ugrad@Grad
it might be that system permissions (on the directory) are prohibiting write access - have you checked via “ls -l /common” and “getfacl /common”, to see if your users (or their groups) have proper rights?
it might be that system permissions (on the directory) are prohibiting write access - have you checked via “ls -l /common” and “getfacl /common”, to see if your users (or their groups) have proper rights?
Regards,
Jens[/QUOTE]
Well, I see getfacl /common looks good as the defaults show rwx. I am somewhat new to Linux and the ls -l /common is all over the place. Most of the directories show different user owners and different group names. Then some of them are drwxxrwxrwx+ and some of them are much less. Here is a short example. Hmm…
For some reason one one of my shares most of my users are getting an “you need permission to perform this action” when trying to write a file or folder to it.
Creating a new file or folder on your share would need the proper permissions on the /common directory itself - I should have given you “ls -ld /common” as a command to just show those permissions.
Are you basically familiar with access permissions? The basic ones (as seen by “ls -l[d]”) come as three groups of “rwx” - telling whether the file/directory owning user, group or anyone else has either “read”, “write” or “execute” permission. (In case of directories, “w” means add/remove entries to that dir, “read” means you can actually search the directory for entries, and “execute” allows to access an entry if you specifically know it’s name - so you don’t need “r” if you already know the entry’s name.) If there’s a “+” behind these groups, extended access control lists (ACLs) are set, so you neeed to use “getfacl” to see the actual permissions.
So if /common is owned by “root” and group “Admin” and you’d have “rwxr-xr-x” as permission, only the root user can modify that directory anyone else may just look at/for entries.
You probably will want to set ACLs for /common that allow modifying access to /common for the groups you named in smb.conf.
Please note that this only applies to directory entries - even if /common had rwxrwxrwx (giving full acces to anyone), the file /common/20140306155821376.pdf would still only be writeable by the root user (rwxr–r–)!
Okay, I am still a bit confused. I guess my question would be how would you go about making sure 3 of my groups had full read/write access to every file and directory under the /common share?
Make all these users member of a common group and set “force group = +commongroup” in smb.conf for that share.
From “man smb.conf”:
[QUOTE] force group (S)
This specifies a UNIX group name that will be assigned as the default primary group for all users connecting to this service. This is useful for sharing files by ensuring that all access to files on service will use the
named group for their permissions checking. Thus, by assigning permissions for this group to the files and directories within this service the Samba administrator can restrict or allow sharing of these files.
In Samba 2.0.5 and above this parameter has extended functionality in the following way. If the group name listed here has a + character prepended to it then the current user accessing the share only has the primary
group default assigned to this group if they are already assigned as a member of that group. This allows an administrator to decide that only users who are already in a particular group will create files with group
ownership set to that group. This gives a finer granularity of ownership assignment. For example, the setting force group = +sys means that only users who are already in group sys will have their default primary group
assigned to sys when accessing this Samba share. All other users will retain their ordinary primary group.
If the force user parameter is also set the group specified in force group will override the primary group set in force user.
Default: force group =
Example: force group = agroup[/QUOTE]
Then, to clean up the current situation, recursively change group ownership and access rights via “chgrp -R commongroup /common; chmod -R g+rw /common”. Depending on how your users (and Linux admins) act, you might need to do this clean-up from time to time again (since accessing the directory outside of SAMBA may create files with different ownership).