Howto to configure samba, add users and groups, with different permissions in various folders












0















I am trying to implement a server with Samba 4.5.x on Debian 9. The Samba server shall be accessible from Mac OS X and Windows.



Here is the thing.



I have those groups (maybe is it my mistake ?) :




  • Admin (User 1 + User 2)

  • Group1 (User 3 + User 4)

  • Group2 (User 5 + User 6)

  • Group3 (User 7 + User 8)


I have these directories :




  • Directory1

  • Directory2


  • Directory3




    • SubDirectoryOfUser7

    • SubDirectoryOfUser8




I'd like to have to have :




  • User 1 + User 2 (Admin) to have read, write and navigate on any folders in all directories.


  • I'd like to have User 3 + User 4 (Group1) able to read, write and navigate in anything in Directory1 + guests to have right to read and navigate in this directory.


  • I want User 5 + User 6 (Group2) able to read, write and navigate in Directory2 and User 3 + User 4 (Group1) able to read and navigate in it.


  • I try to have User 7 + User 8 (Group 3) able to read and navigate in Directory3, but just able to write in their own SubDirectoryOfUserN7 and SubDirectoryOfUser8, User 5 + User 6 (Group 2) should be able to read, write and navigate in Directory3 + SubDirectoryOfUserS.



I have tried to organize the group like above, but I also tried a group configuration regarding directories. For instance Admin, who are User 1 and User 2 are also in Group1, Group2, etc. But It still doesn't work how I would like to.



I have tried to deal with ACL as well. But I still don't know what I should put in my smb.conf for read / write lists and create / directory masks. I don't know how I could correctly organize my groups to link them to directories. I don't know how to deal with nested directories in Directory3 as well.



Since I have tried so many ideas since 3 days, I feel literaly stupid with Samba now. I read many threads here, the Arch Wiki, the Debian Wiki, the Samba Documentation and an old manual, but about Samba 3, and I would say I am in the desert and all my knowledge and small experiments at home cannot be enough to deploy such a server in my NGO.



Please, if you would have recommendations, solutions or an appropriate link that would answer to those cases, I would be very thankful.



Thank you in advance !










share|improve this question





























    0















    I am trying to implement a server with Samba 4.5.x on Debian 9. The Samba server shall be accessible from Mac OS X and Windows.



    Here is the thing.



    I have those groups (maybe is it my mistake ?) :




    • Admin (User 1 + User 2)

    • Group1 (User 3 + User 4)

    • Group2 (User 5 + User 6)

    • Group3 (User 7 + User 8)


    I have these directories :




    • Directory1

    • Directory2


    • Directory3




      • SubDirectoryOfUser7

      • SubDirectoryOfUser8




    I'd like to have to have :




    • User 1 + User 2 (Admin) to have read, write and navigate on any folders in all directories.


    • I'd like to have User 3 + User 4 (Group1) able to read, write and navigate in anything in Directory1 + guests to have right to read and navigate in this directory.


    • I want User 5 + User 6 (Group2) able to read, write and navigate in Directory2 and User 3 + User 4 (Group1) able to read and navigate in it.


    • I try to have User 7 + User 8 (Group 3) able to read and navigate in Directory3, but just able to write in their own SubDirectoryOfUserN7 and SubDirectoryOfUser8, User 5 + User 6 (Group 2) should be able to read, write and navigate in Directory3 + SubDirectoryOfUserS.



    I have tried to organize the group like above, but I also tried a group configuration regarding directories. For instance Admin, who are User 1 and User 2 are also in Group1, Group2, etc. But It still doesn't work how I would like to.



    I have tried to deal with ACL as well. But I still don't know what I should put in my smb.conf for read / write lists and create / directory masks. I don't know how I could correctly organize my groups to link them to directories. I don't know how to deal with nested directories in Directory3 as well.



    Since I have tried so many ideas since 3 days, I feel literaly stupid with Samba now. I read many threads here, the Arch Wiki, the Debian Wiki, the Samba Documentation and an old manual, but about Samba 3, and I would say I am in the desert and all my knowledge and small experiments at home cannot be enough to deploy such a server in my NGO.



    Please, if you would have recommendations, solutions or an appropriate link that would answer to those cases, I would be very thankful.



    Thank you in advance !










    share|improve this question



























      0












      0








      0








      I am trying to implement a server with Samba 4.5.x on Debian 9. The Samba server shall be accessible from Mac OS X and Windows.



      Here is the thing.



      I have those groups (maybe is it my mistake ?) :




      • Admin (User 1 + User 2)

      • Group1 (User 3 + User 4)

      • Group2 (User 5 + User 6)

      • Group3 (User 7 + User 8)


      I have these directories :




      • Directory1

      • Directory2


      • Directory3




        • SubDirectoryOfUser7

        • SubDirectoryOfUser8




      I'd like to have to have :




      • User 1 + User 2 (Admin) to have read, write and navigate on any folders in all directories.


      • I'd like to have User 3 + User 4 (Group1) able to read, write and navigate in anything in Directory1 + guests to have right to read and navigate in this directory.


      • I want User 5 + User 6 (Group2) able to read, write and navigate in Directory2 and User 3 + User 4 (Group1) able to read and navigate in it.


      • I try to have User 7 + User 8 (Group 3) able to read and navigate in Directory3, but just able to write in their own SubDirectoryOfUserN7 and SubDirectoryOfUser8, User 5 + User 6 (Group 2) should be able to read, write and navigate in Directory3 + SubDirectoryOfUserS.



      I have tried to organize the group like above, but I also tried a group configuration regarding directories. For instance Admin, who are User 1 and User 2 are also in Group1, Group2, etc. But It still doesn't work how I would like to.



      I have tried to deal with ACL as well. But I still don't know what I should put in my smb.conf for read / write lists and create / directory masks. I don't know how I could correctly organize my groups to link them to directories. I don't know how to deal with nested directories in Directory3 as well.



      Since I have tried so many ideas since 3 days, I feel literaly stupid with Samba now. I read many threads here, the Arch Wiki, the Debian Wiki, the Samba Documentation and an old manual, but about Samba 3, and I would say I am in the desert and all my knowledge and small experiments at home cannot be enough to deploy such a server in my NGO.



      Please, if you would have recommendations, solutions or an appropriate link that would answer to those cases, I would be very thankful.



      Thank you in advance !










      share|improve this question
















      I am trying to implement a server with Samba 4.5.x on Debian 9. The Samba server shall be accessible from Mac OS X and Windows.



      Here is the thing.



      I have those groups (maybe is it my mistake ?) :




      • Admin (User 1 + User 2)

      • Group1 (User 3 + User 4)

      • Group2 (User 5 + User 6)

      • Group3 (User 7 + User 8)


      I have these directories :




      • Directory1

      • Directory2


      • Directory3




        • SubDirectoryOfUser7

        • SubDirectoryOfUser8




      I'd like to have to have :




      • User 1 + User 2 (Admin) to have read, write and navigate on any folders in all directories.


      • I'd like to have User 3 + User 4 (Group1) able to read, write and navigate in anything in Directory1 + guests to have right to read and navigate in this directory.


      • I want User 5 + User 6 (Group2) able to read, write and navigate in Directory2 and User 3 + User 4 (Group1) able to read and navigate in it.


      • I try to have User 7 + User 8 (Group 3) able to read and navigate in Directory3, but just able to write in their own SubDirectoryOfUserN7 and SubDirectoryOfUser8, User 5 + User 6 (Group 2) should be able to read, write and navigate in Directory3 + SubDirectoryOfUserS.



      I have tried to organize the group like above, but I also tried a group configuration regarding directories. For instance Admin, who are User 1 and User 2 are also in Group1, Group2, etc. But It still doesn't work how I would like to.



      I have tried to deal with ACL as well. But I still don't know what I should put in my smb.conf for read / write lists and create / directory masks. I don't know how I could correctly organize my groups to link them to directories. I don't know how to deal with nested directories in Directory3 as well.



      Since I have tried so many ideas since 3 days, I feel literaly stupid with Samba now. I read many threads here, the Arch Wiki, the Debian Wiki, the Samba Documentation and an old manual, but about Samba 3, and I would say I am in the desert and all my knowledge and small experiments at home cannot be enough to deploy such a server in my NGO.



      Please, if you would have recommendations, solutions or an appropriate link that would answer to those cases, I would be very thankful.



      Thank you in advance !







      linux samba






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Feb 2 at 16:58







      jaunerg

















      asked Jan 31 at 13:37









      jaunergjaunerg

      11




      11






















          1 Answer
          1






          active

          oldest

          votes


















          0














          I finally made it, if it can help someone. I don't know if it is nice, but it works nice with POSIX rights, without ugly ACL.



          1] Create groups



          $ sudo groupadd Group1
          $ sudo groupadd ...


          Please notice I did not create an Admin group since my admin users will be in all the other groups. This is the only way I made it work so far. If someone has a nicer way to deal with for instance an admin group with rights on anything, please tell me ! My solution is correct since I am managing a dozen of accounts but not hundreds or thousands...



          2] Create users (without home folder and ability to use SSH for security reasons)



          $ sudo adduser --no-create-hom --shell /usr/sbin/nologin user1
          $ sudo adduser --no-create-hom --shell /usr/sbin/nologin user...


          3] Add users in smbpasswd database. Please pay attention to the fact I had to add them, but also to enable them to avoid any kind of problems.



          $ sudo smbpasswd -a user1
          $ sudo smbpasswd -e user1
          $ ...


          4] Add users to the groups where they will be. Please notice I thought samba was not able to recognize secondary groups, but actually it does. The mistake was a misusing of the command line.



          The error was:



          $ sudo usermod -G user1 Group1
          $ sudo usermod -G user1 Group2


          If you do:



          $ groups user1


          You have something like:



          user1 Group2


          Because the secondary group has disappeared.



          The good practice is:



          $ sudo usermod -G Group1,Group2,Group3 user1


          In this case:



          $ groups user1


          Will show:



          $ user1 Admin Group1 Group2 Group3


          Please, be careful of primary and secondary groups. An user can be in multiple secondary groups, but only in one primary group.



          So another mistake would be:



          $ sudo usermod -g Group1


          If you do:



          $ groups user1


          You got:



          $ Group1


          4] Create the folders with the good permissions:



          $ sudo mkdir /path/to/Directory1
          $ sudo chown root:Group1 /path/to/Directory1
          $ sudo chmod 2775 /path/to/Directory1


          Please read this if you don't know nothing about file system permissions and setuid, setgid : chmod + setuid and setgid. The permissions and also there inheritances are important for your groups.



          5] Create as many directories you want with the permissions you want.



          6] Configure your smb.conf file with the editor of your choice. I personally use vim. Make a backup first before losing anything that was running well.



          $ sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
          $ sudo vim /etc/samba/smb.conf


          Your config file here, with global config and Directory1 config is:



          [global]

          workgroup = YOUR-LOCAL-WORKGROUP
          server string = %h # hostname
          log file = /var/samba/smb-%h.log
          max log size = 1000
          disable netbios = yes # since this is a standalone server
          server role = standalone server
          veto files = /*.exe/*.com/*.dll/*.bat/*.vbs/*.tmp/ # whatever your want
          delete veto files = yes

          [Directory1]

          path = /path/to/Directory1
          browseable = yes
          guest only = no
          guest ok = yes
          read list = nobody guest
          write list = @Group1
          force create mode = 0665 # please see system file permissions ...
          force directory mode = 2775 # ... and setuid, setgid, right above !


          Please note the execution is important for your users. This allows them to navigate through the directories. But the execution is also a danger regarding files. You don't want you users to execute scripts or whatsoever, reading is widely enough.



          That is why I restrict files on reading and writing for users and reading for anonymous, while I let executing on directories for navigation. Execute a folder is not a danger but execute a file is.



              force create mode = 0665
          force directory mode = 2775


          Note the options delete veto file and veto files are also another shield since you don't want your silly Windows Mac OS X users put blobs or binaries or executable randomwares on your clean server.



          7] Test your config file with a gentle command:



          $ testparm


          8] Everything is good ? Then.



          $ sudo systemctl start smbd.service # or restart
          $ sudo systemctl enable smbd.service


          Now you can log with the method of your choice and see that anonymous can explore the files on the server without the permission of writing it while your authenticated and designated users can read, write and execute -- i.e navigate from a directory to a directory.



          Et voilà ! I hope it will help someone.






          share|improve this answer


























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "3"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1400568%2fhowto-to-configure-samba-add-users-and-groups-with-different-permissions-in-va%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            0














            I finally made it, if it can help someone. I don't know if it is nice, but it works nice with POSIX rights, without ugly ACL.



            1] Create groups



            $ sudo groupadd Group1
            $ sudo groupadd ...


            Please notice I did not create an Admin group since my admin users will be in all the other groups. This is the only way I made it work so far. If someone has a nicer way to deal with for instance an admin group with rights on anything, please tell me ! My solution is correct since I am managing a dozen of accounts but not hundreds or thousands...



            2] Create users (without home folder and ability to use SSH for security reasons)



            $ sudo adduser --no-create-hom --shell /usr/sbin/nologin user1
            $ sudo adduser --no-create-hom --shell /usr/sbin/nologin user...


            3] Add users in smbpasswd database. Please pay attention to the fact I had to add them, but also to enable them to avoid any kind of problems.



            $ sudo smbpasswd -a user1
            $ sudo smbpasswd -e user1
            $ ...


            4] Add users to the groups where they will be. Please notice I thought samba was not able to recognize secondary groups, but actually it does. The mistake was a misusing of the command line.



            The error was:



            $ sudo usermod -G user1 Group1
            $ sudo usermod -G user1 Group2


            If you do:



            $ groups user1


            You have something like:



            user1 Group2


            Because the secondary group has disappeared.



            The good practice is:



            $ sudo usermod -G Group1,Group2,Group3 user1


            In this case:



            $ groups user1


            Will show:



            $ user1 Admin Group1 Group2 Group3


            Please, be careful of primary and secondary groups. An user can be in multiple secondary groups, but only in one primary group.



            So another mistake would be:



            $ sudo usermod -g Group1


            If you do:



            $ groups user1


            You got:



            $ Group1


            4] Create the folders with the good permissions:



            $ sudo mkdir /path/to/Directory1
            $ sudo chown root:Group1 /path/to/Directory1
            $ sudo chmod 2775 /path/to/Directory1


            Please read this if you don't know nothing about file system permissions and setuid, setgid : chmod + setuid and setgid. The permissions and also there inheritances are important for your groups.



            5] Create as many directories you want with the permissions you want.



            6] Configure your smb.conf file with the editor of your choice. I personally use vim. Make a backup first before losing anything that was running well.



            $ sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
            $ sudo vim /etc/samba/smb.conf


            Your config file here, with global config and Directory1 config is:



            [global]

            workgroup = YOUR-LOCAL-WORKGROUP
            server string = %h # hostname
            log file = /var/samba/smb-%h.log
            max log size = 1000
            disable netbios = yes # since this is a standalone server
            server role = standalone server
            veto files = /*.exe/*.com/*.dll/*.bat/*.vbs/*.tmp/ # whatever your want
            delete veto files = yes

            [Directory1]

            path = /path/to/Directory1
            browseable = yes
            guest only = no
            guest ok = yes
            read list = nobody guest
            write list = @Group1
            force create mode = 0665 # please see system file permissions ...
            force directory mode = 2775 # ... and setuid, setgid, right above !


            Please note the execution is important for your users. This allows them to navigate through the directories. But the execution is also a danger regarding files. You don't want you users to execute scripts or whatsoever, reading is widely enough.



            That is why I restrict files on reading and writing for users and reading for anonymous, while I let executing on directories for navigation. Execute a folder is not a danger but execute a file is.



                force create mode = 0665
            force directory mode = 2775


            Note the options delete veto file and veto files are also another shield since you don't want your silly Windows Mac OS X users put blobs or binaries or executable randomwares on your clean server.



            7] Test your config file with a gentle command:



            $ testparm


            8] Everything is good ? Then.



            $ sudo systemctl start smbd.service # or restart
            $ sudo systemctl enable smbd.service


            Now you can log with the method of your choice and see that anonymous can explore the files on the server without the permission of writing it while your authenticated and designated users can read, write and execute -- i.e navigate from a directory to a directory.



            Et voilà ! I hope it will help someone.






            share|improve this answer






























              0














              I finally made it, if it can help someone. I don't know if it is nice, but it works nice with POSIX rights, without ugly ACL.



              1] Create groups



              $ sudo groupadd Group1
              $ sudo groupadd ...


              Please notice I did not create an Admin group since my admin users will be in all the other groups. This is the only way I made it work so far. If someone has a nicer way to deal with for instance an admin group with rights on anything, please tell me ! My solution is correct since I am managing a dozen of accounts but not hundreds or thousands...



              2] Create users (without home folder and ability to use SSH for security reasons)



              $ sudo adduser --no-create-hom --shell /usr/sbin/nologin user1
              $ sudo adduser --no-create-hom --shell /usr/sbin/nologin user...


              3] Add users in smbpasswd database. Please pay attention to the fact I had to add them, but also to enable them to avoid any kind of problems.



              $ sudo smbpasswd -a user1
              $ sudo smbpasswd -e user1
              $ ...


              4] Add users to the groups where they will be. Please notice I thought samba was not able to recognize secondary groups, but actually it does. The mistake was a misusing of the command line.



              The error was:



              $ sudo usermod -G user1 Group1
              $ sudo usermod -G user1 Group2


              If you do:



              $ groups user1


              You have something like:



              user1 Group2


              Because the secondary group has disappeared.



              The good practice is:



              $ sudo usermod -G Group1,Group2,Group3 user1


              In this case:



              $ groups user1


              Will show:



              $ user1 Admin Group1 Group2 Group3


              Please, be careful of primary and secondary groups. An user can be in multiple secondary groups, but only in one primary group.



              So another mistake would be:



              $ sudo usermod -g Group1


              If you do:



              $ groups user1


              You got:



              $ Group1


              4] Create the folders with the good permissions:



              $ sudo mkdir /path/to/Directory1
              $ sudo chown root:Group1 /path/to/Directory1
              $ sudo chmod 2775 /path/to/Directory1


              Please read this if you don't know nothing about file system permissions and setuid, setgid : chmod + setuid and setgid. The permissions and also there inheritances are important for your groups.



              5] Create as many directories you want with the permissions you want.



              6] Configure your smb.conf file with the editor of your choice. I personally use vim. Make a backup first before losing anything that was running well.



              $ sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
              $ sudo vim /etc/samba/smb.conf


              Your config file here, with global config and Directory1 config is:



              [global]

              workgroup = YOUR-LOCAL-WORKGROUP
              server string = %h # hostname
              log file = /var/samba/smb-%h.log
              max log size = 1000
              disable netbios = yes # since this is a standalone server
              server role = standalone server
              veto files = /*.exe/*.com/*.dll/*.bat/*.vbs/*.tmp/ # whatever your want
              delete veto files = yes

              [Directory1]

              path = /path/to/Directory1
              browseable = yes
              guest only = no
              guest ok = yes
              read list = nobody guest
              write list = @Group1
              force create mode = 0665 # please see system file permissions ...
              force directory mode = 2775 # ... and setuid, setgid, right above !


              Please note the execution is important for your users. This allows them to navigate through the directories. But the execution is also a danger regarding files. You don't want you users to execute scripts or whatsoever, reading is widely enough.



              That is why I restrict files on reading and writing for users and reading for anonymous, while I let executing on directories for navigation. Execute a folder is not a danger but execute a file is.



                  force create mode = 0665
              force directory mode = 2775


              Note the options delete veto file and veto files are also another shield since you don't want your silly Windows Mac OS X users put blobs or binaries or executable randomwares on your clean server.



              7] Test your config file with a gentle command:



              $ testparm


              8] Everything is good ? Then.



              $ sudo systemctl start smbd.service # or restart
              $ sudo systemctl enable smbd.service


              Now you can log with the method of your choice and see that anonymous can explore the files on the server without the permission of writing it while your authenticated and designated users can read, write and execute -- i.e navigate from a directory to a directory.



              Et voilà ! I hope it will help someone.






              share|improve this answer




























                0












                0








                0







                I finally made it, if it can help someone. I don't know if it is nice, but it works nice with POSIX rights, without ugly ACL.



                1] Create groups



                $ sudo groupadd Group1
                $ sudo groupadd ...


                Please notice I did not create an Admin group since my admin users will be in all the other groups. This is the only way I made it work so far. If someone has a nicer way to deal with for instance an admin group with rights on anything, please tell me ! My solution is correct since I am managing a dozen of accounts but not hundreds or thousands...



                2] Create users (without home folder and ability to use SSH for security reasons)



                $ sudo adduser --no-create-hom --shell /usr/sbin/nologin user1
                $ sudo adduser --no-create-hom --shell /usr/sbin/nologin user...


                3] Add users in smbpasswd database. Please pay attention to the fact I had to add them, but also to enable them to avoid any kind of problems.



                $ sudo smbpasswd -a user1
                $ sudo smbpasswd -e user1
                $ ...


                4] Add users to the groups where they will be. Please notice I thought samba was not able to recognize secondary groups, but actually it does. The mistake was a misusing of the command line.



                The error was:



                $ sudo usermod -G user1 Group1
                $ sudo usermod -G user1 Group2


                If you do:



                $ groups user1


                You have something like:



                user1 Group2


                Because the secondary group has disappeared.



                The good practice is:



                $ sudo usermod -G Group1,Group2,Group3 user1


                In this case:



                $ groups user1


                Will show:



                $ user1 Admin Group1 Group2 Group3


                Please, be careful of primary and secondary groups. An user can be in multiple secondary groups, but only in one primary group.



                So another mistake would be:



                $ sudo usermod -g Group1


                If you do:



                $ groups user1


                You got:



                $ Group1


                4] Create the folders with the good permissions:



                $ sudo mkdir /path/to/Directory1
                $ sudo chown root:Group1 /path/to/Directory1
                $ sudo chmod 2775 /path/to/Directory1


                Please read this if you don't know nothing about file system permissions and setuid, setgid : chmod + setuid and setgid. The permissions and also there inheritances are important for your groups.



                5] Create as many directories you want with the permissions you want.



                6] Configure your smb.conf file with the editor of your choice. I personally use vim. Make a backup first before losing anything that was running well.



                $ sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
                $ sudo vim /etc/samba/smb.conf


                Your config file here, with global config and Directory1 config is:



                [global]

                workgroup = YOUR-LOCAL-WORKGROUP
                server string = %h # hostname
                log file = /var/samba/smb-%h.log
                max log size = 1000
                disable netbios = yes # since this is a standalone server
                server role = standalone server
                veto files = /*.exe/*.com/*.dll/*.bat/*.vbs/*.tmp/ # whatever your want
                delete veto files = yes

                [Directory1]

                path = /path/to/Directory1
                browseable = yes
                guest only = no
                guest ok = yes
                read list = nobody guest
                write list = @Group1
                force create mode = 0665 # please see system file permissions ...
                force directory mode = 2775 # ... and setuid, setgid, right above !


                Please note the execution is important for your users. This allows them to navigate through the directories. But the execution is also a danger regarding files. You don't want you users to execute scripts or whatsoever, reading is widely enough.



                That is why I restrict files on reading and writing for users and reading for anonymous, while I let executing on directories for navigation. Execute a folder is not a danger but execute a file is.



                    force create mode = 0665
                force directory mode = 2775


                Note the options delete veto file and veto files are also another shield since you don't want your silly Windows Mac OS X users put blobs or binaries or executable randomwares on your clean server.



                7] Test your config file with a gentle command:



                $ testparm


                8] Everything is good ? Then.



                $ sudo systemctl start smbd.service # or restart
                $ sudo systemctl enable smbd.service


                Now you can log with the method of your choice and see that anonymous can explore the files on the server without the permission of writing it while your authenticated and designated users can read, write and execute -- i.e navigate from a directory to a directory.



                Et voilà ! I hope it will help someone.






                share|improve this answer















                I finally made it, if it can help someone. I don't know if it is nice, but it works nice with POSIX rights, without ugly ACL.



                1] Create groups



                $ sudo groupadd Group1
                $ sudo groupadd ...


                Please notice I did not create an Admin group since my admin users will be in all the other groups. This is the only way I made it work so far. If someone has a nicer way to deal with for instance an admin group with rights on anything, please tell me ! My solution is correct since I am managing a dozen of accounts but not hundreds or thousands...



                2] Create users (without home folder and ability to use SSH for security reasons)



                $ sudo adduser --no-create-hom --shell /usr/sbin/nologin user1
                $ sudo adduser --no-create-hom --shell /usr/sbin/nologin user...


                3] Add users in smbpasswd database. Please pay attention to the fact I had to add them, but also to enable them to avoid any kind of problems.



                $ sudo smbpasswd -a user1
                $ sudo smbpasswd -e user1
                $ ...


                4] Add users to the groups where they will be. Please notice I thought samba was not able to recognize secondary groups, but actually it does. The mistake was a misusing of the command line.



                The error was:



                $ sudo usermod -G user1 Group1
                $ sudo usermod -G user1 Group2


                If you do:



                $ groups user1


                You have something like:



                user1 Group2


                Because the secondary group has disappeared.



                The good practice is:



                $ sudo usermod -G Group1,Group2,Group3 user1


                In this case:



                $ groups user1


                Will show:



                $ user1 Admin Group1 Group2 Group3


                Please, be careful of primary and secondary groups. An user can be in multiple secondary groups, but only in one primary group.



                So another mistake would be:



                $ sudo usermod -g Group1


                If you do:



                $ groups user1


                You got:



                $ Group1


                4] Create the folders with the good permissions:



                $ sudo mkdir /path/to/Directory1
                $ sudo chown root:Group1 /path/to/Directory1
                $ sudo chmod 2775 /path/to/Directory1


                Please read this if you don't know nothing about file system permissions and setuid, setgid : chmod + setuid and setgid. The permissions and also there inheritances are important for your groups.



                5] Create as many directories you want with the permissions you want.



                6] Configure your smb.conf file with the editor of your choice. I personally use vim. Make a backup first before losing anything that was running well.



                $ sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
                $ sudo vim /etc/samba/smb.conf


                Your config file here, with global config and Directory1 config is:



                [global]

                workgroup = YOUR-LOCAL-WORKGROUP
                server string = %h # hostname
                log file = /var/samba/smb-%h.log
                max log size = 1000
                disable netbios = yes # since this is a standalone server
                server role = standalone server
                veto files = /*.exe/*.com/*.dll/*.bat/*.vbs/*.tmp/ # whatever your want
                delete veto files = yes

                [Directory1]

                path = /path/to/Directory1
                browseable = yes
                guest only = no
                guest ok = yes
                read list = nobody guest
                write list = @Group1
                force create mode = 0665 # please see system file permissions ...
                force directory mode = 2775 # ... and setuid, setgid, right above !


                Please note the execution is important for your users. This allows them to navigate through the directories. But the execution is also a danger regarding files. You don't want you users to execute scripts or whatsoever, reading is widely enough.



                That is why I restrict files on reading and writing for users and reading for anonymous, while I let executing on directories for navigation. Execute a folder is not a danger but execute a file is.



                    force create mode = 0665
                force directory mode = 2775


                Note the options delete veto file and veto files are also another shield since you don't want your silly Windows Mac OS X users put blobs or binaries or executable randomwares on your clean server.



                7] Test your config file with a gentle command:



                $ testparm


                8] Everything is good ? Then.



                $ sudo systemctl start smbd.service # or restart
                $ sudo systemctl enable smbd.service


                Now you can log with the method of your choice and see that anonymous can explore the files on the server without the permission of writing it while your authenticated and designated users can read, write and execute -- i.e navigate from a directory to a directory.



                Et voilà ! I hope it will help someone.







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited Feb 1 at 12:32

























                answered Feb 1 at 9:24









                jaunergjaunerg

                11




                11






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Super User!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1400568%2fhowto-to-configure-samba-add-users-and-groups-with-different-permissions-in-va%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    Plaza Victoria

                    Puebla de Zaragoza

                    Musa