Thread: Samba how inherit the father's folder permissions

  1. #1

    Hi to everybody,

    openSUSE 13.1

    Well ... at the local level, I was able to inherit the correct permissions of the parent folder
    and everything works fine!!!
    enabling either the ACL or mounting the home with bindfs

    What I cannot understand is how to do the same thing that I do at the local level, but with Samba,
    namely:
    I need to inherit the permissions of "/home/localShared" (smb://Netbook/Shared)
    - I tried with bindfs, but it does not work
    - I tried with smb.conf's permissions and acl, but it does not work
    - I tried to change the "/home" permissions to 777 in the file "/etc/permission"

    - Should I try to change the permissions in the following files?
    /etc/permission.easy, /etc/permission.local, /etc/permission.secure, /etc/permission.paranoid
    - Is changing the permissions of AppArmor the right way?
    - If so, for what folder do you need to change the permissions for the Samba directory to inherit the permissions you want?
    - If so, in the AppArmor files, for which path do I need to change the permissions?
    - For Samba shares, is there some umask to be set?

    Thanks

  2. #2

    Hi NeverGiveUp01,

    Samba applies a mask to files and directories created inside a share. The default is 0744 for files and 0755 for directories. You can change that with the create mask and directory mask share parameters, respectively.

    For your problem, you should set the inherit permissions share parameter to true in smb.conf. Note that the inherit permissions parameter overrides create mask, directory mask, force create mode and force directory mode:

    Quote Originally Posted by man smb.conf 5
    inherit permissions (S)


    The permissions on new files and directories are normally governed by create mask, directory mask, force create mode and force directory mode but the boolean inherit permissions parameter overrides this.

    New directories inherit the mode of the parent directory, including bits such as setgid.

    New files inherit their read/write bits from the parent directory. Their execute bits continue to be determined by map archive, map hidden and map system as usual.

    Note that the setuid bit is never set via inheritance (the code explicitly prohibits this).

    This can be particularly useful on large systems with many users, perhaps several thousand, to allow a single [homes] share to be used flexibly by each user.

    Default: inherit permissions = no

    You may also be interested in the inherit owner share parameter:

    Quote Originally Posted by man smb.conf 5
    inherit owner (S)


    The ownership of new files and directories is normally governed by effective uid of the connected user. This option allows the Samba administrator to specify that the ownership for new files and directories should be controlled by the ownership of the parent directory.

    Common scenarios where this behavior is useful is in implementing drop-boxes where users can create and edit files but not delete them and to ensure that newly created files in a user's roaming profile directory are actually owned by the user.

    Default: inherit owner = no
    Kalten

  3. #3

    Hi, thank you very much for your help (openSUSE 13.1, KDE 4.12)

    I think I've tried everything:
    umask logindef, the acl, bindfs suid etc. .. etc. ..
    but the permissions remain the same as those of my "home"
    the only thing that comes to mind is AppArmor

    In any case, I attached my smb.conf; maybe it is full of errors
    Ciao and thank you!!

    AppArmor:
    Code:
    # aa-status
    apparmor module is loaded.
    29 profiles are loaded.
    29 profiles are in enforce mode.
       /sbin/klogd
       /sbin/syslog-ng
       /sbin/syslogd
       /usr/lib/apache2/mpm-prefork/apache2
       /usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
       /usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
       /usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
       /usr/lib/dovecot/deliver
       /usr/lib/dovecot/dovecot-auth
       /usr/lib/dovecot/imap
       /usr/lib/dovecot/imap-login
       /usr/lib/dovecot/managesieve-login
       /usr/lib/dovecot/pop3
       /usr/lib/dovecot/pop3-login
       /usr/lib/nagios/plugins/check_dhcp
       /usr/lib/nagios/plugins/check_ntp_time
       /usr/sbin/avahi-daemon
       /usr/sbin/dnsmasq
       /usr/sbin/dovecot
       /usr/sbin/identd
       /usr/sbin/mdnsd
       /usr/sbin/nmbd                                                            -----> ???
       /usr/sbin/nscd
       /usr/sbin/ntpd
       /usr/sbin/smbldap-useradd                                       -----> ???
       /usr/sbin/smbldap-useradd///etc/init.d/nscd           -----> ???
       /usr/sbin/winbindd
       /usr/{sbin/traceroute,bin/traceroute.db}
       /{usr/,}bin/ping
    0 profiles are in complain mode.
    8 processes have profiles defined.
    0 processes are in enforce mode.
    0 processes are in complain mode.
    8 processes are unconfined but have a profile defined.
       /usr/sbin/avahi-daemon (420) 
       /usr/sbin/nmbd (5140)                                                              
       /usr/sbin/nscd (426) 
       /usr/sbin/ntpd (668) 
       /usr/sbin/winbindd (564) 
       /usr/sbin/winbindd (599) 
       /usr/sbin/winbindd (663) 
       /usr/sbin/winbindd (664)
    smb.conf:
    Code:
    [global]
        ;============== identity ============== 
        workgroup = WORKGROUP                                
        netbios name = Netbook                               
        server string = %i_smb_%v                         
        comment = SonyVaio netbook                           
        ;============== security ==============
        security = user                                      
        ;=========== name resolution ==========
        include = /etc/samba/dhcp.conf
        preferred master = yes                              
        local master = yes                                   
        os level = 65                                        
        wins support = Yes                                   
        dns proxy = no
        name resolve order = wins bcast lmhosts hosts        
        domain master = Auto                          
        domain logons = No                            
        ;================ users ===============
        username map = /etc/samba/smbusers                
        smb passwd file = /etc/samba/smbpasswd               
        passdb backend = tdbsam                
        encrypt passwords = Yes
        ; define password rules
        ; password level = Yes                             
        ; password level = 2                      
        ; invalid users = root
        guest account = guest                               
        map to guest = Bad User                        
        usershare allow guests = Yes
        ; idmap gid = 10000-20000 ...deprecated
        ; idmap uid = 10000-20000 ...deprecated
        ;================ hosts ================
        hostname lookups = No                               
        hosts allow = 192.168.                               
        hosts deny = ALL EXCEPT 192.168.
        interfaces = 192.168.1.0/255.255.255.0 127.0.0.1
        ; interfaces = eth0 lo
        bind interfaces only = Yes
        ;=============== shares ================
        usershare max shares = 100    
        ;============= permissions =============
        ; create mask = 0755                                 
        ;================ debug ================
        log file = /var/log/samba/samba.%m.log
        log level = 3
        max log size = 50
        debug pid = no
        debug uid = no
        max log size = 200
        ;======= performance optimizations ======
        winbind enum users = No                       
        winbind enum groups = No                              
        socket options = TCP_NODELAY
        ;================ scripts ===============
        logon home = \\%L\%U\.profile                         
        logon path = \\%L\samba\profiles\%U                   
        logon drive = P:                                      
        logon script = netlogon.bat                           
        ;=============== printers ===============
        printing = cups                                       
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        load printers = yes
        ; display charset = ISO-8859-15
        unix charset = ISO-8859-15
            
            
    [Homes]
        comment = %L/%u_on_%I                                 
        path = /home/%u                                       
        case sensitive = No                                 
        ;============== security ==============
        available = Yes                                       
        browseable = No                                       
        valid users = @users                                  
        ; invalid users = root                                
        guest ok = No                                         
        read only = No
        follow symlinks = No
        veto files = /MyNetwork/groups/Shared/Public/core/cores/lost+found/*Security*/
        ; prefix allow list =                                 
        ; prefix deny list =                                  
        hide dot files = yes
        hide special files = yes
        hide unreadable = no
        hide unwriteable files = no
        strict locking = No                                   
        ;========= samba permissions ==========
        
        ;============ recycle bin =============
        vfs objects = recycle
        recycle:repository = /home/NetTrash/%U
        recycle:keeptree = yes
        recycle:versions = yes
        recycle:exclude = *.tmp,*.log
        recycle:exclude_dir =
        recycle:touch = Yes
        recycle:maxsize = 20480
        recycle:directory_mode = 0770
        recycle:subdir_mode = 0700    
        recycle:noversions = *.doc
        
    
    [Shared]
        comment = %L/Shared_on_%I                             
        path = /home/Shared                                   
        case sensitive = No                              
        ;============== security ==============
        available = Yes                                       
        browseable = Yes                                      
        admin users =                                         
        valid users = @users                                  
        ; invalid users = root                                
        guest ok = No                                         
        read only = No
        write list = @users guest                             
        read list =                                           
        follow symlinks = No
        veto files = /MyNetwork/groups/Shared/Public/core/cores/lost+found/*Security*/
        ; prefix allow list =                                 
        ; prefix deny list =                                  
        hide dot files = yes
        hide special files = yes
        hide unreadable = no
        hide unwriteable files = no
        strict locking = No                                   
        ;========= samba permissions ==========
        ; force user = guest                                  
        force group = users                                   
        directory mask = 2774                                 
        force directory mode = 2774
        create mask = 2774                                    
        force create mode = 2774    
        vfs objects = acl_xattr                               
        acl group control = Yes
        acl map full control = Yes
        nt acl support = Yes
        profile acls = No
        map acl inherit = Yes
        map archive = no
        ; force unknown acl user = No
        map acl inherit = Yes                                 
        inherit acls = Yes                                    
        inherit owner = Yes
        inherit permissions = Yes 
        ;============ recycle bin =============
        vfs objects = recycle
        recycle:repository = /home/NetTrash/%U
        recycle:keeptree = yes
        recycle:versions = yes
        recycle:exclude = *.tmp,*.log
        recycle:exclude_dir =
        recycle:touch = Yes
        recycle:maxsize = 20480
        recycle:directory_mode = 0770
        recycle:subdir_mode = 0700    
        recycle:noversions = *.doc

  4. #4

    Quote Originally Posted by NeverGiveUp01
    but the permissions remain the same as those of my "home"
    the only thing that comes to mind is AppArmor

    I'm not familiar with AppArmor, but by reading the configuration of your SMB share Shared I see that you set inherit permissions to Yes after you have set the file mask and directory mask. As a consequence, the values you set for create mask, directory mask, force create mode and force directory mode are overwritten by the permissions of the parent folder.

    My recommendation is to delete or deactivate the share's inherit permissions parameter. The values you set for the file mask and directory mask would then be effective.
    Kalten
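
The rules quoted from smb.conf(5) in this thread, applied to the mask values posted for the [Shared] share, as an added example (not code from the thread or from Samba). It is a simplified model: the function and parameter names are hypothetical, the parent mode 02770 is a constructed sample, and the DOS read-only attribute is ignored.

```python
import stat

RW_BITS = 0o666  # read/write bits for user, group and other


def new_mode(is_dir, parent_mode, *, inherit_permissions,
             create_mask=0o744, force_create_mode=0o000,
             directory_mask=0o755, force_directory_mode=0o000,
             dos_exec_bits=0o000):
    """Model the Unix mode of a file or directory newly created via a share.

    dos_exec_bits stands for the execute bits produced by map archive,
    map hidden and map system (0 when they are off, as with
    'map archive = no' in the posted share). Hypothetical helper.
    """
    if inherit_permissions:
        # The setuid bit is never inherited; setgid and the rest are kept.
        parent = stat.S_IMODE(parent_mode) & ~stat.S_ISUID
        if is_dir:
            return parent                           # full parent mode
        return (parent & RW_BITS) | dos_exec_bits   # only r/w bits for files
    # Without inheritance: AND with the mask, then OR in the force mode.
    if is_dir:
        return (0o777 & directory_mask) | force_directory_mode
    return ((RW_BITS | dos_exec_bits) & create_mask) | force_create_mode


# Mask values as posted for [Shared] in the thread.
SHARED = dict(create_mask=0o2774, force_create_mode=0o2774,
              directory_mask=0o2774, force_directory_mode=0o2774)


def compare(parent_mode):
    """Return {(kind, inherit): 'octal mode'} for the posted mask values."""
    out = {}
    for inherit in (True, False):
        for kind, is_dir in (("file", False), ("dir", True)):
            mode = new_mode(is_dir, parent_mode,
                            inherit_permissions=inherit, **SHARED)
            out[(kind, inherit)] = format(mode, "04o")
    return out


if __name__ == "__main__":
    # Constructed sample: parent directory is drwxrws--- (02770).
    for key, mode in compare(0o2770).items():
        print(key, mode)
```

With inherit permissions on, the four mask lines have no effect on the result; only the mode of the parent directory matters, so that mode is the one to check on disk.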

  5. #5

    You are great, thanks 1k
    In the next few days I'll try
    and I'll tell you

    ciaooo
