Samba how inherit the father's folder permissions

hi to everybody

openSUSE 13.1

well … at the local level, I was able to inherit the correct permissions of the parent folder
and everything works fine !!!
enabling either the ACL that mounting the home with bindfs

What I can not understand is how to do the same thing that I do at the local level, but with SAMBA,
namely:
I need to inherit the permissions of “/home/localShared” (smb://Netbook/Shared)

  • I tried with bindfs, but does not work

  • I tried with smb.conf’s permissions and acl, but does not work

  • I tried to change the “/home” permissions in 777 of the file “/etc/permission”

  • I try to change the permissions of the following files?
    /etc/permission.easy, /etc/permission.local, /etc/permission.secure, /etc/permission.paranoid

  • the way … to change the permissions of APPARMOR is the right one?

  • if so, to what folder you need to change the permissions samba Directory to inherit the permissions you want?

  • if so, in the APPARMOR files, for which path I need to change the permissions?

  • for samba shares there is some umask to be set?

Thanks

Hi NeverGiveUp01,

Samba applies a mask to files and directories created inside a share. The default is 0744 for files and 0755 for directories. You can change that with create mask and directory mask share’s parameters, respectively.

For you problem, you should set inherit permissions share’s parameter to true in smb.conf. Note that inherit permissions parameter overrides create mask, directory mask, force create mode and force directory mode:

You may be also interested by inherit owner share’s parameter:

Hi, thank you very much for your help (openSUSE13.1, kde 4.12)

I think I’ve tried all:
umask logindef, the acl, bindfs suid etc. … etc. …
but the permissions remain the same as those of my “home”
the only thing that comes to mind is Aparmor

In any case I attached my smb.conf maybe it is full of errors :frowning:
Ciao and thank you!!

aparmor:


# aa-status
apparmor module is loaded.
29 profiles are loaded.
29 profiles are in enforce mode.
   /sbin/klogd
   /sbin/syslog-ng
   /sbin/syslogd
   /usr/lib/apache2/mpm-prefork/apache2
   /usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
   /usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
   /usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/lib/nagios/plugins/check_dhcp
   /usr/lib/nagios/plugins/check_ntp_time
   /usr/sbin/avahi-daemon
   /usr/sbin/dnsmasq
   /usr/sbin/dovecot
   /usr/sbin/identd
   /usr/sbin/mdnsd
   /usr/sbin/nmbd                                                            -----> ???
   /usr/sbin/nscd
   /usr/sbin/ntpd
   /usr/sbin/smbldap-useradd                                       -----> ???
   /usr/sbin/smbldap-useradd///etc/init.d/nscd           -----> ???
   /usr/sbin/winbindd
   /usr/{sbin/traceroute,bin/traceroute.db}
   /{usr/,}bin/ping
0 profiles are in complain mode.
8 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
8 processes are unconfined but have a profile defined.
   /usr/sbin/avahi-daemon (420) 
   /usr/sbin/nmbd (5140)                                                              
   /usr/sbin/nscd (426) 
   /usr/sbin/ntpd (668) 
   /usr/sbin/winbindd (564) 
   /usr/sbin/winbindd (599) 
   /usr/sbin/winbindd (663) 
   /usr/sbin/winbindd (664) 


smb.conf:


[global]
    ;============== identity ============== 
    workgroup = WORKGROUP                                
    netbios name = Netbook                               
    server string = %i_smb_%v                         
    comment = SonyVaio netbook                           
    ;============== security ==============
    security = user                                      
    ;=========== name resolution ==========
    include = /etc/samba/dhcp.conf
    preferred master = yes                              
    local master = yes                                   
    os level = 65                                        
    wins support = Yes                                   
    dns proxy = no
    name resolve order = wins bcast lmhosts hosts        
    domain master = Auto                          
    domain logons = No                            
    ;================ users ===============
    username map = /etc/samba/smbusers                
    smb passwd file = /etc/samba/smbpasswd               
    passdb backend = tdbsam                
    encrypt passwords = Yes
    ; definire regole password
    ; password level = Yes                             
    ; password level = 2                      
    ; invalid users = root
    guest account = guest                               
    map to guest = Bad User                        
    usershare allow guests = Yes
    ; idmap gid = 10000-20000 ...deprecated
    ; idmap uid = 10000-20000 ...deprecated
    ;================ hosts ================
    hostname lookups = No                               
    hosts allow = 192.168.                               
    hosts deny = ALL EXCEPT 192.168.
    interfaces = 192.168.1.0/255.255.255.0 127.0.0.1
    ; interfaces = eth0 lo
    bind interfaces only = Yes
    ;=============== shares ================
    usershare max shares = 100    
    ;============= permissions =============
    ; create mask = 0755                                 
    ;================ debug ================
    log file = /var/log/samba/samba.%m.log
    log level = 3
    max log size = 50
    debug pid = no
    debug uid = no
    max log size = 200
    ;======= performance optimizations ======
    winbind enum users = No                       
    winbind enum groups = No                              
    socket options = TCP_NODELAY
    ;================ scripts ===============
    logon home = \\%L\%U\.profile                         
    logon path = \\%L\samba\profiles\%U                   
    logon drive = P:                                      
    logon script = netlogon.bat                           
    ;=============== printers ===============
    printing = cups                                       
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    load printers = yes
    ; display charset = ISO-8859-15
    unix charset = ISO-8859-15
        
        
[Homes]
    comment = %L/%u_on_%I                                 
    path = /home/%u                                       
    case sensitive = No                                 
    ;============== security ==============
    available = Yes                                       
    browseable = No                                       
    valid users = @users                                  
    ; invalid users = root                                
    guest ok = No                                         
    read only = No
    follow symlinks = No
    veto files = /MyNetwork/groups/Shared/Public/core/cores/lost+found/*Security*/
    ; prefix allow list =                                 
    ; prefix deny list =                                  
    hide dot files = yes
    hide special files = yes
    hide unreadable = no
    hide unwriteable files = no
    strict locking = No                                   
    ;========= samba permissions ==========
    
    ;============ recycle bin =============
    vfs objects = recycle
    recycle:repository = /home/NetTrash/%U
    recycle:keeptree = yes
    recycle:versions = yes
    recycle:exclude = *.tmp,*.log
    recycle:exclude_dir =
    recycle:touch = Yes
    recycle:maxsize = 20480
    recycle:directory_mode = 0770
    recycle:subdir_mode = 0700    
    recycle:noversions = *.doc
    

[Shared]
    comment = %L/Shared_on_%I                             
    path = /home/Shared                                   
    case sensitive = No                              
    ;============== security ==============
    available = Yes                                       
    browseable = Yes                                      
    admin users =                                         
    valid users = @users                                  
    ; invalid users = root                                
    guest ok = No                                         
    read only = No
    write list = @users guest                             
    read list =                                           
    follow symlinks = No
    veto files = /MyNetwork/groups/Shared/Public/core/cores/lost+found/*Security*/
    ; prefix allow list =                                 
    ; prefix deny list =                                  
    hide dot files = yes
    hide special files = yes
    hide unreadable = no
    hide unwriteable files = no
    strict locking = No                                   
    ;========= samba permissions ==========
    ; force user = guest                                  
    force group = users                                   
    directory mask = 2774                                 
    force directory mode = 2774
    create mask = 2774                                    
    force create mode = 2774    
    vfs objects = acl_xattr                               
    acl group control = Yes
    acl map full control = Yes
    nt acl support = Yes
    profile acls = No
    map acl inherit = Yes
    map archive = no
    ; force unknown acl user = No
    map acl inherit = Yes                                 
    inherit acls = Yes                                    
    inherit owner = Yes
    inherit permissions = Yes 
    ;============ recycle bin =============
    vfs objects = recycle
    recycle:repository = /home/NetTrash/%U
    recycle:keeptree = yes
    recycle:versions = yes
    recycle:exclude = *.tmp,*.log
    recycle:exclude_dir =
    recycle:touch = Yes
    recycle:maxsize = 20480
    recycle:directory_mode = 0770
    recycle:subdir_mode = 0700    
    recycle:noversions = *.doc


I’m not familiar with AppArmor, but by reading the configuration of your SMB share Shared I see that you set inhererit permissions to Yes after you have set the file mask and directory mask. In consequence, the values you set for create mask, directory mask, force create mode and force directory mode are overwritten by the permissions of the parent folder.

My recommendation is to delete or deactivate share’s inherit permissions parameter. The values you set for the file mask and directory mask would then be effective.

Are you a great thanks 1k:)
in these days I’ll try
and I’ll tell you

ciaooo