Solved

Can't add write permission for 'group' or 'world' on Samba shares - FC4

Posted on 2006-07-24
Last Modified: 2008-01-16
I have an FC4 box with a second HDD that I mount under /mnt/shr2.  On this HDD are several folders and files that I share with Windows using Samba.  I've set up Samba as a PDC.  All worked great until I tried to add users to my domain and have them access the files of the Samba shares.  The original file creator can read/write the files, but the new users cannot.  I've created a group and put the users that should have access in that group, but when I try to chmod the files / folders, the settings do not take effect.  I would like to change permissions for the files so that anyone in that group has read/write access to the files.  Included are parts of my fstab, smb.conf, and passwd files.

Thanks,

fstab:
/dev/hdd1               /mnt/shr2              vfat defaults,gid=450      0 0


smb.conf:
[global]
        workgroup = LSSFILES
        netbios name = LSS
        server string = LSS Domain
        username map = /etc/samba/smbusers
        log file = /var/log/samba/%m.log
        max log size = 50
        name resolve order = lmhosts wins bcast
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        logon path = \\%L\Profiles
        domain logons = Yes
        os level = 50
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap ssl = no
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431

[Files]
        path = /mnt/shr2/Server
        valid users = webdev, software, designer, lightningss$, root
        read only = No

passwd:
designer:x:500:450::/home/LSSdesigner:/bin/bash
lightningss$:*:1000:900:Trust Account:/dev/null:/dev/null
lss-design$:*:999:900:Trust Account:/dev/null:/dev/null
webdev:x:1002:450::/home/webdev:/bin/bash
software:x:1003:450::/home/software:/bin/bash
Question by:jabeavers
31 Comments
 
LVL 51

Expert Comment

by:ahoffmann
please post result of:
  ls -ld /mnt/shr2/Server
  ps axl | awk '/smbd/{print $2" "$4" "$13}' | sort -u
0
 

Author Comment

by:jabeavers
Here are the results:

[root@server ~]# ls -ld /mnt/shr2/Server
drwxr-xr-x  4 designer developers 32768 Jun 27 11:59 /mnt/shr2/Server

[root@server ~]# ps axl | awk '/smbd/{print $2" "$4" "$13}' | sort -u
0 1 smbd
0 2004 smbd
0 7604 awk
0
 
LVL 12

Expert Comment

by:ibu1
If designer is the user and developer is the group, then do this exactly:
# cd /home/designer
# chown -R designer:developer /home/designer

OR

# chown -R user:group /path to the directory


BEST OF LUCK
0
 
LVL 12

Expert Comment

by:ibu1
OR
just copy and paste this
# chown -R designer:developer /mnt/shr2/Server

Here it is supposed that the new user you add is designer. Replace designer with your new user name.

BEST OF LUCK
0
 
LVL 51

Expert Comment

by:ahoffmann
is 2004 the uid of user designer?
0
 

Author Comment

by:jabeavers
I tried to chown the shared files I want, as you suggested:

# chown -R designer:developers /mnt/shr2/Server

This gave me an "Operation not permitted" warning on all of the files and folders.  However, the owner and group are set to the correct users and groups, it's just that the group permissions on the files will not accept write privileges when I chmod the files / folders.

John

BTW:

2004 is not the uid of designer if I am reading my info correctly.  I've included a snippet of the passwd file in my first post, and it says that designer's uid is 500.  Hope that helps.
0
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 100 total points
> 2004 is not the uid of designer ..
just seen it in the initial question.
You need to make designer (500) and the user with uid 2004 being a member of the same group.
Depending on your other configuration of smbd.conf,
   chown -R
will not only fail (with permission denied) but also make your service unavailable for other users.
0
 

Author Comment

by:jabeavers
How do I find out the name of the user with uid 2004?

John
0
 
LVL 51

Expert Comment

by:ahoffmann
grep :2004: /etc/passwd
0
 

Author Comment

by:jabeavers
That just returned a blank line.  Also, I checked the passwd file manually, and there is no 2004 user in it.  What does that mean for samba?
0
 
LVL 51

Expert Comment

by:ahoffmann
Damn, trapped in my own cryptic command.
2004 is the PID, not a UID.
Please check with   ps aux   which user is running smbd
0
 

Author Comment

by:jabeavers
Ok, root is running smbd.  Should I change the user or add root to the developers group?

John
0
 
LVL 11

Expert Comment

by:kblack05
First of all you need to be sure that the group in your SMB conf file is the same as the actual name of the workgroup the nodes are in on your local network:

workgroup = LSSFILES

Check your domain controller / PDC / Domain admin, to be sure that this is in fact the name of the workgroup that the computers writing to the share reside on.

Next, I'd like to see your /etc/fstab entry for samba...the mount should look something like this (to get correct results):

the /etc/fstab entry I use (all on one line):

//raid/userid   /home/uersid    smbfs users,noauto,nodev,fmask=664,dmask=775 0 0

These permissions and paths should be modified for your own liking.


0
 
LVL 11

Expert Comment

by:kblack05
Looking at your initial post on fstab, you will need to add

noauto,nodev,fmask=664,dmask=775 0 0


then re-export the filesystem. (This used to be exportfs from NFS but now I think you just restart the daemon / system...)
0
 

Author Comment

by:jabeavers
OK, sorry about the long time between posts.  I added root to the developers group, no effect.  The workgroups are the same, so that's no problem.  I added the options to my fstab entry as suggested by kblack05 (except noauto because I do want it to mount automatically), but it changed my permissions to an even worse situation (see below).


[root@server shr2]# ls -l my.cnf
--------w-  1 designer developers 7527 Feb 16  2005 my.cnf
[root@server shr2]# chmod 777 my.cnf
[root@server shr2]# ls -l my.cnf
--------w-   1 designer developers     7527 Feb 16  2005 my.cnf
[root@server shr2]# chmod +w my.cnf
[root@server shr2]# ls -l my.cnf
--------w-  1 designer developers 7527 Feb 16  2005 my.cnf
[root@server shr2]#

This is a sequence I inputted at the console and you can see my results.  Prior to adding the new entries to the fstab, my permissions were:

rwxr-xr-x

Now they are as you see them above.  Things are getting worse, not better, and I still cannot change the permissions of the files, as can be seen above.  What's going on? Please help.

John
0
 

Author Comment

by:jabeavers
I removed the fmask and dmask options from fstab, and my permissions went back to rwxr-xr-x, but I still cannot change the permissions using chmod.

Any ideas? Anybody?

John
0
 
LVL 11

Expert Comment

by:kblack05
John, the command above simply adds world writability where it already exists. It didn't change the permissions as according to chmod they were the same as requested.

I think what you want is

chmod 0755 my.cnf

http://www.tu-berlin.de/zrz/dienste/www/manpages/chmod.html
0
 

Author Comment

by:jabeavers
Here is a sequence of commands and outputs I entered (I'm just using my.cnf as an example so that there's not a long list of files and folders).

[root@server shr2]# ls -l my.cnf
-rwxr-xr-x  1 designer developers 7527 Feb 16  2005 my.cnf
[root@server shr2]# chmod -v 0777 my.cnf
mode of `my.cnf' changed to 0777 (rwxrwxrwx)
[root@server shr2]# ls -l my.cnf
-rwxr-xr-x  1 designer developers 7527 Feb 16  2005 my.cnf
[root@server shr2]#


Here is another sequence that I tried.  It would not let me change the first digit on the file.

[root@server shr2]# ls -l my.cnf
-rwxr-xr-x  1 designer developers 7527 Feb 16  2005 my.cnf
[root@server shr2]# chmod -v 2777 my.cnf
failed to change mode of `my.cnf' to 2777 (rwxrwsrwx)
chmod: changing permissions of `my.cnf': Operation not permitted
[root@server shr2]# ls -l my.cnf
-rwxr-xr-x  1 designer developers 7527 Feb 16  2005 my.cnf
[root@server shr2]#


As can be seen in the top sequence, it says that the permissions are changed, however, when I list the files again, the permissions revert to what they were before.  I don't care about the first digit in chmod (in the second sequence of commands), I just included it in case it helped anybody know what was going on.

By the way, I am able to change the privileges on the files to settings other than adding write privileges to group and all.  See below

[root@server shr2]# ls -l my.cnf
-rwxr-xr-x  1 designer developers 7527 Feb 16  2005 my.cnf
[root@server shr2]# chmod 444 my.cnf
[root@server shr2]# ls -l my.cnf
-r--r--r--  1 designer developers 7527 Feb 16  2005 my.cnf
[root@server shr2]# chmod 777 my.cnf
[root@server shr2]# ls -l my.cnf
-rwxr-xr-x  1 designer developers 7527 Feb 16  2005 my.cnf
[root@server shr2]#

I hope this helps you all figure out what's wrong.

Thanks,

John
0
 
LVL 11

Expert Comment

by:kblack05
John I think you might be running a security program which is modifying ... perhaps a default install of msec or similar...

Can you post the output of

ls /etc/cron*
0
 

Author Comment

by:jabeavers
Here you go.

[root@server ~]# ls /etc/cron*
/etc/cron.deny  /etc/crontab

/etc/cron.d:

/etc/cron.daily:
00-logwatch  00webalizer  0anacron  certwatch  cups  logrotate  makewhatis.cron  prelink  rpm  slocate.cron  tmpwatch  yum.cron

/etc/cron.hourly:

/etc/cron.monthly:
0anacron

/etc/cron.weekly:
0anacron  makewhatis.cron  yum.cron
[root@server ~]#
0
 
LVL 11

Expert Comment

by:kblack05
Ok can you try this?

setenforce 0

Then try what you are doing again and see if it works?

0
 

Author Comment

by:jabeavers
Still no go.  When you had me change the entry in fstab, it changed the permissions on the files on that drive and would not let me change them back (similar to what it is doing currently).  However, it changed the permissions to an unacceptable setting.  I wonder if fstab has anything to do with it.

John
0
 
LVL 11

Accepted Solution

by:
kblack05 earned 400 total points
fstab tells the server how it can mount or unmount filesystems and their permissions states. You can always remove the entry in fstab, then reboot the computer or remount those systems...

It's likely we are up against a filesystem permissions policy with FC. I've seen it before...usually setenforce 0 does the trick.

0
 
LVL 11

Expert Comment

by:kblack05
make that MODIFY the entry in fstab
0
 
LVL 11

Expert Comment

by:kblack05
For example set the fstab entry from fmask=664 to fmask=755
0
 

Author Comment

by:jabeavers
I'm reading the man page for fstab on the fat file system.  It says that the umask option "Sets the umask (the bitmask of the permissions that are *not* present)".  What does it mean by "not present"?
0
 
LVL 11

Expert Comment

by:kblack05
Meaning if the set bit is already set, you must mask it. It will NOT remove the sticky bit, you'll need chmod for that. (Which I noticed you did set the sticky bit in another post above)
0
 

Author Comment

by:jabeavers
Okay, I changed the umask to 775, and this is what it did when I rebooted it.

[root@server shr2]# ls -l
total 25952
d-------w-   4 designer developers    32768 Jun 27 10:14 Backups
--------w-   1 designer developers    32768 Dec 31  1979 fsck0000.rec
--------w-   1 designer developers    32768 Dec 31  1979 fsck0001.rec
--------w-   1 designer developers    32768 Dec 31  1979 fsck0002.rec
--------w-   1 designer developers    32768 Dec 31  1979 fsck0003.rec
--------w-   1 designer developers      795 Feb 16  2005 fstab
--------w-   1 designer developers       46 Feb 16  2005 lmhosts
--------w-   1 designer developers       40 Feb 16  2005 lmhosts~
--------w-   1 designer developers     7527 Feb 16  2005 my.cnf
d---------  13 designer developers    32768 Aug 23 13:25 mysql_data
--------w-   1 designer developers 25791187 Feb 16  2005 mysql-standard-5.0.18-linux-i686.tar.gz
--------w-   1 designer developers    81920 Nov  9  2005 php_dbg.dll-5.0.3
--------w-   1 designer developers     8192 Feb 16  2005 secrets.tdb
d-------w-   4 designer developers    32768 Jun 27 11:59 Server
d-------w-   6 designer developers    32768 Jan  2  2006 Shares
--------w-   1 designer developers     8480 Feb 16  2005 smb.conf
--------w-   1 designer developers     7932 Feb 16  2005 smb.conf~
--------w-   1 designer developers    10836 Feb 16  2005 smb.conf.backup
--------w-   1 designer developers      424 Feb 16  2005 smbpasswd
--------w-   1 designer developers      159 Feb 16  2005 smbusers
d-------w-   2 designer developers    32768 Jan 10  2006 tmp
d-------w-   3 designer developers    32768 Jul 15 14:25 uml
[root@server shr2]#

This is not what I want. :)

John
0
 
LVL 11

Expert Comment

by:kblack05
Actually these should already be modified. 755 is
user read+write+execute, group read+execute, other read+execute. What you have there looks like the result of using alphabetical mods

chmod u+rwx,g+rx,o+rx FILE
0
 

Author Comment

by:jabeavers
Ok, I guess I had things backward.  After playing with fstab, I discovered that the bitmask subtracted from the permission octal settings.  Therefore, setting the umask to 000 set the permissions to 777.  See below.

/dev/hdd1               /mnt/shr2              vfat users,rw,dev,exec,auto,async,suid,uid=500,gid=450,umask=000      0 0

[root@server ~]# ls -l /mnt/shr2
total 25952
drwxrwxrwx   4 designer developers    32768 Jun 27 10:14 Backups
-rwxrwxrwx   1 designer developers    32768 Dec 31  1979 fsck0000.rec
-rwxrwxrwx   1 designer developers    32768 Dec 31  1979 fsck0001.rec
-rwxrwxrwx   1 designer developers    32768 Dec 31  1979 fsck0002.rec
-rwxrwxrwx   1 designer developers    32768 Dec 31  1979 fsck0003.rec
-rwxrwxrwx   1 designer developers      795 Feb 16  2005 fstab
-rwxrwxrwx   1 designer developers       46 Feb 16  2005 lmhosts
-rwxrwxrwx   1 designer developers       40 Feb 16  2005 lmhosts~
-rwxrwxrwx   1 designer developers     7527 Feb 16  2005 my.cnf
dr-xr-xr-x  13 designer developers    32768 Aug 23 13:36 mysql_data
-rwxrwxrwx   1 designer developers 25791187 Feb 16  2005 mysql-standard-5.0.18-linux-i686.tar.gz
-rwxrwxrwx   1 designer developers    81920 Nov  9  2005 php_dbg.dll-5.0.3
-rwxrwxrwx   1 designer developers     8192 Feb 16  2005 secrets.tdb
drwxrwxrwx   4 designer developers    32768 Jun 27 11:59 Server
drwxrwxrwx   6 designer developers    32768 Jan  2  2006 Shares
-rwxrwxrwx   1 designer developers     8480 Feb 16  2005 smb.conf
-rwxrwxrwx   1 designer developers     7932 Feb 16  2005 smb.conf~
-rwxrwxrwx   1 designer developers    10836 Feb 16  2005 smb.conf.backup
-rwxrwxrwx   1 designer developers      424 Feb 16  2005 smbpasswd
-rwxrwxrwx   1 designer developers      159 Feb 16  2005 smbusers
drwxrwxrwx   2 designer developers    32768 Jan 10  2006 tmp
drwxrwxrwx   3 designer developers    32768 Jul 15 14:25 uml
[root@server ~]#

I now have the permissions set how I want them.

Thanks all of you for your help.  Give me some time to figure out the points situation.

John
0
 
LVL 11

Expert Comment

by:kblack05
That's right, umask is unmask. I'm glad you got it working properly...
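
The listings in this thread (chmod 777 reported as changed while ls still shows rwxr-xr-x, chmod 2777 refused, umask=775 giving --------w-, umask=000 giving rwxrwxrwx) all follow from vfat storing no per-file Unix permissions and deriving them from the mount mask. As an added example that is not part of any post above, here is a small shell model of that rule; the function names are hypothetical and 022 is an assumed mask for the original rwxr-xr-x state.

```shell
#!/bin/sh
# Added example: simplified model of how the vfat driver derives permission
# bits. Assumption, checked against the listings in this thread:
#   mode = (0555 if the FAT read-only attribute is set, else 0777) & ~mask

# vfat_mode MASK [ro] -> 3-digit octal mode that ls shows for a mounted entry
vfat_mode() {
    base=$((0777))
    if [ "${2:-}" = "ro" ]; then base=$((0555)); fi
    printf '%03o\n' $(( base & ~(0$1) & 0777 ))
}

# vfat_chmod MASK REQUESTED -> octal mode after chmod, or EPERM.
# Bits outside rwxrwxrwx (setuid/setgid/sticky) are rejected; the rest are
# clamped by the mount mask, so chmod "succeeds" but masked bits never appear.
vfat_chmod() {
    req=$(( 0$2 ))
    if [ $(( req & ~0777 )) -ne 0 ]; then
        echo EPERM
        return 1
    fi
    printf '%03o\n' $(( req & ~(0$1) ))
}

# perm_str OCTAL -> rwx string as printed by ls -l (without the type character)
perm_str() {
    m=$(( 0$1 )); out=
    for s in 6 3 0; do
        t=$(( (m >> s) & 7 ))
        for pair in 4:r 2:w 1:x; do
            if [ $(( t & ${pair%%:*} )) -ne 0 ]; then
                out="$out${pair#*:}"
            else
                out="$out-"
            fi
        done
    done
    printf '%s\n' "$out"
}

# Masks 775 and 000 are from the thread; 022 and 002 are assumed for comparison.
for mask in 022 775 000 002; do
    echo "umask=$mask entry=$(perm_str "$(vfat_mode "$mask")")" \
         "read-only entry=$(perm_str "$(vfat_mode "$mask" ro)")"
done
echo "chmod 777 under umask=022 -> $(perm_str "$(vfat_chmod 022 777)")"
```

In this model `umask=002` together with `gid=450` gives rwxrwxr-x, which grants the group write access asked for in the question without making files such as smbpasswd and secrets.tdb world-writable as `umask=000` does.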
0
