Solved

Samba shared file permissions do not transcend to sub folders/files

Posted on 2010-08-30
Last Modified: 2012-05-10
We use RHEL5.3 with the default Samba version 3.0.33. When a Windows user drops a file into a Samba share, no other users can access the file because it is owned by that user.
Is there a way to allow Linux to propagate permissions from the root object to all sub files and directories when a new file/directory is added?
Question by:Starrett2005
9 Comments
 

Expert Comment

by:AtlanticNetworking
ID: 33561507
If you

chown -R root:users /home/shares/allusers/
chmod -R ug+rwx,o+rx-w /home/shares/allusers/

Where /home/shares/allusers/ is your shared directory

Also ensure in smb.conf:

[allusers]
  path = /home/shares/allusers
  valid users = @users
  force group = users
  create mask = 0660
  directory mask = 0771
  writable = yes

That should work
 
LVL 16

Expert Comment

by:JammyPak
ID: 33562257
I think you want to include g+s on the group option for chmod...that way the group owner of the parent directory will also be the group owner for anything added to that directory. If the group has permissions on the parent, they will be inherited.

chmod -R g+rwxs <top-level-folder>

 
LVL 4

Expert Comment

by:Blundey
ID: 33564939
I tend to add users into the same group for the same share. This makes managing the security easier for myself.

This is a snippet of my smb.conf

[Company Name]
path = /shares/CoName
writeable = yes
browseable = yes
valid users = user1, user2, user3, user4
create mask = 0770
directory mask = 0770
force create mode = 0770
force directory mode = 0770
force group = +jhp

Then do a restart of the samba service and all should be well


Author Comment

by:Starrett2005
ID: 33568805
Reset permissions first to:
chmod -R 0770 /u01/US/

chmod -R ug+rwx,o+rx-w /u01/US/
Results:
-rwxrwxr-x  applssd programmers  root:object_r:file_t             LMISRDB1.fmb
-rwxr--r--  testuser domain users root:object_r:file_t            Dropped_File.xls
-rwxrwxr-x  applssd programmers  root:object_r:file_t             MRPATPRS.fmb

chmod -R g+rwxs /u01/US/
Results:
-rwxrws---  applssd programmers root:object_r:file_t             LMISRDB1.fmb
-rwxr--r--  testuser programmers root:object_r:file_t            Dropped_File.xls
-rwxrws---  applssd programmers root:object_r:file_t             MRPATPRS.fmb

Neither of these solutions produces the results I need; the "Programmers" and "Domain Users" security groups are Windows Active Directory. The "applssd" is the local Linux Oracle account; if this account cannot access the file then Oracle cannot use the updated file.
I need to ensure that the user account "applssd" and the "Programmers" can access the files to read (applssd) or modify (Programmers).
I do not want to use the Public security attribute for security reasons.
Any more ideas?
 
LVL 4

Expert Comment

by:Blundey
ID: 33568832
Have you considered adding the users to the groups file that need shared permissions?
 
LVL 16

Expert Comment

by:JammyPak
ID: 33569025
Did you set the 's' bit on the group using chown like I suggested? That way if 'programmers' group-owns the parent folder, they will also group-own items added to the folder (rather than domain admins).

Is applssd a member of programmers?
 

Author Comment

by:Starrett2005
ID: 33569342
Blundey, not sure what you're saying.

JammyPak, yes, added the 's' bit; that came closest to what I need, but the owner is still the user that dropped the file there.
I cannot add the applssd user to "Programmers" because "Programmers" is a Windows Domain group and "applssd" is a Linux local user account.
If "applssd" user cannot access the updated file then the file cannot be used by Oracle until we manually reset permissions so "applssd" is the owner.
Again, I would prefer not to use the "Public" security attribute to get around this.
 

Accepted Solution

by:Starrett2005
ID: 34041808
I created a script that resets owner and group permissions every 4 hours.  This solved the problem but feels like a bandaid.
 

Author Closing Comment

by:Starrett2005
ID: 37736802
This is what worked
0
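
The accepted solution in this thread is a script that resets owner and group on a schedule. The following is an added example of such a script, not the poster's own: the directory, owner and group are passed as arguments (on this page they would be /u01/US, applssd and programmers), and the function names and the 2770/0660 modes are assumptions chosen so that "other" gets no access.

```shell
#!/bin/sh
# Added example: periodic owner/group/mode reset for a Samba share.
# Assumed modes: directories 2770 (setgid), files 0660, nothing for "other".

reset_share_perms() {
    dir=$1 owner=$2 group=$3
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }

    # Only regular files and directories are touched. Symlinks are skipped so
    # a link placed in the share cannot redirect chown/chmod to another path.
    # chown runs first because changing ownership can clear the setgid bit.
    find "$dir" \( -type f -o -type d \) \
        \( ! -user "$owner" -o ! -group "$group" \) \
        -exec chown "$owner:$group" {} + || return 1

    # Directories: rwx for owner and group, setgid so that new entries
    # inherit the directory's group instead of the creator's primary group.
    find "$dir" -type d ! -perm 2770 -exec chmod 2770 {} + || return 1

    # Files: rw for owner and group, no setgid or execute bits.
    find "$dir" -type f ! -perm 0660 -exec chmod 0660 {} + || return 1
}

# Number of files/directories that still deviate from the expected state.
# A non-zero count between runs shows how often the share drifts.
count_drift() {
    dir=$1 owner=$2 group=$3
    find "$dir" \( -type f ! -perm 0660 -o -type d ! -perm 2770 \
        -o \( -type f -o -type d \) \( ! -user "$owner" -o ! -group "$group" \) \) \
        -print | wc -l | tr -d ' '
}

# Run only when called with all three arguments, e.g. from root's crontab.
if [ "$#" -eq 3 ]; then
    reset_share_perms "$@"
fi
```

Setting the setgid bit on directories only avoids the `-rwxrws---` file modes shown in the results above, which came from applying `g+s` recursively to files as well.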
