Samba Server Not Inheriting Permissions

I have set up a Samba server with about 6 users. My issue is that all of my users can only edit their own files. Even if I manually change the permissions on the parent directory, new files are created with the specific user as the owner and the only person that can make changes to the file. I have several users who need to be able to edit the same files. Attached is my smb.conf


# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step to step guide on installing, configuring and using samba,
# read the Samba-HOWTO-Collection. This may be obtained from:
#  http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the
# Samba-Guide which is generated daily and can be downloaded from:
#  http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#---------------
# SELINUX NOTES:
#
# If you want to use the useradd/groupadd family of binaries please run:
# setsebool -P samba_domain_controller on
#
# If you want to share home directories via samba please run:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory you want to share you should mark it as
# "samba-share_t" so that selinux will let you write into it.
# Make sure not to do that on system directories as they may already have
# been marked with othe SELinux labels.
#
# Use ls -ldZ /path to see which context a directory has
#
# Set labels only on directories you created!
# To set a label use the following: chcon -t samba_share_t /path
#
# If you need to share a system created directory you can use one of the
# following (read-only/read-write):
# setsebool -P samba_export_all_ro on
# or
# setsebool -P samba_export_all_rw on
#
# If you want to run scripts (preexec/root prexec/print command/...) please
# put them into the /var/lib/samba/scripts directory so that smbd will be
# allowed to run them.
# Make sure you COPY them and not MOVE them so that the right SELinux context
# is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts
#
#--------------
#
#======================= Global Settings =====================================

[global]
	security=user
	inherit permissions = yes
# ----------------------- Network Related Options -------------------------
#
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
#
# server string is the equivalent of the NT Description field
#
# netbios name can be used to specify a server name not tied to the hostname
#
# Interfaces lets you configure Samba to use multiple interfaces
# If you have multiple network interfaces then you can list the ones
# you want to listen on (never omit localhost)
#
# Hosts Allow/Hosts Deny lets you restrict who can connect, and you can
# specifiy it as a per share option as well
#
	workgroup = MYGROUP
	server string = BridgeFront SAMBA

;	netbios name = OREGON

;	interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
;	hosts allow = 127. 192.168.12. 192.168.13.

# --------------------------- Logging Options -----------------------------
#
# Log File let you specify where to put logs and how to split them up.
#
# Max Log Size let you specify the max size log files should reach

	# logs split per machine
;	log file = /var/log/samba/%m.log
	# max 50KB per log file, then rotate
;	max log size = 50

# ----------------------- Standalone Server Options ------------------------
#
# Security can be set to user, share(deprecated) or server(deprecated)
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.

	security = user
	passdb backend = tdbsam


# ----------------------- Domain Members Options ------------------------
#
# Security must be set to domain or ads
#
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Use password server option only with security = server or if you can't
# use the DNS to locate Domain Controllers
# The argument list may include:
#   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
#   password server = *


;	security = domain
;	passdb backend = tdbsam
;	realm = MY_REALM

;	password server = <NT-Server-Name>

# ----------------------- Domain Controller Options ------------------------
#
# Security must be set to user for domain controllers
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
#
# Domain Logons let Samba be a domain logon server for Windows workstations.
#
# Logon Scrpit let yuou specify a script to be run at login time on the client
# You need to provide it in a share called NETLOGON
#
# Logon Path let you specify where user profiles are stored (UNC path)
#
# Various scripts can be used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
#
;	security = user
;	passdb backend = tdbsam

;	domain master = yes
;	domain logons = yes

	# the login script name depends on the machine name
;	logon script = %m.bat
	# the login script name depends on the unix user used
;	logon script = %u.bat
;	logon path = \\%L\Profiles\%u
	# disables profiles support by specifing an empty path
;	logon path =  

;	add user script = /usr/sbin/useradd "%u" -n -g users
;	add group script = /usr/sbin/groupadd "%g"
;	add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
;	delete user script = /usr/sbin/userdel "%u"
;	delete user from group script = /usr/sbin/userdel "%u" "%g"
;	delete group script = /usr/sbin/groupdel "%g"


# ----------------------- Browser Control Options ----------------------------
#
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
#
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
#
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
;	local master = no
;	os level = 33
;	preferred master = yes

#----------------------------- Name Resolution -------------------------------
# Windows Internet Name Serving Support Section:
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
#
# - WINS Support: Tells the NMBD component of Samba to enable it's WINS Server
#
# - WINS Server: Tells the NMBD components of Samba to be a WINS Client
#
# - WINS Proxy: Tells Samba to answer name resolution queries on
#   behalf of a non WINS capable client, for this to work there must be
#   at least one	WINS Server on the network. The default is NO.
#
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups.

;	wins support = yes
;	wins server = w.x.y.z
;	wins proxy = yes

;	dns proxy = yes

# --------------------------- Printing Options -----------------------------
#
# Load Printers let you load automatically the list of printers rather
# than setting them up individually
#
# Cups Options let you pass the cups libs custom options, setting it to raw
# for example will let you use drivers on your Windows clients
#
# Printcap Name let you specify an alternative printcap file
#
# You can choose a non default printing system using the Printing option

	load printers = yes
	cups options = raw

;	printcap name = /etc/printcap
	#obtain list of printers automatically on SystemV
;	printcap name = lpstat
;	printing = cups

# --------------------------- Filesystem Options ---------------------------
#
# The following options can be uncommented if the filesystem supports
# Extended Attributes and they are enabled (usually by the mount option
# user_xattr). Thess options will let the admin store the DOS attributes
# in an EA and make samba not mess with the permission bits.
#
# Note: these options can also be set just per share, setting them in global
# makes them the default for all shares

;	map archive = no
;	map hidden = no
;	map read only = no
;	map system = no
;	store dos attributes = yes


#============================ Share Definitions ==============================

[homes]
	browseable = no
	comment = Your Personal Folder
	writable = yes
;	valid users = %S
;	valid users = MYDOMAIN\%S

[printers]
	comment = All Printers
	path = /var/spool/samba
	browseable = no
	guest ok = no
	writable = no
	printable = yes

# Un-comment the following and create the netlogon directory for Domain Logons
;	[netlogon]
;	comment = Network Logon Service
;	path = /var/lib/samba/netlogon
;	guest ok = yes
;	writable = no
;	share modes = no


# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;	[Profiles]
;	path = /var/lib/samba/profiles
;	browseable = no
;	guest ok = yes


# A publicly accessible directory, but read only, except for people in
# the "staff" group
;	[public]
;	comment = Public Stuff
;	path = /home/samba
;	public = yes
;	writable = yes
;	printable = no
;	write list = +staff




[corpfiles]
	delete readonly = yes
	writeable = yes
	invalid users = chelseys,dijoa,melaniee
	write list = peterc,lorraines,markm,kentl
	path = /home/corpfiles
	comment = BridgeFront Corpfiles
	valid users = peterc,lorraines,markm,kentl
	public = yes

[ftp]
	comment = BridgeFront FTP
	valid users = chelseys,dijoa,kentl,lorraines,markm,melaniee,peterc
	writeable = yes
	path = /home/ftp

[trainfiles]
	comment = BridgeFront Trainfiles
	valid users = chelseys,dijoa,kentl
	writeable = yes
	invalid users = peterc,lorraines,markm,melaniee
	path = /home/trainfiles

[webfiles]
	comment = BridgeFront Webfiles
	valid users = chelseys,dijoa,kentl
	writeable = yes
	invalid users = lorraines,markm,peterc,melaniee
	path = /home/webfiles

nlhess2003 Asked:
Christopher Raymond Mendoza Commented:
Hello nlhess2003,

I think it is better to describe how we do things here. It's not perfect, but I hope it could help.

I have attached the result of the 'ls -l' command from one of our shared folders. As you can see, the files are owned by user1, user2 and user3. The reason why they can edit each other's files is because they are all part of the same primary (initial) group, users, and the permissions allow both the owner and group member to modify the file.

To achieve this, we include both or a combination of the following for specific shares in smb.conf as necessary:
    create mask = 0770
    inherit permissions = yes

When adding users, we use the following:
    useradd -n -g users [username]
    smbpasswd -a [username]

I think we also tinkered around with umask in /etc/bashrc but I do not remember if it affects samba as much.
-rwxrwx---   1 user1      users      936 2009-05-07 14:14 branches.txt
-rwxrwx---   1 user3      users    23404 2009-04-20 17:25 emails.ods
-rwxrwx---   1 user2      users   354577 2009-03-19 00:50 email.pdf
-rwxrwx---   1 user1      users       88 2010-09-09 10:48 Error1.txt
-rwxrwx---   1 user2      users       88 2010-09-09 10:48 Error2.txt
-rwxrwx---   1 user1      users    59392 2009-07-04 00:44 sample.doc

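As an added example (not from this thread or from the Samba project), here is the Unix side of the answer above: a POSIX shell script that prepares a share directory with a setgid group so new files inherit that group, verifies the result, and prints a share stanza whose masks match. The share name, path and group are placeholders I chose, and GNU coreutils `stat -c` is assumed.

```shell
#!/bin/sh
# Added example: group-shared Samba directory preparation and verification.
# Assumes GNU coreutils (stat -c) on Linux; no root needed when the caller
# already owns the directory and is a member of the group.
set -eu

# Make PATH group-owned by GROUP, group-writable and setgid (2770) so that
# every file and subdirectory created underneath inherits GROUP no matter
# which user's primary group is in effect. This is the filesystem
# counterpart of "force group" / "inherit permissions" in smb.conf.
prepare_share_dir() {
    path=$1; group=$2
    chgrp "$group" "$path"
    chmod 2770 "$path"
}

# Print "ok" when PATH has mode 2770 and group GROUP, otherwise a diagnostic.
verify_share_dir() {
    path=$1; group=$2
    mode=$(stat -c '%a' "$path")
    grp=$(stat -c '%G' "$path")
    if [ "$mode" != "2770" ]; then
        echo "bad mode $mode (want 2770: setgid + rwx for owner and group)"
    elif [ "$grp" != "$group" ]; then
        echo "bad group $grp (want $group)"
    else
        echo ok
    fi
}

# Create a scratch file inside PATH and print the group it received. With the
# setgid bit set this is the directory's group, not the creator's primary one.
created_file_group() {
    path=$1
    f=$path/inherit-check.$$
    : > "$f"
    stat -c '%G' "$f"
    rm -f "$f"
}

# Emit a share stanza that cooperates with the setgid directory: group
# read/write for files, setgid + group rwx for directories, no world access.
# "force group" makes smbd apply GROUP even for users whose primary group
# differs. With "inherit permissions = yes" in [global] (as in the thread)
# new files take the parent's bits instead of these masks; either works once
# the directory is 2770. Locking and oplocks are left at their defaults:
# smb.conf(5) warns that "locking = no" may result in data corruption.
share_stanza() {
    name=$1; path=$2; group=$3
    cat <<EOF
[$name]
	path = $path
	valid users = @$group
	force group = $group
	writeable = yes
	create mask = 0660
	directory mask = 2770
EOF
}
```

Run `prepare_share_dir /home/corpfiles bf-corpfiles` as root (placeholder names from the thread), then `verify_share_dir` and `created_file_group` as an ordinary member of the group to confirm the inheritance before touching smb.conf.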
barrykfl Commented:
Have a look at access rights

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html

Sometimes it is also related to unix access rights. Release 777 to test first
Christopher Raymond Mendoza Commented:
Hello,

Try adding this to your shares:
    create mask = 0770

For the above to work, all users must have the same login group in your linux box.

For explanation about the latter you can check on the manual page of useradd and usermod.
nlhess2003 (Author) Commented:
I have added the create mask but it doesn't appear to be doing anything. The owner is still changing and other people still can't edit files.
Christopher Raymond Mendoza Commented:
Hello nlhess2003,

Can you post the result of the command 'ls -al' from one of the shared folders please.
nlhess2003 (Author) Commented:
Command output of "ls -al /home/corpfiles/"

[root@oregon /]# ls -al /home/corpfiles/
total 32
drwxrwxrwx    4 root   root   4096 Oct  4 12:22 .
drwxr-xr-x   16 root   root   4096 Oct  9 11:47 ..
drwxrwxrwx+ 138 root   root   4096 Oct  6 14:41 BridgeFront Corporate Files
-rwxrw-rw-    1 peterc peterc   40 Oct  4 20:28 Mike-Test-Lorraines.txt
-rwxrwxr-x    1 root   root     24 Apr 15 02:25 testing peterc.txt
drwxrwxr-x    4 root   root   4096 Sep 27 04:17 Whizkids Test
[root@oregon /]#
nlhess2003 (Author) Commented:
That looks like it helped with the permissions issue. Now I am randomly getting a new error that files are locked for editing by "another user". I have double checked and the user opening the file is the only one on the system. Doesn't matter if I try to open it as the creating user or another user. Any idea?
Christopher Raymond Mendoza Commented:
With what software does this usually happen?
nlhess2003 (Author) Commented:
The error is coming up in Word, Excel, and PowerPoint
Christopher Raymond Mendoza Commented:
Happens to us with Excel too.

You should probably try changing oplock settings.

We usually include this in the global section, but can also be applied on a per-share basis:
    veto oplock files = /*.xls/*.XLS/*.xlt/*.XLT/*.dbf/*.DBF/*.ntx/*.NTX/

It is also possible to disable oplocks totally or on a share:
    oplocks = false
    level2 oplocks = false
nlhess2003 (Author) Commented:
We are still running into issues. We narrowed it down to all new office documents: .xlsx, .docx, and .pptx. They all come up saying "File In Use... Locked for editing by 'another user'". I have added the extensions in the veto oplocks thing and added the totally disable setting directly to my shares. Still no luck getting into these files as the owner.
Christopher Raymond Mendoza Commented:
Try this in your shares please:
    posix locking = no

I do hope it works.
nlhess2003 (Author) Commented:
Same issue. Still saying they are locked. I am attaching new Samba file to make sure I have everything added correctly. [corpfiles] is the share I am currently working with.
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step to step guide on installing, configuring and using samba,
# read the Samba-HOWTO-Collection. This may be obtained from:
#  http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the
# Samba-Guide which is generated daily and can be downloaded from:
#  http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#---------------
# SELINUX NOTES:
#
# If you want to use the useradd/groupadd family of binaries please run:
# setsebool -P samba_domain_controller on
#
# If you want to share home directories via samba please run:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory you want to share you should mark it as
# "samba-share_t" so that selinux will let you write into it.
# Make sure not to do that on system directories as they may already have
# been marked with othe SELinux labels.
#
# Use ls -ldZ /path to see which context a directory has
#
# Set labels only on directories you created!
# To set a label use the following: chcon -t samba_share_t /path
#
# If you need to share a system created directory you can use one of the
# following (read-only/read-write):
# setsebool -P samba_export_all_ro on
# or
# setsebool -P samba_export_all_rw on
#
# If you want to run scripts (preexec/root prexec/print command/...) please
# put them into the /var/lib/samba/scripts directory so that smbd will be
# allowed to run them.
# Make sure you COPY them and not MOVE them so that the right SELinux context
# is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts
#
#--------------
#
#======================= Global Settings =====================================

[global]
	load printers = yes
	cups options = raw
	netbios name = oregon
	inherit permissions = yes
	server string = BridgeFront SAMBA
	workgroup = MYGROUP
	os level = 20
	security = user
	passdb backend = tdbsam
	# pattern list is slash-delimited and case-sensitive; ".DOXX" was a typo for ".DOCX"
	veto oplock files = /*.xls/*.XLS/*.xlsx/*.XLSX/*.doc/*.DOC/*.docx/*.DOCX/*.xlt/*.XLT/*.dbf/*.DBF/*.ntx/*.NTX/

# ----------------------- Network Related Options -------------------------
#
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
#
# server string is the equivalent of the NT Description field
#
# netbios name can be used to specify a server name not tied to the hostname
#
# Interfaces lets you configure Samba to use multiple interfaces
# If you have multiple network interfaces then you can list the ones
# you want to listen on (never omit localhost)
#
# Hosts Allow/Hosts Deny lets you restrict who can connect, and you can
# specifiy it as a per share option as well
#

;	netbios name = OREGON

;	interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
;	hosts allow = 127. 192.168.12. 192.168.13.

# --------------------------- Logging Options -----------------------------
#
# Log File let you specify where to put logs and how to split them up.
#
# Max Log Size let you specify the max size log files should reach

	# logs split per machine
;	log file = /var/log/samba/%m.log
	# max 50KB per log file, then rotate
;	max log size = 50

# ----------------------- Standalone Server Options ------------------------
#
# Security can be set to user, share(deprecated) or server(deprecated)
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.



# ----------------------- Domain Members Options ------------------------
#
# Security must be set to domain or ads
#
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Use password server option only with security = server or if you can't
# use the DNS to locate Domain Controllers
# The argument list may include:
#   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
#   password server = *


;	security = domain
;	passdb backend = tdbsam
;	realm = MY_REALM

;	password server = <NT-Server-Name>

# ----------------------- Domain Controller Options ------------------------
#
# Security must be set to user for domain controllers
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
#
# Domain Logons let Samba be a domain logon server for Windows workstations.
#
# Logon Scrpit let yuou specify a script to be run at login time on the client
# You need to provide it in a share called NETLOGON
#
# Logon Path let you specify where user profiles are stored (UNC path)
#
# Various scripts can be used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
#
;	security = user
;	passdb backend = tdbsam

;	domain master = yes
;	domain logons = yes

	# the login script name depends on the machine name
;	logon script = %m.bat
	# the login script name depends on the unix user used
;	logon script = %u.bat
;	logon path = \\%L\Profiles\%u
	# disables profiles support by specifing an empty path
;	logon path =  

;	add user script = /usr/sbin/useradd "%u" -n -g users
;	add group script = /usr/sbin/groupadd "%g"
;	add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
;	delete user script = /usr/sbin/userdel "%u"
;	delete user from group script = /usr/sbin/userdel "%u" "%g"
;	delete group script = /usr/sbin/groupdel "%g"


# ----------------------- Browser Control Options ----------------------------
#
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
#
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
#
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
;	local master = no
;	os level = 33
;	preferred master = yes

#----------------------------- Name Resolution -------------------------------
# Windows Internet Name Serving Support Section:
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
#
# - WINS Support: Tells the NMBD component of Samba to enable it's WINS Server
#
# - WINS Server: Tells the NMBD components of Samba to be a WINS Client
#
# - WINS Proxy: Tells Samba to answer name resolution queries on
#   behalf of a non WINS capable client, for this to work there must be
#   at least one	WINS Server on the network. The default is NO.
#
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups.

;	wins support = yes
;	wins server = w.x.y.z
;	wins proxy = yes

;	dns proxy = yes

# --------------------------- Printing Options -----------------------------
#
# Load Printers let you load automatically the list of printers rather
# than setting them up individually
#
# Cups Options let you pass the cups libs custom options, setting it to raw
# for example will let you use drivers on your Windows clients
#
# Printcap Name let you specify an alternative printcap file
#
# You can choose a non default printing system using the Printing option


;	printcap name = /etc/printcap
	#obtain list of printers automatically on SystemV
;	printcap name = lpstat
;	printing = cups

# --------------------------- Filesystem Options ---------------------------
#
# The following options can be uncommented if the filesystem supports
# Extended Attributes and they are enabled (usually by the mount option
# user_xattr). Thess options will let the admin store the DOS attributes
# in an EA and make samba not mess with the permission bits.
#
# Note: these options can also be set just per share, setting them in global
# makes them the default for all shares

;	map archive = no
;	map hidden = no
;	map read only = no
;	map system = no
;	store dos attributes = yes


#============================ Share Definitions ==============================

[homes]
	browseable = no
	comment = Your Personal Folder
	writable = yes
;	valid users = %S
;	valid users = MYDOMAIN\%S

[printers]
	comment = All Printers
	path = /var/spool/samba
	browseable = no
	guest ok = no
	writable = no
	printable = yes

# Un-comment the following and create the netlogon directory for Domain Logons
;	[netlogon]
;	comment = Network Logon Service
;	path = /var/lib/samba/netlogon
;	guest ok = yes
;	writable = no
;	share modes = no


# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;	[Profiles]
;	path = /var/lib/samba/profiles
;	browseable = no
;	guest ok = yes


# A publicly accessible directory, but read only, except for people in
# the "staff" group
;	[public]
;	comment = Public Stuff
;	path = /home/samba
;	public = yes
;	writable = yes
;	printable = no
;	write list = +staff


[corpfiles]
	locking = no
	writeable = yes
	path = /home/corpfiles
	write list = @bf-corpfiles
	force group = bf-corpfiles
	valid users = @bf-corpfiles
	create mode = 777
	oplocks = false
	level2 oplocks = false
	posix locking = no 
	directory mode = 777

[webfiles]
	writeable = yes
	valid users = @bf-webfiles
	path = /home/webfiles

[trainfiles]
	writeable = yes
	valid users = @bf-trainfiles
	path = /home/trainfiles

[ftp]
	writeable = yes
	valid users = @bf-ftp
	path = /home/ftp

Christopher Raymond Mendoza Commented:
Hello nlhess2003,

What distro do you use?
nlhess2003 (Author) Commented:
CentOS Linux 5.6, Samba version 3.0.33-3.29.el5_5.1  
Christopher Raymond Mendoza Commented:
Hello nlhess2003,

Apologies for the late reply.

We have used the same distro for a few years now. I will first try to find users who use those files. I will get back to you as soon as I can.
nlhess2003 (Author) Commented:
The solution partially works. It does not fully fix the issue.