Linux share to Windows XP machine via VPN

Andrej Pirman
Hi,

I have huge problems with one customer, who has:
- SUSE 10 Linux server, version 2.6.16
- 5 Windows XP and Win7 clients

SHARING folders is a pain in the ass, really.

For example, all users on SUSE are members of the groups "users" and "share".
Shared folders on SUSE are owned by "root" and group "users"...
...BUT only the first level of shared folders is visible. If a Windows user clicks on any folder: permission denied!
To enable users to browse down the folder structure, I must enable full permissions for OWNER, GROUP and OTHERS on all folders. If I omit OTHERS, no one can browse.

TODAY's PROBLEM:
I added user "user8" to SUSE under "Users and groups".
I put it to be a member of "users", "share" and many other groups.

Then on Windows XP I created case-sensitive "user8" with password under users.
Tried:

      net use \\suse-server\shares\common-files /USER:user8

but no joy :(
Also tried adding my existing Windows XP login username and password to SUSE as a new user, under the "users" group... but still cannot browse folders below the common folder.

Whatever I do... permission denied.
I can only see the first \SHARES folder, but cannot browse deeper.

Any idea what am I missing?
Dave Howe, Software and Hardware Engineer

Commented:
You probably need to use smbpasswd to add the users to the smbpasswd database (assuming you are using one; it's the default for SUSE, but if you use the Samba server applet in the Network Services part of YaST2, you can define use of an LDAP or even MySQL DB for the lookups).

Author

Commented:
Thanks, DaveHowe, but this is kinda rocket science for me (I am a Windows geek).

What I don't get:
Under "Users and Groups" in YaST I defined "user8" and his primary group. Then this GROUP is also the primary group under FOLDER permissions. From a "Windows geek" perspective this should work.

Ok, but now you say (and I was afraid to hear this) that I need to use "smbpasswd" from the command line. Ok, I did that:

     smbpasswd -a user8
     Password:
     Password:

What now?
Nothing changed by doing so. How will "smbpasswd" know that this user must have access privileges to a specific folder?

Sorry for dumb questions, but it's confusing to me, and I actually do not know what I am doing - some stuff from the command line, other stuff via mouse click... I am actually more familiar with Debian derivatives, but still an amateur :)
President, IT4SOHO, LLC
Commented:
I think I know what's going on here...

A) Having all files owned by root essentially forces all access to be determined by GROUP rights.
B) When you created your users, you used the useradd program, and my guess is you had them added to the "users" group. That meant that each user belonged to his/her OWN group (by default), PLUS the users group.
C) When users created new folders, they (by default) belonged to the user and their DEFAULT group -- to which no one else belongs.
D) As a result, only the user who created the folder can get into it...

The fix can be done multiple ways -- but IMHO the EASIEST will be to force all new files and folders to be created with the USERS group by default (instead of the user's own default group).
To do that, log into the server, gain root privilege, and run the following command from the TOP of the shared folder tree:
chgrp -R users .
find . -type f -exec chmod 760 '{}' \;
find . -type d -exec chmod 2770 '{}' \; 


What this does is:
1) all files in the share are first changed to the group users
2) all regular files are then given group read/write permissions (execute is not appropriate, unless they have shell accounts)
3) all folders are given full permissions for owner & group -- but the SGID bit is also set so that any new file or folder created in any of them will belong to the group users. (Aside: execute is NECESSARY for folders so you can traverse into them)

You could also change the default group for each user, and attack this in many other ways, but this one will last...

Now it IS possible that group permissions on new files could be turned off by default -- if that is the case, a change within SAMBA is in order... but let's wait and see there...

I hope it helps!

Dan
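The fix described in this answer, as an added example that is not code from the thread: a POSIX shell script that applies the three commands (with the real command name, chgrp) to a constructed temporary tree standing in for the real share root, and then checks what the SGID bit buys you, namely that a directory created afterwards inherits the group and the setgid bit regardless of the creator's primary group. The group is a numeric gid chosen from the current user's groups as a stand-in for "users", and the folder names and sample file are assumptions; it needs GNU coreutils (stat -c) as found on SUSE.

```shell
#!/bin/sh
# Added example, not code from the thread. Applies Dan's three commands to a
# constructed temporary tree (standing in for the real /shares root) and then
# checks what the setgid bit buys you: a directory created afterwards inherits
# the group and the setgid bit, whatever the creator's primary group is.
# Assumes a Linux server with GNU coreutils (stat -c), as on SUSE.
set -eu

# Dan's fix, with the real command name: it is chgrp, "chgroup" does not exist.
#   files       760  owner rwx, group rw, others nothing
#   directories 2770 owner/group rwx, others nothing, setgid so new entries
#                    get the directory's group instead of the creator's
fix_share_tree() {
    chgrp -R "$2" "$1"
    find "$1" -type f -exec chmod 760 '{}' \;
    find "$1" -type d -exec chmod 2770 '{}' \;
}

# Pick a group id to stand in for "users": a supplementary group of the
# current user if there is one (so inheritance is visible), else the primary.
pick_group() {
    primary=$(id -g)
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then printf '%s\n' "$g"; return 0; fi
    done
    printf '%s\n' "$primary"
}

# Constructed sample tree: the thread's main-folder/IMPORTANT-FOLDER layout,
# with the "open it to OTHERS" workaround applied to one folder.
setup_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/main-folder/IMPORTANT-FOLDER"
    printf 'constructed sample file\n' > "$root/main-folder/IMPORTANT-FOLDER/report.txt"
    chmod 777 "$root/main-folder"
    printf '%s\n' "$root"
}

# Returns 0 when every directory is 2770, every file 760, and a directory
# created after the fix inherits gid $2 plus the setgid bit.
verify_share_tree() {
    bad=$(find "$1" -type d -exec stat -c %a '{}' \; | grep -vc '^2770$' || true)
    [ "$bad" -eq 0 ] || { echo "directory not 2770 under $1"; return 1; }
    bad=$(find "$1" -type f -exec stat -c %a '{}' \; | grep -vc '^760$' || true)
    [ "$bad" -eq 0 ] || { echo "file not 760 under $1"; return 1; }
    probe=$1/main-folder/new-from-client
    mkdir "$probe"                      # what a client's "New folder" does
    [ "$(stat -c %g "$probe")" = "$2" ] || { echo "group not inherited"; return 1; }
    case $(stat -c %a "$probe") in
        2*) ;;
        *) echo "setgid bit not inherited"; return 1 ;;
    esac
}

root=$(setup_demo_tree)
group=$(pick_group)
fix_share_tree "$root" "$group"
if verify_share_tree "$root" "$group"; then
    echo "share tree $root fixed; new folders inherit gid $group"
else
    exit 1
fi
```

The probe directory shows the limit of the fix: setgid fixes the group of new entries, but their mode comes from the creator's umask locally and, over SMB, from Samba's create mask / directory mask, so a share-level mask is still needed to keep new files at 660/2770 rather than whatever the client session's defaults give.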
Dave Howe, Software and Hardware Engineer
Commented:
Samba is a compatibility layer - it pretends to be an NT4 domain controller to Windows clients, and offers file shares based on user credentials. For this, it uses its own user/pass scheme, but the permissions map to the Linux-level permissions on the files. The username must match the user's Linux account name, but the password may be different (this is actually a good thing - you can set them up with a "Windows" password, but prevent them from logging into the Linux environment as a local user).

Once a user has logged into Samba (and this is done the same as logging into a native Windows share, with the domain name defined in the Samba GUI in YaST2) then they should get whatever permissions their native Linux user would get. This is based upon the Linux model, so the world permissions affect all users (including "guest", the account failed authentications are assigned to); each file has a "group" and a set of "group" permissions (and any user can be a member of any group) and an "owner", who is a specific user, with permissions at this level too. There are more fine-grained permission sets available too, but few admins go to that depth (read the getfacl and setfacl manual pages on your SUSE Linux server for further detail if you are interested in those).

But the take-homes from this are:
a) Samba has its own password system, but uses the Unix username system.
b) Unix permissions apply to files even as accessed via Samba.
c) There is a "bad login" mapping in the config that specifies what failed logins access.
d) You may need to force login (mapping a drive from XP with domain/user and password explicitly set) to get per-user granular permissions.
Dave Howe, Software and Hardware Engineer

Commented:
Oh, and there are extensive learning resources for Samba available at http://www.samba.org/samba/docs/ - including a full copy of the official O'Reilly book on the subject :)
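Take-homes a) and c) above in configuration terms, as an added example that is not from the thread: two constructed smb.conf fragments for a hypothetical [common-files] share, one with the settings that produce the symptoms discussed in this thread (failed logins mapped to guest, guest access allowed, 0777 masks, no valid users) and one hardened, plus a small POSIX shell audit that flags the weak ones. The parameter names are Samba's own; the share name, path and the group "users" are assumptions. It needs only sh and awk, so it runs without Samba installed.

```shell
#!/bin/sh
# Added example, not from the thread: two constructed smb.conf fragments for a
# hypothetical [common-files] share and an audit that flags the weak settings.
# Parameter names are Samba's own; share name, path and group are assumptions.
set -eu

# Weak: failed logins become guest, anyone may connect as guest, and files are
# created world-writable. Guest sessions create files owned by the guest
# account (usually "nobody"), which is how folders owned by nobody appear.
WEAK_CONF=$(cat <<'EOF'
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = Bad User

[common-files]
   path = /srv/shares/common-files
   browseable = yes
   writeable = yes
   guest ok = yes
   create mask = 0777
   directory mask = 0777
EOF
)

# Hardened: authenticated members of group "users" only; everything created
# through the share belongs to that group and grants nothing to others.
HARDENED_CONF=$(cat <<'EOF'
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = Never

[common-files]
   path = /srv/shares/common-files
   browseable = yes
   writeable = yes
   guest ok = no
   valid users = @users
   force group = users
   create mask = 0660
   directory mask = 2770
   force directory mode = 2770
EOF
)

# Print the "key = value" lines of one [section] of a config read on stdin.
section_lines() {
    awk -v want="[$1]" '
        /^[ \t]*\[/ { gsub(/^[ \t]+|[ \t]+$/, ""); inside = ($0 == want); next }
        inside && $0 !~ /^[ \t]*(#|;|$)/ { print }'
}

# get_param <section> <key> <config-text>: value lower-cased, empty if unset.
get_param() {
    printf '%s\n' "$3" | section_lines "$1" | awk -F= -v k="$2" '
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key)
          if (tolower(key) == k) {
              sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print tolower($0) } }'
}

# audit_config <config-text> <share>: prints one line per weak setting and
# returns their count, so 0 means clean.
audit_config() {
    conf=$1; share=$2; n=0
    case $(get_param global 'map to guest' "$conf") in
        ''|never) ;;
        *) echo "[global] map to guest: failed logins silently become the guest account"; n=$((n + 1)) ;;
    esac
    if [ "$(get_param "$share" 'guest ok' "$conf")" = yes ]; then
        echo "[$share] guest ok = yes: unauthenticated access allowed"; n=$((n + 1))
    fi
    if [ -z "$(get_param "$share" 'valid users' "$conf")" ]; then
        echo "[$share] valid users unset: every Samba account may connect"; n=$((n + 1))
    fi
    # Samba defaults are create mask 0744 / directory mask 0755, i.e. readable
    # by others; any mask ending in a non-zero digit grants others something.
    for key in 'create mask' 'directory mask' 'force create mode' 'force directory mode'; do
        v=$(get_param "$share" "$key" "$conf")
        case $key:$v in
            *mask:) echo "[$share] $key unset: Samba default gives others read access"; n=$((n + 1)) ;;
            *:*[1-7]) echo "[$share] $key = $v grants permissions to OTHERS"; n=$((n + 1)) ;;
        esac
    done
    return "$n"
}

n=0; audit_config "$WEAK_CONF" common-files || n=$?
echo "weak config: $n finding(s)"
n=0; audit_config "$HARDENED_CONF" common-files || n=$?
echo "hardened config: $n finding(s)"
```

The audit only reads the text; on the real server, testparm -s prints the values Samba actually loaded, including defaults for anything left unset, which is the safer thing to check before trusting a share.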

Author

Commented:
Great, guys!
Maybe I am a step further, but I still miss one step: how to access the folder, which is owned by group "users", with user "user8", who is a member of the "users" group?

I ran the 3 steps suggested on the shared root folder, and I noticed only the GID checkbox became active. But still I cannot access any folder from my Windows machine, except if I set full permissions for OTHERS.

Author

Commented:
...actually, when I modify permissions and set FULL permissions for OTHERS on a folder:
- these changes are not propagated to the directory tree, but are only valid for NEW folders I create. These new folders or files are owned by "nobody", if that helps
- also, I cannot check the recursive checkbox when changing permissions, because this checkbox is grayed out

Author

Commented:
As a workaround for temporary functionality, I set in one traversing folder just the EXECUTE bit for OTHERS, so anybody can traverse it, and in the most important folder for user8, which is below this one, I did this:

find . -type f -exec chmod 776 '{}' \;
find . -type d -exec chmod 2775 '{}' \;

So user8 cannot see:

   \\shares\main-folder\

but he can type directly:
 
  \\shares\main-folder\IMPORTANT-FOLDER

and see all its content, and edit files etc.

Maybe I should read some documentation, but hey... I work with Linux servers once or twice a year, so even if I learn something, I forget it before I could use it next time.
Thanks, guys!

Commented:
Please post your Samba conf file.

Author

Commented:
Thanks for now, guys! My problem is not solved entirely, but actually I did not want to dig into the root of the problem, but rather bring it to some usable level - which I did with your help.
