Samba4 - users cannot modify files in samba mount

More samba 4 woes. I've upgraded to Slackware-64 14.1 and samba 4.1.0. I had to make some changes to the smb.conf file to get mounts without userID or password. Now, users can create files on the share, but can't modify existing files having a different user. For example, on Linux:

> ls -l EventsCalendar.jsp OpenWith.reg
-rw-rw---- 1 mfoley ohprs 4638 2015-05-28 14:24 EventsCalendar.jsp
-rw-rw---- 1 ohprso ohprs  144 2015-06-08 10:48 OpenWith.reg

The Windows user dragged the OpenWith.reg file to the mapped drive, no problem. But the user cannot edit the EventsCalendar.jsp, even though it is group writable. If I change the owner to ohprso, the Windows user can then edit EventsCalendar.jsp - on Linux, users with ohprso group membership can edit the file.

Need to figure out how to get Samba to pay attention to the group permissions.

netbios name = WEBSERVER
   workgroup = WORKGROUP

   security = user
   map to guest = Bad User
   hosts allow = 192.168.0. 127.
guest account = guest
   passdb backend = tdbsam

comment = OHPRS Website download files
path = /srv/tomcat/webapps/ohprs
public = yes
guest ok = yes
guest only = yes
writeable = yes
browseable= yes
printable = no
create mask = 0660
directory mask = 0771


User guest is mapped to user ohprso, /etc/passwd:

ohprso:x:1001:301:OHPRS Web User:/srv/tomcat/webapps/ohprs/downloads:/bin/bash
guest:x:1001:301:Samba guest account:/dev/null:/bin/false

Any ideas?

Daniel McAllister, President, IT4SOHO, LLC, Commented:
This must be a Linux Filesystem Permission error. By being able to create new files, you're already demonstrating that the Samba settings are correct (or at least valid) for R/W access.

At the top of the share, ensure that the "forced" user has full permissions by changing ownership of all files in that tree to that user. (Or, alternatively - and better - determine the default group being used and change group ownership and permissions accordingly).

So here's the easiest way:
 - connect to the share from a client system and create a new dummy file
 - login on the samba server (Linux) and gain root privileges
 - cd to the location of the new file and execute the command:
ls -l [filename]
 - cd to the top of the share
 - execute the following commands (to change ownership):
chown -R [OWNER NAME] .
chmod -R u+rw .
find . -type d -exec chmod u+x '{}' \;
 - alternatively, use these commands to change groups:
chgrp -R [GROUP NAME] .
chmod -R g+rw .
find . -type d -exec chmod g+sx '{}' \;

1) Do NOT force add EXECUTE permission to regular files in the Linux system -- you don't want or need to be able to EXECUTE those shared files on the Linux server itself. Read & Write are all you need for the shared files. However, you DO need to ensure your users have EXECUTE permission on the FOLDERS. [This is Linux internals - and beyond the scope of this answer. Just trust me, it must be there.]
2) The use of GROUPS is better because you can more easily force the group membership as files are created -- that's the s part of the chmod command for groups. [Again, the details of what setgid does go beyond your issue.]

To clean up, you should remove the temp file you created.

I hope this helps.


PS: You are probably wondering WHY this change -- at some point, the numeric USERID your system is using for the shared files must have changed (re-install?) -- since the numeric UID or GID are no longer a match to your users, they no longer have access. Turn on access for the right user account, and voila! they have access!
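
A read-only check that can be run before the recursive chgrp/chmod commands in the answer above, so you see what they would change (added example, not part of the original answer). It lists paths under the share that are outside the expected group, files missing group read/write, and directories missing group rwx or setgid; the function name audit_share is hypothetical, and the path and group in the usage comment are the ones from the question.

```shell
#!/bin/sh
# audit_share ROOT GROUP   (GROUP may be a name or a numeric GID)
# Prints one line per path that would block group-based write access:
#   GROUP <path>   path does not belong to GROUP
#   FILE  <path>   regular file missing group read or write
#   DIR   <path>   directory missing group rwx or the setgid bit
# Nothing is modified. Returns 0 if clean, 1 if findings, 2 on bad input.
# Example: audit_share /srv/tomcat/webapps/ohprs ohprs
audit_share() {
    root=$1
    grp=$2
    if [ ! -d "$root" ]; then
        echo "audit_share: $root is not a directory" >&2
        return 2
    fi
    out=$(
        # Files and directories whose group is not the shared group.
        find "$root" \( -type f -o -type d \) ! -group "$grp" -print |
            sed 's/^/GROUP /'
        # Regular files need group r and w (no execute bit required).
        find "$root" -type f ! -perm -060 -print | sed 's/^/FILE  /'
        # Directories need group rwx plus setgid so new files inherit the group.
        find "$root" -type d ! -perm -2070 -print | sed 's/^/DIR   /'
    )
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}

# Run directly when called with two arguments: ./audit_share.sh ROOT GROUP
if [ $# -eq 2 ]; then
    audit_share "$1" "$2"
fi
```

An empty result means the tree already matches what the chgrp/chmod g+rw/g+sx sequence would produce, which points away from filesystem permissions as the cause.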
Mark (Author) Commented:
"At the top of the share, ensure that the "forced" user has full permissions by changing ownership of all files in that tree to that user."
Dan: thanks for your detailed response. The problem is, I did what you suggested, at least the first part. I dragged the file OpenWith.reg (which simply happened to be lying around on the Windows workstation desktop) to the mapped share and it created it there with user/group: ohprso.ohprs. This is correct as you can see from my /etc/passwd entries for ohprso and guest in my initial posting. User ID 1001 is the same ID I had with the previous system. Group 301 is 'ohprs' /etc/group:


Yes, I could solve this problem by doing as you suggested and changing all the files in that directory hierarchy to be owned by ohprso, but I really don't want to do that. Linux users access that directory for making jsp program updates (which the Windows users don't really do) and for creating new jsp programs. These files get created using the Linux user's ID -- which is what I want. As you can see from the /etc/group entry for ohprs, linux user mfoley is a member of that group and can update any file as long as it has group rw permission.

As you can see from the `ls -l` in my initial posting, these files do have group rw. So, no issues at all when accessing from Linux.

The problem is that Samba should also let the Windows user update files that are g+rw and are in group ohprs -- which the Samba user[s] are. So it appears that Samba is not honoring the group permissions.

This is only true since I a) changed to Samba 4.1.0 and b) modified the smb.conf file to add:

security = user
map to guest = Bad User

I did that because Samba 3.5.8 worked with the following, which didn't work under Samba 4.1.0:

security = share

So, there must be a way to get Samba 4.0.1 to honor the Linux group permission?
Mark (Author) Commented:
I fixed the problem by upgrading to samba 4.1.17. Apparently there was a bug in 4.1.0.

Mark (Author) Commented:
Thanks to it4soho for the detailed response