Samba/Filesystem Permissions Help

Matt Snell mattds at gmail.com
Tue Oct 2 14:57:29 EDT 2007


Hi all,

I'm attempting to set up a samba server at home (Debian Etch if it matters).
It will have both Windows and Linux machines accessing the shares for read
and write.  It seemed to be working perfectly until I attempted to CIFS mount
one of the shares at the command line.  Below is the setup I've worked out
and where I'm having problems.  If anyone could help, I'd REALLY appreciate
it.  

Please keep in mind that I'm not a total newb, but I'm still newbish. :)

Note: The server has many shares and they're all set up the same way.  For the
sake of simplicity, I'm only using one share as an example.



Server Config: 

Assume that the user "matt" is in "smbusers" on the server and has a valid
Linux and Samba username/password set.

Directory Permissions: I've set the sgid bit on the dir so that the group is
always set to "smbusers" and that group will always have rw access (suid/sgid
is new to me, correct me if I'm wrong in my thinking).  I want everyone in
"smbusers" to be able to add or delete at will. 

$ ls -la
drwxr-xr-x  8 root smbusers 4096 2007-09-27 20:29 ./
drwxr-xr-x  5 root root     4096 2007-09-27 18:50 ../
drwsrwsr-x  6 root smbusers 4096 2007-10-01 20:18 xfer/

Samba Config:  I've included the global settings and the share settings
below.  I force all files created by samba to have the group "smbusers" set.
Setting the sgid bit on the directory didn't seem to do that in my
testing/playing.

[global]
server string = %h (Samba %v)
obey pam restrictions = Yes
passdb backend = tdbsam
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
panic action = /usr/share/samba/panic-action %d
invalid users = root
hosts allow = 192.168.1.

[xfer]
comment = Temporary Data
path = /var/lib/samba/shares/xfer
valid users = g6ftp, @smbusers
force group = smbusers
read only = No
create mask = 0664
directory mask = 0775



Client Config:

The user "matt" exists on the client, there is no smbusers group (maybe there
should be?).  I mount the share using the command below:

mount -t cifs //cerberus/xfer /media/xfer -o user=matt

and that results in the permissions below on the mount point:

drwsrwsr-x  6 root         1002     0 2007-10-01 20:18 xfer

So the mount is picking up the directory permissions and ownership set on the
server (1002 is the gid of the server's smbusers group).  In my reading, I've
found that this is desired.  It's certainly NOT desired if I want the "matt"
account to be able to write to the mount.  I've tried supplying uid=matt as
an option to the mount command and it makes no difference.  The only fix I've
found is to tell the samba client NOT to check permissions by providing
"noperm" as a mount option.  

Note: This isn't an issue when writing to the share using Windows or mounting
it via Gnome.  I'm able to hit the share, create and delete at will using
either gui.

So my questions are:

1. How can I mount this share on my client with the ability to modify files
using the mount command?

2. If the solution is to use "noperm", what's the other solution?  Noperm
(according to the man for mount.cifs) can expose files on the mount to other
users.  While that's not an issue at my house, I'm still not comfortable with
it and would prefer to learn the more gooder way to do this.  If I'm just
being paranoid and noperm is commonly used, just lemmee know.

3. In my testing, I've found that if I create the smbusers group on the
client with the same gid as the smbusers group on the server that I can just
mount and go.  Is that the right fix?  It just seems to me that in a
situation where you had several clients that would be less than ideal and
tough to administer.  Of course if you had several clients, maybe you'd be
running a domain and this wouldn't be as much of an issue?


-- 
M@
http://linuxneophyte.com
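
Added example, not part of the original post: a Python model of the client-side permission check the message describes, applied to the mount point listing above (mode drwsrwsr-x, owner root, gid 1002). The client uid/gid 1000 for "matt" and uid 1001 for a second local user are constructed values; the check shown is the standard owner/group/other test for a non-root process.

```python
import stat

# Bit masks in the order they appear in an ls-style string after the type char.
MASKS = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
         stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
         stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}

def parse_mode(ls_mode):
    """Convert an ls-style string such as 'drwsrwsr-x' to numeric mode bits."""
    bits = stat.S_IFDIR if ls_mode[0] == "d" else stat.S_IFREG
    for i, ch in enumerate(ls_mode[1:10]):
        if ch in "rwxst":        # lowercase s/t also implies the execute bit
            bits |= MASKS[i]
        if ch in "sStT":         # setuid, setgid or sticky
            bits |= SPECIAL[i]
    return bits

def client_allows(mode, owner_uid, owner_gid, uid, gids, want, noperm=False):
    """Model the local check for a non-root process; want is e.g. 'w' or 'rw'."""
    if noperm:
        return True              # client check skipped; the server still applies its own
    if uid == owner_uid:
        shift = 6                # owner class
    elif owner_gid in gids:
        shift = 3                # group class
    else:
        shift = 0                # other class
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return ((mode >> shift) & need) == need

# Values from the post: mode string, owner root (uid 0), gid 1002.
MODE = parse_mode("drwsrwsr-x")
OWNER_UID, OWNER_GID = 0, 1002
# Constructed values: client uid/gid 1000 for "matt", 1001 for another local user.
MATT, OTHER = 1000, 1001

def scenarios():
    """Return the client-side verdict for each situation raised in the post."""
    return {
        "plain mount, write": client_allows(MODE, OWNER_UID, OWNER_GID, MATT, {1000}, "w"),
        "plain mount, read": client_allows(MODE, OWNER_UID, OWNER_GID, MATT, {1000}, "r"),
        "gid 1002 on client, write": client_allows(MODE, OWNER_UID, OWNER_GID, MATT, {1000, 1002}, "w"),
        "noperm, other local user, write": client_allows(MODE, OWNER_UID, OWNER_GID, OTHER, {1001}, "w", noperm=True),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'allowed' if ok else 'denied'} by client")
```

The last scenario is the trade-off behind question 2: with noperm the client no longer distinguishes between local users, so access control rests on the server's check of the account given at mount time.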