# samba share problem

## Lars B.

Hi,

I have defined the following share:

```
[IT]
comment = IT
browseable = no
public = no
valid users = @hanseadmin @hansecore
guest ok = no
write list = @hanseadmin @hansecore
force create mode = 770
force directory mode = 770
path = /daten/Mitarbeiter/IT
```

Users of the two groups 'hanseadmin' & 'hansecore' can connect, browse and delete or create files/folders.

Problems: 

1.) When a user creates a file, the file gets 774 permissions, but it should be 770.

2.) When a user creates a folder, the folder gets 775 permissions, but it should be 770.

3.) When a user creates a file, edits and saves it, he won't be able to open it again to edit it. For all files which contain data there is an "access to \file was denied" message. So it's not possible to open any files for reading or writing which contain data, although the files have the 774 permission and the users are in the owning group.

The third point is really confusing for me, because it's possible to delete all files, but not to edit them.

Samba Version 3.0.14a

Thx for any help..

Lars

----------

## jmbsvicetto

Hi.

Have you looked at your umask setting? If you have umask=XX2 it would make sense that a file gets the XX4 and a dir the XX5 permissions. About your problem with users opening files, look carefully at the output of ls -l /daten/Mitarbeiter/IT and if you use ACLs getfacl /daten/Mitarbeiter/IT/*.

----------

## Lars B.

 *jmbsvicetto wrote:*   

> Hi.
> 
> Have you looked at your umask setting? If you have umask=XX2 it would make sense that a file gets the XX4 and a dir the XX5 permissions.

Well, I haven't looked at the umask settings. Is there a file which contains the default umask settings?

In my fstab I haven't found any umask param, like I have seen in examples.

 *Quote:*   

> About your problem with users opening files, look carefully at the output of ls -l /daten/Mitarbeiter/IT and if you use ACLs getfacl /daten/Mitarbeiter/IT/*.

I have looked carefully at the output of ls -l /daten/Mitarbeiter/IT and there is no permission change, when a file is created and filled with some text. For me it makes no sense that it isn't possible to edit a file which contains data, but empty files.

Thx for help

Lars

----------

## jmbsvicetto

If the permissions are exactly the same on the empty files and on the data files, then it really makes no sense. Are you sure that you're not using ACLs?

By the way, I just had a "click". If you're saying that you can create a file and then cannot edit it, remember that in Linux the permission to create a file is set on the dir and the permission to alter a file is set on the file. So compare your .../IT dir permissions with the permissions of the files.

----------

## Lars B.

 *jmbsvicetto wrote:*   

> If the permissions are exactly the same on the empty files and on the data files, then it really makes no sense. Are you sure that you're not using ACLs?

 

I have to admit that I never heard anything about ACL - after I asked Google I know that this stands for Access Control Lists.

So I don't know..

The access denied msg is created by samba.. even if I set the permissions to 777 on a file I get this msg when I want to change or open it. So I'm wondering which share property command can eliminate this issue.

Thx for help

Lars

----------

## jmbsvicetto

If you didn't know ACLs, then you're not using them. I was asking, because if you were using ACLs, one would need to look at them to determine the effective permissions. That only mattered if you had set ACLs with setfacl.

Your default umask setting is defined in /etc/profile. Each user can define their own setting on their shell configuration files.

Since you're not using ACLs and you want to grant access to 2 different groups to the same dir, can you please post the output of ls -l /daten/Mitarbeiter/IT? Show at least the definition for ., .. and one of the files you're trying to use.

----------

## Lars B.

I have changed the umask in /etc/profile to 027. After a source /etc/profile, a touch test.txt creates a file with 640 permissions. Why not with 750?

When I change the umask to 000, the file gets 666.

 *Quote:*   

> ..., can you please post the output of ls -l /daten/Mitarbeiter/IT?

```
HBSVR02 IT # ls -l
total 22924
drwxrwx---   2 oelrichs hanseadmin     4096 Jan  9 11:12 ACD
drwxrwx---  22 oelrichs hanseadmin     4096 Jan  9 11:16 Aktionen
drwxrwx---   2 oelrichs hanseadmin     4096 Jan  9 11:16 Arbeitsanweisungen
drwxrwx---   4 oelrichs hanseadmin     4096 Jan  9 15:04 CMC
drwxrwx---   4 oelrichs hanseadmin     4096 Jan  9 11:16 DB
drwxrwx---  11 oelrichs hanseadmin     4096 Jan  9 12:33 Develop
drwxrwx---  15 oelrichs hanseadmin     4096 Jan  9 11:47 Documentation
drwxrwx---   2 oelrichs hanseadmin     4096 Jan  9 11:47 Einkaufen
drwxrwx---   6 oelrichs hanseadmin     4096 Jan  9 14:05 Infrastruktur
drwxrwx---   9 oelrichs hanseadmin     4096 Jan  9 11:48 Konzepte
drwxrwx---   2 oelrichs hanseadmin     4096 Jan  9 11:48 Kundenunterlagen
drwxrwx---   2 oelrichs hanseadmin     4096 Jan  9 11:48 Logfiles
-rwxrwxr--   1 borchers hanseadmin       20 Jan 10 08:49 Neu Textdatei 2.txt
-rwxrwxr--   1 borchers hanseadmin        0 Jan 10 08:49 Neu Textdatei.txt
drwxrwx---   3 oelrichs hanseadmin     4096 Jan  9 11:48 Prakti-Suche
-rwxrwx---   1 oelrichs hanseadmin 23348810 Jan 12  2005 Rueck.pcv
drwxrwx---   4 oelrichs hanseadmin     4096 Jan  9 12:08 Software
-rwxrwx---   1 oelrichs hanseadmin    15124 Dec 13 22:58 TELEFONLISTE.ods
-rwxrwx---   1 oelrichs hanseadmin     9072 Oct 13 20:11 TELEFONLISTE.sxc
drwxrwx---   2 oelrichs hanseadmin     4096 Jan  9 12:10 Temp
```

The two files Neu Textdatei 2.txt and Neu Textdatei.txt I have just created. After I fill Neu Textdatei 2.txt with some text from a WinXP box and save it, I can't open it again (-access denied-).

I can open the empty file "Neu Textdatei.txt".

```
HBSVR02 Mitarbeiter # ls -l
total 92
....
drwxrwxrwx  17 root hanseadmin 4096 Jan 10 08:49 IT
....
```

Well, normally this directory should have 770.. will change this when the problem is fixed.

Maybe I made a mistake in the samba config:

```
HBSVR02 Mitarbeiter # cat /etc/samba/smb.conf
[global]
workgroup = Arbeitsgruppe
server string = HBSVR02 %v
printcap name = cups
printing = cups
load printers = yes
log file = /var/log/samba/log.%m
max log size = 100
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
interfaces = lo eth0
bind interfaces only = yes
hosts allow = 127.0.0.1 212.6.148.
security = users
read raw = no
level2 oplocks = yes
guest ok = no
vfs object = vscan-clamav
vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
# shares
.....
[IT]
comment = IT
browseable = no
public = no
writeable = yes
valid users = @hanseadmin @hansecore
guest ok = no
write list = @hanseadmin @hansecore
force create mode = 770
force directory mode = 770
path = /daten/Mitarbeiter/IT
.....
```

Thx for help

Lars

----------

## jmbsvicetto

 *Lars B. wrote:*   

> I have changed the umask in /etc/profile to 027. After a source /etc/profile, a touch test.txt creates a file with 640 permissions. Why not with 750?
> 
> When I change the umask to 000, the file gets 666.

Linux creates files by default without the execute bit, thus you get the 640 and 660 permissions. When you create a dir it will give the execute bit and you will get the 750 or 770 permissions.

 *Lars B. wrote:*   

> *Quote:*
> 
> > ..., can you please post the output of ls -l /daten/Mitarbeiter/IT?
> 
> ...

Well, that explains your problem. If you change your dir permissions to 770, your users won't be able to create empty files. They won't even be able to access the dir. You should check that your Windows user is really a member of one of the groups you have given access to the share.

By the way, how are you using group membership? Have you created your users and groups under Linux? Or are you trying to use NT or AD users and groups? Are you trying to use winbind?

----------

## Lars B.

 *jmbsvicetto wrote:*   

> Well, that explains your problem. If you change your dir permissions to 770, your users won't be able to create empty files. They won't even be able to access the dir. You should check that your Windows user is really a member of one of the groups you have given access to the share.

The users who will connect to this share are either in the hanseadmin or the hansecore group. Therefore it's possible as a member of these groups to connect to the share or delete and create files.

So even when the directory mask is 770, this is possible. The only problem is that no member of these groups can open files which contain data or execute any .exe file.

Maybe my example was bad, to set it to 777.

Other users won't be able to connect or do anything on this share.

Or did I misunderstand this config?

 *Quote:*   

> Have you created your users and groups under Linux? Or are you trying to use NT or AD users and groups? Are you trying to use winbind?

I have created users and groups under Linux and then added them one by one to the samba users. The users who try to access the share at the moment have hanseadmin as their primary group.

Thx for help

Lars

----------

## jmbsvicetto

The theory behind your reasoning seems correct.

However, have you tried setting the dir permissions to 770? I believe that will make it impossible for your users to access the share. If that is the case, then there is something definitely wrong with your group membership. This action will help identify the source of the problem and let you direct your attention to it. If your users can still access the share and create empty files, then the problem lies somewhere else.

----------

## Lars B.

 *jmbsvicetto wrote:*   

> The theory behind your reasoning seems correct.
> 
> However, have you tried setting the dir permissions to 770? 

 

Yes, I have and it's still the same :(

Thx for any help

Lars B.

----------

## jmbsvicetto

I assume from your last post that after changing the .../IT dir permissions to 0770 your users can still create files, delete them and edit empty files, but that they still can't open non-empty files. Is that so?

If that is the case, then my previous reasoning doesn't apply. I've searched the web to confirm my interpretation of valid users and write list, which seems to be correct, and I've still to discover an error in the extract of your smb.conf file.

As such, I don't have any particularly "clever" suggestion, but I would still ask you to try using the following configuration for your share.

```
[IT]
comment = IT
browseable = no
public = no
writeable = yes
valid users = @hanseadmin @hansecore
guest ok = no
create mode = 770
directory mode = 770
path = /daten/Mitarbeiter/IT
```

Does it work?

Oh, if you're not aware, you have the two following on-line books on the SAMBA mirrors:

http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/

http://us4.samba.org/samba/docs/man/Samba-Guide/

If you want to help the project, you can always buy the books at http://www.amazon.com - the docs page is available at http://us4.samba.org/samba/docs/ .

Since you're still using the 3.0.14a release of Samba, have you tried updating to a more recent version? The latest is 3.0.21a.

----------

## Lars B.

It's still not working. I tried it with your suggestion. The only visible change between force create mode = 770 and create mode = 770 is that the permissions on freshly created files change from 774 to 750; this was why I used the force option.

Indeed it's better to set the share to writeable = yes than to make a write list which contains the same users who are in the valid users list.

In the earlier test, this error of not being able to write to or read from files which contain data hadn't occurred, because I had only tested creating or deleting files with some users and not editing or viewing them.

I will try to update the samba version like you suggested.

Thx for help

Lars

----------
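The mode arithmetic discussed in this thread, as an added example that is not part of any post and not Samba's own code: a simplified model of the calculation documented in smb.conf(5) (mapped DOS mode AND'ed with the mask, then OR'ed with the force bits), applied to the share from the first post, next to the umask rule for files created in a shell. It assumes the documented defaults `create mask = 0744`, `directory mask = 0755` and `map archive = yes`, and that the client sets the archive bit on new files; the function names are hypothetical and the config string is a constructed excerpt.

```python
import configparser

# Constructed sample: mode-relevant lines of the [IT] share from the first post.
SMB_CONF = """\
[IT]
valid users = @hanseadmin @hansecore
force create mode = 770
force directory mode = 770
path = /daten/Mitarbeiter/IT
"""

# Defaults and synonyms as documented in smb.conf(5).
DEFAULTS = {"create mask": 0o744, "directory mask": 0o755,
            "force create mode": 0, "force directory mode": 0}
SYNONYMS = {"create mode": "create mask", "directory mode": "directory mask"}

def share_masks(conf_text, share):
    """Read the four mode parameters of one share, applying defaults."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    masks = dict(DEFAULTS)
    for key, value in cp[share].items():
        key = SYNONYMS.get(key, key)
        if key in masks:
            masks[key] = int(value, 8)  # smb.conf modes are octal
    return masks

def samba_mode(masks, directory=False, archive=True):
    """Simplified model: (mapped DOS mode AND mask) OR force bits."""
    if directory:
        return (0o777 & masks["directory mask"]) | masks["force directory mode"]
    base = 0o666 | (0o100 if archive else 0)  # archive bit -> owner execute
    return (base & masks["create mask"]) | masks["force create mode"]

def local_mode(umask, directory=False):
    """Mode of a file or dir created in a shell (touch/mkdir) under a umask."""
    return (0o777 if directory else 0o666) & ~umask & 0o777

def excess_bits(mode, intended=0o770):
    """Permission bits granted beyond the intended mode."""
    return mode & ~intended & 0o777

if __name__ == "__main__":
    posted = share_masks(SMB_CONF, "IT")
    # Assumption for comparison: also restrict the masks, not only the force bits.
    fixed = dict(posted, **{"create mask": 0o770, "directory mask": 0o770})
    for name, m in (("as posted", posted), ("masks added", fixed)):
        f, d = samba_mode(m), samba_mode(m, directory=True)
        print(f"{name}: file {f:o} (excess {excess_bits(f):o}), "
              f"dir {d:o} (excess {excess_bits(d):o})")
    print(f"umask 027: file {local_mode(0o027):o}, dir {local_mode(0o027, True):o}")
```

The force parameters only add bits, so the world-read bit that the default masks let through survives unless `create mask` and `directory mask` are restricted as well.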

