SMB Permissions issues with secondary groups?

  • Hello,


    I'm trying to add the correct permissions to smb shares, but I don't know if what I'm doing is the correct way to do it, because it doesn't work:


    I have the directory "data" with these privileges:


    and these permissions:



    here are the users:


    on ssh the user lucky, has access to everything on the "data" directory, but it doesn't work with the samba share.


    Samba share:


    what am I doing wrong?

  • You explicitly deny group media, but lucky is in group media.

    If you got help in the forum and want to give something back to the project click here (omv) or here (scroll down) (plugins) and write up your solution for others.

  • Didn't notice that, thanks.

    now I have another issue:



    in this case lucky is in users group, but I add him ACL read/write, why can't I delete or create files/directories?

    shouldn't ACL bypass linux ownership?

  • I really don't understand how the permissions work.
    I've already checked the manual for the permissions but I can't do what I want (maybe it is not possible)


    so I reset all the permissions and ACLs (with the plugin for that)

    I deleted all users and I've just created 2 users:

    I've created a Sharefolder data


    and added the share folder to SMB:


    As I understood the permissions, if in the privileges I put "no access" for a user/group, the user shouldn't have access to the SMB share.


    Thank you for your help

  • can you explain in words, what you are trying to achieve?

  • can you explain in words, what you are trying to achieve?

    So I have a directory with all my stuff (data). Inside it I have multiple folders which I want to give some users access to, but I don't want all of the users to have access to all the folders inside "data", only some folders.

    For example the user ivan can have access to everything inside "data", but the user media, only can have access to the media folder inside "data".


    Is it possible?

  • For this you will have to use ACLs / file permissions.

    Why don't you create shared folders per group?

  • Here you go: (Proposed Solution: different shared folders):

    1. Create group groupA
    2. Create group groupB
    3. Create group groupAB
    4. Create user userA and make him part of groups groupA, groupAB, users
    5. Create user userB and make him part of groups groupB, groupAB, users
    6. Shared Folder for A
      1. Create a shared folder forA
      2. Give Read/Write privileges on shared folder forA to groupA
      3. Set permissions to shared folder forA to root:rwx, groupA: rwx, other:none
    7. Shared folder for B
      1. Create a shared folder forB
      2. Give Read/Write privileges on shared folder forB to groupB
      3. Set permissions to shared folder forB to root:rwx, groupB: rwx, other:none
    8. Shared folder for A and B
      1. Create a shared folder forAB
      2. Give Read/Write privileges on shared folder forAB to groupA and groupB
      3. Set permissions to shared folder forAB to root:rwx, groupAB: rwx, other:none


    Now try to access the shares from Windows:


    and with permissions:

    1. Create a shared folder test
    2. Give privileges on shared folder test to groupAB (or individual users)
    3. Make the smb share inherit ACLs
    4. ssh to the server and cd to the shared folder
    5. Create directories and change ACLs (deny access to the foreign directories)
    Code
    pi@multipi:/srv/dev-disk-by-uuid-35a399f3-d76c-4544-b93d-d308f758a377/test $ mkdir directoryForA
    pi@multipi:/srv/dev-disk-by-uuid-35a399f3-d76c-4544-b93d-d308f758a377/test $ mkdir directoryForB
    pi@multipi:/srv/dev-disk-by-uuid-35a399f3-d76c-4544-b93d-d308f758a377/test $ setfacl -m u:userA:--- directoryForB
    pi@multipi:/srv/dev-disk-by-uuid-35a399f3-d76c-4544-b93d-d308f758a377/test $ setfacl -m u:userB:--- directoryForA

    Test it:

    Unfortunately Windows will not deny entering the directory, but will deny directory listing and file/directory creation.

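Added example, not part of any post in the thread: a simplified model of the POSIX ACL access check from acl(5), showing why the `setfacl -m u:userB:--- directoryForA` entry in the last post blocks userB even though his groups grant access, and why the same denial written as a named group entry would not. The owner `pi`, group `users` and mode of the directory are assumptions.

```python
# Added example: simplified POSIX ACL access check after acl(5).
# Root/capability bypass and Samba's own share-level checks are not modelled.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Acl:
    owner: str
    group: str
    user_obj: str                                 # owner entry, e.g. "rwx"
    group_obj: str                                # owning-group entry
    other: str
    users: dict = field(default_factory=dict)     # named user entries (u:name:perms)
    groups: dict = field(default_factory=dict)    # named group entries (g:name:perms)
    mask: Optional[str] = None                    # None = minimal ACL without mask

def check(acl, user, user_groups, wanted):
    """Return (granted, entry class that decided) for the permissions in `wanted`."""
    def has(perms):
        return all(p in perms for p in wanted)
    def masked(perms):                            # mask caps named and group entries
        return has(perms) and (acl.mask is None or has(acl.mask))
    if user == acl.owner:                         # 1. owner entry, never masked
        return has(acl.user_obj), "user::"
    if user in acl.users:                         # 2. named user entry wins over groups
        return masked(acl.users[user]), "user:" + user
    matching = [acl.group_obj] if acl.group in user_groups else []
    matching += [p for g, p in acl.groups.items() if g in user_groups]
    if matching:                                  # 3. any matching group may grant
        return any(masked(p) for p in matching), "group"
    return has(acl.other), "other"                # 4. everyone else

# Constructed state of directoryForA after `setfacl -m u:userB:--- directoryForA`;
# owner pi, group users and mode rwxrwxr-x are assumptions, not taken from the thread.
DIR_FOR_A = Acl("pi", "users", "rwx", "rwx", "r-x", users={"userB": "---"}, mask="rwx")
USER_A = {"groupA", "groupAB", "users"}
USER_B = {"groupB", "groupAB", "users"}

def demo():
    return {
        "userA_rw": check(DIR_FOR_A, "userA", USER_A, "rw"),
        "userB_r": check(DIR_FOR_A, "userB", USER_B, "r"),
        # Contrast: the same denial written as a named *group* entry does not block
        # userB, because the owning group "users" still grants rwx.
        "userB_r_group_deny": check(
            Acl("pi", "users", "rwx", "rwx", "r-x", groups={"groupB": "---"}, mask="rwx"),
            "userB", USER_B, "r"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

On a real system, `getfacl directoryForA` shows the entries this model takes as input.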
