OMV - Nextcloud Docker - Windows User - Access rights

  • So, I have the following constellation:

    - OMV installed as NAS with SMB/CIFS shares for when we are at home. The share is "free for all" in LAN (2 users...)

    - Nextcloud docker as solution to access the shares from away. Docker accesses the shares as my (OMV) user as this was the default user on OMV.

    - Windows and Linux machines that access the NAS in LAN.


    The problem:

    The Nextcloud Docker accesses the shares with my user and all the new docs and folders that it creates are visible only to this user.

    The Windows user cannot access any of these. I need to CHOWN from time to time the entire SMB share in order to level the rights...


    The question:

    How can the windows user access these docs and folders?


    Thanks!

    omv 7.4.7-1 (Sandworm) | x86_64 | Linux 6.8.12-1-pve Kernel

    plugins: omvextrasorg 7.0 | backup 7.1.4 | borgbackup 7.0.8 | compose 7.2.3 | cputemp 7.0.2 | diskstats 7.0.1-1 | kernel 7.1.2 | resetperms 7.1 | sharerootfs 7.0-1 | wol 7.0.1 | zfs 7.1.1 (I know, I know, I need a clean up...)

  • You need to force the samba users to use the same credential in that share that nextcloud is operating as.


    This is as simple as adding something along the lines of this to your extra options for that samba share setting the correct user and group to match your system. This will force the user and group to be consistent and any files copied to the share will be created with that user/group:

    force user = <desired user name>

    force group = <desired group name>


    You can also add something like this to force the permissions on the files if required, changing the permissions to match what you need:

    create mask = 6777

    directory mask = 6777

    force create mode = 6777

    force directory mode = 6777


    If you are not familiar with the permissions masks, they can be "calculated" with something like this:

    Chmod 777
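
    Added example, not part of any post in this thread: a small linter for a share's Samba extra options, checking that `force user` / `force group` match the account the other writer (here Nextcloud) runs as, and showing what the mode options do to a new file. Per the smb.conf documentation, `create mask` is ANDed with the requested mode and `force create mode` is ORed in; a leading 6 in an octal mode is setuid plus setgid. The names `ncuser` and `users` and the requested mode `0o666` are assumptions.

```python
SETID = 0o6000        # setuid + setgid
WORLD_WRITE = 0o0002
FILE_KEYS = ("create mask", "force create mode")
DIR_KEYS = ("directory mask", "force directory mode")

def parse_options(text):
    """Parse 'key = value' lines into a dict (keys lower-cased, spaces collapsed)."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[" ".join(key.lower().split())] = value.strip()
    return opts

def effective_file_mode(opts, requested=0o666):
    """New-file mode: (requested AND create mask) OR force create mode.
    `requested` is an assumed value; documented defaults are 0744 and 0000."""
    mask = int(opts.get("create mask", "0744"), 8)
    force = int(opts.get("force create mode", "0000"), 8)
    return (requested & mask) | force

def lint(text, app_user, app_group):
    """Findings for a share that a second service (app_user:app_group) also writes."""
    opts, findings = parse_options(text), []
    for key, want in (("force user", app_user), ("force group", app_group)):
        got = opts.get(key)
        if got is None:
            findings.append(f"{key} is not set")
        elif got != want:
            findings.append(f"{key} = {got} does not match {want}")
    for key in FILE_KEYS + DIR_KEYS:
        mode = int(opts[key], 8) if key in opts else 0
        if key in FILE_KEYS and mode & SETID:
            findings.append(f"{key} = {opts[key]} includes setuid/setgid bits")
        if mode & WORLD_WRITE:
            findings.append(f"{key} = {opts[key]} is world-writable")
    return findings

# Constructed inputs: the masks as posted above, and a group-only variant.
POSTED = ("force user = ncuser\nforce group = users\ncreate mask = 6777\n"
          "directory mask = 6777\nforce create mode = 6777\nforce directory mode = 6777")
GROUP_ONLY = ("force user = ncuser\nforce group = users\ncreate mask = 0664\n"
              "directory mask = 0775\nforce create mode = 0660\nforce directory mode = 0770")

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("group-only", GROUP_ONLY)):
        print(name, oct(effective_file_mode(parse_options(text))), lint(text, "ncuser", "users"))
```

    With both writers forced to the same user and group, group read/write on files is enough for them to share everything; the group-only variant yields mode 0664 for new files and produces no findings.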

  • oh thanks, that would be nice.


    I planned to look into it this weekend, but unfortunately apparmor got priority as my dockers were not functioning :(


    which is the best way to enforce this? can this be done from the openmediavault interface?


    • Official Post

    which is the best way to enforce this? can this be done from the openmediavault interface?

    To set permissions to folders and files from the interface you can use openmediavault-resetperms [How-to] Use the openmediavault-resetperms plugin

    To set 777 as BernH said select the option Everyone - read/write

  • oh thanks, that would be nice.


    I planned to look into it this weekend, but unfortunately apparmor got priority as my dockers were not functioning :(


    which is the best way to enforce this? can this be done from the openmediavault interface?

    As I said, enter those things in the extra options of the samba share. That is how you enforce the permissions and owner

    • Official Post

    As I said, enter those things in the extra options of the samba share. That is how you enforce the permissions and owner

    You're right, my mistake, I didn't read the whole post and I thought I wanted to modify the file permissions, not samba's. :thumbup:

  • Still maybe you should check the file permissions, they take precedence over samba's.

    this is easy (in my case): i will chmod/chown the share


  • So, I have checked Services -> SMB/CIFS -> Shares -> "my share" -> Edit -> Inherit Permissions. Should I check also Inherit AHL? (this was always so confusing for me...)

    then:

    Code
    # chown -R nobody:users /my/big/share
    # chmod -R ug+rw /my/big/share

    ... and everything seems to work fine. Creating folders from Linux or from Nextcloud Docker is registering the user as owner but the rights for the group are kept (rw). From windows new folders are created as "nobody".


    For me this is a working solution. Thank you all for the support!


  • I find it best in OMV to not touch ACL's at all, and just use regular permissions, ACL's can be very powerful if you need complicated rights, but 99.9% of the time they are not needed.


    If you have the force user and force group specified in the samba share, windows will create files and folders as the user/group you specified. The user/group have to be a normal linux/OMV user and the same one that nextcloud is operating as. Do not use any special system users/groups. Normal users start with id 1000 and group 100.


    The idea is to make windows and nextcloud behave as the same user/group.


    Nobody is not a normal user and is not part of the users group.


    Use normal users that you create in OMV’s users section, and use the uid and gid of that normal user as the puid and pgid for nextcloud.

  • how do I force windows to use a specific user? I only need to chown it with this user and then it will use the mask of the share?


    • Official Post

    When you access a shared folder from Windows, it asks for your credentials. You just have to enter the username and password that have access to that folder on your server. And click the "Remember" box, so you don't have to do it every time.

  • i connect without credentials... as mentioned share is in LAN "free for all" :)


    • Official Post

    share is in LAN "free for all"

    So the user accessing the resource should be indifferent. Why do you want to force it to be a specific one?

  • i do not. I just want him to have rights to modify what the "linux user" and the "docker user" have saved/created :)


    • Official Post

    Ok, going back to the beginning, I think I see what the problem is with this thread. If I'm not mistaken you are trying to access the Nextcloud database via samba. This is the error.


    Your user is the user who uses the container. Nextcloud appropriates all the files in your database, it is the normal operation of Nextcloud, therefore your user (who is the one who manages the container) is the owner of those files. Nextcloud is not designed to share these files over the network. If you change the permissions of those files, something probably won't work right.


    What I would do (and do on my server) is the following:

    - Create a shared folder on your server and move all your Nextcloud data to it. With standard permissions for the users you want and shared as you see fit.

    - Within Nextcloud install the shared storage plugin.

    - From that plugin look for your shared samba folder on your server so that Nextcloud "sees" it and can use it.


    In this situation the files are no longer in the Nextcloud database, so Nextcloud will not take ownership of them. But you will be able to use them inside Nextcloud as if they were inside the Nextcloud database.

    Outside Nextcloud you will have a shared folder shared with samba and with standard permissions. You should no longer have trouble managing them without permission interference from Nextcloud.

  • You obviously have not tried the extra samba options. The instructions I gave on entering options in the "extra options" section of a samba share force that share to make its files as the specified user and group. This is how you force windows to operate as that user, as is evident by the "force" in the options.


    For example: if nextcloud is making its files as user2:group2, but you are logged in as user1:group1 or even logged in without credentials, if you have the force user and force group as user2:group2 (the same ones nextcloud is operating as), all files will be created by windows as that user2:group2.


    This is essentially making linux chown the files when they are being made, instead of you having to manually do it.


    It's how I run my nextcloud, it's how I run my media shuttle. It's how I run any samba share where I need to control ownership, and it is what those samba options are for.

    • Official Post

    You should not modify Nextcloud database files from outside of Nextcloud. This will cause a malfunction in Nextcloud.

    If you insist on going that way, you will run into other problems.

  • You should not modify Nextcloud database files from outside of Nextcloud. This will cause a malfunction in Nextcloud.

    If you insist on going that way, you will run into other problems.

    Correct, nextcloud, because of the ownership restrictions, does not like having files modified outside of its interface. The force user and force group options of samba are part of the "semi official" work around (I say semi official because nextcloud does have a check filesystem for changes option you can put in the config.php), but files changed have to then be scanned into the database using the occ files:scan options particularly if they are larger files that are not finished writing when nextcloud checks for changes, but it does not fix the ownership issues, which is what the samba extra options will do.


    In the several nextcloud servers I run, I have scheduled occ file scans, the filesystem check option in its config.php and the forced samba user/group.


    I almost never have to touch anything manually.

    • Official Post

    Correct, nextcloud, because of the ownership restrictions, does not like having files modified outside of its interface. The force user and force group options of samba are part of the "semi official" work around (I say semi official because nextcloud does have a check filesystem for changes option you can put in the config.php), but files changed have to then be scanned into the database using the occ files:scan options particularly if they are larger files that are not finished writing when nextcloud checks for changes, but it does not fix the ownership issues, which is what the samba extra options will do.

    That's what I meant when I said other problems. If you know what you are doing you can solve it, but it is much easier to use external storage in Nextcloud. With that you have the problem solved.

    I try to make things simple.
