Rowland Penny
2024-Oct-21 08:49 UTC
[Samba] Optimal File Permissions for Shared Access Between Windows and Linux
On Sun, 20 Oct 2024 00:15:32 +0200 Jonathan Szalavecz <john_johnk at hotmail.com> wrote:

> Hi Rowland,
>
> Thank you for your feedback, and I apologize for misunderstanding
> your question earlier. Here's the output of my command:
>
> ```bash
> john_johnk@raspberrypi: $ df -T /mnt/shared/
> Filesystem     Type  1K-blocks      Used  Available Use% Mounted on
> /dev/sdb1      ext4 1921694992 224061888 1599942632  13% /mnt/shared
> ```
>
> Regarding your suggested configuration, I'm not entirely sure I
> understand it. I need access to the entire |/mnt/shared| (NAS), while
> my wife should only have read and write access to
> |/mnt/shared/partage_de_fichiers|. Shouldn't there be both a
> |DatabaseShare| and a |NAS| share in the smb.conf? Please let me know
> if I'm missing something.
>
> Best regards,
>
> Jonathan

Sorry about that, I missed that out, try this one:

[global]
   workgroup = WORKGROUP
   vfs objects = catia fruit streams_xattr
   fruit:delete_empty_adfiles = yes
   fruit:metadata = stream
   fruit:nfs_aces = no
   fruit:veto_appledouble = no
   fruit:wipe_intentionally_left_blank_rfork = yes

[NAS]
   comment = RaspberryPi
   path = /mnt/shared
   read only = no
   create mask = 0600
   directory mask = 0700

[DatabaseShare]
   comment = Database File Share
   path = /mnt/shared/partage_de_fichiers
   read only = no
   create mask = 0660
   directory mask = 0770
   force group = sharedaccess
   force create mode = 0660

The major problem people have with Samba is that they say it is hard to configure, all those parameters to set, totally missing that mostly they are setting defaults that do not need to be manually set.

You also may find it easier if you also install the acl and attr packages (they may be already installed) and use acl_xattr, so that:

   vfs objects = catia fruit streams_xattr

Becomes:

   vfs objects = catia fruit streams_xattr acl_xattr
   map acl inherit = Yes

Then read up on setfacl and getfacl. These will allow you to set finer control on your directories and files.
You would then not require the 'create', 'directory' & 'force' lines.

Rowland
Jonathan Szalavecz
2024-Oct-21 19:26 UTC
[Samba] Optimal File Permissions for Shared Access Between Windows and Linux
Hi Rowland,

Thank you for your guidance! I wanted to let you know that I already had the |acl| and |attr| packages installed. I'm currently working on configuring my ACLs correctly so that the |sharedaccess| group can traverse |/mnt/shared| without having read or write permissions. This way, they can access the |/mnt/shared/partage_de_fichiers| directory.

I appreciate your help and any further advice you might have!

Best regards,

Jonathan

On 10/21/2024 at 10:49 AM, Rowland Penny via samba wrote:

> On Sun, 20 Oct 2024 00:15:32 +0200
> Jonathan Szalavecz <john_johnk at hotmail.com> wrote:
>
>> Hi Rowland,
>>
>> Thank you for your feedback, and I apologize for misunderstanding
>> your question earlier. Here's the output of my command:
>>
>> ```bash
>> john_johnk@raspberrypi: $ df -T /mnt/shared/
>> Filesystem     Type  1K-blocks      Used  Available Use% Mounted on
>> /dev/sdb1      ext4 1921694992 224061888 1599942632  13% /mnt/shared
>> ```
>>
>> Regarding your suggested configuration, I'm not entirely sure I
>> understand it. I need access to the entire |/mnt/shared| (NAS), while
>> my wife should only have read and write access to
>> |/mnt/shared/partage_de_fichiers|. Shouldn't there be both a
>> |DatabaseShare| and a |NAS| share in the smb.conf? Please let me know
>> if I'm missing something.
>>
>> Best regards,
>>
>> Jonathan
>>
> Sorry about that, I missed that out, try this one:
>
> [global]
>    workgroup = WORKGROUP
>    vfs objects = catia fruit streams_xattr
>    fruit:delete_empty_adfiles = yes
>    fruit:metadata = stream
>    fruit:nfs_aces = no
>    fruit:veto_appledouble = no
>    fruit:wipe_intentionally_left_blank_rfork = yes
>
> [NAS]
>    comment = RaspberryPi
>    path = /mnt/shared
>    read only = no
>    create mask = 0600
>    directory mask = 0700
>
> [DatabaseShare]
>    comment = Database File Share
>    path = /mnt/shared/partage_de_fichiers
>    read only = no
>    create mask = 0660
>    directory mask = 0770
>    force group = sharedaccess
>    force create mode = 0660
>
> The major problem people have with Samba is that they say it is hard to configure, all those parameters to set, totally missing that mostly they are setting defaults that do not need to be manually set.
> You also may find it easier if you also install the acl and attr packages (they may be already installed) and use acl_xattr, so that:
>
>    vfs objects = catia fruit streams_xattr
>
> Becomes:
>
>    vfs objects = catia fruit streams_xattr acl_xattr
>    map acl inherit = Yes
>
> Then read up on setfacl and getfacl. These will allow you to set finer control on your directories and files.
> You would then not require the 'create', 'directory' & 'force' lines.
>
> Rowland
Jonathan Szalavecz
2024-Oct-23 22:08 UTC
[Samba] Optimal File Permissions for Shared Access Between Windows and Linux
Hi Rowland,

I've been working with the ACLs, and everything looks good! It seems I can now proceed with your Samba configuration.

[global]
   min protocol = SMB3

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = WORKGROUP
   vfs objects = catia fruit streams_xattr acl_xattr
   fruit:delete_empty_adfiles = yes
   fruit:metadata = stream
   fruit:nfs_aces = no
   fruit:veto_appledouble = no
   fruit:wipe_intentionally_left_blank_rfork = yes
   map acl inherit = Yes

[NAS]
   comment = RaspberryPi
   path = /mnt/shared
   read only = no

[DatabaseShare]
   comment = Database File Share
   path = /mnt/shared/partage_de_fichiers
   read only = no

Here are a few examples of the ACLs:

The directory I need to share with my wife

# file: mnt/shared/partage_de_fichiers
# owner: john_johnk
# group: sharedaccess
# flags: -s-
user::rwx
group::rwx
other::---

A utility directory

# file: mnt/shared/Utilitaires PC
# owner: john_johnk
# group: john_johnk
user::rwx
group::---
other::---

A db file

# file: mnt/shared/Database.kdbx
# owner: john_johnk
# group: john_johnk
user::rw-
group::---
other::---

The overall /mnt/shared

# file: mnt/shared
# owner: john_johnk
# group: sharedaccess
user::rwx
user:john_johnk:rwx
group::rwx
mask::rwx
other::---

Let me know if you need any further adjustments!

Best,

John

On 10/21/2024 at 10:49 AM, Rowland Penny via samba wrote:

> Sorry about that, I missed that out, try this one:
>
> [global]
>    workgroup = WORKGROUP
>    vfs objects = catia fruit streams_xattr
>    fruit:delete_empty_adfiles = yes
>    fruit:metadata = stream
>    fruit:nfs_aces = no
>    fruit:veto_appledouble = no
>    fruit:wipe_intentionally_left_blank_rfork = yes
>
> [NAS]
>    comment = RaspberryPi
>    path = /mnt/shared
>    read only = no
>    create mask = 0600
>    directory mask = 0700
>
> [DatabaseShare]
>    comment = Database File Share
>    path = /mnt/shared/partage_de_fichiers
>    read only = no
>    create mask = 0660
>    directory mask = 0770
>    force group = sharedaccess
>    force create mode = 0660
>
> The major problem people have with Samba is that they say it is hard to configure, all those parameters to set, totally missing that mostly they are setting defaults that do not need to be manually set.
> You also may find it easier if you also install the acl and attr packages (they may be already installed) and use acl_xattr, so that:
>
>    vfs objects = catia fruit streams_xattr
>
> Becomes:
>
>    vfs objects = catia fruit streams_xattr acl_xattr
>    map acl inherit = Yes
>
> Then read up on setfacl and getfacl. These will allow you to set finer control on your directories and files.
> You would then not require the 'create', 'directory' & 'force' lines.
>
> Rowland
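
A check for the goal stated earlier in the thread (the sharedaccess group may traverse /mnt/shared but not read or write it), added here as an example that is not from either poster: it parses getfacl output and reports which permission bits a member of a group gets through the group class. The sample text is constructed from the listings in the message above, and the function names are hypothetical.

```python
# SAMPLE is constructed from two of the getfacl listings quoted in the thread.
SAMPLE = """\
# file: mnt/shared
# owner: john_johnk
# group: sharedaccess
user::rwx
user:john_johnk:rwx
group::rwx
mask::rwx
other::---

# file: mnt/shared/partage_de_fichiers
# owner: john_johnk
# group: sharedaccess
# flags: -s-
user::rwx
group::rwx
other::---
"""

def parse_getfacl(text):
    """Return {path: {"group": owning_group, "acl": {(tag, qualifier): perms}}}."""
    result, cur = {}, None
    for line in text.splitlines():
        line = line.split("#effective")[0].strip()  # drop getfacl's effective-rights note
        if line.startswith("# file: "):
            cur = result.setdefault(line[8:], {"group": None, "acl": {}})
        elif line.startswith("# group: ") and cur is not None:
            cur["group"] = line[9:]
        elif line and not line.startswith(("#", "default:")) and cur is not None:
            tag, qualifier, perms = line.split(":")
            cur["acl"][(tag, qualifier)] = perms
    return result

def group_perms(entry, group):
    """Bits a group-only member gets: matching group entries, limited by the mask."""
    acl = entry["acl"]
    matches = [acl[("group", group)]] if ("group", group) in acl else []
    if entry["group"] == group and ("group", "") in acl:
        matches.append(acl[("group", "")])  # group:: applies to the owning group
    if not matches:  # no group entry matches: the "other" entry applies, unmasked
        return acl.get(("other", ""), "---")
    mask = acl.get(("mask", ""), "rwx")
    return "".join(b if any(m[i] == b for m in matches) and mask[i] == b else "-"
                   for i, b in enumerate("rwx"))

def exceeds_traverse(entry, group):
    """True when the group can list or modify the directory, not just pass through."""
    return bool(set(group_perms(entry, group)) & {"r", "w"})
```

Run against the /mnt/shared listing, `exceeds_traverse` returns True for sharedaccess, because that group owns the directory and `group::` is `rwx`; a traverse-only parent would show `group::--x` there.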