samba - Oct 2024 - Optimal File Permissions for Shared Access Between Windows and Linux

Hi Rowland,

I've been working with the ACLs, and everything looks good! It seems I 
can now proceed with your Samba configuration.

[global]
 ?? min protocol = SMB3
## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
 ?? workgroup = WORKGROUP
 ?? vfs objects = catia fruit streams_xattr acl_xattr
 ?? fruit:delete_empty_adfiles = yes
 ?? fruit:metadata = stream
 ?? fruit:nfs_aces = no
 ?? fruit:veto_appledouble = no
 ?? fruit:wipe_intentionally_left_blank_rfork = yes
 ?? map acl inherit = Yes

[NAS]
 ?? comment = RaspberryPi
 ?? path = /mnt/shared
 ?? read only = no

[DatabaseShare]
 ?? comment = Database File Share
 ?? path = /mnt/shared/partage_de_fichiers
 ?? read only = no

Here are a few examples of the ACLs:

The directory I need to share with my wife

# file: mnt/shared/partage_de_fichiers
# owner: john_johnk
# group: sharedaccess
# flags: -s-
user::rwx
group::rwx
other::---

An utility directory
file: mnt/shared/Utilitaires PC
# owner: john_johnk
# group: john_johnk
user::rwx
group::---
other::---

A db file

# file: mnt/shared/Database.kdbx
# owner: john_johnk
# group: john_johnk
user::rw-
group::---
other::---

The overall /mnt/shared
# file: mnt/shared
# owner: john_johnk
# group: sharedaccess
user::rwx
user:john_johnk:rwx
group::rwx
mask::rwx
other::---

Let me know if you need any further adjustments!

Best,
John




Le 10/21/2024 ? 10:49 AM, Rowland Penny via samba a
?crit?:
> Sorry about that, I missed that out, try this one:
>
> [global]
>   ?? workgroup = WORKGROUP
>   ?? vfs objects = catia fruit streams_xattr
>   ?? fruit:delete_empty_adfiles = yes
>   ?? fruit:metadata = stream
>   ?? fruit:nfs_aces = no
>   ?? fruit:veto_appledouble = no
>   ?? fruit:wipe_intentionally_left_blank_rfork = yes
>
> [NAS]
>   ?? comment = RaspberryPi
>   ?? path = /mnt/shared
>   ?? read only = no
>   ?? create mask = 0600
>   ?? directory mask = 0700
>
> [DatabaseShare]
>   ?? comment = Database File Share
>   ?? path = /mnt/shared/partage_de_fichiers
>   ?? read only = no
>   ?? create mask = 0660
>   ?? directory mask = 0770
>   ?? force group = sharedaccess
>   ?? force create mode = 0660
>
> The major problem people have with Samba is that they say it is hard to
configure, all those parameters to set, totally missing that mostly they are
setting defaults that do not need to be manually set.
> You also may find it easier if you also install the acl and attr packages
(they may be already installed) and use acl_xattr, so that:
>
> vfs objects = catia fruit streams_xattr
>
> Becomes:
>
> vfs objects = catia fruit streams_xattr acl_xattr
> map acl inherit = Yes
>
> Then read up on setfacl and getfacl. These will allow you to set finer
control on your directories and files.
> You would then not require the 'create', 'directory' &
'force' lines.
>
> Rowland

I thought with the ACL it would be easier but it is the same nightmare :-(


john_johnk at raspberrypi:~ $ getfacl /mnt/shared/partage_de_fichiers
getfacl: Removing leading '/' from absolute path names
# file: mnt/shared/partage_de_fichiers
# owner: john_johnk
# group: sharedaccess
# flags: -s-
user::rwx
group::rwx
other::---
default:user::rw-
default:group::rw-
default:group:sharedaccess:rw-
default:mask::rw-
default:other::---


but when I create a file from DatabaseShare ...the group is wrong and I 
have the x execution which comes from nowhere :-(


john_johnk at raspberrypi:~ $ ls -l /mnt/shared/partage_de_fichiers
total 102120

-rw-rwx---+ 1 john_johnk john_johnk?????? 73979 Oct 10? 2016 'Facture 
RAM_2.pdf'
-rw-rwx---+ 1 john_johnk john_johnk????? 125627 Dec? 2? 2021 'Facture 
Tennis RNS21.pdf'


Le 10/24/2024 ? 12:08 AM, Jonathan Szalavecz via samba a
?crit?:
> Hi Rowland,
>
> I've been working with the ACLs, and everything looks good! It seems I 
> can now proceed with your Samba configuration.
>
> [global]
> ?? min protocol = SMB3
> ## Browsing/Identification ###
>
> # Change this to the workgroup/NT-domain name your Samba server will 
> part of
> ?? workgroup = WORKGROUP
> ?? vfs objects = catia fruit streams_xattr acl_xattr
> ?? fruit:delete_empty_adfiles = yes
> ?? fruit:metadata = stream
> ?? fruit:nfs_aces = no
> ?? fruit:veto_appledouble = no
> ?? fruit:wipe_intentionally_left_blank_rfork = yes
> ?? map acl inherit = Yes
>
> [NAS]
> ?? comment = RaspberryPi
> ?? path = /mnt/shared
> ?? read only = no
>
> [DatabaseShare]
> ?? comment = Database File Share
> ?? path = /mnt/shared/partage_de_fichiers
> ?? read only = no
>
> Here are a few examples of the ACLs:
>
> The directory I need to share with my wife
>
> # file: mnt/shared/partage_de_fichiers
> # owner: john_johnk
> # group: sharedaccess
> # flags: -s-
> user::rwx
> group::rwx
> other::---
>
> An utility directory
> file: mnt/shared/Utilitaires PC
> # owner: john_johnk
> # group: john_johnk
> user::rwx
> group::---
> other::---
>
> A db file
>
> # file: mnt/shared/Database.kdbx
> # owner: john_johnk
> # group: john_johnk
> user::rw-
> group::---
> other::---
>
> The overall /mnt/shared
> # file: mnt/shared
> # owner: john_johnk
> # group: sharedaccess
> user::rwx
> user:john_johnk:rwx
> group::rwx
> mask::rwx
> other::---
>
> Let me know if you need any further adjustments!
>
> Best,
> John
>
>
>
>
> Le 10/21/2024 ? 10:49 AM, Rowland Penny via samba a ?crit?:
>> Sorry about that, I missed that out, try this one:
>>
>> [global]
>> ? ?? workgroup = WORKGROUP
>> ? ?? vfs objects = catia fruit streams_xattr
>> ? ?? fruit:delete_empty_adfiles = yes
>> ? ?? fruit:metadata = stream
>> ? ?? fruit:nfs_aces = no
>> ? ?? fruit:veto_appledouble = no
>> ? ?? fruit:wipe_intentionally_left_blank_rfork = yes
>>
>> [NAS]
>> ? ?? comment = RaspberryPi
>> ? ?? path = /mnt/shared
>> ? ?? read only = no
>> ? ?? create mask = 0600
>> ? ?? directory mask = 0700
>>
>> [DatabaseShare]
>> ? ?? comment = Database File Share
>> ? ?? path = /mnt/shared/partage_de_fichiers
>> ? ?? read only = no
>> ? ?? create mask = 0660
>> ? ?? directory mask = 0770
>> ? ?? force group = sharedaccess
>> ? ?? force create mode = 0660
>>
>> The major problem people have with Samba is that they say it is hard 
>> to configure, all those parameters to set, totally missing that 
>> mostly they are setting defaults that do not need to be manually set.
>> You also may find it easier if you also install the acl and attr 
>> packages (they may be already installed) and use acl_xattr, so that:
>>
>> vfs objects = catia fruit streams_xattr
>>
>> Becomes:
>>
>> vfs objects = catia fruit streams_xattr acl_xattr
>> map acl inherit = Yes
>>
>> Then read up on setfacl and getfacl. These will allow you to set 
>> finer control on your directories and files.
>> You would then not require the 'create', 'directory'
& 'force' lines.
>>
>> Rowland