This is the old XigmaNAS forum in read-only mode;
it will be taken offline by the end of March 2021!

I would like to ask users and admins to rewrite/take over important posts from here into the new main forum!
It's not possible for us to export from here and import into the main forum!

Samba Shares

CIFS/SMB network sharing.
Jadokus
NewUser
Posts: 7
Joined: 09 Jan 2016 15:35

Samba Shares

Post by Jadokus »

Hello,

I have set up a new installation of NAS4Free and replaced a FreeNAS system. My team with their Windows 10 machines should have full permissions on the share "kundendaten". They and I are members of the group "mitarbeiter".
The filesystem is UFS and I mounted it with the owner "marcus" (me) and group "mitarbeiter"; the permission set is 770.

The problem is that I want to set permissions 0770, but I get 0730; the group is not allowed to read.
I searched the internet for hours and hours and tried a lot of things, but nothing worked.

Do you have a solution for me?

Thank you very much
Marcus

My smb4.conf:

[global]
server role = standalone
encrypt passwords = yes
netbios name = mynas
workgroup = ARBEITSGRUPPE
server string =
security = user
max protocol = SMB3
client max protocol = SMB3
dns proxy = no
# Settings to enhance performance:
strict locking = no
read raw = yes
write raw = yes
oplocks = yes
max xmit = 65535
deadtime = 15
getwd cache = yes
socket options = TCP_NODELAY SO_SNDBUF=128480 SO_RCVBUF=128480
# End of performance section
unix charset = UTF-8
local master = yes
domain master = yes
preferred master = yes
os level = 35
time server = yes
guest account = ftp
map to guest = Never
max log size = 100
syslog only = yes
syslog = 1
load printers = no
printing = bsd
printcap cache time = 0
printcap name = /dev/null
disable spoolss = yes
log level = 1
dos charset = CP852
smb passwd file = /var/etc/private/smbpasswd
private dir = /var/etc/private
passdb backend = tdbsam
idmap config * : backend = tdb
idmap config * : range = 10000-39999
aio read size = 1024
aio write size = 1024
username level = 3

[Kundendaten]
comment = Kundendaten
path = /mnt/mynas/kundendaten/
writeable = yes
printable = no
veto files = /.snap/.sujournal/
hide dot files = yes
guest ok = no
vfs objects = shadow_copy2 aio_pthread
shadow:format = auto-%Y%m%d-%H%M%S
shadow:snapdir = .zfs/snapshot
shadow:sort = desc
shadow:localtime = yes
create mask = 0770
directory mask = 0770
force create mode = 0770
force directory mode = 0770
force group = mitarbeiter
inherit permissions = no
oplocks = no
valid users = mitarbeiter

Onichan
Advanced User
Posts: 238
Joined: 04 Jul 2012 21:41

Re: Samba Shares

Post by Onichan »

I actually have never tried to enforce permissions using Samba, I always configure it on the filesystem and just set Samba to inherit.

I'm guessing kundendaten is a dataset? What are the permissions set on the dataset itself? Check under Disks>ZFS>Datasets, then click the wrench for kundendaten; at the bottom it has Access Restrictions. Make sure the owner and group are set properly, and under Mode check all 3 for Owner and Group and uncheck all 3 for Others.

Jadokus
NewUser
Posts: 7
Joined: 09 Jan 2016 15:35

Re: Samba Shares

Post by Jadokus »

Hello Onichan, thank you for your answer. No, Kundendaten isn't a dataset. It is a share. My Disks->ZFS->Datasets is empty.
Do you know if I can transfer a share into a ZFS dataset without losing my files?
Thank you very much.

Marcus

JoseMR
Hardware & Software Guru
Posts: 1058
Joined: 16 Apr 2014 04:15
Location: PR

Re: Samba Shares

Post by JoseMR »

Hello, have you tried to manually set the permissions and tested?
If not, then try:

# chmod -R 0770 /mnt/mynas/kundendaten
and
# chown -R marcus:mitarbeiter /mnt/mynas/kundendaten
Also add "marcus" as a member of the Primary Group "mitarbeiter"; as Additional group you may want to add "admin" and "wheel" under Access|Users. Then restart Samba under Services|CIFS/SMB|Settings and test.

On the share transfer to a ZFS dataset, you need to set up a ZFS disk first, then copy the files from the old UFS disk/share to the new dataset. Alternatively, you can back up the files to any other computer on the network, then restore from backup.
System: FreeBSD 12 RootOnZFS Mirror, MB: Supermicro X8SI6-F, Xeon X3450, 16GB DDR3 ECC RDIMMs.

Jadokus
NewUser
Posts: 7
Joined: 09 Jan 2016 15:35

Re: Samba Shares

Post by Jadokus »

Hello JoseMR,

Yes, I did chmod and chown too. It now seems to work if I (marcus) create a file or directory. But if a member of the group does the same thing, I am not allowed to read the files (rwx-wx---) and not allowed to do anything on the directories (rwx------).
But on the share "kundendaten" I set

create mask = 0770
directory mask = 0770
force create mode = 0770
force directory mode = 0770

Why is the system ignoring that? Why is the behavior of files and directories not equal?

Thank you very much.

floyd
NewUser
Posts: 2
Joined: 18 Jan 2016 21:56

Re: Samba Shares

Post by floyd »

I need the following rights to be applied using only the graphical interface, if that is possible:

I have 2 folders and few users / groups of users. Everything is listed in the following text.

Existing folders (contains photos, videos and music):
media-archive
media-new


Users:
me
wife
son
user1
user2
visitor1
root (system administrator)

Groups (listed with belonging users):
mediaRW : me, wife
mediaR : me, wife, son, user1, user2

I need the two groups to have different permissions on the folder "media-new", so that group "mediaRW" has all rwx permissions and group "mediaR" has only r-x permissions (so not able to delete, but only able to see and execute files).
The owner of this folder should be only the root user. Other users (not listed, including guest) shall have --- permission (no access).

For folder "media-archive" it should be easy: only user "me" should have all permissions, and group "mediar" could read and execute files.
It should be something like:
owner me rwx
group mediar r-x
other ---

So, user "visitor" or "guest" (system-defined guest account) should never be able to see the files.

And, of course, uPnP devices (as those folders contain multimedia data) should have access to both folders (without the right to change anything).

Thank you in advance; I will appreciate any answer.

As I am very new to Nas4Free, if it is not possible to solve this using only the graphical user interface, it would be helpful to give me some guidance on what to look for in Nas4Free.
HP ProLiant MicroServer Gen 8 running NAS4FREE

Onichan
Advanced User
Posts: 238
Joined: 04 Jul 2012 21:41

Re: Samba Shares

Post by Onichan »

You can't have two group permissions applied to files using *nix permissions. You could have the group permission be you and your wife with write, then the everybody permission be the mediaR, but since you also want a guest account with no access, you're forced to use ACLs. I haven't messed with ACLs, so I can't help you there.

floyd
NewUser
Posts: 2
Joined: 18 Jan 2016 21:56

Re: Samba Shares

Post by floyd »

Is it possible to make two data pools and do something this way (just to divide the folders media-archive and media-new into different pools with different permissions)?
HP ProLiant MicroServer Gen 8 running NAS4FREE

Onichan
Advanced User
Posts: 238
Joined: 04 Jul 2012 21:41

Re: Samba Shares

Post by Onichan »

You mean two datasets? I don't see how it would work with what you want. The problem is you want 2 accounts to have write access and 3 others to have read access, then everybody else to have no access, which would require 2 different group settings and an everybody-else setting.

You said you want other users to have no access, you know if you set the Map to guest as never then only accounts you have created yourself in Access|Users will count as valid users to SMB. Meaning for mediaR you could have owner as root with permission 7, then whatever group your account is in as the group permission and set to 7, then have the other set to 5. Allowing you and your wife write permissions and the user1 group with read permissions, but other accounts to include builtin ones (except root) wouldn't have access.

If you were planning to make a guest account yourself then that wouldn't work. The only option then is to make yourself the owner with write permissions then the user1 group have read permission then the everybody else with no access and just share your account with your wife.
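
Onichan's two replies above, checked mechanically (an added example, not part of the original thread): the script models the classic owner/group/other check, where only the first matching class applies, and searches every owning group and mode for floyd's "media-new" requirements. The user and group names come from floyd's post; the function names and the reduction of permissions to one rwx digit per user are assumptions made for the illustration.

```python
from itertools import product

# Constructed from floyd's post: group membership and the access wanted
# on "media-new" as rwx digits (7 = rwx, 5 = r-x, 0 = ---).
GROUPS = {"mediaRW": {"me", "wife"},
          "mediaR": {"me", "wife", "son", "user1", "user2"}}
WANTED = {"me": 7, "wife": 7, "son": 5, "user1": 5, "user2": 5, "visitor1": 0}

def effective_bits(user, owner, group, mode):
    """Classic Unix check: exactly one class applies, first match wins."""
    if user == owner:
        return (mode >> 6) & 7
    if user in GROUPS[group]:
        return (mode >> 3) & 7
    return mode & 7

def satisfying_layouts(wanted, owners=("root",)):
    """Try every owner, owning group and mode; return the ones that fit."""
    hits = []
    for owner, group, mode in product(owners, GROUPS, range(0o1000)):
        if all(effective_bits(u, owner, group, mode) == bits
               for u, bits in wanted.items()):
            hits.append((owner, group, oct(mode)))
    return hits

def access_table(owner, group, mode):
    """Effective rwx digit for each of floyd's accounts under one layout."""
    return {u: effective_bits(u, owner, group, mode) for u in WANTED}

if __name__ == "__main__":
    # Owner root, as floyd asked: no group/mode combination fits.
    print("root-owned layouts that fit:", satisfying_layouts(WANTED))
    # Suggested 7/7/5 layout: a self-created visitor account can still read.
    print("root:mediaRW 0775 ->", access_table("root", "mediaRW", 0o775))
    # Last suggestion: wife uses the "me" account, so she needs no own entry.
    shared = {u: b for u, b in WANTED.items() if u != "wife"}
    print("shared 'me' account:", satisfying_layouts(shared, owners=("me",)))
```

The empty first result is the reason ACLs come up in the thread: mode bits carry only one group class, so two groups with different rights plus a no-access remainder cannot be expressed with them.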
