Here is an update on my finding for Samba configuration.
As I said before, I have various clients accessing my Samba server - including Windows, Ubuntu and Mac. However, it turned out this is not an issue on the client side - it was an issue on the Samba server side. The fact that I was able to connect to Samba share from Windows was connected to the user privileges, that particular Windows user just had all possible privileges assigned on the Linux server hosting Samba.
My smb.conf file is configured to require a Unix account in the Linux server hosting Samba for every user accessing the server ( i.e., it has "security" parameter set to "user").
So, imagine you have powerUser who should have a write access to share and readOnlyUser who has a read only access to the same share. Here is an example of such share configuration in smb.conf file:
[movies]
path = /mnt/downloads/movies
read only = yes
guest ok = no
force group = sambashare
write list = powerUser
This is a definition of a read only share with no guest users allowed, forcing the users with assigned primary group "sambashare" to access it. The powerUser has a write permission as intended.
Below I compiled a list of steps to eliminate permission related issues when clients from various OSs connect to the Samba share above:
- Make sure these user accounts created on the Linux machine hosting Samba server:
#Create powerUser and readOnlyUser and assign both to sambashare group
sudo useradd powerUser
sudo usermod -a -G sambashare powerUser
# Create readOnlyUser
sudo useradd -g sambashare readOnlyUser
# Set user passwords, make sure password used are the same as user password used on any other client machines accessing Samba.
sudo passwd powerUser
sudo passwd readOnlyUser
# Enter the same password used when account created when prompted to enter Samba password
sudo smbpasswd -L -a powerUser
sudo smbpasswd -L -a readOnlyUser
# Activate both user accounts in Samba
sudo smbpasswd -L -e powerUser
sudo smbpasswd -L -e readOnlyUser
- Configure a file security of the Samba share folder:
# Make a share directory for movies Samba share:
/mnt/downloads$ sudo mkdir movies
# Assign ownership of this folder to powerUser
/mnt/downloads$ sudo chown powerUser movies
# Assign group ownership of this folder to sambashare group
/mnt/downloads$sudo chgrp –R sambashare movies
# Set the permissions on the Samba share folder for owner (powerUser) of this folder to read/write/execute and for sambashare group (readOnlyUser) to read/execute only
/mnt/downloads$ chmod 750 movies
# Set a group sticky bit on Samba share folder, so new files created by powerUser has a sambashare group ownership assigned - i.e., can be accessed by sambashare group (readOnlyUser)
/mnt/downloads$ sudo chmod g+s movies
- Test users can access a folder content on Linux server, before trying to access a Samba share. This step would eliminate a lot of time troubleshooting users not being able to access a Samba share by making sure the Linux permission to shared folder are set correctly:
# Login as readOnlyUser from the user account used to setup users
su readOnlyUser
# Validate readOnlyUser has access to Samba share folder
cd /mnt/downloads/movies
ls -al
- Add a share configuration to /etc/samba/smb.conf as stated above:
[movies]
path = /mnt/downloads/movies
read only = yes
guest ok = no
force group = sambashare
write list = powerUser
sudo restart smbd
- Access Samba share from any of your client machines.
It should work from any OS client (e.g., Windows, Mac or Ubuntu) the same way you configure access to any other Windows share for example. No need to enter any passwords while you configure the share access - you login to client machine, and access the share. All authentication is completed behind the scene.