Celeb Glow
general | April 04, 2026

Trouble creating an accessible Samba share on a separate data partition

I am attempting to create a standalone Samba file server with user-level security for shared directories residing on a separate data partition. The problem is that some users cannot access shares on that partition even though they have full group rwx permissions.

My initial thought was to create a network share at /srv/shares but that is not on the correct partition, so I have been attempting to create a share of a directory on the data partition (nwk-data) currently mounted at /media/bill. This has not been successful.

I have considered editing fstab to mount the data partition nwk-data to /srv but am not certain that would matter: Shares created for testing purposes at various mount points above, at, and below the data partition's mount point succeed or fail depending on whether they are on that partition.

Configuration:

  • Samba 4.3 on Ubuntu Desktop 16.04

  • Two users (bill, debra) and one group (sambausers, of which bill and debra are members).

  • Three volumes: (a) backup HDD; (b) system volume; (c) data volume. Data volume has three partitions: sdc1 [reserved], sdc2 [reserved], sdc3 [nwk-data]; all three are mounted to /media/bill. [nwk-data] is the data partition.

  • Ownership for /media is root:sambausers (chown -R root:sambausers /media).

  • Permissions for /media are rwx for owner and group (chmod -R 770 /media).

  • Two client laptops. Each is Windows 7 and each has accounts/users Bill and Debra.

  • Passwords are identical for each user on all three machines (server and two laptops).

  • The main share is [users] at /media/bill/nwk-data/users (root:sambausers) (rwx for owner and group).

  • /media is shared [media] for test purposes (root:sambausers) (rwx for owner and group).

  • /media/bill is shared [bill] for test purposes (root:sambausers) (rwx for owner and group).

  • /media/bill/nwk-data is shared [nwk-data] for test purposes (root:sambausers) (rwx for owner and group).

  • Additional share [test] created for test purposes at /srv/shares (root:sambausers) (rwx for owner and group).

  • Additional share [bshare] created for test purposes at /media/bshare (root:sambausers) (rwx for owner and group).

What works:

  • Bill can access all shares from both laptops using his credentials.
  • Debra can access all shares from both laptops using Bill's credentials.
  • Debra can access [test], [bshare], and [media] from both laptops using her credentials.

What doesn't work:

  • Debra can't access [bill], [nwk-data], or [users] or any of the latter's subdirectories from either laptop using her credentials.

I have tinkered for three days with the smb.conf file, ownership, and permissions with no effect.

The problem seems to be in getting access to subdirectories of /media. I'm not sure what the hangup is. It might be an ACL issue although I know nothing of this topic. Any thoughts about what the issue might be, and even better how to fix it, would be greatly appreciated.

1 Answer

Wow. Some questions are better suited to the Ubuntu forum and this is one of them since we need to have a dialog about this.

All of this chown'ing and chmod'ing of /media and /media/bill circumvented all of the default security measures Linux put in place for these directories. /media/bill has a special permissions setting applied to it - at least it did. Had you looked at the normal permissions "ls -dl /media/bill" first, it wouldn't look like even bill would have traverse access because owner=group=root and the permissions would be drwxr-x---+. The key here is the "+" at the end. That signifies that special permissions are in place. The way to find these permissions is with this command:

getfacl -t /media/bill

It would have shown that only bill has the right to traverse the /media/bill directory to get to what is under it, where he would be subject to its permissions. Not sure what it looks like now with all your permissions changes.

If you created a share at /media/bill/nwk-data/users you only have two options - normally:

[1] Use the option force user = bill in the share definition. This will make Debra look like bill to the server so that she can traverse the /media/bill folder.

[2] Mount the partition somewhere else: one level up at /media/nwk-data, /srv/nwk-data, anywhere but under /media/bill would have worked.

Were this on the forum I would have some questions like what filesystem is mounted at /media/bill/nwk-data and how is the share configured in smb.conf.

EDIT: /media/$USER is set up by the system for every local user. Its purpose is to provide a parent directory for all non-permanent partitions or devices that a user may want to connect to his system.

When, for example, the user inserts an external USB disk into his machine, the system will automatically mount it to /media/$USER/LABEL. The reason for the "special" permissions on /media/$USER is to ensure that this device is accessible only to the user who attaches it and no one else. That user has permissions to traverse the /media/$USER directory (cross the directory) to get to the /LABEL directory. At that point he is restricted by the permissions of the /LABEL directory.

You can share something under these conditions but you will have to use the "force user" suggestion. Changing permissions on /media/$USER defeats its purpose. And changing permissions of the system folder /media is just not done.

For an internal partition it's best to mount it somewhere other than under /media/$USER.

5
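Added example, not part of the original answer: a small Python model of the POSIX ACL traverse check, walked over every directory on the way to the [users] share, to show where Debra is stopped while Bill (or a session mapped to bill by force user) gets through. The ACL listings are constructed samples in getfacl's entry notation, based on the default state the answer describes; the function names are hypothetical.

```python
# Constructed sample: (owner, group, ACL entries) per directory, in the entry
# notation getfacl prints. /media/bill carries the default per-user ACL the
# answer describes (drwxr-x---+, owner=group=root, only bill may traverse).
SAMPLE = {
    "/media": ("root", "root", "user::rwx,group::r-x,other::r-x"),
    "/media/bill": ("root", "root",
                    "user::rwx,user:bill:r-x,group::---,mask::r-x,other::---"),
    "/media/bill/nwk-data": ("root", "sambausers",
                             "user::rwx,group::rwx,other::---"),
    "/media/bill/nwk-data/users": ("root", "sambausers",
                                   "user::rwx,group::rwx,other::---"),
}

def can_traverse(user, groups, owner, group, acl):
    """POSIX ACL check for the search (x) bit on one directory."""
    perms = {(tag, name): p
             for tag, name, p in (e.split(":") for e in acl.split(","))}
    mask = perms.get(("mask", ""), "rwx")

    def has_x(p, masked):
        return "x" in p and (not masked or "x" in mask)

    if user == "root":                      # root can always search directories
        return True
    if user == owner:                       # owner entry, never masked
        return has_x(perms[("user", "")], False)
    if ("user", user) in perms:             # named user entry, masked
        return has_x(perms[("user", user)], True)
    matched = [p for (tag, name), p in perms.items()
               if tag == "group" and (name or group) in groups]
    if matched:     # a matching group entry decides; "other" is not consulted
        return any(has_x(p, True) for p in matched)
    return has_x(perms[("other", "")], False)

def first_blocked(user, groups, share_path, acls=SAMPLE):
    """Return the first directory on the path the user cannot enter, or None."""
    parts = share_path.strip("/").split("/")
    for i in range(1, len(parts) + 1):
        d = "/" + "/".join(parts[:i])
        if not can_traverse(user, groups, *acls[d]):
            return d
    return None

if __name__ == "__main__":
    share = "/media/bill/nwk-data/users"
    print("debra:", first_blocked("debra", {"debra", "sambausers"}, share))
    print("bill: ", first_blocked("bill", {"bill", "sambausers"}, share))
```

Group rwx on the share directory itself never comes into play for Debra, because the check fails one level higher at /media/bill.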
