Sunday, September 23, 2007

Samba share access control

Recently I found a problem with my existing Samba share settings: every time I edit and save a file in the share from a Windows client, the UNIX file permissions are also changed on the Samba server. And that's not desired.

After I read this article about Samba share access control, I found the solution is in the "security mask" setting, which controls the UNIX permission bits modified when a Windows NT client manipulates the UNIX permissions on a file. Another useful setting is "force create mode", which specifies a set of UNIX-mode permission bits that will always be set on a file created by Samba.

So I added security mask = 0000 and force create mode = 0774 (rwxrwxr--) to my smb.conf configuration file under the Share definitions section. Now Windows will no longer be able to change the UNIX permissions on a file. The new share definition looks like this:

[homes]
comment = Home Directories
browseable = no
writable = yes
inherit permissions=no
security mask = 0000
force create mode = 0774
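
To see which mode new files end up with under this share definition, the following added example (not code from the original post) applies the rule documented in smb.conf(5): the mode mapped from the client's request is ANDed with "create mask" (default 0744 when unset) and then ORed with "force create mode". The function names and the sample requested modes are constructed for illustration.

```python
import configparser
import stat

# Share definition from the post, embedded so the example runs offline.
SMB_CONF = """
[homes]
comment = Home Directories
browseable = no
writable = yes
inherit permissions=no
security mask = 0000
force create mode = 0774
"""


def load_share(conf_text, share):
    """Return one share's parameters as a dict (keys are lower-cased)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return dict(parser[share])


def created_file_mode(params, requested):
    """(requested AND create mask) OR force create mode, per smb.conf(5)."""
    create_mask = int(params.get("create mask", "0744"), 8)  # documented default
    force_create = int(params.get("force create mode", "0000"), 8)
    return (requested & create_mask) | force_create


def forced_bit_findings(params):
    """Name the sensitive bits that force create mode sets on every new file."""
    forced = int(params.get("force create mode", "0000"), 8)
    checks = [
        (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH, "execute bit forced"),
        (stat.S_IROTH, "world-readable forced"),
        (stat.S_IWOTH, "world-writable forced"),
    ]
    return [label for bits, label in checks if forced & bits]


if __name__ == "__main__":
    share = load_share(SMB_CONF, "homes")
    # 0o666 and 0o600 are constructed samples of the mode mapped from a client request.
    for requested in (0o666, 0o600):
        print(oct(requested), "->", oct(created_file_mode(share, requested)))
    print(forced_bit_findings(share))
```

With the default create mask, every new file in this share comes out as 0774 regardless of what the client asked for, so ordinary documents carry user and group execute bits and are readable by all local users.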

Specify force user = to make a folder easier to share (all file operations on the share are then performed as that user):
[sysbak]
valid users=@admin
force user = apache
force group = admin

Set the following in the global section if MS Office often saves/writes to the Samba shares:
strict sync = Yes
sync always = Yes
oplocks = No
level2 oplocks = No