How to create a Samba share that is writable from Windows without 777 permissions?

Solution 1

I recommend creating a dedicated user for that share and specifying it in force user (see docs).

Create a user (shareuser for example) and set the owner of everything in the share folder to that user:

adduser --system shareuser
chown -R shareuser /path/to/share

Then add force user and permission mask settings in smb.conf:

[myshare]
path = /path/to/share
writeable = yes
browseable = yes
public = yes
create mask = 0644
directory mask = 0755
force user = shareuser

Note that guest ok is a synonym for public.

Solution 2

In the share settings in smb.conf, you'll need to specify the names of users and/or groups that are allowed to write to the share, using a write list = ... line.

Example:

[myshare]
...
write list = my_linux_username

Then you'll need to use the smbpasswd command to set up a password to authenticate my_linux_username for Samba:

sudo smbpasswd -a my_linux_username

This step is necessary because the standard system passwords in /etc/shadow are hashed with algorithms that are incompatible with the password hash algorithms used in the SMB protocol. When a client sends an SMB authentication packet, it includes a hashed password. It can only be compared to another password hash that uses the same algorithm.

(Very, very old instructions from the previous millennium may recommend disabling password encryption in Samba, and using certain registry hacks to allow Windows to emit unencrypted passwords to the network. This advice is obsolete: those registry hacks may no longer work in current versions of Windows, and allow anyone who can monitor your network traffic to trivially capture your password.)


There's one more thing you may have to do client-side. When your Windows client system is joined to an Active Directory domain and you're logged in with an AD account, it automatically prefixes all unqualified usernames with the name of the AD domain of the user, i.e. you will be authenticating as AD_DOMAIN\your_username, not just your_username.

If you are logged in with a local account (or your client system is not joined to an AD domain), Windows may automatically prefix the username with the client hostname unless you specify another domain name.

To successfully log in to a stand-alone Samba server from a stand-alone Windows client, you may have to specify your username as SAMBA_SERVER_HOSTNAME\your_username.

Otherwise Samba will see the username as WINDOWS_CLIENT_HOSTNAME\your_username, conclude that it has no way to verify any users belonging to a domain named WINDOWS_CLIENT_HOSTNAME, and will reject the login.

(Newer versions of Samba may have a built-in check for this specific situation, and they might allow you access nevertheless. But this is basically how SMB authentication works "under the hood", and if you need to deal with old versions of Samba, it might be useful still.)

Solution 3

Basic working setup in my case (using SAMBA guest feature, /myfolder access rights suitable for [your_SAMBA-Unix_share_user_account]):

[global]
guest account = [your_SAMBA-Unix_share_user_account]

[mymfolder]
path = /myfolder
browseable = yes
read only = no
guest ok = yes

It is important to disconnect any other mapped drives on the Windows machine to this SAMBA server, as it appears that it is not allowed to have more than a single logged-on user at a time.

Solution 4

I was looking for this because I was in a hurry and didn't even have time to focus on creating users and so...

I just had to take the data off a Debian 9 machine as soon as possible, and this was the fastest way I thought of. If you want to avoid skipping commands you can also do this, but it is obviously not recommended unless you're in a hurry.

[mymfolder]
path = /mymfolder
writeable = yes
browseable = yes
public = yes
create mask = 0777
directory mask = 0777
force user = root 
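
An added example, not part of any answer above: a shell function that reads smb.conf-style input and reports the settings that separate Solution 1 from Solution 4 (force user = root, masks with the world-write bit set, guest write access with no hosts allow restriction). The function names, the output wording and the sample input are this example's own; [global] defaults are not applied to the shares.

```shell
#!/bin/sh
# Added example: flag risky share settings in smb.conf-style input.
# Simplification: [global] defaults are not applied to the shares.
audit_smbconf() {
    awk '
    function yes(v) { v = tolower(v); return v == "yes" || v == "true" || v == "1" }
    function worldw(v) { return v != "" && index("2367", substr(v, length(v), 1)) > 0 }
    function report() {
        if (share == "" || tolower(share) == "global") return
        if (tolower(fuser) == "root")
            print share ": force user = root, every client write runs as root"
        if (worldw(cmask)) print share ": create mask " cmask " permits world-writable new files"
        if (worldw(dmask)) print share ": directory mask " dmask " permits world-writable new directories"
        if (guest && writable && !hosts)
            print share ": guest-writable with no hosts allow restriction"
    }
    function reset() { fuser = cmask = dmask = ""; guest = writable = hosts = 0 }
    {
        sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")
        if ($0 == "" || $0 ~ /^[#;]/) next
        if ($0 ~ /^\[.*\]$/) { report(); reset(); share = substr($0, 2, length($0) - 2); next }
        eq = index($0, "="); if (eq == 0) next
        # Samba ignores case and whitespace in parameter names.
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1); sub(/^[ \t]+/, "", val)
        if (key == "guestok" || key == "public") guest = yes(val)
        else if (key == "writeable" || key == "writable") writable = yes(val)
        else if (key == "readonly") writable = !yes(val)
        else if (key == "forceuser") fuser = val
        else if (key == "createmask") cmask = val
        else if (key == "directorymask") dmask = val
        else if (key == "hostsallow") hosts = 1
    }
    END { report() }
    ' "$@"
}

# Constructed sample: the share from Solution 1 next to the one from Solution 4.
sample_conf() {
    printf '%s\n' '[myshare]' 'path = /path/to/share' 'writeable = yes' \
        'public = yes' 'create mask = 0644' 'directory mask = 0755' \
        'force user = shareuser' '[mymfolder]' 'path = /mymfolder' \
        'writeable = yes' 'public = yes' 'create mask = 0777' \
        'directory mask = 0777' 'force user = root'
}

sample_conf | audit_smbconf
```

Run it against a real file with `audit_smbconf /etc/samba/smb.conf`; a share that produces no lines passed all three checks.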

Author: Skyler

Just some user who has some questions.

Updated on September 18, 2022

Comments

  • Skyler
    Skyler over 1 year

    I have a path on a Linux machine (Debian 8) which I want to share with Samba 4 to Windows computers (Win7 and 8 in a domain). In my smb.conf I did the following:

    [myshare]
    path = /path/to/share
    writeable = yes
    browseable = yes
    guest ok = yes
    public = yes
    

    I have perfect read access from Windows. But in order to have write access, I need to do chmod -R 777 /path/to/share in order to be able to write to it from Windows.

    What I want is write access from Windows after I provide the Linux credentials of the Linux owner of /path/to/share.

    I already tried:

    [myshare]
    path = /path/to/share
    writeable = yes
    browseable = yes
    

    Then Windows asks for credentials, but no matter what I enter, it's always denied.

    What is the correct way to gain write access to Samba shares from a Windows domain computer without granting 777 permissions?

  • firepol
    firepol over 7 years
    I had a similar problem and all Google searches showed the dirty way to simply use 777. I wanted 775 for my shared folder and I wanted files to be created using my Linux "defaultUser". I also used public = yes. The folder was 775, the create and dir masks were 775, but in Windows it was not writable and I could not figure out why. Adding force user = defaultUser did the job for me.
  • Mark Kramer
    Mark Kramer almost 7 years
    I can't get this to work, any time I try to share the directory, I just get a window telling me I need to give "others" write permission in order to share the directory.
  • Mark Kramer
    Mark Kramer almost 7 years
    I got it, the problem was the location of smb.conf. Google and even Samba's documentation said the file should be at /usr/local/samba/lib, but actually it is in /etc/samba
  • RobertL
    RobertL over 5 years
    @MarkKramer It's a good idea to follow the documents included in your specific Linux distribution because many distros re-organize the files to fit the Linux Foundation's FHS (Filesystem Hierarchy Standard). I recommend reading and searching the docs delivered with your distro because Google's not always the best answer; for example, you may get info for a different version of the software. Best Regards.
  • ctorx
    ctorx over 4 years
    And if you go this route you can restrict by host using the "hosts allow" option. See: samba.org/samba/docs/server_security.html
  • Admin
    Admin about 4 years
    Why is a dedicated share user recommended exactly?
  • Tim Davis
    Tim Davis almost 4 years
    \username also works in Windows, with only one backslash
  • Clive Long
    Clive Long over 2 years
    This approach worked for me where nothing else I read or tried had. Thanks.