{"id":56,"date":"2010-01-19T05:57:49","date_gmt":"2010-01-19T05:57:49","guid":{"rendered":"http:\/\/poojanwagh.opalstacked.com\/techblog\/?p=56"},"modified":"2011-02-01T04:03:06","modified_gmt":"2011-02-01T04:03:06","slug":"sharing-samba-shares-between-users","status":"publish","type":"post","link":"https:\/\/tech.poojanblog.com\/blog\/unix-linux\/sharing-samba-shares-between-users\/","title":{"rendered":"Sharing Samba shares between users"},"content":{"rendered":"<h3>Update 2<\/h3>\n<p>The path should look like so:<br \/>\n<code><br \/>\n[homes]<br \/>\n   comment = Home Directories<br \/>\n   browseable = no<br \/>\n   writable = yes<br \/>\n   path = \/tank\/Users\/%S<br \/>\n<\/code><br \/>\nNote the capital <code>%S<\/code>.<\/p>\n<h3>Update<\/h3>\n<p>I found the answer to why the <code>[homes]<\/code> share definition seemed to be screwed up. Basically, according to <a href=\"http:\/\/www.samba.org\/samba\/docs\/man\/manpages-3\/smb.conf.5.html\">the smb.conf man page<\/a>, <code>%u<\/code> maps to the username, while <code>%s<\/code> maps to the &#8220;service&#8221;. So, when I tried to access <code>\\\\server\\Public<\/code>, the <code>[homes]<\/code> directive gets matched because <code>Public<\/code> is a valid Samba user on the server. Samba then tries to figure out what directory this share should map to, and finds its definition is <code>\/tank\/Users\/%u<\/code>. Well, <code>%u<\/code> gets expanded as <code>Poojan<\/code>, so it says that <code>\\\\server\\Public<\/code> maps to <code>\/tank\/Users\/Poojan<\/code> (as does <code>\\\\server\\Poojan<\/code>). Instead, if I define the path as <code>\/tank\/Users\/%s<\/code>, the directory gets expanded to <code>\/tank\/Users\/Public<\/code>, because <code>Public<\/code> is the share being requested. 
And that&#8217;s what I want.<\/p>\n<h3>Original Post<\/h3>\n<p>I wanted to create per-user Samba shares on <a title=\"Freebsd + Samba with ZFS\" href=\"http:\/\/poojanwagh.opalstacked.com\/techblog\/unix-linux\/freebsd-samba-with-zfs\/\">my file server<\/a>. In addition (similar to the Vista\/Windows 7 setup), I wanted to create a <code>Public<\/code> directory. I thought (rather naively) that I could just add <code>Public<\/code> as another user. I did so with the following entry in smb.conf:<br \/>\n<code><br \/>\n[homes]<br \/>\ncomment = Home Directories<br \/>\nbrowseable = no<br \/>\nwritable = yes<br \/>\npath = \/tank\/Users\/%u<br \/>\n<\/code><br \/>\nWhat&#8217;s weird is that I could log in and access <code>\\\\server\\Public\\Documents<\/code> (for example), but what I&#8217;d see was identical to <code>\\\\server\\Poojan\\Documents<\/code> (<code>Poojan<\/code> being my username). I found a few references that said the correct incantation is:<\/p>\n<p><code><br \/>\n[homes]<br \/>\ncomment = Home Directories<br \/>\nbrowseable = no<br \/>\nwritable = yes<br \/>\npath = \/tank\/Users\/%S<br \/>\nvalid users = %S<br \/>\n<\/code><br \/>\nThis seemed to work&#8211;except I still couldn&#8217;t access the share. Apparently, <code>%S<\/code> maps to the current user, not just any user (I still haven&#8217;t exactly figured this out).<br \/>\nUnfortunately, the Windows CIFS\/SMB protocol doesn&#8217;t allow one to log in to another machine under two different credentials. So, I couldn&#8217;t (for example) connect to the server under the credentials <code>Poojan<\/code> and then access a share with the username <code>Public<\/code>. I had a few options here: I could remove the <code>valid users = %S<\/code> directive, which meant that anyone could access the shares. Or, I could rely on UNIX group permissions. I decided to go the latter route. 
I didn&#8217;t want (for example) my kids to delete files in this share, as it contains some important stuff that both my wife and I should have access to. (I say should, because my wife has better things to do than to look up our 2004 tax return.)<br \/>\nSo, I created the following entry:<\/p>\n<p><code><br \/>\n[Public]<br \/>\ncomment = Public (user-wide) directories<br \/>\nbrowseable = yes<br \/>\nwriteable = no<br \/>\npath = \/tank\/Users\/Public<br \/>\nwrite list = Poojan, Wife<br \/>\ncreate mask = 0770<br \/>\ndirectory mask = 0770<br \/>\n<\/code><br \/>\nWhat&#8217;s weird is that I still couldn&#8217;t access the share. As it turned out, the <code>[homes]<\/code> section took precedence. In order to stop the <code>[homes]<\/code> directive from mapping a share to <code>\/tank\/Users\/%S<\/code>, I had to delete the Samba user <code>Public<\/code>:<br \/>\n<code><br \/>\nsmbpasswd -x Public<br \/>\n<\/code><br \/>\nIt wasn&#8217;t enough to disable (<code>smbpasswd -d<\/code>) the <code>Public<\/code> user. Another thing I found (on FreeBSD at least) is that if you delete the UNIX user first, you can&#8217;t then delete the Samba user; <code>smbpasswd<\/code> complains that the user database is corrupt because the Samba user exists but the UNIX user does not.<br \/>\nAs for the UNIX groups, I created a UNIX group called <code>Users<\/code> to house the entire family. The UNIX directory <code>\/tank\/Users\/Public<\/code> has the group set to <code>Users<\/code>. 
So, only members of the group can read\/write at the UNIX level, and only the wife and I can write at the Samba level.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As for the UNIX groups, I created a UNIX group called <code>Users<\/code> to house the entire family. The UNIX directory <code>\/tank\/Users\/Public<\/code> has the group set to <code>Users<\/code>. So, only members of the group can read\/write at the UNIX level, and only the wife and I can write at the Samba 
level.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[10],"tags":[12,14,13],"class_list":["post-56","post","type-post","status-publish","format-standard","hentry","category-unix-linux","tag-freebsd","tag-permissions","tag-samba"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/tech.poojanblog.com\/blog\/wp-json\/wp\/v2\/posts\/56","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tech.poojanblog.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tech.poojanblog.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tech.poojanblog.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/tech.poojanblog.com\/blog\/wp-json\/wp\/v2\/comments?post=56"}],"version-history":[{"count":6,"href":"https:\/\/tech.poojanblog.com\/blog\/wp-json\/wp\/v2\/posts\/56\/revisions"}],"predecessor-version":[{"id":443,"href":"https:\/\/tech.poojanblog.com\/blog\/wp-json\/wp\/v2\/posts\/56\/revisions\/443"}],"wp:attachment":[{"href":"https:\/\/tech.poojanblog.com\/blog\/wp-json\/wp\/v2\/media?parent=56"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tech.poojanblog.com\/blog\/wp-json\/wp\/v2\/categories?post=56"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tech.poojanblog.com\/blog\/wp-json\/wp\/v2\/tags?post=56"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}