How to setup samba share to be mounted as specific user?

Question

I want to create samba share to which users can connect as specific samba user. I created user, let's say henry, and I want to make storage in his home.

So I have in my /etc/samba/smb.conf:

[myshare]
  path = /home/henry
  browsable = yes
  read only = no
  guest ok = no
  create mask = 0644

Now when I connect by smbclient everything is fine. But I want to mount this share as CIFS. I can do:

sudo mount -t cifs //myserver/myshare /media/remote-share -o user=henry

But then when I try to create a file in /media/remote-share, I get permission denied :(

How should I configure it if I want everybody to have access there, but as specific user, not as guest?

Both server and client are ubuntu machines.

Did you try to stick "-o user=henry" right after "-t cifs"? The syntax for mount (and the usual practice in unixes) states that options follow the command. Perhaps -o in your command gets ignored because you placed it at the end of the command? — Anonymous, Aug 02 '09 at 20:13
No, it is not ignored. Without this I wouldn't be able to mount it, there is "guest ok = no". I can mount and see files, I just can't create new one. — amorfis, Aug 02 '09 at 20:50

score 17 · Accepted Answer · answered Aug 03 '09 at 11:25

ok, i've re-read your question and have another answer.

when you mount it in /etc/fstab or with sudo mount from the command line, you need to set the uid and gid and optionally the umask too (file_mode and dir_mode) so that local users on the client can use the share. otherwise, it will default to being owned by root and W only by root. and it probably doesn't hurt to explicitly mount it as RW.

sudo mount -t cifs //myserver/myshare /media/remote-share \
  -o rw,user=henry,uid=xxx,gid=yyy

where xxx and yyy are the local (local to the client, that is) user and group that should "own" the share when it is mounted. if it's only one local user that needs access, the gid probably doesn't matter. if multiple local users need access, then the gid has to be set and every local user who needs access has to be a member of that gid.

there are other options that may need to be set, depending on your network setup (e.g. you may need to specify the domain). see the manpage for mount.cifs(8) for more details.

BTW, see the notes about credentials file if you're mounting it from /etc/fstab. fstab is world-readable so not a good place to put passwords. a credentials file can be owned by root, mode 600.

i think both my answers are relevant. one answer deals with the server side, the other deals with the client side. good luck, hope it works for you. — cas, Aug 03 '09 at 11:55
@edwardtorvalds mount options can change over the course of 6 years. — cas, Nov 10 '15 at 11:12

score 6 · Answer 2 · answered Aug 02 '09 at 21:18

the mount command is on the client side and doesn't control what the server allows.

you need to set up the share on the server so that anyone in a particular group ("valid users = groupname") can connect to the share, and then force the connection to be as user henry ("force user = henry"), regardless of what username/password they actually logged in with.

on ubuntu, as on debian, henry probably already has his own dedicated group (adduser on debian defaults to making a group for each user), but don't use that, unless you want everyone in that group to have access to all of henry's files rather than just those in the share.

e.g. make a unix (or ldap or Active Directory) group called "henry-share-g", and add anyone who needs access to the share to that group.

then configure the share in samba to set the permissions so that files are created RW by user & group, and directories are created RWX by user & group AND setgid (so that new files/dirs are created with group 'henry-share-g').

e.g. something like this:

[myshare]
    path = /home/henry
    force security mode = 0664
    force directory security mode = 2775
    force create mode = 0664
    force directory mode = 2775
    read only = No
    browseable = Yes
    force user = henry
    force group = henry-share-g
    valid users = +henry-share-g

this example makes the files and directories world-readable as well as RW by user & group. if you don't want that, then use 0660 for files and 2770 for directories.

BTW, the above is roughly what i do on my samba server at work whenever one of the professors wants a group share for everyone in his research group to be able to use.

the only real difference is that i don't use an existing user account. I create a dedicated user in AD for the share as well as a dedicated group, because there needs to be a separation between the prof's personal files and his/her research group's files. i also set a quota for that user & group, which is separate from the user's personal quota. i.e. i'd create and use something like "henry-share-u" rather than use the existing "henry" account.

I'm afraid it doesn't work :( I created group on server, added user henry to it, configured smb.conf just like you said and still it is the same. I can put files through smbclient, but not when I mount share by "mount". And yes, I restarted samba after editing smb.conf. — amorfis, Aug 02 '09 at 22:50
I also noticed one strange thing. When I put files by smbclient, they end up with permissions rwxrw-r--. This is not what we set in smb.conf, is it? — amorfis, Aug 02 '09 at 22:56
there must be something else in your smb.conf which is affecting that share....maybe the default "[homes]" share? try either renaming the share & moving it out from under /home, or temporarily disabling the [homes] share. and look for any other settings or shares that could be over-riding the share definition. — cas, Aug 03 '09 at 00:53
the more i think about it, the more likely it seems that that's what is happening. if there is a user called henry then accessing a share called "henry" will access the one defined by [homes], regardless of any subsequent definition of a share called henry. so renaming the share to something that doesn't match a user's login should work. — cas, Aug 03 '09 at 00:57
[homes] share is commented out. (I didn't change the default here). I'll try to change share name. — amorfis, Aug 03 '09 at 09:23

score 1 · Answer 3 · answered Aug 02 '09 at 20:24

1

This depends on the passdb backend you chose in your smb.conf.

If you use the tdbsam backend (recommended by samba) and set security to user:

security = user
passdb backend = tdbsam

You can use /usr/bin/smbpasswd to add samba users:

Add a UNIX user using /usr/sbin/useradd
Add samba user using smbpasswd -L -a <user> (-L: local mode, -a: add user)
Map your users using /etc/samba/smbusers [Syntax: <unix-user> = <smb-user1> <smb-user2> <smb-userN>]

The paths may defer in your GNU/Lunux distribution.

answered Aug 02 '09 at 20:24

Manuel Faux

497
3
13

Well, I'll try it, but this way all users have to log as themselves, right? I can't give "henry" to everyone? If it is so, it doesn't help, because I want to put mount entry to /etc/fstab and have it mounted automatically for everybody. – amorfis Aug 02 '09 at 20:52
I think I don't follow your question, but you can still list »henry« in more than one line (= more than one UNIX user) in the `/etc/samba/smbusers` file. – Manuel Faux Aug 02 '09 at 22:32

How to setup samba share to be mounted as specific user?

3 Answers3