Samba – permission denied when share in another users home directory

permissionssamba

I have the two users equah and hoster on my machine.

I created a samba share test1 in /home/equah, which is accessible by user equah without any problem.

I also created the share test2 in /smbtest and changed ownership to user equah, which is accessible by equah too.

But when I create the share test3 in /home/hoster/sharetest and try to connect, nautilus prompts with Failed to mount Windows share: Permission denied, which is what i would like to get working.

ls -l shows the following details on the described directories:

drwx------ 14 equah equah 4096 Sep  8 20:09 /home/equah
drwxr-xr-x 2 equah equah 4096 Sep  8 20:33 /smbtest
drwxrwxrwx 3 equah equah 4096 Sep  8 20:44 /home/hoster/sharetest
drwx------ 19 hoster hoster 4096 Sep  8 20:20 /home/hoster

I also saw, that Access Control System applied permissions on the hoster home directory, which I removed to see if this was the error, but without any success.

I currently use a fresh Arch Linux installation with samba 4.8.5-1.

My samba configuration (/etc/samba/smb.conf) contains:

[global]
   workgroup = EQGROUP
   server string = eq-host samba server
   server role = standalone server
   log file = /var/log/samba/%m.log
   max log size = 50
   dns proxy = no 

[test1]
   comment = test
   path = /home/equah
   valid users = equah

[test2]
   comment = test
   path = /smbtest
   valid users = equah

[test3] # <== Not Working ?
   comment = test
   path = /home/hoster/sharetest
   valid users = equah

My toughs are, that some permission settings might prevent the logged in samba user from accessing content of a directory from which any parent directory is owned by another user. Tough creating a share in /home/hoster/sharetest/test and changing ownership of both sharetest/test to equah, does also not work to share only the test folder

Best Answer

You've got a classic ownership/permissions problem here. You've told SAMBA to allow access to /home/hoster/sharetest only to equah but your underlying filesystem permissions deny access to that user (drwx------ 19 hoster hoster 4096 Sep 8 20:20 /home/hoster).

Allow equah access to the directory and it should be ok

chmod a+x /home/hoster

Or force the access by equah to be performed by hoster

# add to smb.conf share definition
force user = hoster

In general this kind of problem can be diagnosed using log level = 3 and looking in the SAMBA server log files.

Related Solutions

Reading cifs share fails with permission denied – cifs samba directory permission denied

FYI, I got some help from Red Hat...the problem was SELinux restricting permissions. I don't need the control offered by SELinux, so I just disabled it by editing /etc/selinux/config and restarting.

Method for users to change Samba password

Giving them all access to the same dummy account doesn't sound smart. Even if you lock it down to have access to nothing BUT smbpasswd they could still change eachother's passwords. And there's always possibility of a malicious privilege escalation attack.

Essentially what it sounds like you want is to allow them to run ONLY the smbpasswd command from their own user account while still having an equivalent to a nologin account.

This can be accomplished with the use of the "ForceCommand" option in your sshd_config.

Try this:

Grant each user with a Samba account membership to the same group. For our example let's say "sambaOnly":
```
#From Root
groupadd sambaOnly
usermod -a -G sambaOnly Joe
```

Next, we want to change our sshd_config file to have the following:

#From Root
cat << EOF >> /etc/ssh/sshd_config
Match Group sambaOnly
    ForceCommand smbpasswd
EOF

Presto. From my understanding (and brief testing) this means when they login via SSH they will automatically have the smbpasswd command run and they will be prompted accordingly. They will never get the chance to have shell access. After the command completes they are automatically disconnected, again never getting a chance to have shell access.

I am not 100% sure this removes all access to the machine remotely. For example, if you are running a different SSH server on the same machine that doesn't ForceCommand them, then they could login via that depending on its access control config.

Also, if they have the opportunity for physical access to a terminal they can login.

However, I think for most situations this is fairly strong access control.

Best Answer

Related Solutions

Reading cifs share fails with permission denied – cifs samba directory permission denied

Method for users to change Samba password

Related Question