Creating a Samba Share and Configuring an Access Control List for a Shared Directory Under Linux

Often administrators would like to configure a Samba share that enables users to have the same access to any files within the share.  Without some additional configuration, directories and files created by one user will not have the r/w permissions for other users that have access to that same share.

The end goal is to have a Samba share in which any new files are created with r/w permissions for a specific group to which all of the members of the share belong.

The first step is to determine whether the current running kernel supports ACL.  To do this we check the configuration file that was used to build the kernel, looking for config keys that contain the string ‘POSIX_ACL’.

Determine the version of your current kernel

# uname -a
Linux leviathan 2.6.32-358.2.1.el6.x86_64 #1 SMP Wed Mar 13 00:26:49 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

Then grep the config file for your kernel

# grep POSIX_ACL /boot/config-2.6.32-358.2.1.el6.x86_64
CONFIG_EXT2_FS_POSIX_ACL=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_JFFS2_FS_POSIX_ACL=y

If the configuration for the filesystem type that you are using on the disk on which you want to configure the share indicates ‘y’, then you can continue to the next step.  If not, you will need to recompile your kernel with ACL support.

Next, check the configuration entry in /etc/fstab for the filesystem that we want to use.

/dev/sda1               /usr/local2/            ext3    defaults        1 2

In this case, our filesystem is not yet configured to use acl as it is not noted after the ‘defaults’ option.

Edit /etc/fstab and change that option to read ‘defaults,acl’ as follows:

/dev/sda1               /usr/local2/            ext3    defaults,acl        1 2

Unmount, and then re-mount the filesystem.

Next, ensure that you already have a group configured for the users in question and that those users belong to that group.  For this example our group will be ‘sharegroup’

Then, create the directory that you want to share via Samba and set the permissins and acl for it.

# mkdir /usr/local2/share

Change the group ownership, permissions, and set the sgid flag.

# chgrp sharegroup /usr/local2/share

# chmod g+w share

# chmod g+x share

# chmod g+s share

Now we set the acl for the directory.  The following sets the default group to ‘sharegroup’ with permissions of ‘rwx’.

# setfacl -m d:g:sharegroup:rwx share/

The last thing to do is to set up the share in Samba.  Edit /etc/samba/smb.conf

[share]
        comment =  Shared Directory
        path = /usr/local2/share
        valid users = user1 user2
        browseable = yes
        writeable = yes
        create mask = 2664
        directory mask = 2775

The key configurations are the create and directory mask which will ensure that files are created with the proper group permissions to enable all of the users the desired access.

Restart samba and you are finished.

If you copy an existing directory into the share directory you will need to modify the permissions so that it is available to all of the users who have access to that share.

Add sgid permissions to all of the sub directories:

# find ./new_dir -type d -exec chmod g+s {} \;

Add executable permissions for the group to all of the sub directories:

# find ./new_dir -type d -exec chmod g+x {} \;

Add write permissions to all files and directories in the new dir:

# chmod -R g+w ./new_dir

Leave a Reply