# Samba: Users' files upload as read-only



## mallen324 (Sep 9, 2011)

Wow, this server here (or my lack of knowledge on it) is starting to annoy me.

Whenever a user is working from home and connects via WinSCP or FileZilla and uploads a file, it uploads as read only. I don't really know where to start with this. 

FreeBSD 8.1
Samba 3.4


----------



## shitson (Sep 9, 2011)

Are they accessing these files then via Samba? - Need more info!


----------



## mallen324 (Sep 9, 2011)

Yeah Im sorry. So they upload them via Winscp or filezilla from outside the network, then someone here will go to edit it via samba (a mapped network drive on WinXP) via a different username. So user X (part of group X) uploads it, then user Y (part of group X) opens it from inside the network via samba.


----------



## shitson (Sep 10, 2011)

Okay i kind of understand what is going on. The problem is, when users are uploading the files they are owned by the users (i.e If i upload a file as user jml123 it is owned by user jml123 group jml123). When the other user via Windows XP and another login is trying to access and change these files the conflict is occurring because these files are not owned by this user. Thus read is possible - write is not. 

Can you further explain what this setup is used for, maybe a better solution or fix is possible


----------



## kisscool-fr (Sep 10, 2011)

What is your samba config ?


----------



## mallen324 (Sep 13, 2011)

All it is is excel files really. There's ExcelFileA, on the server. UserX, part of GroupX logs into the server via FileZilla or WinSCP, downloads ExcelFileA. They edit it a little bit, and upload it back. Sometimes, the server (depending on the username) won't allow an overwrite so UserX will delete the old one off the server and reupload ExcelFileA. The overwrite thing's another thread for me to make, though. Now, UserY, part of GroupX is in the office. UserX opens ExcelFileA and it is now read-only. 

Do you want my smb.conf?


```
#======================= Global Settings =====================================
[global]

# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
   workgroup = SPRINGFIELD
   netbios name = HOMER

# server string is the equivalent of the NT Description field
   server string = Samba Server

# Security mode. Defines in which mode Samba will operate. Possible
# values are share, user, server, domain and ads. Most people will want
# user level security. See the Samba-HOWTO-Collection for details.
   security = user

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
   hosts allow = 192.168.0. 127.

   name resolve order = wins bcast hosts
  time server = Yes
# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   load printers = yes

# you may wish to override the location of the printcap file
;   printcap name = /etc/printcap

# on SystemV system setting printcap name to lpstat should allow
# you to automatically obtain a printer list from the SystemV spool
# system
;   printcap name = lpstat

# It should not be necessary to specify the print system type unless
# it is non-standard. Currently supported print systems include:
# bsd, cups, sysv, plp, lprng, aix, hpux, qnx
#   printing = cups

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
;  guest account = pcguest

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba34/log.%m
   log level = 3

# Put a capping on the size of the log files (in Kb).
   max log size = 50

# Use password server option only with security = server
# The argument list may include:
#   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
#   password server = *
;   password server = <NT-Server-Name>

# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
;   realm = MY_REALM

# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
   passdb backend = ldapsam
   ldapsam:trusted = yes

ldap admin dn = "cn=Manager,dc=*****,dc=com"
#ldap server = 75.*.*.*
ldap ssl = no
#ldap port = 389
#encrypt passwords = yes
passdb backend = ldapsam:"ldap://75.*.*.* ldap://***.****.com"
ldap suffix = "dc=*****,dc=com"
#pam password change = no
ldap user suffix = ou=people
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting.
# Note: Consider carefully the location in the configuration file of
#       this line.  The included file is read at that point.
;   include = /usr/local/etc/smb.conf.%m

# Most people will find that this option gives better performance.
# See the chapter 'Samba performance issues' in the Samba HOWTO Collection
# and the manual pages for details.
# You may want to add the following on a Linux system:
;   socket options = SO_RCVBUF=8192 SO_SNDBUF=8192

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
;   interfaces = 192.168.12.2/24 192.168.13.2/24

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
   local master = yes

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
   os level = 65

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
   domain master = yes

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
   preferred master = auto

# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
   domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
;   logon script = %m.bat
# run a specific logon batch file per username
;   logon script = %U.bat

# Where to store roving profiles (only for Win95 and WinNT)
#        %L substitutes for this servers netbios name, %U is username
#        You must uncomment the [Profiles] share below
   logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\***\%U\winprofile

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
   wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#       Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one  WINS Server on the network. The default is NO.
   wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The default is NO.
   dns proxy = no

# Charset settings
;   display charset = koi8-r
;   unix charset = koi8-r
;   dos charset = cp866

# Use extended attributes to store file modes
;    store dos attributes = yes
;    map hidden = no
;    map system = no
;    map archive = no

# Use inherited ACLs for directories
    nt acl support = yes
    inherit acls = yes
    map acl inherit = yes

# These scripts are used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
  add user script = /usr/local/sbin/smbldap-useradd -m %u
  add group script = /usr/local/sbin/smbldap-groupadd -p %g
  add machine script = /usr/local/sbin/smbldap-useradd -w %u
  delete user script = /usr/local/sbin/smbldap-userdel %u
  delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g
  delete group script = /usr/local/sbin/smbldap-groupdel %g


#============================ Share Definitions ==============================
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

# Un-comment the following and create the netlogon directory for Domain Logons
 [netlogon]
   comment = Network Logon Service
   path = /usr/local/samba/lib/netlogon
   guest ok = yes
   writable = no
   share modes = no


# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
[Profiles]
    path = /usr/local/samba/profiles
    browseable = no
    guest ok = yes


# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
   comment = All Printers
   path = /var/spool/samba34
   browseable = no
# Set public = yes to allow user 'guest account' to print
   guest ok = no
   writable = no
   printable = yes

# This one is useful for people to share files
;[tmp]
;   comment = Temporary file space
;   path = /tmp
;   read only = no
;   public = yes

# A publicly accessible directory, but read only, except for people in
# the "staff" group
[public]
   comment = Public Stuff
   path = /home/share/public
   public = yes
   writable = yes
   printable = no
#write list = @prime

[install]
  comment = Software Installs
  path = /home/share/install
  writable = yes
  guest ok = no

[files]
  comment = PRIME Files
  path = /home/
  writable = yes
  guest ok = no
```


----------



## kisscool-fr (Sep 13, 2011)

Ok 

What share is concerned by the problem ? 

You seem to have a ftp server too, which is it and what is the config ?


----------



## mallen324 (Sep 14, 2011)

mallen324 said:
			
		

> All it is is excel files really. There's ExcelFileA, on the server. UserX, part of GroupX logs into the server via FileZilla or WinSCP, downloads ExcelFileA. They edit it a little bit, and upload it back. Sometimes, the server (depending on the username) won't allow an overwrite so UserX will delete the old one off the server and reupload ExcelFileA. The overwrite thing's another thread for me to make, though. Now, UserY, part of GroupX is in the office. UserX opens ExcelFileA and it is now read-only.



Ill just keep this example going. UserX is connecting via sftp when they reupload the file back to the server. UserY, in the office is connecting via the samba share "files" as a WinXP's mapped network drive. Is there some sort of ftp config file I should post?


----------



## shitson (Sep 15, 2011)

Would you mind giving us a dir listing of the shared directory and also a listing of it's contents


```
ls -ld /dir/name
```


```
ls -l /dir/name
```


----------



## mallen324 (Sep 16, 2011)

Id rather not post the whole shared directory online. The permissions are 777, if thats what you are wondering. That's another thing that baffles me, such loose restrictions and I have these problems.


----------



## mix_room (Sep 19, 2011)

I strongly doubt that you have 777 permissions on the files which were UPLOADED via sftp. 

Check the default permissions set by the sftp-server. They are most likely something like 644. All you then need to do is set your sftp-server to properly set the rights when doing an upload. 

Perhaps something like this in /etc/ssh/sshd_config

```
Match group GroupX
     ForceCommand    internal-sftp -u 007
```

Even if you don't list the whole contents of the shared directory, edit the listing, replace sensitive names with things like FILE0001.XLS so that people who want to help you can see what you are doing. Otherwise helping your is like driving a car blindfolded.


----------

