Samba / NC file permission

Hello,

I have a folder as an external source in my Nextcloud.
This folder is also reachable via Samba.

I sometimes have a problem with the file permissions.

What I want to have:
Samba:

  • only valid users, no connection without authentication

My Samba config:

[Projekte]
    comment = nextCloud Projekte
    path = /media/Projekte
    valid users = user1, root
    force user = www-data
    force group = www-data
    browseable = yes
    writeable = yes
    admin users = www-data
    public = yes
    create mask = 0777
    directory mask = 0777

But sometimes I need to set a file's owner to root to change it via the Windows share.

Which file permissions are correct for:

  • Nextcloud has full access
  • valid Samba users have full access when creating or modifying files

Thank you!

If the folder is external storage, then you shouldn’t need to force user to www-data, just let the user1 own the data, and mount the folder as that user.

You don’t need to add root as a valid user either, root has access anyway.

Are you on Linux and the external storage on a Linux file system? In that case you might want to force permissions to something sensible for Linux.

Here’s a definition I use:

[Files]
    comment = My stuff
    path = /media/files
    # Two users, only one can write
    valid users = user1, user2
    public = no
    writable = no
    write list = user1
    available = yes
    browsable = yes
    # Masks force off all unset bits (AND)
    create mask = 640
    directory mask = 750
    # Force modes force on all set bits (OR)
    force create mode = 640
    force directory mode = 750
    # Name mangling
    case sensitive = yes
    default case = lower
    preserve case = yes
    short preserve case = no
    mangled names = no

In Nextcloud I mount the folder as user1 for user1 and as user2 for user2 - then user1 can write and user2 can only read…

And if I access the files in Linux it’s the same - user1 can write and user2 can only read.
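
An added example, not part of the thread and not Samba's own code: a simplified Python model of the mask (AND) and force mode (OR) rules described in the post above, applied to the relevant lines of the two share definitions quoted in this thread. It assumes a requested mode of 0666 for files and 0777 for directories and ignores DOS attribute mapping and inherited permissions; the function names are illustrative.

```python
import stat

# Constructed input: the relevant lines of the two shares quoted in the thread.
PROJEKTE = """
[Projekte]
public = yes
create mask = 0777
directory mask = 0777
"""
FILES = """
[Files]
public = no
create mask = 640
directory mask = 750
force create mode = 640
force directory mode = 750
"""

def parse_share(text):
    """Return {option: value} for a single smb.conf share section."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[" ".join(key.split()).lower()] = value.strip()
    return opts

def effective_modes(opts):
    """(file_mode, dir_mode) after applying the mask (AND), then the force mode (OR)."""
    # Assumption: 0666 is requested for files and 0777 for directories;
    # DOS attribute mapping and "inherit permissions" are not modelled.
    def octal(name, default):
        return int(opts.get(name, default), 8)
    file_mode = (0o666 & octal("create mask", "0744")) | octal("force create mode", "0")
    dir_mode = (0o777 & octal("directory mask", "0755")) | octal("force directory mode", "0")
    return file_mode, dir_mode

def audit(text):
    """List the findings a reviewer would raise for the share."""
    opts = parse_share(text)
    file_mode, dir_mode = effective_modes(opts)
    findings = []
    if (file_mode | dir_mode) & stat.S_IWOTH:
        findings.append("world-writable: files %04o, dirs %04o" % (file_mode, dir_mode))
    if opts.get("public", opts.get("guest ok", "no")).lower() in ("yes", "true", "1"):
        findings.append("public = yes is set (public is a synonym for guest ok)")
    return findings
```

Calling `audit(PROJEKTE)` reports both the world-writable result and the `public = yes` setting, while `audit(FILES)` returns no findings.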

Hello,

Thank you … but I added the folder locally on my Ubuntu server … so not via SMB.
I thought it is faster than when Nextcloud uses the data via SMB.

Is this a problem in my case? Do I need to mount the external storage as SMB?

You’re right - it’s faster if added as local storage.
And in that case you’re right that the files should be owned by www-data.

You probably already read the admin guide:
https://docs.nextcloud.com/server/19/admin_manual/configuration_files/external_storage/local.html

What you did makes sense now - the external storage should be owned by www-data, and therefore you need to force the Samba user like you do.

But the files will not be available locally, outside of Nextcloud or Samba then, I would assume? With the file owner being www-data, I assume the access goes through the database, and in that case, if you change files directly then the database will get out of sync.

I think what you end up with is that you can differentiate between users in Nextcloud (some have no access, some have read and some have read+write), and in Samba you can do the same - by not adding a user to “valid users” you deny access, then by setting “writeable” to no all valid users will have read only as default, and lastly, if you add users to “write list” then they will get write access.

This way you can give users none, read and read+write access in both Nextcloud and Samba. But none can access the files locally, outside of Samba or Nextcloud.

If you change files directly the database will get out of sync, and you must use the occ files:scan command to scan the files and update the database:
https://docs.nextcloud.com/server/16/admin_manual/configuration_server/occ_command.html#scan

Something like this I think:

sudo -u www-data php /var/www/html/nextcloud/occ files:scan --path /media/Projekte