mjhjmtu

I have a path on a Linux machine (Debian 8) which I want to share with Samba 4 to Windows computers (Win7 and 8 in a domain). In my smb.conf I did the following:

[myshare]
path = /path/to/share
writeable = yes
browseable = yes
guest ok = yes
public = yes

I have perfect read access from Windows. But in order to have write access, I need to do chmod -R 777 /path/to/share in order to be able to write to it from Windows.

What I want is write access from Windows after I provide the Linux credentials of the Linux owner of /path/to/share.

I already tried:

[myshare]
path = /path/to/share
writeable = yes
browseable = yes

Then Windows asks for credentials, but no matter what I enter, it's always denied.

What is the correct way to gain write access to Samba shares from a Windows domain computer without granting 777?

I recommend to create a dedicated user for that share and specify it in force user.

Create a user (shareuser for example) and set the owner of everything in the share folder to that user:

adduser --system shareuser
chown -R shareuser /path/to/share

Then add force user and permission mask settings in smb.conf:

[myshare]
path = /path/to/share
writeable = yes
browseable = yes
public = yes
create mask = 0644
directory mask = 0755
force user = shareuser

Note that guest ok is a synonym for public.

In the share settings in smb.conf, you'll need to specify the names of users and/or groups that are allowed to write to the share, using a write list = ... line.

Example:

[myshare]
...
write list = my_linux_username

Then you'll need to use the smbpasswd command to set up a password to authenticate my_linux_username for Samba:

sudo smbpasswd -a my_linux_username

This step is necessary because the standard system passwords in /etc/shadow are hashed in algorithms that are incompatible with the password hash algorithms used in the SMB protocol. When a client sends a SMB authentication packet, it includes a hashed password. It can only be compared to another password hash that uses the same algorithm.

(Very, very old instructions from the previous millennium may recommend disabling password encryption in Samba, and using certain registry hacks to allow Windows to emit unencrypted passwords to the network. This advice is obsolete: those registry hacks may no longer work in current versions of Windows, and allow anyone who can monitor your network traffic to trivially capture your password.)

There's one more thing you may have to do client-side. When your Windows client system is joined to an Active Directory domain and you're logged in with an AD account, it automatically prefixes all unqualified usernames with the name of the AD domain of the user, i.e. you will be authenticating as AD_DOMAINyour_username, not just your_username.

If you are logged in with a local account (or your client system is not joined to an AD domain), Windows may automatically prefix the username with the client hostname unless you specify another domain name.

To successfully log in to a stand-alone Samba server from a stand-alone Windows client, you may have to specify your username as SAMBA_SERVER_HOSTNAMEyour_username.

Otherwise Samba will see the username as WINDOWS_CLIENT_HOSTNAMEyour_username, conclude that it has no way to verify any users belonging to domain named WINDOWS_CLIENT_HOSTNAME, and will reject the login.

(Newer versions of Samba may have a built-in check for this specific situation, and they might allow you access nevertheless. But this is basically how SMB authentication works "under the hood", and if you need to deal with old versions of Samba, it might be useful still.)