Samba and Group permission

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Fri Oct 22 20:32:10 UTC 2004


On Fri, Oct 22, 2004 at 11:39:30AM -0400, Martin Duclos wrote:
> Martin Duclos wrote:
> 
> >Hi All,
> >
> >I am running a samba 3.0.4-1 server.  I want to create groups so that I 
> >can control which user has access to which file. So, I create a new group 
> >by editing the /etc/group file. I add the users which are to belong to 
> >that group. I modify the group permission on the files I want the users of 
> >said group to have access to. One of the client machines is a linux 
> >machine (but I suspect the same problem will show up on a win machine). 
> >What I'm seeing is that the owner of the share only has its default group 
> >associated with it. I've been reading through the samba docs and man pages 
> >but I haven't found a solution yet. There must be some way to have a user 
> >be part of multiple groups and have samba respect those - or is it just 
> >wishful thinking? Any ideas?
> >
> >Thanks
> >
> >Martin Duclos
> >
> >
> >--
> >The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
> >TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> >How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
> 
> Try using ACL
> 
> http://www.bluelightning.org/linux/samba_acl_howto/
> 
> I fail to see how this how to would help. I've read all of it and I haven't 
> seen anything that directly relates to this problem with an explanation and 
> how to fix it. Any ideas as to how I can solve my problem?

smb.conf: 

[MyShare]
   comment = My Share Name
   browseable = yes
   path = /data/path
   printable = no
   public = no
   writable = yes
   create mode = 0770
   inherit permissions = Yes
   inherit acls = Yes

filesystem and kernel supports Posix ACL (XFS in this case)

ACL settings:

host# getfacl /data/path
# file: /data/path
# owner: user1
# group: users
user::rwx
group::r-x
group:sharemain-write:rwx
group:sharemain-read:r-x
group:others-read:r-x
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:sharemain-write:rwx
default:group:sharemain-read:r-x
default:group:others-read:r-x
default:mask::rwx
default:other::---

host# ls -ld /data/path
drwxrws---+ 11 user1    users    4096 Oct  4 08:53 /data/path/
[Notice the '+' on the permissions?  That means ACL is in use on that dir]

The acl defaults cause all new files created to have those permissions,
and multiple users are members of either sharemain-write, sharemain-read
or others-read in this case where the ones in sharemain-write can write to
the files which are set writable by that group, the read group can read
those files, and some subset of dirs and files are also added for group
others-read.  You can add as many groups and individual users to each
file and dir as you want, and you can set defaults for dirs that apply to
all newly created subdirs and files which then inherit the setting (and
setfacl can propagate settings similar to chmod with recursive option
too or you can pass info from getfacl to setfacl to copy the permissions
of a dir to a set of files and dirs.)

Overall this gives much finer control over samba shares since you can
make any dir read/write, read only or not accessible to different users
without having to create a group for each file or dir with a certain
user combination with one unix group per combination (which is just too
hard to maintain).

In windows the acl groups even appear in windows as groups so you
can see which groups have access to a file from windows, and to some
extent even control it the same way you would with groups and users on
a windows server.

Lennart Sorensen
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
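To check what the ACL scheme in the message above actually grants, here is an added example (not code from the post or from the Samba project): it parses the quoted getfacl listing (embedded as a constructed copy) and evaluates the POSIX.1e access check, including the mask entry that clamps named groups, and it verifies that the default entries mirror the access entries so inherited permissions match. User and group names passed to `effective_access` are assumptions for illustration.

```python
import re
from functools import reduce
GETFACL_OUTPUT = """\
# owner: user1
# group: users
user::rwx
group::r-x
group:sharemain-write:rwx
group:sharemain-read:r-x
group:others-read:r-x
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:sharemain-write:rwx
default:group:sharemain-read:r-x
default:group:others-read:r-x
default:mask::rwx
default:other::---
"""  # constructed copy of the getfacl listing shown in the post

def perm_bits(perms):  # "r-x" -> 5, the octal digit chmod would use
    return sum(v for c, v in zip(perms, (4, 2, 1)) if c != "-")

def parse_getfacl(text):  # -> owner, owning group, access/default entries
    acl = {"owner": None, "group": None, "access": [], "default": []}
    for line in text.splitlines():
        if m := re.match(r"# (owner|group): (\S+)", line):
            acl[m[1]] = m[2]
        elif line and not line.startswith("#"):
            kind = "default" if line.startswith("default:") else "access"
            tag, qual, perms = line.removeprefix("default:").split(":")
            acl[kind].append((tag, qual, perm_bits(perms)))
    return acl

def effective_access(acl, user, groups):  # POSIX.1e access-check order
    by = {(t, q): p for t, q, p in acl["access"]}
    mask = by.get(("mask", ""), 7)  # clamps every entry except owner/other
    if user == acl["owner"]:
        return by["user", ""]
    if ("user", user) in by:  # a named user entry beats any group entry
        return by["user", user] & mask
    grp = [p for (t, q), p in by.items() if t == "group"
           and (q in groups if q else acl["group"] in groups)]
    if grp:  # owning group plus every named group the user is in: union
        return reduce(int.__or__, grp) & mask
    return by["other", ""]

def defaults_mirror_access(acl):  # will new children inherit this scheme?
    return sorted(acl["access"]) == sorted(acl["default"])
```

A mask of r-x reduces sharemain-write to read-only even though its own entry says rwx, which is the first thing to check when a member of the write group reports access denied on the share.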