Samba and Group permission

Martin Duclos tchitow-PkbjNfxxIARBDgjK7y7TUQ at public.gmane.org
Fri Oct 22 21:55:07 UTC 2004


smb.conf:

[MyShare]
    comment = My Share Name
    browseable = yes
    path = /data/path
    printable = no
    public = no
    writable = yes
    create mode = 0770
    inherit permissions = Yes
    inherit acls = Yes

filesystem and kernel supports Posix ACL (XFS in this case)

ACL settings:

host# getfacl /data/path
# file: /data/path
# owner: user1
# group: users
user::rwx
group::r-x
group:sharemain-write:rwx
group:sharemain-read:r-x
group:others-read:r-x
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:sharemain-write:rwx
default:group:sharemain-read:r-x
default:group:others-read:r-x
default:mask::rwx
default:other::---

host# ls -ld /data/path
drwxrws---+ 11 user1    users    4096 Oct  4 08:53 /data/path/
[Notice the '+' on the permissions?  That means ACL is in use on that dir]

The acl defaults cause all new files created to have those permissions,
and multiple users are members of either sharemain-write, sharemain-read
or others-read in this case where the ones in share-write can write to
the files which are set writable by that group, the read group can read
those files, and some subset of dirs and files are also added for group
others-read.  You can add as many groups and individual users to each
file and dir as you want, and you can set defaults for dirs that apply to
all newly created subdirs and files which then inherit the setting (and
setfacl can propagate settings similar to chmod with recursive option
too or you can pass info from getfacl to setfacl to copy the permissions
of a dir to a set of files and dirs.)

Overall this gives much finer control over samba shares since you can
make any dir read/write, read only or not accessible to different users
without having to create a group for each file or dir with a certain
user combination with one unix group per combination (which is just too
hard to maintain).

In windows the acl groups even appear in windows as groups so you
can see which groups have access to a file from windows, and to some
extent even control it the same way you would with groups and users on
a windows server.

Lennart Sorensen


I'll try defining my problem again... I have a linux server with samba 
installed on it. I have created a group in /etc/group let's say user ME  and 
HIM for group FULLACCESS. I also have user SOMEONEELSE. Now, I want user 
SOMEONEELSE to have access to files in a directory called MEDIA but just for 
read. For this purpose, I will have to change the other's perms to r--. No 
problem there. Now, I want to have users ME and HIM from group FULLACCESS to 
have read-write access to the files in directory MEDIA so I set the group of 
the directory to MEDIA. I then change the group mode to rwx. Now, on my 
other linux box, using NIS, I log on with user ME. I try mounting the samba 
share MEDIA. The problem is that I do not have write permissions to this 
directory. WHY? I am part of a group that has write permissions to the 
directory. I do not own said file. It would appear that the "other" 
permissions are applied in this case since samba doesn't seem to honor the 
fact that the user is part of multiple groups. I've also tried setting the 
smb.conf file with the following:

[media]
    comment = The media
    valid users = @FULLACCESS
    writable = yes
    path = /home/media

but that didn't seem to work either. I don't understand why samba would 
behave like this! Can anyone tell me how I can get samba to honor the other 
groups users belong to? Or is it something else I'm not looking at?

Martin


--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
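
Added example, not part of the original messages: a small evaluator that parses getfacl output like the listing quoted above and applies the Linux POSIX ACL access check order from acl(5) (owner, named user, matching groups limited by the mask, then other). The user names alice, bob, carol and dave and the group staff are constructed for illustration.

```python
# Constructed sample modelled on the getfacl listing in the thread.
GETFACL = """\
# file: /data/path
# owner: user1
# group: users
user::rwx
group::r-x
group:sharemain-write:rwx
group:sharemain-read:r-x
group:others-read:r-x
mask::rwx
other::---
default:group:sharemain-write:rwx
"""

def parse(text):
    """Return (owner, owning_group, entries); default: entries are skipped
    because they only seed new files, they do not govern access."""
    meta, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# ") and ": " in line:
            key, val = line[2:].split(": ", 1)
            meta[key] = val
        elif line and not line.startswith(("#", "default:")):
            # Drop any trailing "#effective:" comment getfacl may append.
            tag, name, perms = line.split("#")[0].split()[0].split(":")
            entries.append((tag, name, set(perms) - {"-"}))
    return meta["owner"], meta["group"], entries

def allowed(text, user, groups, want):
    """True if `user` with supplementary `groups` is granted all of `want`."""
    owner, ogroup, entries = parse(text)
    want = set(want)
    mask = next((p for t, n, p in entries if t == "mask"), None)
    lim = lambda p: p if mask is None else p & mask
    if user == owner:                       # 1. owner: mask does not apply
        return want <= next(p for t, n, p in entries if t == "user" and n == "")
    for t, n, p in entries:                 # 2. named user entry
        if t == "user" and n == user:
            return want <= lim(p)
    # 3. owning group or named groups: one matching entry must grant all of want
    matched = [p for t, n, p in entries if t == "group" and (n or ogroup) in groups]
    if matched:
        return any(want <= lim(p) for p in matched)
    # 4. "other" is consulted only when no user or group entry matched
    return want <= next(p for t, n, p in entries if t == "other")
```
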




