[The following is my understanding from doco and experiments - hosts Solaris 2.5.1 and Samba 1.9.18p3, client NT 4.0 - please re-use if wanted]

Samba presents a DOS file permissions view to users. That is, they can set the following attributes for files: Archive, Hidden and Readonly. As an ordinary user on NT 4.0, the System attribute is not accessible.

These attributes map as follows onto the following default Unix permissions - note owner and group will depend on how connected to Samba and any "force user" and "force group" directives. Also, as far as I can tell, the Hidden attribute has no effect on Unix permissions and is never reported back even if set. Finally, the permissions for directories (or folders) seem to be immutable.

Attributes          Type        Unix permissions

none                file        -rw-rw-rw-
Archive             file        -rwxrw-rw-
ReadOnly            file        -r--r--r--
Archive+ReadOnly    file        -r-xr--r--
any                 directory   drwxrwsrwx

These permissions are then logically ANDed with "create mask" for files and "directory mask" for directories.

Finally they are logically ORed with "force create mask" for files and "force directory create mask" for directories.

The only control a user at an NT Workstation has is to make files read only.

[Now for my questions:]

A: Is the above correct?

B: Is there any other mechanism for a user to change the permissions of their files?

I realise that this has a lot to do with differing filesystem semantics. Also I would be content with a little add-on helper program for NT or whatever to affect the UNIX permissions of their files mounted from SAMBA.

The rationale is that the SAMBA directives do not cover all I would wish - eg Users here have Web pages that must be globally readable, but most other files should not be so.
--
-----------------------------------------------------------------------------
| Peter Polkinghorne, Computer Centre, Brunel University, Uxbridge, UB8 3PH,|
| Peter.Polkinghorne@brunel.ac.uk   +44 1895 274000 x2561   UK              |
-----------------------------------------------------------------------------
Hi all (and Peter),

Answering your question A, No. Details below. (I don't have access to NT as a client, but I do know a good deal about Samba permissions).

>Samba presents a DOS file permissions view to users. That is they can set the
>following attributes for files: Archive, Hidden and Readonly. As an ordinary
>user on NT 4.0 System attribute is not accessible.

'System' attribute is also provided by Samba. Definitely settable on WfWg3.11.

>These attributes map as follows onto the following default Unix permissions -
>note owner and group will depend on how connected to Samba and any "force
>user" and "force group" directives. Also as far as I can tell the Hidden
>attribute has no effect on Unix permissions and is never reported back even if
>set. Finally the permissions for directories (or folders) seems to be
>immutable.

Hidden attribute is only reported (and set) if the smb.conf parameter 'map hidden' is turned on. 'map system' is also required if you wish to mimic System attribute behaviour.

>Attributes          Type        Unix permissions
>
>none                file        -rw-rw-rw-
>Archive             file        -rwxrw-rw-
>ReadOnly            file        -r--r--r--
>Archive+ReadOnly    file        -r-xr--r--

System and Hidden flip the Group and Other 'Execute' bits (and report on them too). Also with 'hide dot files', any .dot file (e.g. .cshrc) is flagged as hidden too (irrespective of the 'map hidden' setting I believe). This mapping is not two way (e.g. a user setting the 'hidden' attribute on a file will _not_ cause it to have a '.' prepended to the file name.)

So, Archive, System and Hidden all work in the same way, mapping onto an Execute bit in UNIX. (Archive is on by default, System and Hidden are off).

>any                 directory   drwxrwsrwx

Nope. Set Group-On-Execute is NOT set for directories by default. You'd have to use a 'force' to get it set.

>These permissions are the logically ANDed with "create mask" for files and
>"directory mask" for directories.

Indeed, although 'create mask' is itself ORed with 0600 (or so) to ensure that you don't remove UNIX read permission from the file (This seems overkill to me). Also 'directory mask' is ORed with 0700 (or so) to ensure read and execute (for user) cannot be removed (very sensible of course). (This ORing is done in a macro somewhere IIRC)

>Finally thet are logically ORed with "force create mask" for files and "force
>directory create mask" for directories.

Yup.

>The only control as user at a NT Workstation has is to make files read only.

Can't comment. (Definitely NOT true for WfWg3.11 File Manager)

>A: Is the above correct?

(see above)

>B: Is there any other mechanism for a user to change the permissions of their
>files?

The one suggestion I have seen is 'magic script', which allows you to have a file executed by Samba upon close. Stick the relevant 'chmod' commands in there (not forgetting to use UNIX End-Of-Line semantics) and away you go!

>The rationale is that the SAMBA directives do not cover all I would wish - eg
>Users here have Web pages that must be globally readable, but most other files
>should not be so.

Hmm. Tricky within a single share. I guess you can't provide a separate share for each user's web pages?

Mac
Assistant Systems Administrator @nibsc.ac.uk
dmccann@nibsc.ac.uk
Work: +44 1707 654753 x285
Everything else: +44 956 237670 (anytime)
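[Added example, not part of the original messages and not Samba's own code: a Python model of the mapping described in the two posts above (default bits from the DOS attributes, AND with the create mask, OR with the force value), plus the reverse direction. Function and parameter names are invented for illustration, the rule for reporting ReadOnly is an assumption, and the extra OR on the create mask, which the reply gives only as "0600 (or so)", is left out.]

```python
import stat

# DOS attribute bits as used by SMB.
READONLY, HIDDEN, SYSTEM, ARCHIVE = 0x01, 0x02, 0x04, 0x20


def unix_mode(attrs, create_mask=0o777, force=0o000,
              map_archive=True, map_system=False, map_hidden=False):
    """Permission bits for a new file, in the order given in the thread."""
    mode = 0o444                                  # everyone may read
    if not attrs & READONLY:
        mode |= 0o222                             # writable unless ReadOnly
    if map_archive and attrs & ARCHIVE:
        mode |= stat.S_IXUSR                      # Archive -> user execute
    if map_system and attrs & SYSTEM:
        mode |= stat.S_IXGRP                      # System  -> group execute
    if map_hidden and attrs & HIDDEN:
        mode |= stat.S_IXOTH                      # Hidden  -> other execute
    return (mode & create_mask) | force           # AND mask, then OR force


def reported_attrs(mode, map_archive=True, map_system=False, map_hidden=False):
    """DOS attributes a client would see for a file with these bits."""
    attrs = 0
    if not mode & stat.S_IWUSR:
        attrs |= READONLY                         # assumption: no owner write
    if map_archive and mode & stat.S_IXUSR:
        attrs |= ARCHIVE
    if map_system and mode & stat.S_IXGRP:
        attrs |= SYSTEM
    if map_hidden and mode & stat.S_IXOTH:
        attrs |= HIDDEN
    return attrs


def world_readable(mode):
    return bool(mode & stat.S_IROTH)


if __name__ == "__main__":
    # Constructed cases: the table from the first post, then two mask values.
    for label, attrs, mask in [
        ("none", 0, 0o777),
        ("Archive", ARCHIVE, 0o777),
        ("ReadOnly", READONLY, 0o777),
        ("Archive+ReadOnly", ARCHIVE | READONLY, 0o777),
        ("Archive, create mask 0700", ARCHIVE, 0o700),
        ("Archive, create mask 0744", ARCHIVE, 0o744),
    ]:
        mode = unix_mode(attrs, mask)
        print(f"{label:28} {stat.filemode(stat.S_IFREG | mode)} "
              f"world-readable={world_readable(mode)}")
```

One create mask applies to every file in the share, so 0700 hides web pages along with everything else and 0744 exposes everything, which is the limitation raised in the first post.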
Hello,

My main problem is that I can't change the read-only attribute on a directory (not a file) included in a Samba share from the properties dialog box on any Windows workstation. There is not even an error message, but depending on the OS (98, ME, NT4, 2K...), when I click on Apply, either the tick goes, or when I reopen the dialog box, the tick has gone.

I checked the permissions and the directory (security) mask, my configuration file is basic and I tried several versions of Samba (2.2.3a, 2.2.4). Of course, the user who connects has correct Unix permissions.

Here is my whole smb.conf file:

[global]
   workgroup = ALCIDIAN
   encrypt passwords = yes

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   create mask = 0700
   directory mask = 0700

I would be very grateful if anyone could help me.

Regards,
Sébastien Valsemey.