Jason A. Diegmueller
1999-Dec-03 22:36 UTC
Approach to permissions, UNIX usernames, and UNIX groups ..
Samba users--

I have a question I wanted to throw out to the general public. When dealing with reasonably large numbers of users (120+, in this case), how do most of you handle your UNIX permissions, usernames, and groups in correlation to your SAMBA?

Basically, I have a number of Windows 95/98 clients that authenticate against a Novell server, as well as Apple clients. Recently, I got myself a nice, new Linux box (with a sizeable RAID array) running SAMBA. Novell is currently serving up files; I want to move the responsibility of file serving to my Linux machine.

With Novell, it's simple to take a subdirectory and assign it permissions-- Bob, Al, and Tom can read and write to this directory. No one else can access it. With Linux, it seems a bit trickier. This is where I'm looking for input.

I need to create a directory structure reasonably deep (3-5 directories off of the main RAID mount point, with 5-10 directories under that, with another 3-10 directories under those).

The best approach I have come up with so far is to create a group specifically for each subdirectory, and put .. say .. Bob, Al, and Tom in it. Then I make sure the directory is owned by root.group, and could utilize the "force create mode" and "force group" directives in my smb.conf to create the files as rwxrwx--- and assigned to the group with respect to the subdirectory it is in. The only problem is, this means I have to manage over 100+ groups with 100+ SAMBA shares, and it seems there has to be a better way, and I'm just not seeing it.

Is there a way to tell SAMBA to assign files being written to the group of the subdirectory the file is being written to? Is there a better way altogether to approach this (I hope there is =).

Any insight or webpage references on approaches to medium-to-large-scale fileserving with SAMBA on a network are appreciated. Thanks.
Michael Szengel
1999-Dec-06 08:39 UTC
Approach to permissions, UNIX usernames, and UNIX groups ..
Jason wrote to samba@samba.org:
...
> Is there a way to tell SAMBA to assign files being written to the group
> of the subdirectory the file is being written to? Is there a better way
> altogether to approach this (I hope there is =).

Although it is quite difficult to emulate the behavior of a Novell server under a Linux system, the problem above should be solved by setting the SGID-Bit on the directories (chmod g+s <dirname>). Starting from then, all newly created files will get the group ownership of the directory (NOT the rights! You will have to set them in the necessary way separately).

This feature is not a feature of Samba, but of the underlying file system (so you have to do this under Linux on the filesystem itself). But it will do the job and I have been using it successfully for a month.

Michael
Peter J. Holzer
1999-Dec-06 11:45 UTC
Approach to permissions, UNIX usernames, and UNIX groups ..
On 1999-12-06 19:42:22 +1100, Michael Szengel wrote:
> Jason wrote to samba@samba.org:
> ..
> > Is there a way to tell SAMBA to assign files being written to the
> > group of the subdirectory the file is being written to? Is there a
> > better way altogether to approach this (I hope there is =).
>
> Although it is quite difficult to emulate the behavior of a Novell
> server under a Linux system, the problem above should be solved
> by setting the SGID-Bit on the directories (chmod g+s <dirname>).
> Starting from then, all newly created files will get the group ownership
> of the directory

On Linux you can also get this behaviour on all directories by mounting the file system with the "bsdgroups" option. No need to set setgid bits on a gazillion of directories.

> (NOT the rights! You will have to set them in the necessary
> way separately).

You could get this behaviour by setting a default ACL on the directory. Unfortunately none of the ACL implementations for Linux are "production-ready" yet (AFAIK), so this is only useful for people running Solaris or IRIX.

hp

--
   _  | Peter J. Holzer             | Nobody should ever have to be
|_|_) | Sysadmin WSR / Obmann LUGA  | ashamed if they have a secret love
| |   | hjp@wsr.ac.at               | for writing computer programs that
__/   | http://wsrx.wsr.ac.at/~hjp/ | actually work. -- Donald E. Knuth
David Lee
1999-Dec-06 15:07 UTC
Approach to permissions, UNIX usernames, and UNIX groups ..
Re:
> I have a question I wanted to throw out to the general public. When
> dealing with reasonably large numbers of users (120+, in this case),
> how do most of you handle your UNIX permissions, usernames, and groups
> in correlation to your SAMBA?
>
> I need to create a directory structure reasonably deep (3-5 directories
> off of the main RAID mount point, with 5-10 directories under that, with
> another 3-10 directories under those).
>
> The best approach I have come up with so far is to create a group
> specifically for each subdirectory, and put .. say .. Bob, Al, and Tom
> in it. Then I make sure the directory is owned by root.group, and could
> utilize the "force create mode" and "force group" directives in my
> smb.conf to create the files as rwxrwx--- and assigned to the group with
> respect to the subdirectory it is in. The only problem is, this means I
> have to manage over 100+ groups with 100+ SAMBA shares, and it seems
> there has to be a better way, and I'm just not seeing it.
>
> Is there a way to tell SAMBA to assign files being written to the group
> of the subdirectory the file is being written to? Is there a better way
> altogether to approach this (I hope there is =).
>
> Any insight or webpage references on approaches to medium-to-large-scale
> fileserving with SAMBA on a network are appreciated. Thanks.

We have 19,000 registered UNIX users, of which some 7,000 (rapidly increasing) are currently Samba-ised onto our Solaris 2.x fileservers.

Many UNIX flavours interpret the SETGID bit on a directory to mean "when creating a new file/directory in here, use the group-owner of this directory (rather than group-owner of the process)". So if your data falls neatly into having dir<n>/subtree<n> all owned by group <n>, then this SETGID should meet your ownership requirement. Note that this functionality, if there, is within that flavour of UNIX itself: it cannot be controlled from Samba.

We have a patch which takes this a stage further. It was discussed back in September on the "samba-technical" list, and met with favourable response from the Samba team. But, alas, things have gone very quiet since then...

This patch, provisionally called "inherit mode", takes the mode of the directory and applies all its bits to new subdirs, and its rw bits to new files. (This "inherit mode" smb.conf parameter overrides even those parameters entitled "force ...".)

See: http://www.dur.ac.uk/~samba/inherit-206.diff for the 2.0.6 patch; substitute 204 or 203 if you run 2.0.4 or 2.0.3 (sorry, no 2.0.5).

And if you like it, gently encourage the Samba Team to include it in future releases of Samba.

Hope that helps.

--
:  David Lee                        I.T. Service          :
:  Systems Programmer               Computer Centre       :
:                                   University of Durham  :
:  http://www.dur.ac.uk/~dcl0tdl    South Road            :
:                                   Durham                :
:  Phone: +44 191 374 2882          U.K.                  :
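
Added example (not part of any message in this thread, and not Samba code): a shell audit for the layout the replies describe, where each directory carries the setgid bit so new files take its group, while the mode bits still have to be controlled separately. It assumes GNU find and stat on Linux; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a share tree for the setgid/group layout from the thread.
# Assumes GNU find and stat (Linux); file names containing newlines are not handled.

# audit_share ROOT: print one finding per line, nothing if the tree is clean.
audit_share() {
    root=$1
    # Directories without setgid: files created there take the creating
    # process's group, not the directory's (unless mounted with bsdgroups).
    find "$root" -mindepth 1 -type d ! -perm -2000 -printf 'NO_SETGID %p\n'
    # Any permission bit for "other" defeats the per-group restriction.
    find "$root" -mindepth 1 ! -type l -perm /0007 -printf 'WORLD_ACCESS %m %p\n'
    # Entries whose group differs from that of their parent directory.
    find "$root" -mindepth 1 ! -type l | while IFS= read -r p; do
        [ "$(stat -c %g "$p")" = "$(stat -c %g "$(dirname "$p")")" ] ||
            printf 'GROUP_MISMATCH %s\n' "$p"
    done
}

# Constructed sample tree: "sales" follows the layout, "eng" does not.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir "$t/sales" "$t/eng"
    chmod 2770 "$t/sales"                    # setgid, group rwx, nothing for other
    chmod 0775 "$t/eng"                      # no setgid, readable by everyone
    ( umask 007; : > "$t/sales/plan.txt" )   # created 0660
    ( umask 022; : > "$t/eng/notes.txt" )    # created 0644
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
audit_share "$tree"
rm -rf "$tree"
```

On the sample tree this reports the `eng` directory for the missing setgid bit and both `eng` entries for world access; `sales` produces no findings.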