Hi.
I had the same problem but I needed ACLs for groups.
Setting the rights of the 'normal' UNIX group to '---' caused the effective access rights of the ACL groups to be set to '---'.
Therefore I set the rights of the top directory to
chown root:root DIR
chmod 2770 DIR (sticky bit for group)
Newly created directories belong to the group 'root' and not the group of the user that is connected to the share. Don't use 'force group = root' as the users then connect to the share with group = root.
I don't use 'inherit permissions = yes' as the UNIX bits are responsible for archive bit / readonly bit. And every time you save an existing file the permissions are updated.
I use default ACL entries to inherit the needed permissions and don't want samba to change the permissions.
I agree with you that there's improved support for ACLs needed.
Quota checks UNIX user, group and other. Not entries in ACLs.
-----Original Message-----
From: Pierre Dehaen [SMTP:dehaen@milano.drever.be]
Sent: Tuesday, August 13, 2002 6:16 PM
To: samba@lists.samba.org
Subject: [Samba] ACL: need additional samba option ?
Hi All,
I need to set up the following rights behavior through samba and I'm currently stuck after lots of unsuccessful tests. Maybe one of you has an idea or a solution to this problem...
Here it comes:
- A share must be available only to some users belonging to the "project" group.
That's easy:
valid users = @project
- There are several administrator-created directories in the share corresponding to the departments of the company. Only some users must have access to each directory, in read only mode for some, in read/write mode for others.
We cannot use the unix groups because of the limitation saying a user may only be a member of 15 (or 16, I don't remember) groups. So I started playing with ACLs: each user with read or read/write access has an ACL on those top directories and a default entry also (default:user:john:r-x for instance).
The mask and default mask (ACL) are set to rwx.
- Under these top directories, read only users must be able to read all files, and read/write users must be able to create files and subdirectories. When a file/sdir is created by a user, only that user should be able to modify or delete the file/sdir unless additional rights are given by him/her through the windows permissions.
The solution now:
- I created acls on the top directories, including default entries:
# ls -ld topdir
drwx------+ 7 root other 512 Aug 13 16:00 topdir/
# getfacl topdir
# file: topdir
# owner: peter
# group: noaccess
user::rwx
user:john:rwx
user:johnny:rwx
user:jack:r-x
group::---
mask:rwx
other:---
[and the same entries with default: as prefix]
Note that I set the group to "noaccess" to make sure it will not interfere with the user specific rights.
- I set the following options on the samba share:
read only = no
inherit permissions = yes
inherit acls = yes
force group = noaccess
Note that default entries should not be very useful here because I used the samba options "inherit".
This works when john creates a file -rights are inherited- but I don't know how to set the rights of all users but the owner to "read only" maximum because for now they will get the same rights as on the parent directory.
And this doesn't work when john creates a subdirectory because the mask is set to "---" and the effective perms are null too!
- Note that I tested also without the inherit options. I hoped the "default:" would do but then another problem comes: the mask is set based on the permissions of the group...
- So I'm stuck now! I think the solution would be to have two more samba options:
force file acl mask = r-x
force directory acl mask = rwx
I'm sorry for having been so long. Well, if you're still here, you're maybe interested...
Thanks in advance for any help,
Pierre
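
The mask behaviour that both messages run into, as an added example that is not part of either post: it parses getfacl-style entries and computes effective rights before and after the group permission bits are changed. It assumes the POSIX.1e draft semantics documented in Linux acl(5), where the group bits of an ACL that has a mask entry are the mask (other platforms may differ in detail); the function names and the sample listing are constructed for illustration.

```python
import re

# Constructed sample, modelled on the getfacl listing quoted in the thread.
SAMPLE = """\
# file: topdir
user::rwx
user:john:rwx
user:jack:r-x
group::---
mask:rwx
other:---
"""

ENTRY = re.compile(r"(user|group|mask|other):([^:]*):?([r-][w-][x-])")

def parse_acl(text):
    """Return {(tag, qualifier): 'rwx'}; accepts 'mask:rwx' and 'mask::rwx'."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments such as '# file:'
        if not line or line.startswith("default:"):
            continue                           # default entries only affect new files
        m = ENTRY.fullmatch(line)
        if not m:
            raise ValueError(f"unrecognised ACL entry: {line!r}")
        acl[(m.group(1), m.group(2))] = m.group(3)
    return acl

def _and(perms, mask):
    return "".join(p if p == m and p != "-" else "-" for p, m in zip(perms, mask))

def effective(acl):
    """Owner and other are never masked; named users and all groups are."""
    mask = acl.get(("mask", ""))
    out = {}
    for (tag, who), perms in acl.items():
        if tag == "mask":
            continue
        masked = mask is not None and (tag == "group" or (tag == "user" and who))
        out[(tag, who)] = _and(perms, mask) if masked else perms
    return out

def chmod_group(acl, perms):
    """Model 'chmod g=perms': with a mask entry present, the mask is what changes."""
    key = ("mask", "") if ("mask", "") in acl else ("group", "")
    return {**acl, key: perms}

if __name__ == "__main__":
    acl = parse_acl(SAMPLE)
    for label, a in (("as listed", acl), ("after g=---", chmod_group(acl, "---"))):
        print(label, {f"{t}:{w}": p for (t, w), p in effective(a).items()})
```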