I have been playing with samba for a short time. I am not a programmer but I have some questions on if acls within samba are possible, regardless of acl's in the file system or kernel. In samba now, you can have read list or write list and say this user and/or group has write and/or this user and/or group has read only. This is a scaled down version of an acl. What if they created a folder called acl's and had one file called no access, one file called read, write, change, and full. An entry inside these files could look similar to:

/data = @domain admin, john, steve
/data/accounting = @domain admin, @accounting, bob

if these entries were in the change file then samba would restrict him accordingly. I have been trying to get acl's to work and it has been difficult to work. I have been thinking that maybe samba could do this for us without having to count on other pieces of software. I am only asking so please don't take this the wrong way. If it is possible I would like to help make it happen. I am not sure how I can help because I am not a programmer, but if there is anything I will be willing to pitch in.

--- David.Grudek@anixter.com wrote:
> In samba now, you can have read list or write list and say this user
> and/or group has write and/or this user and/or group has read only. This
> is a scaled down version of an acl. What if they created a folder
> called acl's and had one file called no access, one file called read,
> write, change, and full. An entry inside these files could look similar to:
> /data = @domain admin, john, steve
> /data/accounting = @domain admin, @accounting, bob
>
> if these entries were in the change file then samba would restrict him
> accordingly. I have been trying to get acl's to work and it has been
> difficult to work. I have been thinking that maybe samba could do this
> for us without having to count on other pieces of software.

Hi David,

I'm just a system engineer/admin, not a programmer either, but from what I've seen, Samba uses User Group Other permissions, which map to normal UGO Unix permissions stored in the file on the filesystem. These basic permissions are sufficient for many uses, as you can put many users in a group to access a directory or file. Unix basically uses this everywhere, as it's quite flexible.

When you're using the acl patches for EXT2/3 (from acl.bestbits.at) or you use a filesystem with native ACL support like XFS, and you compile Samba --with-acl-support, you get full NT ACL support, where you'll see several groups accessing a file with different permissions. We're using this on several servers. You must remember to remount your filesystems with the acl option, and put it in your fstab.

Either way, Samba relies on the file system to store these settings. This is exactly the same as in the NT world. You might have a FAT partition share where the only permissions are share-level permissions (similar to read/write lists in smb.conf). If you have an NTFS share, file permissions are stored on the file system and combine with share-level permissions.

For more instructions on adding POSIX ACL support, search marc.theaimsgroup.com for similar instructions I'd given about this to other Samba users. I learned most of what I know now from "Teach Yourself Samba in 24 Hours," a Sam's book, but I just found out there's a new O'Reilly "Using Samba" out this month which should contain more current and perhaps more thorough information. Also, check out acl.bestbits.at.

Good luck,
/dev/idal

> Date: Wed, 12 Feb 2003 14:34:56 -0600
> From: David.Grudek@anixter.com
> To: samba@lists.samba.org
> Subject: [Samba] samba acl's
> Message-ID: <OFAA1D48DE.57CEA457-ON86256CCB.0061B639-86256CCB.0070B5B6@anixter.com>
> Content-Type: text/plain; charset="us-ascii"
> MIME-Version: 1.0
> Precedence: list
> Message: 20
>
> I have been playing with samba for a short time. I am not a programmer
> but I have some questions on if acls within samba are possible,
> regardless of acl's in the file system or kernel. In samba now, you can
> have read list or write list and say this user and/or group has write
> and/or this user and/or group has read only. This is a scaled down
> version of an acl. What if they created a folder called acl's and had one
> file called no access, one file called read, write, change, and full. An
> entry inside these files could look similar to:
> /data = @domain admin, john, steve
> /data/accounting = @domain admin, @accounting, bob
>
> if these entries were in the change file then samba would restrict him
> accordingly. I have been trying to get acl's to work and it has been
> difficult to work. I have been thinking that maybe samba could do this
> for us without having to count on other pieces of software. I am only
> asking so please don't take this the wrong way. If it is possible I would
> like to help make it happen. I am not sure how I can help because I am
> not a programmer, but if there is anything I will be willing to pitch in.

File permissions and ACLs are best stored by the filesystem, since then you are guaranteed to get the same behaviour via different services (smb vs ftp vs http vs local access vs nfs).

If you want ACLs working easily out the box, use Mandrake 9.0. Either add the acl option to ext2/ext3 filesystems in your /etc/fstab, or use XFS.

AFAIK, SuSE also supports ACLs out-the-box.

Buchan

--
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
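
Both replies above say that ext2/ext3 file systems need the acl option in /etc/fstab, while XFS supports ACLs natively. The following is an added example, not part of either message: a small audit that lists ext2/ext3 entries in fstab-format text whose option field lacks acl. The function names and the sample fstab are constructed for illustration, and the check covers the configuration file only, not what is currently mounted.

```shell
#!/bin/sh
# Added example: audit fstab-format text for ext2/ext3 entries without "acl".

# Constructed sample fstab (device names and mount points are made up).
SAMPLE_FSTAB='# <device>  <mountpoint>  <type>  <options>  <dump>  <pass>
/dev/hda1  /              ext3  defaults           1 1
/dev/hda5  /data          ext3  defaults,acl       1 2
/dev/hda6  /home          ext2  rw,noacl,usrquota  1 2
/dev/hda7  /srv/projects  xfs   defaults           1 2
/dev/hda8  swap           swap  defaults           0 0
none       /proc          proc  defaults           0 0'

# missing_acl: read fstab text on stdin and print the mount point of every
# ext2/ext3 entry whose option field has no exact "acl" token.
missing_acl() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }            # skip comments and short lines
        $3 != "ext2" && $3 != "ext3" { next }    # XFS has native ACLs, other types are out of scope
        {
            n = split($4, opts, ",")
            found = 0
            for (i = 1; i <= n; i++)
                if (opts[i] == "acl") found = 1  # exact match, so "noacl" does not count
            if (!found) print $2
        }
    '
}

# audit_fstab FILE: return 0 if every ext2/ext3 entry carries acl,
# otherwise list the offending mount points and return 1.
audit_fstab() {
    missing=$(missing_acl < "$1")
    [ -z "$missing" ] && return 0
    printf 'ext2/ext3 entry without acl: %s\n' $missing
    return 1
}

# Run the check over the constructed sample.
printf '%s\n' "$SAMPLE_FSTAB" | missing_acl
```

On a real host, `audit_fstab /etc/fstab` gives an exit status that can gate a Samba deployment script, so shares are not exported from a volume where NT ACLs would silently fall back to plain UGO permissions.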