I was working with a very similar situation recently, and basically you
just have to come to grips with the differences between Microsoft user/group
permissions and those in Unix (i.e. there is no append permission, such as
write access but no delete access, in Unix).
I came up with a couple of tricks, it's hard to remember them all now, but
the commands you have to work with are: umask, chmod, chgrp and suid/sgid
(chattr, lsattr are not really needed).
So, first off I did the same as you with your file permissions, with the
directory structure owned by root and the group is the main department/group
needing access to those files. Now, in Unix whenever a user creates a file,
the created file inherits the inverse permissions of the system "umask"
setting. I have my system umask value set to "0022" so that Group and
Other fields do not get write access to newly created files (4=r 2=w 1=x),
so I'm restricting the 2 (write) permissions.
But don't members of the group need write access to those files as well? -
you may ask. Yes, that's where set group id (sgid) comes into play. All
directories with the sgid bit "2---" set (easiest way: chmod g+s filename)
say that all files created within that directory inherit the directory's
permissions. So, the directory's permissions could likely be 2760 for
rwxrws--- where the s in that location means setgroupid. I sometimes get a
capital S in that location, I have no clue what that means!
Also, you don't want users to delete the directories so you can apply the
sticky bits "1---" to these (chmod +t filename). Also you could create a
file with rwx------ permissions in the directory owned by root, so group
users would not have power to delete the directory as they cannot delete all
of the files within it. There's something else to be said for inheriting
permissions of the parent folder, if the parent folder (share directory
name) does not have write permissions, I think then too one cannot delete
the directory residing in it.
I wish there was a way to change individual users' umask values, have an
append permission bit, and other things - but that's just the way Unix is.
The "force create mode" options in samba may be of help to shares as well.
So, it's not a perfect match to Windows permissions, but it's mostly doable.
=) good luck.
-- per your permission below, I don't see why root needs 000 permissions?
let me know if you have any other questions,
peace
Brian
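A shell walkthrough of the umask / sgid / sticky-bit setup described in the reply above, added here as an example and not code from either message in the thread. It assumes a mktemp scratch directory and uses the caller's own group in place of a department group, so it only checks the resulting mode bits and group-id inheritance.

```shell
#!/bin/sh
# Added example (not code from the thread): a department directory set up
# with sgid + sticky bit, and what a file created under umask 0022 gets.
# Assumes a mktemp scratch directory and the caller's own group standing in
# for a department group, so only mode bits and gid inheritance are checked.
set -eu
# Symbolic mode, e.g. "drwxrws--T": first 10 chars of ls -ld, so a trailing
# ACL/SELinux marker in column 11 is ignored.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Numeric group id of a path (ls -n prints uid and gid as numbers).
gid_of() {
    ls -ldn "$1" | awk '{ print $4 }'
}

# Owner/group rwx, nothing for others; sgid ("2---") makes new entries take
# the directory's group; sticky ("1---") lets only an entry's owner (or root)
# remove it. ls shows mode 3770 as drwxrws--T.
setup_dept_dir() {
    mkdir -p "$1"
    chmod 2770 "$1"
    chmod +t "$1"
}

# Create an empty file under the reply's recommended umask: 0666 minus 0022
# gives rw-r--r--, readable but not writable by the group.
create_with_umask() {
    ( umask 0022 && : > "$1" )
}

# The "capital S": sgid set while group execute is off (e.g. chmod 2760).
# Lowercase s = sgid plus g+x; the same rule gives t/T for sticky and o+x.
capital_s_dir() {
    mkdir -p "$1"
    chmod 2760 "$1"
    mode_of "$1"
}

main() {
    root=$(mktemp -d)
    setup_dept_dir "$root/Engenharia"
    create_with_umask "$root/Engenharia/report.txt"
    echo "dir:  $(mode_of "$root/Engenharia") gid=$(gid_of "$root/Engenharia")"
    echo "file: $(mode_of "$root/Engenharia/report.txt") gid=$(gid_of "$root/Engenharia/report.txt")"
    echo "sgid without g+x: $(capital_s_dir "$root/NoGroupExec")"
    rm -rf "$root"
}
main
```

On a real server the directory would be chgrp'd to the department group and, for the sticky bit to protect other members' files, the share users must not be the directory's owner.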
|-----Original Message-----
|From: Tiago de Oliveira Quadra [mailto:tquadra@landesigners.com.br]
|Sent: Monday, April 14, 2003 2:20 PM
|To: samba@lists.samba.org
|Subject: [Samba] samba pdc premissions problem
|
|
|
| Hello Everybody,
|
| I have samba 2.2.8a installed on a RedHat 7.3 Gnu/Linux.
|
| I'm trying to setup a Samba as a PDC Server for Win2K/XP/98
|workstations.
| The basic stuff did very well, everybody can join and
|access the domain.
|
| But now I want the shares by departments and give only
|access to the correct users.
|
| I tried to setup a group policy between my users and shares
|doing the following:
|
| I created 2 basic groups, smbusers and smbcomputers, GID
|101 and 102 respectively and I created 6 specific groups:
|compras, contabil, diretoria, dp, engenharia and financeiro.
|
| I also created the following directory structure:
| /home/Netlogon set to root:smbusers and 0755.
| /home/Profiles set to root:smbusers and 0050.
| /home/Users set to root:smbusers and 0050.
| /home/Depts set to root:smbusers and 0050.
|
| on /home/Depts I have the following.
| /home/Depts/Compras set to root:compras 0070
| /home/Depts/Contabil set to root:contabil 0070
| /home/Depts/Diretoria set to root:diretoria 0070
| /home/Depts/DP set to root:dp 0070
| /home/Depts/Engenharia set to root:engenharia 0070
| /home/Depts/Financeiro set to root:financeiro 0070
|
| All Samba users primary group is one of the specific groups
|(from compras to financeiro) and secondary set to smbusers.
| For eg.:
| in /etc/passwd -> lcohen:x:1015:155::/home/Users/lcohen/:/bin/false
| in /etc/group -> smbusers:x:101:lcohen and engenharia:x:155:
|
| My SMB.CONF
|# Global parameters
|[global]
| workgroup = SMBDOM
| netbios name = SRV01
| server string = Servidor Linux
| interfaces = eth0
| bind interfaces only = Yes
| encrypt passwords = Yes
| update encrypted = Yes
| pam password change = Yes
| unix password sync = Yes
| time server = Yes
| keepalive = 10000
| max open files = 20000
| socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
| load printers = No
| domain admin group = @root root
| domain guest group = @nobody
| add user script = /usr/sbin/useradd -d /dev/null -g 101 -s /bin/false -M %u
| logon script = logon.bat
| logon path = \\%L\Profiles\%u
| logon drive = H:
| logon home = \\%L\Users\%u
| domain logons = Yes
| os level = 64
| lm announce = Yes
| preferred master = Yes
| domain master = Yes
| wins support = Yes
| remote announce = 192.168.0.255
| admin users = root
|[Homes]
| comment = User Home Directory
| read only = No
| hide files = .*
|
|[Profiles]
| path = /home/Profiles
| read only = No
| hide files = .*
|
|[NetLogon]
| path = /home/Netlogon
| read only = No
| browseable = No
|
|[Departamentos]
| path = /home/Departamentos
| read only = No
| inherit permissions = yes
|
| The first time I set up the Samba everything worked fine.
|But all new files created by the users were unwritable for
|everybody. For eg. if the user 'lcohen' creates a file on
|/home/Depts/Engenharia the file becomes read-only right after
|it was created, even for the user lcohen.
|
| I tried to change the smb.conf by removing the 'inherit
|permissions' and putting some 'create mask' or/and 'force
|create mask'. The first time I thought it worked, but other
|users started complaining about not being able to access the
|files. When I looked, all the files were read-only. I tried to
|change back the configuration (after lots of tests), but it
|didn't work.
|
| Now the users only have access if I set up everything with
|mask 0777 (files and directories).
|
| Please advise,
| and sorry for my English, I hope it is not that bad.
|
| Tiago Quadra
|
|