Hello,

I have a share [/projects] with multiple directories inside, each created for purpose of different projects. On Win2K I was able to specify users who were allowed to access particular directories and in some cases particular files (in case there is any secret file I was allowing access only to one person responsible for the project). I was wondering if it is possible to switch all server to Linux running 'samba'? At the moment I don't think it is possible due to lack of proper ACLs. I need something controlling access to particular files/directories with specific user oriented access rights. Linux by default doesn't have any support of ACLs so it's not possible to do it from the system in any efficient and reasonable way (I don't know any stable enough ACLs solutions for Linux).

What do you all think about it? I believe samba should separate access control from Linux file system and implement advanced ACL functions.

Best Regards,
M.B.

On Tue, 29 Apr 2003, Marek Bialoglowy wrote:

> Hello,
>
> I have a share [/projects] with multiple directories inside, each created
> for purpose of different projects. On Win2K I was able to specify users who
> were allowed to access particular directories and in some cases particular
> files (in case there is any secret file I was allowing access only to one
> person responsible for the project). I was wondering if it is possible to
> switch all server to Linux running 'samba' ? At the moment I don't think it
> is possible due to lack of proper ACLs. I need something controlling access
> to particular files/directories with specific user oriented access rights.
> Linux by default doesn't have any support of ACLs so it's not possible to do
> it from the system in any efficient and reasonable way (I don't know any
> stable enough ACLs solutions for Linux).
>
> What do you all think about it ? I believe samba should separate access
> control from Linux file system and implement advanced ACL functions.

Marek,

Your request seems so logical and the samba-team's apparent failure to deliver this seems deficient and cruel! Please rest assured that we are well aware of the issues and that we aim to deliver what our users need and want.

Linux/Unix does not have support for MS Windows NT styled ACLs. Even with POSIX ACLs we have issues as there is no 1:1 mapping of MS Windows NT to POSIX functionality. That means that in implementing ACLs we have to make trade-offs.

You can use normal Unix/Linux user and group access controls to restrict user access to files and directories.

You can set fully functional ACLs on shares (done using the NT4 Server Manager, or through the Win2K MSC toolset). This one is now being documented in the new Samba-HOWTO-Collection that will ship with Samba-3.0.0.

What we are still trying to identify is how much of a limitation we really have today.

Granted that it would be nice to be able to set all permissions using NT ACLs through the MS Windows File Manager, but is that the ONLY way that is acceptable to our users? In fact, from a Unix/Linux administrator's perspective is that the MOST efficient way to do it?

If you want "Proper ACLs" then you will need to make certain that the underlying file system has them. Samba can invent yet more overhead. Samba can make things more complex than they are. We CAN create a separate database for EVERY file on the system and set ACLs in it. But that would become a completely unmanageable nightmare at best, and more likely a total disaster.

ACLs information has to be stored somewhere! If not in the file system itself then in a separate database. If in a separate database then HOW do we keep that database current with the files in the filesystem as Unix/Linux users re-arrange files without using the MS Windows tools.

So if the lack of "Proper ACLs" is a real road block for you, may I ask are you willing to take up your needs with those who are responsible for the file systems that Samba sits on top of? If not, what do you want us to do to make sure that your needs are met?

- John T.
--
John H Terpstra
Email: jht@samba.org

Hello,

> I personally use the unix group permission. If you are familiar
> with UNIX permissions then it is really easy.

Well, it could be quite hard to use if files have very specific access rights. Let's say I have 4 groups.

hrd (users: mark, john)
finance (users: mary, ben)
managers (users: david, daniel)
cs (users: steve, diana)

and now the access rights in share [/projects]

/projects/one
  hrd: rw
  finance: r
  managers.david: rw
  all others: forbidden
  purpose: I want HRD to work on that project together with managers. Finance should be able to view the progress but not modify anything.

/projects/two
  managers: rw
  finance.ben: rw
  hrd.mark: r
  all others: forbidden
  purpose: managers are working on that project with 'ben' from finance. Other ppl in finance shouldn't have access to this work because it is quite sensitive project. Mark from HRD is also involved in that project but only to review some parts of it.

/projects/three
  finance: rw
  managers: rw
  cs.steve: rw
  cs.diana: r
  all others: forbidden
  === file /projects/three/final-report.doc (managers: rw, finance.mary: r, others: forbidden)
  purpose: all groups are working on that projects, but customer care employee diana does not have need to modify anything. The final report for the project is prepared by managers and mary from finance should review if the numbers are correct. Other ppl should not have access to the final report.

If we have 50 projects and everywhere different access rights then I believe it is very hard to configure it under linux (if possible). Under win2k it is pretty simple. If I am right maybe 'samba' and Linux is not good solution for such highly controlled shares, even if in simpler environment it works perfect.

Best Regards,
M.B.

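The three project directories and the one restricted file from the post above, expressed as POSIX ACLs with `setfacl` (an added example, not part of any post in this thread). It assumes a file system mounted with POSIX ACL support, the `acl` tools installed, and that the group and user names from the post exist as Unix accounts; the script only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: prints (does not run) setfacl commands for the /projects
# layout in the post. The names are assumed to exist as Unix accounts.

# perms LEVEL: capital X gives search on directories, not exec on documents.
perms() {
    case "$1" in
        rw) echo "rwX" ;;
        r)  echo "r-X" ;;
        *)  echo "unknown level: $1" >&2; return 1 ;;
    esac
}

# acl_spec ENTRY...: each ENTRY is u:NAME:LEVEL or g:NAME:LEVEL. Owning group
# and "other" are closed first, which is the "all others: forbidden" rule.
acl_spec() {
    spec="g::---,o::---"
    for e in "$@"; do
        p=$(perms "${e##*:}") || return 1
        spec="$spec,${e%:*}:$p"
    done
    echo "$spec"
}

# dir_acl DIR ENTRY...: commands for one project tree.
dir_acl() {
    d=$1; shift
    s=$(acl_spec "$@") || return 1
    echo "setfacl -R -b $d"                             # drop old ACLs
    echo "setfacl -R -m $s $d"                          # access ACL, existing tree
    echo "find $d -type d -exec setfacl -d -m $s {} +"  # default ACL: new files inherit
}

# file_acl FILE ENTRY...: one file with its own, narrower ACL.
file_acl() {
    f=$1; shift
    s=$(acl_spec "$@") || return 1
    echo "setfacl -b $f"
    echo "setfacl -m $s $f"
}

projects_acl() {
    dir_acl /projects/one   g:hrd:rw g:finance:r u:david:rw
    dir_acl /projects/two   g:managers:rw u:ben:rw u:mark:r
    dir_acl /projects/three g:finance:rw g:managers:rw u:steve:rw u:diana:r
    file_acl /projects/three/final-report.doc g:managers:rw u:mary:r
}
projects_acl
```

Permissions on the parent directory still apply: anyone with rw on /projects/three can delete or replace final-report.doc, and the file's owner keeps owner access, so a restricted file is better kept in its own subdirectory owned by an account outside the excluded groups.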
> Date: Tue, 29 Apr 2003 10:07:48 -0700
> From: "Norman Zhang" <nzhang@arkon-group.com>
> To: <samba@lists.samba.org>
> Subject: Re: [Samba] ACLs and file/directory access permissions
>
> Just to clarify. Mandrake 9.1 does not support ACL out of the box. It was
> supported in 8.2, 9.0 but not 9.1. See
> http://marc.theaimsgroup.com/?l=mandrake-cooker and search for acl.

Yet.

You should be able to have working ACLs on 9.1 using the kernel from 9.0. If your hardware requires a more recent kernel, there will hopefully be updates for the 9.1 kernel that will have working ACLs, at least on XFS.

You will note that there is a patch for the current cooker kernel to support XFS ACLs.

At present, 9.0 out-the-box with updates is probably a better choice for samba serving than 9.1 out-the-box.

Regards,
Buchan

--
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7