AndyLiebman@aol.com
2003-Nov-20 20:21 UTC
[Samba] "Inherited Permissions" vs "Force/Create Mask"
I have written to this list several times. I purchased the Official SAMBA 3 How-To and Reference Guide (and read much of it). But I can't get a good answer to my question.

I'm trying to figure out the difference between "inherited permissions" and "force/create mask/directory", and other actions like "force user" and "force group" (it seems I don't want to use the latter).

I have a very simple requirement. I have 6 users in a small network of Windows XP video editing workstations. All users must be able to read and write to the same shared directory (reading, modifying, and deleting each other's files). Plus, I want to know who wrote each file that's on the system (who is the true owner).

Because I am doing video editing -- sometimes with uncompressed video over a gigabit network (18 MB/sec) -- I need the very highest efficiency. So, whatever solution I choose, it can't have a negative impact on speed.

So far I have been able to solve my problem more or less by using "Inherited Permissions = yes" in my smb.conf file under my shared directory name. Is this the best way to do it? Or are there better solutions?

Here are the "facts" about my system.

-- Each user has a username and password on my Linux system.
-- Each user has the same username and password under Samba.
-- Each user logs onto his/her Windows machine with the same usernames and passwords that they have in Linux.
-- The Shared Directory on my Linux machine is owned by the group to which all users belong, and the group has write permission (rwxrw-r--).
-- The umask for the Linux user that created the directory is 0002.

With the solution I have chosen ("inherited permissions = yes"), all files and folders that my 6 users create and write into the shared directory are listed as being owned by the person who created them (that's good) and by the group to which they all belong (that's good) and the group has read and write permissions.

However, in Windows XP, group members who didn't originally create a file or directory are not listed as having FULL CONTROL. They have read and write permission, but not modify. I'm not sure it makes any difference in the end because all users seem to be able to change the names of files, read them and delete them. But maybe the solution I'm using isn't good or has a high impact on performance?

It seems another approach could be to use "force mask" and "create mask" and "force directory" and "create directory".

And as I said above, another approach would be to "force user" and "force group" -- but that doesn't preserve the information about who actually created the file. And I want to keep that if possible.

And maybe there's a solution that doesn't involve using any special smb.conf variables.

Some guidance would be appreciated. Thanks.

Andy Liebman

Nils Kalchhauser
2003-Nov-21 10:00 UTC
[Samba] "Inherited Permissions" vs "Force/Create Mask"
AndyLiebman@aol.com wrote (Thu, 20 Nov 2003 15:21:51 EST):
> ...
> It seems another approach could be to use "force mask" and "create
> mask" and "force directory" and "create directory".
>

we have quite a similar setup and the following mask directives:

    create mask = 0775
    directory mask = 0775

with these every new file is owned by the user who created it and belongs to the group. the file is group writable and therefore all other users can use it...

greetings,
Nils

This may be the setup that you have at present, but I have a share with the following set:

    [sharename]
        path = /path/to/share
        writeable = yes
        valid users = @<group>
        force group = <group>
        directory mode = 770
        create mask = 660

Then do

    # chown anyuser.groupname /path/to/share
    # chmod 770 /path/to/share

Add all the users to the same group, and then any user who writes to the share will have their name as the owner of the file, and the group will be the group owner, and the permissions will allow full control of the file (-rw-rw----).

We have a share for each department at work here, and this seems to be working fine for all of them - however our needs aren't as intense as yours so this may not be the best setup - however it does seem to work quite well so far.

Hope this is of some use,

edd

On Thursday 20 Nov 2003 8:21 pm, AndyLiebman@aol.com wrote:
> I have written to this list several times. I purchased the Official SAMBA 3
> How-To and Reference Guide (and read much of it). But I can't get a good
> answer to my question.
>
> I'm trying to figure out the difference between "inherited permissions" and
> "force/create mask/directory", and other actions like "force user" and
> "force group" (it seems I don't want to use the latter).
>
> I have a very simple requirement. I have 6 users in a small network of
> Windows XP video editing workstations. All users must be able to read and
> write to the same shared directory (reading, modifying, and deleting each
> other's files). Plus, I want to know who wrote each file that's on the
> system (who is the true owner).
>
> Because I am doing video editing -- sometimes with uncompressed video over
> a gigabit network (18 MB/sec) -- I need the very highest efficiency. So,
> whatever solution I choose it can't have a negative impact on speed.
>
> So far I have been able to solve my problem more or less by using
> "Inherited Permissions = yes" in my smb.conf file under my shared directory
> name. Is this the best way to do it? Or are there better solutions?
>
> Here are the "facts" about my system.
>
> -- Each user has a username and password on my Linux system.
> -- Each user has the same username and password under Samba
> -- Each user logs onto his/her Windows machine with the same usernames and
> passwords that they have in Linux.
> -- The Shared Directory on my Linux machine is owned by the group to which
> all users belong, and the group has write permission (rwxrw-r--)
> -- The umask for the Linux user that created the directory is 0002
>
> With the solution I have chosen ("inherited permissions = yes"), all files
> and folders that my 6 users create and write into the shared directory are
> listed as being owned by the person who created them (that's good) and by
> the group to which they all belong (that's good) and the group has read and
> write permissions.
>
> However, in Windows XP, group members who didn't originally create a file
> or directory are not listed as having FULL CONTROL. They have read and
> write permission, but not modify. I'm not sure it makes any difference in
> the end because all users seem to be able to change the names of files,
> read them and delete them. But maybe the solution I'm using isn't good or
> has a high impact on performance?
>
> It seems another approach could be to use "force mask" and "create mask"
> and "force directory" and "create directory".
>
> And as I said above, another approach would be to "force user" and "force
> group" -- but that doesn't preserve the information about who actually
> created the file. And I want to keep that if possible.
>
> And maybe there's a solution that doesn't involve using any special
> smb.conf variables.
>
> Some guidance would be appreciated. Thanks.
>
> Andy Liebman

--
Edd Payne
IT Co-ordinator
University of London Union
Malet Street, London WC1E 7HY
tel: 020 7664 2060
fax: 020 7436 4604
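
The three setups discussed in this thread can be compared with a small model of how smbd picks the Unix mode of a newly created file or directory. This is an added example, not code from any poster or from the Samba project; it is a simplified model that assumes Samba's documented defaults (`create mask = 0744`, `directory mask = 0755`, `map archive = yes`), and `new_mode`, `group_can_write` and the `SHARES` table are hypothetical names.

```python
import stat

RW_BITS = 0o666  # read/write bits for user, group and other

def new_mode(share, is_dir, parent_mode=0o755, archive=True):
    """Model the mode of a new file/directory for one share definition.

    share: smb.conf parameters as a dict (octal ints, bools); missing keys
    fall back to the documented defaults assumed in the lead-in.
    """
    inherit = share.get("inherit permissions", False)
    if is_dir:
        if inherit:
            # New directories copy the parent's mode (setuid dropped, setgid kept).
            return parent_mode & 0o7777 & ~stat.S_ISUID
        masked = 0o777 & share.get("directory mask", 0o755)
        return masked | share.get("force directory mode", 0)
    # Files: the DOS archive attribute is stored as the owner execute bit.
    mode = stat.S_IXUSR if archive and share.get("map archive", True) else 0
    if inherit:
        # Only the read/write bits of the parent directory are inherited.
        return mode | (parent_mode & RW_BITS)
    mode |= RW_BITS
    return (mode & share.get("create mask", 0o744)) | share.get("force create mode", 0)

def group_can_write(mode):
    return bool(mode & stat.S_IWGRP)

# The share definitions from the thread, plus an unconfigured share.
# 'directory mode' in the third post is a synonym for 'directory mask'.
# 'force group' changes group ownership, not the mode, so it is not modelled.
SHARES = {
    "defaults": {},
    "inherit permissions (parent rwxrw-r--)": {"inherit permissions": True},
    "create/directory mask 0775": {"create mask": 0o775, "directory mask": 0o775},
    "create mask 660, directory mode 770": {"create mask": 0o660, "directory mask": 0o770},
}

if __name__ == "__main__":
    for name, share in SHARES.items():
        f = new_mode(share, is_dir=False, parent_mode=0o764)
        d = new_mode(share, is_dir=True, parent_mode=0o764)
        print(f"{name:42} file={stat.filemode(stat.S_IFREG | f)} "
              f"dir={stat.filemode(stat.S_IFDIR | d)} "
              f"group-writable={group_can_write(f)}")
```

With the defaults the group cannot write to new files; each of the three configurations in the thread makes them group-writable, and only the last one removes all access for "other".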