samba - Nov 2003 - "Inherited Permissions" vs "Force/Create Mask"

I have written to this list several times. I purchased the Officia SAMBA 3 
How-To and Reference Guide (and read much of it). But I can't get a good
answer
to my question. 

I'm trying to figure out the difference between "inherited
permissions" and
"force/create mask/directory", and other actions like "force
user" and "force
group" (it seems I don't want to use the latter). 

I have a very simple requirement. I have 6 users in a small network of 
Windows XP video editing workstations. All users must be able to read and write
to
the same shared directory (reading, modifying, and deleting each other's 
files). Plus, I want to know who wrote each file that's on the system (who
is the
true owner). 

Because I am doing video editing -- sometimes with uncompressed video over a 
gigabit network (18 MB/sec)  -- I need the very highest efficiency. So, 
whatever solution I choose it can't have a negative impact on speed. 

So far I have been able to solve my problem more or less by using
"Inherited
Permissions = yes" in my smb.conf file under my shared directory name. Is
this
the best way to do it? Or are there better solutions?

Here are the "facts" about my system. 

-- Each user has a username and password on my Linux system. 
-- Each user has the same username and password under Samba
-- Each user logs onto his/her Windows machine with the same usernames and 
passwords that they have in Linux.
-- The Shared Directory on my Linux machine is owned by the group to which 
all users belong, and the group has write permission  (rwxrw-r--) 
-- The umask for the Linux user that created the directory is 0002

With the solution I have chosen ("inherited permissions = yes), all files
and
folders that my 6 users create and write into the shared directory are listed 
as being owned by the person who created them (that's good) and by the group
to which they all belong (that's good) and the group has read and write 
permissions. 

However, in Windows XP, group members who didn't originally create a file or
directory are not listed as having FULL CONTROL. They have read and write 
permission, but not modify. I'm not sure it makes any difference in the end 
because all users seem to be able to change the names of files, read them and
delete
them. But maybe they solution I'm using isn't good or has a high impact
on
performance?  

It seems another approache could be to use "force mask" and
"create mask" and
"force directory" and "create directory". 

And as I said above, another approach would be to "force user" and
"force
group" -- but that doesn't preserve the information about who actually
created
the file. And I want to keep that if possible. 

And maybe there's a solution that doesn't involve using any special
smb.conf
variables. 

Some guidance would be appreciated. Thanks. 

Andy Liebman

AndyLiebman@aol.com wrote (Thu, 20 Nov 2003 15:21:51
EST):
> ...
> It seems another approache could be to use "force mask" and
"create
> mask" and "force directory" and "create
directory".
> 
we have quite a similar setup and the following mask directives:

create mask = 0775
directory mask = 0775

with these every new file is owned by the user who created it and belongs
to the group. the file is group writable and therefore all other users can
use it...


greetings,
Nils

This may be the setup that you have at present, but I have a share with the 
following set:

[sharename]
   path = /path/to/share
   writeable = yes
   valid users = @<group>
   force group = <group>
   directory mode = 770
   create mask = 660

Then do

# chown anyuser.groupname /path/to/share
# chmod 770 /path/to/share

Add all the users to the same group, and then any user who writes to the share 
will have their name as the owner of the file, and the group will be the 
group owner, and the permissions will allow full control of the file 
(-rw-rw----).

We have a share for each department at work here, and this seems to be working 
file for all of them - however our needs aren't as intense as yours so this 
may not be the best setup - however it does seem to work quite well so far.

Hope this is of some use,
edd

On Thursday 20 Nov 2003 8:21 pm, AndyLiebman@aol.com
wrote:
> I have written to this list several times. I purchased the Officia SAMBA 3
> How-To and Reference Guide (and read much of it). But I can't get a
good
> answer to my question.
>
> I'm trying to figure out the difference between "inherited
permissions" and
> "force/create mask/directory", and other actions like "force
user" and
> "force group" (it seems I don't want to use the latter).
>
> I have a very simple requirement. I have 6 users in a small network of
> Windows XP video editing workstations. All users must be able to read and
> write to the same shared directory (reading, modifying, and deleting each
> other's files). Plus, I want to know who wrote each file that's on
the
> system (who is the true owner).
>
> Because I am doing video editing -- sometimes with uncompressed video over
> a gigabit network (18 MB/sec)  -- I need the very highest efficiency. So,
> whatever solution I choose it can't have a negative impact on speed.
>
> So far I have been able to solve my problem more or less by using
> "Inherited Permissions = yes" in my smb.conf file under my shared
directory
> name. Is this the best way to do it? Or are there better solutions?
>
> Here are the "facts" about my system.
>
> -- Each user has a username and password on my Linux system.
> -- Each user has the same username and password under Samba
> -- Each user logs onto his/her Windows machine with the same usernames and
> passwords that they have in Linux.
> -- The Shared Directory on my Linux machine is owned by the group to which
> all users belong, and the group has write permission  (rwxrw-r--)
> -- The umask for the Linux user that created the directory is 0002
>
> With the solution I have chosen ("inherited permissions = yes), all
files
> and folders that my 6 users create and write into the shared directory are
> listed as being owned by the person who created them (that's good) and
by
> the group to which they all belong (that's good) and the group has read
and
> write permissions.
>
> However, in Windows XP, group members who didn't originally create a
file
> or directory are not listed as having FULL CONTROL. They have read and
> write permission, but not modify. I'm not sure it makes any difference
in
> the end because all users seem to be able to change the names of files,
> read them and delete them. But maybe they solution I'm using isn't
good or
> has a high impact on performance?
>
> It seems another approache could be to use "force mask" and
"create mask"
> and "force directory" and "create directory".
>
> And as I said above, another approach would be to "force user"
and "force
> group" -- but that doesn't preserve the information about who
actually
> created the file. And I want to keep that if possible.
>
> And maybe there's a solution that doesn't involve using any special
> smb.conf variables.
>
> Some guidance would be appreciated. Thanks.
>
> Andy Liebman
-- 
Edd Payne
IT Co-ordinator
University of London Union
Malet Street, London WC1E 7HY

tel: 020 7664 2060
fax: 020 7436 4604