samba - Jan 2005 - Inherit permissions question (Please help)

Any ideas ??


Kindest regards
David Wilson
_______________________________
D c D a t a
Tel +27 33 342 7003
Fax +27 33 345 4155
Cell +27 82 4147413
http://www.dcdata.co.za
support@dcdata.co.za
Powered by Linux, driven by passion !
_______________________________

"Computers are not intelligent. They only think they are."

----- Original Message ----- 
From: "David Wilson" <dave@dcdata.co.za>
To: <samba@lists.samba.org>
Sent: Sunday, January 23, 2005 6:28 PM
Subject: [Samba] Inherit permissions question

> Hi guys,
>
> Unfortunately I'm still battling with this.
> Perhaps I've missed something ?
>
> Your assistance would be greatly appreciated.
> Thanks in advance.
>
> Kindest regards
> David Wilson
> _______________________________
> D c D a t a
> Tel +27 33 342 7003
> Fax +27 33 345 4155
> Cell +27 82 4147413
> http://www.dcdata.co.za
> support@dcdata.co.za
> Powered by Linux, driven by passion !
> _______________________________
>
> ----- Original Message ----- 
> From: "David Wilson" <dave@dcdata.co.za>
> To: <samba@lists.samba.org>
> Sent: Friday, January 21, 2005 7:17 AM
> Subject: Inherit permissions question
>
>
>> Hi guys,
>>
>> How are you ?
>>
>> We have a share named [userprofile] on our Samba-3.0.9 server where
each
>> users' profile is stored.
>> Fairly often a user which is not the user that owns the profile i.e and
>> admin, needs to copy files into other users' profile folders.
>> The problem which then arises is that the user who owns the profile is 
>> unable to access the new files, due to the UNIX permissions being set
to
>> the person who copied the files into the directory.
>> I've looked through the smb.conf and found the "inherit
permissions"
>> parameter and tried it but cannot seem to get it to work ?
>>
>> In my smb.conf for the [userprofile] share I have the following:
>> [userprofile]
>> path = /data/userprofile
>> read only = no
>> guest ok = yes
>> profile acls = yes
>> browseable = no
>> csc policy = disable
>> share modes = no
>> inherit permissions = yes
>>
>> If the administrator connects to \\server\userprofile\user1 and writes
a
>> file named "test.txt" into the directory the permissions from
the
>> directory "user1" are not propagated down to the new file.
>> My permissions on the "user1" directory are set as follows:
>> drwx----- 16 user1     users     4096 2005-01-21       user1/
>>
>> The file "test.txt" gets written with the following
permissions:
>> -rw------ 16 root     Domain Admins     0 2005-01-21  07:07    
test.txt
>>
>> Any ideas on how I get samba to write it so that the owner of the
folder
>> propagates to new files written into the folder even if a domain admin 
>> writes them there ?
>>
>> Many thanks.
>>
>>
>>
>>
>> Kindest regards
>> David Wilson
>> _______________________________
>> D c D a t a
>> Tel +27 33 342 7003
>> Fax +27 33 345 4155
>> Cell +27 82 4147413
>> http://www.dcdata.co.za
>> support@dcdata.co.za
>> Powered by Linux, driven by passion !
>> _______________________________
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Wilson wrote:

|>> If the administrator connects to \\server\userprofile\user1 and
|>> writes a file named "test.txt" into the directory the
permissions
|>> from the directory "user1" are not propagated down to the
new file.
|>> My permissions on the "user1" directory are set as follows:
|>> drwx----- 16 user1     users     4096 2005-01-21       user1/
|>>
|>> The file "test.txt" gets written with the following
permissions:
|>> -rw------ 16 root     Domain Admins     0 2005-01-21  07:07    
test.txt
|>>
|>> Any ideas on how I get samba to write it so that the owner of the
|>> folder propagates to new files written into the folder even if a
|>> domain admin writes them there ?

Inherit permissions set file bits not the owner.  You might
have more luck with the 'force user' option.  But be careful
of granting more access than you intend.




cheers, jerry
====================================================================Alleviating
the pain of Windows(tm)      ------- http://www.samba.org
GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back."     Ethan Hawk in Gattaca
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB9P27IR7qMdg1EfYRAiuxAKCJe/tse4/vSzm/gVKReTetXR8SBACbBFt9
Z+dkBSAOYjtEuyxY8ayd4rk=W/Fd
-----END PGP SIGNATURE-----

Any other ideas ?
Pehaps this could be added as a feature to Samba ?


Kindest regards
David Wilson
_______________________________
D c D a t a
Tel +27 33 342 7003
Fax +27 33 345 4155
Cell +27 82 4147413
http://www.dcdata.co.za
support@dcdata.co.za
Powered by Linux, driven by passion !
_______________________________

"Computers are not intelligent. They only think they are."

----- Original Message ----- 
From: "David Wilson" <dave@dcdata.co.za>
To: <samba@lists.samba.org>; "Gerald (Jerry) Carter"
<jerry@samba.org>;
"Thomas Reiss" <thomas@mypoint.franken.de>
Sent: Tuesday, January 25, 2005 2:03 PM
Subject: Re: [Samba] Inherit permissions question (Please help)

> Hi Thomas,
>
> Thank you for your reply and the information.
> Will the "s"-Bit cause all new files that are written by a
"Domain Admin"
> to the user1/ folder to be owned by "user1" ?
>
> My problem is that "Domain Admins" can write to users'
folders in the
> [userprofile] share but then the respective user who owns the folder
can't
> access the new data in it.
> The "inherit permisions" would solve my problem except that it
does not
> allow user/group ownership to be passed down onto files.
> Any ideas ? :)
>
> Thank you for your help so far.
>
> Kindest regards
> David Wilson
> _______________________________
> D c D a t a
> Tel +27 33 342 7003
> Fax +27 33 345 4155
> Cell +27 82 4147413
> http://www.dcdata.co.za
> support@dcdata.co.za
> Powered by Linux, driven by passion !
> _______________________________
>
> "Computers are not intelligent. They only think they are."
>
> ----- Original Message ----- 
> From: "Thomas Reiss" <thomas@mypoint.franken.de>
> To: <samba@lists.samba.org>; "Gerald (Jerry) Carter"
<jerry@samba.org>
> Sent: Tuesday, January 25, 2005 9:56 AM
> Subject: Re: [Samba] Inherit permissions question (Please help)
>
>
>> Hallo David Wilson,
>>
>>> If the administrator(root) had to write a file (test.txt) to the
user1
>>> folder and I had "inherit permissions" turned on, then
file would be
>>> written as:
>>> rwx------ 16 root     Domain Admins     0 2005-01-21  07:07    
test.txt
>>> Unfortunately I need "user1" to own the file, just like
it's parent
>>> directory, which is as follows:
>>> drwx----- 16 user1     users     4096 2005-01-21       user1/
>>
>> I thing it makes Life easyer when you change the Group Owner to
"Domain
>> Admins" and set the "s"-Bit and the Permissions to 770
on the userx/
>> Directorys.
>> So every "Domain Admin" can write files on the directorys.
>>
>> Try this (or do this on a higher Directory Level):
>>
>> drwxrws-- 16 user1     Domain Admins     4096 2005-01-21       user1/
>>
>> Hope it helps.
>> Greetings
>> Thomas
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/listinfo/samba
>

Hi Thomas,

Thank you for your reply and for the information and ideas.

I think your option would work ok, but as you said a bit hairy with a lot of 
users. :) We have about 700 users that we are running off this Samba box so 
it would be a bit of a mission to keep maintained.

Mmmmm... I wonder what else I could try ?
Perhaps it would easier if I configure ACL support and just set the 
permissions manually each time a new file is copied to the users' areas by a
Domain Admin ?


Kindest regards
David Wilson
_______________________________
D c D a t a
Tel +27 33 342 7003
Fax +27 33 345 4155
Cell +27 82 4147413
http://www.dcdata.co.za
support@dcdata.co.za
Powered by Linux, driven by passion !
_______________________________

"Computers are not intelligent. They only think they are."

----- Original Message ----- 
From: "Thomas Reiss" <thomas@mypoint.franken.de>
To: "David Wilson" <dave@dcdata.co.za>
Sent: Wednesday, January 26, 2005 7:42 PM
Subject: Re: [Samba] Inherit permissions question (Please help)

> Hallo David Wilson,
>
>> Hi Thomas,
>>
>> Thank you for your reply and the information.
>> Will the "s"-Bit cause all new files that are written by a
"Domain Admin"
>> to the user1/ folder to be owned by "user1" ?
>
> No, cause only that the Group was always "Domain Admin".
>
>>
>> My problem is that "Domain Admins" can write to users'
folders in the
>> [userprofile] share but then the respective user who owns the folder 
>> can't
>> access the new data in it.
>> The "inherit permisions" would solve my problem except that
it does not
>> allow user/group ownership to be passed down onto files.
>> Any ideas ? :)
>
> hmm, can you set the "s"-Bit on the UID with chmod u+s user1/ ?
> Ok it make a test....hmm seems not funktional.
>
> I see in the Section of "inherit permissions" in "man
smb.conf":
> ------------------------
> Note that the setuid bit is never set via inheritance (the  code
>               explicitly prohibits this)
> -----------------------
>
> Hmmm...i think the only way is to make a group "user1" and add
the
> respective "Admin"-User to this Group and set the Permission to
770 and
> the Group to "user1-Group" of user1/ Folder.
> Additional add the "s"-bit to the Group and set "inherit
permissions > yes" in smb.conf.
>
> But, this would be hairy on 2000 Users....
>
> Greetings
> Thomas
>
>