Mikael Kermorgant
2008-Oct-16 12:23 UTC
[Samba] samba file server in active directory domain - manage acls
Hello,

I'm considering moving our windows shares (2003 domain) to a samba server, to improve performance, setup clustering and use scheduled lvm snapshots. However, I've not clarified how our current security policy would be applied on this server and like to ask you some things (sorry, I'm sure they already have been posted but there is so much on this topic to read I prefer to ask again)

Currently, we manage security on our shares by :
* giving full control to everybody at the "share" level
* restricting rights at the "security" level

By switching to samba, we face a set of challenges :

* Joining the domain and retrieving users and groups from the windows domain to the samba server. As I know, this is ok and is well done with winbind

* Changes to our security policy. We will have to manage security at the linux/samba level and this raises some questions:
- is it still possible to keep the security management at the file level (by giving full control at the share level and thus eliminating botherings on this side) ? I know there are some limitations when mapping posix acls to windows one but that might be acceptable.
- I've tried to manage posix acls on ext3 via konqueror which I could find a good alternative to windows' gui but I'd prefer a web front end. Would you have some nice web gui to recommend ?

Thanks in advance,
Regards,
--
Mikael Kermorgant
Jeremy Allison
2008-Oct-17 01:54 UTC
[Samba] samba file server in active directory domain - manage acls
On Thu, Oct 16, 2008 at 02:18:13PM +0200, Mikael Kermorgant wrote:
> By switching to samba, we face a set of challenges :
>
> * Joining the domain and retrieving users and groups from the windows domain
> to the samba server.
> As I know, this is ok and is well done with winbind

Yep, winbind will fix this.

> * Changes to our security policy. We will have to manage security at the
> linux/samba level and this raises some questions:
> - is it still possible to keep the security management at the file level (by
> giving full control at the share level and thus eliminating botherings on
> this side) ? I know there are some limitations when mapping posix acls to
> windows one but that might be acceptable.
>
> - I've tried to manage posix acls on ext3 via konqueror which I could find a
> good alternative to windows' gui but I'd prefer a web front end. Would you
> have some nice web gui to recommend ?

I don't know of any web gui to modify POSIX ACLs, mostly people ssh in and use getfacl/setfacl directly.

If you set the options :

"dos filemode = yes"
"inherit owner = yes"

and set the setgid bit on the share directory then this will have a similar effect to Windows "group ownership" of files, so users in the same group as the containing directory will have access as though they were owners.

Jeremy.
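The setup described in the reply above, as an added example that is not part of the original thread: a bash script that sets the setgid bit and a group ACL on the share directory, checks that new files really inherit the directory's group, and prints a share definition carrying the two options. The share name, path, group, the `read only = no` line and the helper function names are assumptions made for illustration.

```bash
#!/bin/bash
# Added example (not from the thread). Share name, directory and group are
# placeholders; with winbind the group would normally be a domain group.

# Create the share directory, hand it to the group and set the setgid bit so
# that files created inside inherit the directory's group.
prepare_share_dir() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2770 "$1"
}

# Give the group rwx on the directory and as a default ACL for new entries
# (needs the acl tools and a filesystem mounted with ACL support).
grant_group_acl() {
    setfacl -m "g:$2:rwx" "$1" && setfacl -d -m "g:$2:rwx" "$1"
}

# Numeric group of a path, read from `ls -ldn` (avoids stat(1) differences).
gid_of() {
    ls -ldn "$1" | awk '{print $4}'
}

# Succeeds only if the directory is setgid and a file created in it really
# ends up with the directory's group.
check_group_inheritance() {
    [ -g "$1" ] || return 1
    probe="$1/.probe.$$"
    : > "$probe" || return 1
    result=1
    [ "$(gid_of "$probe")" = "$(gid_of "$1")" ] && result=0
    rm -f "$probe"
    return $result
}

# Print the share definition with the two options named in the reply.
share_stanza() {
    printf '[%s]\n' "$1"
    printf '    path = %s\n' "$2"
    printf '    read only = no\n'
    printf '    dos filemode = yes\n'
    printf '    inherit owner = yes\n'
}

# Run as root: ./prepare-share.sh --apply NAME DIR GROUP
if [ "${1:-}" = "--apply" ]; then
    prepare_share_dir "$3" "$4" && grant_group_acl "$3" "$4" &&
        check_group_inheritance "$3" && share_stanza "$2" "$3"
fi
```

The printed stanza is meant to be reviewed and pasted into smb.conf by hand; the script does not edit Samba's configuration itself.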
Mikael Kermorgant
2008-Oct-17 10:57 UTC
[Samba] samba file server in active directory domain - manage acls
On Fri, Oct 17, 2008 at 12:56 PM, Mikael Kermorgant <mikael.kermorgant@gmail.com> wrote:
>
> On Thu, Oct 16, 2008 at 7:45 PM, Sébastien Prud'homme <sebastien.prudhomme@gmail.com> wrote:
>
>> 2008/10/16 Mikael Kermorgant <mikael.kermorgant@gmail.com>:
>> > Hello,
>> >
>> > I'm considering moving our windows shares (2003 domain) to a samba server,
>> > to improve performance, setup clustering and use scheduled lvm snapshots.
>> > However, I've not clarified how our current security policy would be applied
>> > on this server and like to ask you some things (sorry, I'm sure they already
>> > have been posted but there is so much on this topic to read I prefer to ask
>> > again)
>> >
>> > Currently, we manage security on our shares by :
>> > * giving full control to everybody at the "share" level
>> > * restricting rights at the "security" level
>> >
>> > By switching to samba, we face a set of challenges :
>> >
>> > * Changes to our security policy. We will have to manage security at the
>> > linux/samba level and this raises some questions:
>> > - is it still possible to keep the security management at the file level (by
>> > giving full control at the share level and thus eliminating botherings on
>> > this side) ? I know there are some limitations when mapping posix acls to
>> > windows one but that might be acceptable.
>> >
>>
>> No problem if you edit Posix ACL directly. I advise not to use the
>> Security tab in Windows (when you right click on a file/directory and
>> change the Properties) to modify ACL.
>>
>> > - I've tried to manage posix acls on ext3 via konqueror which I could find a
>> > good alternative to windows' gui but I'd prefer a web front end. Would you
>> > have some nice web gui to recommend ?
>>
>> The only one i know is a Webmin module:
>> http://webmin-fsacls.sourceforge.net/en/index.html
>>

Thanks for this info, I'll check how it works.

Regarding your advice not to use the security tab in windows, that's a possibility I wasn't aware of. If I have understood how it works, you have to mount the share under a specific letter (S: for example), and then you can manage security from there.

As this would surely be the easiest solution in our migration, could you please indicate what the drawbacks would be ?

Regards,
--
Mikael Kermorgant