I have a share with folders belonging to different groups, with
restricted access depending on unix groups.
When a user creates a file inside one of these folders I want it created
with the "directory group"; I think it should be possible using
"inherit acl" but it doesn't work; my share configuration is:
[arees2]
path = /home/samba/arees
valid users = @users
admin users = root
read only = No
create mask = 0770
directory mask = 0770
inherit permissions = Yes
inherit acls = Yes
inherit owner = Yes
My share files are:
drwxrwx--- 4 root disseny 4096 2009-03-09 12:45 disseny
drwxrwx--- 40 root informatica 4096 2009-03-10 10:30 Informatica
drwxrwx--- 14 root users 4096 2009-03-10 09:19 Plantilles
drwxrwx--- 7 root relacions 4096 2008-11-19 18:06 Relacions
drwxrwx--- 17 root secretaria 4096 2009-02-24 19:25 Secretaria
drwxrwx--- 2 root informatica 4096 2009-03-02 13:07 Web
Any hint?
Just in case it is useful, my full smb.conf as "testparm -v" is:
[global]
dos charset = CP850
unix charset = UTF-8
display charset = LOCALE
workgroup = MEGOSG
realm
netbios name = MEGSERVER
netbios aliases
netbios scope
server string = %h (sevidor de fitxers)
interfaces
bind interfaces only = No
security = USER
auth methods
encrypt passwords = Yes
update encrypted = No
client schannel = Auto
server schannel = Auto
allow trusted domains = Yes
map to guest = Bad User
null passwords = No
obey pam restrictions = Yes
password server = *
smb passwd file = /etc/samba/smbpasswd
private dir = /etc/samba
passdb backend = tdbsam
algorithmic rid base = 1000
root directory
guest account = nobody
enable privileges = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
passwd chat debug = No
passwd chat timeout = 2
check password script
username map
password level = 0
username level = 0
unix password sync = Yes
restrict anonymous = 0
lanman auth = No
ntlm auth = Yes
client NTLMv2 auth = No
client lanman auth = Yes
client plaintext auth = No
preload modules
use kerberos keytab = No
log level = 3
syslog = 0
syslog only = No
log file = /var/log/samba/log.%m
max log size = 1000
debug timestamp = Yes
debug prefix timestamp = No
debug hires timestamp = No
debug pid = No
debug uid = No
enable core files = Yes
smb ports = 445 139
large readwrite = Yes
max protocol = NT1
min protocol = CORE
read bmpx = No
read raw = Yes
write raw = Yes
disable netbios = No
reset on zero vc = No
acl compatibility = auto
defer sharing violations = Yes
nt pipe support = Yes
nt status support = Yes
announce version = 4.9
announce as = NT
max mux = 50
max xmit = 16644
name resolve order = lmhosts host wins bcast
max ttl = 259200
max wins ttl = 518400
min wins ttl = 21600
time server = No
unix extensions = Yes
use spnego = Yes
client signing = auto
server signing = No
client use spnego = Yes
enable asu support = No
svcctl list
deadtime = 0
getwd cache = Yes
keepalive = 300
lpq cache time = 30
max smbd processes = 0
paranoid server security = Yes
max disk size = 0
max open files = 10000
open files database hash size = 10007
socket options = TCP_NODELAY
use mmap = Yes
hostname lookups = No
name cache timeout = 660
load printers = Yes
printcap cache time = 750
printcap name = cups
cups server
iprint server
disable spoolss = No
addport command
enumports command
addprinter command
deleteprinter command
show add printer wizard = Yes
os2 driver map
mangling method = hash2
mangle prefix = 1
max stat cache size = 1024
stat cache = Yes
machine password timeout = 604800
add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
rename user script
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
delete user from group script
set primary group script
add machine script = /usr/sbin/useradd -s /bin/false/ -d /var/lib/nobody %u
shutdown script
abort shutdown script
username map script
logon script = logon.cmd
logon path = \\%L\profiles\%U
logon drive = Z:
logon home = \\%N\%U
domain logons = Yes
os level = 20
lm announce = Auto
lm interval = 60
preferred master = Yes
local master = Yes
domain master = Auto
browse list = Yes
enhanced browsing = Yes
dns proxy = No
wins proxy = No
wins server
wins support = No
wins hook
kernel oplocks = Yes
lock spin time = 200
oplock break wait time = 0
ldap admin dn
ldap delete dn = No
ldap group suffix
ldap idmap suffix
ldap machine suffix
ldap passwd sync = no
ldap replication sleep = 1000
ldap suffix
ldap ssl
ldap timeout = 15
ldap page size = 1024
ldap user suffix
ldap debug level = 0
ldap debug threshold = 10
add share command
change share command
delete share command
eventlog list
config file
preload
lock directory
pid directory = /var/run/samba
utmp directory
wtmp directory
utmp = No
default service
message command
get quota command
set quota command
remote announce
remote browse sync
socket address = 0.0.0.0
homedir map = auto.home
afs username map
afs token lifetime = 604800
log nt token command
time offset = 0
NIS homedir = No
usershare allow guests = Yes
usershare max shares = 100
usershare owner only = Yes
usershare path = /var/lib/samba/usershares
usershare prefix allow list
usershare prefix deny list
usershare template share
panic action = /usr/share/samba/panic-action %d
host msdfs = No
passdb expand explicit = No
idmap domains
idmap backend
idmap alloc backend
idmap cache time = 900
idmap negative cache time = 120
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /home/%D/%U
template shell = /bin/bash
winbind separator = \
winbind cache time = 300
winbind enum users = No
winbind enum groups = No
winbind use default domain = No
winbind trusted domains only = No
winbind nested groups = Yes
winbind nss info = template
winbind refresh tickets = No
winbind offline logon = No
winbind normalize names = No
comment
path
username
invalid users
valid users
admin users = @admin, @sistemes
read list
write list
printer admin
force user
force group
read only = Yes
acl check permissions = Yes
acl group control = No
acl map full control = Yes
create mask = 0744
force create mode = 00
security mask = 0777
force security mode = 00
directory mask = 0755
force directory mode = 00
directory security mask = 0777
force directory security mode = 00
force unknown acl user = No
inherit permissions = No
inherit acls = No
inherit owner = No
guest only = No
administrative share = No
guest ok = No
only user = No
hosts allow
hosts deny
allocation roundup size = 1048576
aio read size = 0
aio write size = 0
aio write behind
ea support = No
nt acl support = Yes
profile acls = No
map acl inherit = No
afs share = No
block size = 1024
change notify = Yes
directory name cache size = 100
kernel change notify = Yes
max connections = 0
min print space = 0
strict allocate = No
strict sync = No
sync always = No
use sendfile = No
write cache size = 0
max reported print jobs = 0
max print jobs = 1000
printable = No
printing = cups
cups options
print command
lpq command = %p
lprm command
lppause command
lpresume command
queuepause command
queueresume command
printer name
use client driver = No
default devmode = Yes
force printername = No
printjob username = %U
default case = lower
case sensitive = Auto
preserve case = Yes
short preserve case = Yes
mangling char = ~
hide dot files = Yes
hide special files = No
hide unreadable = Yes
hide unwriteable files = No
delete veto files = No
veto files
hide files
veto oplock files
map archive = Yes
map hidden = No
map system = No
map readonly = yes
mangled names = Yes
mangled map
store dos attributes = No
dmapi support = No
browseable = Yes
blocking locks = Yes
csc policy = manual
fake oplocks = No
locking = Yes
oplocks = Yes
level2 oplocks = Yes
oplock contention limit = 2
posix locking = Yes
strict locking = Auto
share modes = Yes
dfree cache time = 0
dfree command
copy
include
preexec
preexec close = No
postexec
root preexec
root preexec close = No
root postexec
available = Yes
volume
fstype = NTFS
set directory = No
wide links = Yes
follow symlinks = Yes
dont descend
magic script
magic output
delete readonly = No
dos filemode = No
dos filetimes = Yes
dos filetime resolution = No
fake directory create times = No
vfs objects
msdfs root = No
msdfs proxy
[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0700
directory mask = 0700
browseable = No
[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
valid users = %U
admin users = root
guest ok = Yes
share modes = No
[profiles]
comment = Users profiles
path = /home/samba/profiles
valid users = %U, %S, @users
read only = No
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
[sistema]
path = /
valid users = root, @sistemes
admin users = root, @sistemes
force user = root
force group = root
read only = No
[arees2]
path = /home/samba/arees
valid users = @users
admin users = root
read only = No
create mask = 0770
directory mask = 0770
inherit permissions = Yes
inherit acls = Yes
inherit owner = Yes
--
<http://www.escoltesiguies.cat>*Lluís Forns - IT Technician*
*IT Department*
*Minyons Escoltes i Guies de Catalunya (MEG)*
*Phone:* 93 590 27 00
*Fax:* 93 590 04 92
*www.escoltesiguies.cat*
Don't print me unless necessary. Let's protect the environment.
chmod g+s <dirname>

> -----Original Message-----
> From: samba-bounces+andrew.masterson=nuvistaenergy.com@lists.samba.org
> [mailto:samba-bounces+andrew.masterson=nuvistaenergy.com@lists.samba.org] On
> Behalf Of Lluís Forns
> Sent: Tuesday, March 10, 2009 5:22 AM
> To: samba@lists.samba.org
> Subject: [Samba] inherit group on new files/directories
>
> I have a share with folders belonging to different groups, with
> restricted access depending on unix groups.
> When a user creates a file inside one of these folders I want it created
> with the "directory group"; I think it should be possible using "inherit
> acl" but it doesn't work; my share configuration is:
>
> [arees2]
> path = /home/samba/arees
> valid users = @users
> admin users = root
> read only = No
> create mask = 0770
> directory mask = 0770
> inherit permissions = Yes
> inherit acls = Yes
> inherit owner = Yes
>
> My share files are:
> drwxrwx--- 4 root disseny 4096 2009-03-09 12:45 disseny
> drwxrwx--- 40 root informatica 4096 2009-03-10 10:30 Informatica
> drwxrwx--- 14 root users 4096 2009-03-10 09:19 Plantilles
> drwxrwx--- 7 root relacions 4096 2008-11-19 18:06 Relacions
> drwxrwx--- 17 root secretaria 4096 2009-02-24 19:25 Secretaria
> drwxrwx--- 2 root informatica 4096 2009-03-02 13:07 Web
>
> Any hint?
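As an added example (not from either message in this thread), a POSIX shell check for the setgid approach the reply suggests: it verifies that a directory carries the setgid bit and that a file created inside it takes the directory's group, and it lists the top-level folders of a share root that still lack the bit. The share root path is taken as an argument; the `/home/samba/arees` path in the comments is the one from the question, and the file names used below are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check the "chmod g+s" fix for the
# share layout above. On Linux the setgid bit on a directory is what makes
# the kernel give new files inside it the directory's group rather than the
# creating user's primary group, independent of the Samba share options.

# Print "ok" (exit 0) when DIR has the setgid bit and a probe file created
# in it ends up owned by DIR's group; otherwise print the reason and fail.
check_group_inheritance() {
    dir=$1
    # -perm -2000: the setgid bit (02000) must be set on the directory
    if [ -z "$(find "$dir" -maxdepth 0 -type d -perm -2000)" ]; then
        echo "missing-setgid"
        return 1
    fi
    probe="$dir/.inherit-probe.$$"   # constructed temporary file name
    : > "$probe" || return 1
    # ls -ldn prints numeric uid (field 3) and gid (field 4)
    dir_gid=$(ls -ldn "$dir" | awk '{print $4}')
    file_gid=$(ls -ldn "$probe" | awk '{print $4}')
    rm -f "$probe"
    if [ "$dir_gid" = "$file_gid" ]; then
        echo "ok"
    else
        echo "group-mismatch dir=$dir_gid file=$file_gid"
        return 1
    fi
}

# List the immediate subfolders of a share root (such as /home/samba/arees)
# that lack the setgid bit; files created in them get the user's primary
# group, which is the symptom described in the question.
audit_share_root() {
    find "$1" -mindepth 1 -maxdepth 1 -type d ! -perm -2000 | sort
}

# Usage: sh check-setgid.sh /home/samba/arees
if [ $# -gt 0 ]; then
    audit_share_root "$1"
fi
```

Folders reported by `audit_share_root` are the ones to fix with `chmod g+s`; after that, `check_group_inheritance` on each should print `ok`.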