Rod
2011-Mar-17 14:25 UTC
[Samba] Shared directory contained within another shared directory
Hello,

I have Samba server running version 3.0.33-3.29.el5_5.1. The Samba server is a member server of a Windows 2003 domain. Winbind provides authentication.

We have a physical directory named hr that is shared as "hr" and is accessible to the HR department. A subdirectory of the hr directory named hrshared is shared as "hrshared" and should be accessible to specific users that are not part of the HR department. File system permissions for the hr directory are set for the domain admin as owner and the HR department security group (in AD) as the group. The file system permissions for the hrshared subdirectory are set for domain admin as owner and the security group that has the people that need access to the hrshared share. With permissions set as they are, users who are not part of the HR group are unable to access the hrshared folder. I'm assuming this is because the hrshared subdirectory is inheriting permissions from the parent hr directory.

Here are the share specifications in smb.conf:

[hr]
        comment = Human Resources
        valid users = "@DOMAIN+Personnel"
        path = /shared/depts/hr
        guest ok = no
        read only = no
        create mask = 6770
        force create mode = 6770
        directory mask = 6770
        force directory mode = 6770

[shared_hr]
        comment = Human Resources Shared information with supervisors
        valid users = @DOMAIN+Personnel @"DOMAIN+Domain Admins" @"DOMAIN+hr_readonly"
        path = /shared/depts/hr/hrshared
        guest ok = no
        writable = yes
        read list = @"DOMAIN+hr_readonly"
        create mask = 6770
        force create mode = 6770
        directory mask = 6770
        force directory mode = 6770

Is there a way to properly share a subdirectory that has different permissions than the parent directory?

Any help is appreciated. Thanks.

Rod
Santiago DIEZ
2011-Mar-17 14:45 UTC
[Samba] Shared directory contained within another shared directory
I also thought about doing the same thing. I tested it but never actually did it.
In my humble opinion, your config (mostly same as mine) would work without a problem.

Cheers
---
Santiago DIEZ
Director
Mobile: +33 6 37 90 81 98
Office: +33 9 70 44 77 87
32 boulevard de Strasbourg, 75010 Paris
Chris Weiss
2011-Mar-17 14:50 UTC
[Samba] Shared directory contained within another shared directory
On Thu, Mar 17, 2011 at 9:25 AM, Rod <securitybasics at gmail.com> wrote:
> and the HR department security group (in AD) as the group. The file
> system permissions for the hrshared subdirectory are set for domain
> admin as owner and the security group that has the people that need
> access to the hrshared share. With permissions set as they are, users
> who are not part of the HR group are unable to access the hrshared
> folder. I'm assuming this is because the hrshared subdirectory is
> inheriting permissions from the parent hr directory.

Yes, filesystem permissions do override any share level permissions in the conf. You'll need to adjust hrshared permissions as needed.
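
Added example, not part of the original thread: a Python check of the filesystem side of this setup, reporting which directory on the way to a share path denies a given user. It assumes smbd reaches the share path under the connecting user's Unix identity, so that user needs search (x) permission on every directory above the share path; the uid/gid numbers, directory modes and the first_blocker helper are constructed for illustration, and POSIX ACLs are ignored.

```python
from pathlib import PurePosixPath

# Constructed sample data mirroring the thread's layout: path -> (uid, gid, mode).
# Hypothetical ids: 0 = root, 500 = domain admin, 1001 = HR group,
# 1002 = group of the non-HR users who should reach hrshared.
SAMPLE_TREE = {
    "/": (0, 0, 0o755),
    "/shared": (0, 0, 0o755),
    "/shared/depts": (0, 0, 0o755),
    "/shared/depts/hr": (500, 1001, 0o770),
    "/shared/depts/hr/hrshared": (500, 1002, 0o770),
    "/shared/depts/hrshared": (500, 1002, 0o770),  # the "moved" layout
}

def allowed(entry, uid, gids, want):
    """POSIX mode-bit check: exactly one class applies (owner, else group, else other)."""
    owner, group, mode = entry
    if uid == 0:
        return True
    if uid == owner:
        bits = (mode >> 6) & 7
    elif group in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want

def first_blocker(share_path, uid, gids, tree=SAMPLE_TREE):
    """Return the first path component that denies access, or None if reachable.

    Every ancestor directory needs search (x = 1); the share root needs r-x (5).
    """
    target = PurePosixPath(share_path)
    chain = list(reversed(target.parents)) + [target]
    for component in chain:
        want = 5 if component == target else 1
        if not allowed(tree[str(component)], uid, gids, want):
            return str(component)
    return None

if __name__ == "__main__":
    # A non-HR user (uid 2001, member of group 1002 only), both layouts.
    for path in ("/shared/depts/hr/hrshared", "/shared/depts/hrshared"):
        print(path, "->", first_blocker(path, 2001, {1002}) or "reachable")
```

With the nested layout the non-HR user is stopped at the parent hr directory, before the permissions on hrshared are ever consulted; with the directory moved out from under hr the same user reaches it.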
Daniel Müller
2011-Mar-17 14:52 UTC
[Samba] Shared directory contained within another shared directory
Hello,

why subdirectory!? Just make two simple shares for each group.
Bind them together with dfs

Ex-tree: +human-resources
         |
         +--hr
         |
         +--hr_readonly

[global]
        host msdfs = yes

[human-resources]
        path = /shared/depts/dfsroot
        msdfs root = yes

[hr]
        comment = Human Resources
        valid users = "@DOMAIN+Personnel"
        path = /shared/depts/hr
        guest ok = no
        read only = no
        create mask = 6770
        force create mode = 6770
        directory mask = 6770
        force directory mode = 6770

[shared_hr]
        comment = Human Resources Shared information with supervisors
        valid users = @DOMAIN+Personnel @"DOMAIN+Domain Admins" @"DOMAIN+hr_readonly"
        path = /shared/depts/hrshared
        guest ok = no
        writable = yes
        read list = @"DOMAIN+hr_readonly"
        create mask = 6770
        force create mode = 6770
        directory mask = 6770
        force directory mode = 6770

In /shared/depts/dfsroot as root

        ln -s msdfs:yourserver\\hr hr
        ln -s msdfs:yourserver\\shared_hr shared_hr

-----------------------------------------------
IT, Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------
Rod
2011-Mar-23 11:46 UTC
[Samba] Shared directory contained within another shared directory
Thanks David. That's what I'm going to do.

On Thu, Mar 17, 2011 at 10:25 PM, David Roid <dataroid at gmail.com> wrote:
> Looking at this "A subdirectory of the hr directory
> named hrshared is shared as "hrshared" and should be accessible to
> specific users that are not part of the HR department.", it's really
> not a good decision to put it under HR directory. Setup another
> directory and share, life will be easier.
>
> 2011/3/18, Rod <securitybasics at gmail.com>:
>> Thanks, everyone. I think I'll just move that particular folder and
>> set up the share.
>>
>> On Thu, Mar 17, 2011 at 11:39 AM, Daniel Müller <mueller at tropenklinik.de>
>> wrote:
>>> IN [global]
>>> This could be:
>>> follow symlinks = yes
>>> wide links = yes
>>>
>>> in the other groups share make: ln -s /shared/depts/hr/hrshared
>>> /where/the/link/isset
>>> I think the link is then read only or what you set the permission
>>>
>>>
>>> IT, Daniel Müller
>>>
>>> Head of IT
>>> Tropenklinik Paul-Lechler-Krankenhaus
>>> Paul-Lechler-Str. 24
>>> 72076 Tübingen
>>> Tel.: 07071/206-463, Fax: 07071/206-499
>>> eMail: mueller at tropenklinik.de
>>> Internet: www.tropenklinik.de
>>>
>>> From: Santiago Diez [mailto:chebarbudo at gmail.com]
>>> Sent: Thursday, 17 March 2011 16:02
>>> To: mueller at tropenklinik.de
>>> Cc: Rod; samba at lists.samba.org
>>> Subject: Re: [Samba] Shared directory contained within another shared
>>> directory
>>>
>>> In my case, the idea was that one department already had a folder that
>>> they
>>> were used to and that they wanted to share with the rest.
>>> So instead of moving all the files, it looked simpler to just take this
>>> very folder (it was a little deeper) and share it somewhere else.
>>>
>>> Santiago