[NTLUG:Discuss] Samba, ACL - permissions

Keller Giacomarro keller.g at gmail.com
Tue Jun 5 18:45:16 CDT 2007


Thanks all for the great info - you've given me plenty to look at.

@Chris
The fileserver is not part of a Windows domain, it's just a standalone Samba
fileserver.  This isn't for business or anything, just for personal storage
and my own education about Linux.  And I will definitely use the
samba.org resources.

@Greg
Sounds like the permissions I would need are simpler than I thought.  While
I know that Unix permissions will probably work fine for the scenario I'm
working on, I wanted to see how complicated permissions would be handled for
hundreds or thousands of users with different permissions on each folder.
Would you still use unix permissions in this case?  Would there just be a
group for each share that is given write access?

@Jerome
POSIX ACLs were my first thought on how to accomplish this.  I know that you
can set the ACL flag per partition in fstab.  Once it's enabled, will that
mess with any other programs that might be using that partition?  If I
choose to implement something else later and turn ACLs off, will the ACL
data be saved?  Will the old permissions still be there?

Thanks everyone for the help - I was amazed to get responses so fast.

-Keller

On 6/5/07, Chris Cox <cjcox at acm.org> wrote:
>
> Keller Giacomarro wrote:
> > Hello everyone!
> >
> > I'm brand new to this list and to NTLUG - hopefully I'll be able to meet
> > many of you soon.  Dennis Rice suggested strongly that I join this list
> > and ask the questions that he can't answer.  Thanks, professor.
> >
> > I had a question regarding Samba and Linux permissions.  I'm just
> > getting a good grasp on unix-style file permissions, so please correct
> > any mistakes I make.
> >
> > I'm trying to use a Ubuntu 7.04 server as the main file server for my
> > home.  Since we're a mixed environment, samba was the way to go.
> >
> > Here's what I'm trying to do:
> >
> > I have a folder, /var/storage/backup , that is shared with Samba.  Two
> > users, user1 and user2, both have write access to the share.  I want
> > each user to be able to modify and delete files and folders made by the
> > other user.  As it is now, the only way I can figure out to do that is
> > to make all new files in the directory have permissions of 777.
> > However, this seems foolish from a security standpoint.
>
> Are these samba-ized domain member servers of an AD domain?
>
> >
> > I've read up some on ACL support in Samba and on Linux filesystems.  Is
> > this the best way to go about accomplishing what I want?  I found this
> > howto (http://www.bsdzone.net/howto/Samba/Samba_ACL_Linux/), and it
> > seems to explain about what I want to do.  However, it seems like there
> > should be a way to accomplish this with standard Unix file permissions.
>
> You CAN just use a simple linux group, make both users with the same
> primary group membership.  Then adjust the masks setting in your
> smb.conf so that write permissions are there for group.
> e.g.
> directory mask = 775
> create mask = 664
>
> If you want something closer to Windows style granularity... then
> the whole ACL mess does come into play... see my comments below.
>
> >
> > Any insights would be greatly appreciated.  Thanks in advance!
> >
>
> If you answer 'yes' to the above, then you can have the share managed
> with roughly translated Windows->Linux (draft) POSIX ACLs.  It actually
> works surprisingly well.  You can use the command (as root):
>
> net ads testjoin
>
> To see if you are joined to the domain.
>
> However, once you have a file share that is managed by
> Windows permissions... DO NOT attempt to manage it under
> Linux (permission wise) unless you know what you are doing.
> There are side effects of changing ACLs in Linux that might
> create incompatibilities with what Samba is doing via Windows
> permission changes.
>
> The Samba team really wants such a file server to be somewhat
> dedicated and have userids automatically created by Samba.  That's
> their ideal.  You can do a mapping of the AD usernames to Linux...
> I've done that as well (via smb.conf of course).
>
> I recommend that you get the Samba Reference Guide and Samba
> by Example books (online at samba.org I think) and do a whole
> lot of reading.
>
> I mean there's with LDAP, without LDAP, winbind (pam or not),
> domain member servers vs. simple clients... a whole host of
> variables.  The books try to lean toward the everything+LDAP
> approach.... which might not be needed in all cases.  But the
> other ways to do things ARE in the books... just have to
> read between the lines a bit.
>
> Richard Geoffrion is doing his part 1 of getting everything
> going including LDAP.... at this month's meeting... the other
> parts will likely happen later on this year.
>
> _______________________________________________
> http://www.ntlug.org/mailman/listinfo/discuss
>



-- 
Keller Giacomarro
keller.g at gmail.com
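An added example (not from this thread or from the Samba project) that models Chris's group-plus-masks suggestion: Samba ANDs the mode a client requests with "create mask"/"directory mask" and then ORs in "force create mode" (an option I am assuming from Samba's documentation; it is not mentioned in the thread), while on the Unix side a setgid, group-writable directory with a 002 umask gives files the same group-writable result. It assumes only POSIX sh tools (mktemp, chmod, umask, ls, cut) and a scratch directory under /tmp.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post. Models how Samba's
# "create mask" / "directory mask" (AND) and "force create mode" (OR) shape
# the mode of new files, then shows the matching local-filesystem setup.

# samba_mode REQUESTED MASK [FORCE]: all arguments are octal strings.
# Samba computes (requested & mask) | force; prints a 4-digit octal mode.
samba_mode() {
    requested=$1 mask=$2 force=${3:-0}
    printf '%04o\n' $(( (0$requested & 0$mask) | 0$force ))
}

# setup_group_dir: create a scratch directory the way the shared folder
# should look for the "same primary group" approach: group-writable and
# setgid (2775), then create a file and a subdirectory under a 002 umask,
# which is what makes them come out group-writable. Prints the path.
setup_group_dir() {
    scratch=$(mktemp -d)
    chmod 2775 "$scratch"
    ( umask 002; : > "$scratch/from_user1.txt"; mkdir "$scratch/sub" )
    printf '%s\n' "$scratch"
}

# mode_of PATH: the 10-character type+permission string from ls -ld.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# group_writable PATH: succeeds when the group write bit (6th char) is set.
group_writable() {
    case "$(mode_of "$1")" in
        ?????w*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Walk through Chris's numbers: a 777 request is cut down to the masks,
# and a 644 request is widened to group rw by a force create mode of 660.
echo "create mask 664 on a 777 request    -> $(samba_mode 777 664)"
echo "directory mask 775 on a 777 request -> $(samba_mode 777 775)"
echo "create mask 664 + force 660 on 644  -> $(samba_mode 644 664 660)"

demo=$(setup_group_dir)
echo "shared dir:            $(mode_of "$demo")"
echo "file by user1:         $(mode_of "$demo/from_user1.txt")"
echo "subdir by user1:       $(mode_of "$demo/sub")"
group_writable "$demo/from_user1.txt" && echo "user2 (same group) can write it"
rm -rf "$demo"
```

The file ends up 0664 and the subdirectory 0775, which is exactly what the suggested create mask = 664 and directory mask = 775 produce on the Samba side for a client requesting 777.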

