[NTLUG:Discuss] Samba, ACL - permissions
Chris Cox
cjcox at acm.org
Tue Jun 5 17:46:04 CDT 2007
Keller Giacomarro wrote:
> Hello everyone!
>
> I'm brand new to this list and to NTLUG - hopefully I'll be able to meet
> many of you soon. Dennis Rice suggested strongly that I join this list and
> ask the questions that he can't answer. Thanks, professor.
>
> I had a question regarding Samba and Linux permissions. I'm just getting a
> good grasp on unix-style file permissions, so please correct any mistakes I
> make.
>
> I'm trying to use a Ubuntu 7.04 server as the main file server for my home.
> Since we're a mixed environment, samba was the way to go.
>
> Here's what I'm trying to do:
>
> I have a folder, /var/storage/backup , that is shared with Samba. Two
> users, user1 and user2, both have write access to the share. I want each
> user to be able to modify and delete files and folders made by the other
> user. As it is now, the only way I can figure out to do that is to make all
> new files in the directory have permissions of 777. However, this seems
> foolish from a security standpoint.
Are these samba-ized domain member servers of an AD domain?
>
> I've read up some on ACL support in Samba and on Linux filesystems. Is this
> the best way to go about accomplishing what I want? I found this howto (
> http://www.bsdzone.net/howto/Samba/Samba_ACL_Linux/), and it seems to
> explain about what I want do to. However, it seems like there should be a
> way to accomplish this with standard Unix file permissions.
You CAN just use a simple linux group, make both users with the same
primary group membership. Then adjust the masks setting in your
smb.conf so that write permissions are there for group.
e.g.
directory mask = 775
create mask = 664
If you want something closer to Windows style granularity... then
the whole ACL mess does come into play... see my comments below.
>
> Any insights would be greatly appreciated. Thanks in advance!
>
If you answer 'yes' to the above, then you can have the share managed
with roughly translated Windows->Linux (draft) POSIX ACLs. It actually
works surprisingly well. You can use the command (as root):
net ads testjoin
To see if you are joined to the domain.
However, once you have a file share that is managed by
Windows permissions... DO NOT attempt to manage it under
Linux (permission wise) unless you know what you are doing.
There are side effects of changing ACLs in Linux that might
create incompatibilities with what Samba is doing via Windows
permission changes.
The Samba team really wants such a file server to be somewhat
dedicated and have userids automatically created by Samba. That's
their ideal. You can do a mapping of the AD usernames to Linux...
I've done that as well (via smb.conf of course).
I recommend that you get the Samba Reference Guide and Samba
by Example books (online at samba.org I think) and do a whole
lot of reading.
I mean there's with LDAP, without LDAP, winbind (pam or not),
domain member servers vs. simple clients... a whole host of
variables. The books try to lean toward the everything+LDAP
approach.... which might not be needed in all cases. But the
other ways to do things ARE in the books... just have to
read between the lines a bit.
Richard Geoffrion is doing his part 1 of getting everything
going including LDAP.... at this month's meeting... the other
parts will likely happen later on this year.
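The group-based approach in the reply above (same primary group, `directory mask = 775`, `create mask = 664`) can be checked outside of Samba. The script below is an added example, not part of the list post: `samba_effective_mode` reproduces how Samba combines the mode a client asks for with `create mask` / `directory mask` (bitwise AND) and `force create mode` / `force directory mode` (bitwise OR), and `setup_shared_dir` prepares the directory on the Linux side with the setgid bit so files the two users create keep the shared group. The share path and group name are hypothetical.

```shell
#!/bin/sh
# Added example; not the original poster's or the Samba project's code.
# Share root and group name below are hypothetical placeholders.

# Samba derives the mode of a newly created file as
#   (mode requested by the client) AND (create mask) OR (force create mode)
# and the same for directories with "directory mask" / "force directory mode".
# Arguments are octal strings (e.g. 777 664 [0]); prints the result in octal.
samba_effective_mode() {
    requested=$(( 0$1 ))
    mask=$(( 0$2 ))
    force=$(( 0${3:-0} ))
    printf '%o\n' $(( (requested & mask) | force ))
}

# Prepare a directory shared by one group: group-owned, group-writable, and
# setgid (2775) so that files and subdirectories created inside inherit the
# group rather than each creator's primary group.
setup_shared_dir() {
    dir=$1
    group=$2
    mkdir -p "$dir"
    chgrp "$group" "$dir"
    chmod 2775 "$dir"
}

# Print the matching smb.conf share stanza (hypothetical share and path).
print_share_stanza() {
    cat <<'EOF'
[backup]
    path = /var/storage/backup
    writable = yes
    create mask = 664
    directory mask = 775
EOF
}

# Stand-alone demonstration.
if [ "${1:-}" = "demo" ]; then
    echo "client asks 777, create mask 664  -> $(samba_effective_mode 777 664)"
    echo "client asks 644, create mask 664  -> $(samba_effective_mode 644 664)"
    echo "same, plus force create mode 664  -> $(samba_effective_mode 644 664 664)"
    print_share_stanza
fi
```

Note that a mask can only remove bits: a client that asks for 644 still gets 644 under `create mask = 664`, so group write is not guaranteed unless `force create mode = 664` is also set (or the client is a Samba-aware application that asks for group write). The setgid bit on the directory is what keeps new files in the shared group when the two accounts have different primary groups.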