[Samba] simple rights question

Jeroen Vriesman jeroen at hivos.nl
Mon Feb 5 13:52:46 GMT 2007


Dear all,

I got the following situation, a share called "Bureaus", with the following
subdirs:

/Bureaus/A
/Bureaus/B
/Bureaus/C
etc.

where A,B,C.. are the bureau names

under all the bureau names are directories:

A/Task1
A/Task2
A/Task3
A/Archive

For all the bureau names.

Groups: everyone is a member of "Domain Users", and that's
always the primary group.
And, a group A, a group B etc, and groups "Task1 A", "Task1 B" ... "Task2 A"
etc.

The simple idea is to give everyone access to Bureaus, only those who are a
member of group A can go into /Bureaus/A, and only those who are a member of
group "Task1 A" can go to /Bureaus/A/Task1 and do there whatever they want.

So far so good, I've made ACLs which allow "Domain Users" to r-x /Bureau,
without passing this on to the subdirectories, an ACL which allows r-x to
group A (also without allowing this to subdirectories) for /Bureau/A, and for
/Bureau/A/Task1 including subdirectories the ACL is "allow group Task1
everything".

That works fine.

But now for the Archive directory, the /Bureau/A/Archive should be read-only
for members of the group A, and read-write for members of the group
"Archive Mods A".

And that's the problem, if I add an ACL (with the Windows rights management
stuff) for the group A to have read-only rights for /Bureau/A/Archive and
subdirectories, and for the same directories an ACL with "allow everything"
for members of the group "Archive Mods A", then the effective rights for
members of "Archive Mods A" are read-only, since the most restrictive rights
apply.

What I expected at first was that the rights would be additive and only a
deny would have the effect which I'm seeing now.

How can I make it work?

smb.conf:
global: map acl inherit = Yes

The share /Bureaus:

        path = /samba/Bureau
        public = no
        browseable = yes
        writable = yes
        printable = no
        force create mode = 0770
        directory mask = 0770
        security mask = 0777
        force security mode = 0
        directory security mask = 0777
        force directory security mode = 0
        hide unreadable = yes



Kind regards,
Jeroen Vriesman.
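
Added example, not part of the original post: the POSIX ACL access check described in acl(5), run over constructed getfacl-style text for /Bureau/A/Archive, assuming the share sits on a filesystem with POSIX ACLs. The ACL contents, the owner root and the user name alice are assumptions; it shows how the mask entry bounds what a member of both "A" and "Archive Mods A" is granted.

```python
# Added example: POSIX ACL access check (per acl(5)) over constructed
# getfacl-style text. Owner, entries and user names are assumptions.
ACL_TEMPLATE = r"""# file: samba/Bureau/A/Archive
# owner: root
# group: root
user::rwx
group::---
group:A:r-x
group:Archive\040Mods\040A:rwx
mask::{mask}
other::---
"""

def parse_acl(text):
    """Return (owner, owning_group, [(tag, qualifier, perms_set), ...])."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qual, perms = line.split(":")[:3]
            qual = qual.replace("\\040", " ")  # getfacl writes spaces as \040
            entries.append((tag, qual, {c for c in perms[:3] if c != "-"}))
    return owner, group, entries

def access_granted(text, user, groups, want):
    """True if `user`, a member of `groups`, is granted every bit in `want`."""
    owner, owning_group, entries = parse_acl(text)
    want = set(want)
    def find(tag, match):
        return [p for t, q, p in entries if t == tag and match(q)]
    mask = (find("mask", lambda q: True) or [set("rwx")])[0]
    if user == owner:                       # owner entry; mask is not applied
        return want <= find("user", lambda q: q == "")[0]
    named = find("user", lambda q: q == user)
    if named:                               # named user entry, limited by mask
        return want <= (named[0] & mask)
    matching = find("group", lambda q: (q or owning_group) in groups)
    if matching:  # one matching group entry must hold the whole request, within the mask
        return any(want <= (p & mask) for p in matching)
    return want <= find("other", lambda q: True)[0]

if __name__ == "__main__":
    member = {"Domain Users", "A", "Archive Mods A"}
    for mask in ("r-x", "rwx"):
        acl = ACL_TEMPLATE.format(mask=mask)
        print("mask", mask, "-> write:", access_granted(acl, "alice", member, "w"))
```

On a live server, the output of `getfacl` for the directory supplies the real entries and mask to check in place of the constructed text.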