[Samba] Can't get 'dos filemode' to work as expected
Felix Brack
fb at ltec.ch
Mon Apr 4 11:06:49 MDT 2011
On 04.04.2011 18:25, Chris Smith wrote:
> On Mon, Apr 4, 2011 at 11:41 AM, Felix Brack<fb at ltec.ch> wrote:
>> # file: test-file
>> # owner: root
>> # group: root
>> user::rwx
>> group::rwx #effective:r--
>> group:Development:rwx #effective:r--
>> mask::r--
>> other::---
>
> That's the same thing you would get if you were logged into the system as
> root and created the file. So it is an ACL issue.
>
>> # file: test-file
>> # owner: root
>> # group: root
>> user::rwx
>> group::rwx
>> group:Development:rwx
>> mask::rwx
>> other::---
>>
>> At least now, if I am a member of supplementary group 'Development', I should
>> have the same rights in directory 'test-directory' as if this was owned by
>> me (felix), right?
>
> I would think so.
>
> I don't know entirely what you want to accomplish, but it may be better to:
> chgrp -R Development test-directory
>
What I am trying to accomplish is pretty simple: assigning access rights
to one or more groups instead of user(s).
Therefore changing the group with chgrp to 'Development' is most
definitely not what I want: what if there is more than one group? This
is what ACLs are used for: giving additional groups and users special
rights to access files. Moreover, changing the group does not work, only
changing the owner (I already tried that). This is in fact what the
problem is all about. To put it simply: samba only seems to care about
the _user_ connecting to the share and ignores any other rights for that
user that might be assigned to him or her by means of group membership
(normal or defined by ACLs).
> And eliminate:
> force group = Development
> invalid users = root administrator
> from the share.
> While adding:
> valid users = +Development (and any other groups you want to have access)
>
Eliminating 'force group' is not a good idea (for now) since it tells
smbd that connections should be established using group 'Development'.
It has nothing to do with access rights and I use it just as a safety
precaution to make sure my client does not get connected as a member of
group 'Domain Users'; if this would really happen I (or samba) could
have serious problems accessing the share.
> The -s- flag will propagate new files and directories with the
> Development group.
>
> Basically a performance issue. See the section "Override controls" in:
> http://samba.org/samba/docs/man/Samba-Guide/kerberos.html#id2613307
>
Agreed. As soon as everything is working I will try to remove 'force
group' and look if samba accesses the share with access rights defined
for group 'Development' instead of group 'Domain Users'.
Felix
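
Added example, not part of the original message or of Samba: a small Python model of the POSIX ACL access check, run over the two getfacl listings quoted in the thread, showing how the `mask::r--` entry caps the `group:Development:rwx` entry. The function names are hypothetical, the user name and group set are taken from the thread, and superuser override is not modelled.

```python
# Added example: POSIX ACL access check over getfacl text.
# BEFORE/AFTER reproduce the two listings quoted in the thread.
BEFORE = """# file: test-file
# owner: root
# group: root
user::rwx
group::rwx #effective:r--
group:Development:rwx #effective:r--
mask::r--
other::---"""
AFTER = BEFORE.replace("mask::r--", "mask::rwx").replace(" #effective:r--", "")

def parse_getfacl(text):
    """Return owner, owning group and (tag, name, perms) entries."""
    acl = {"owner": None, "group": None, "entries": []}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            # Drop the trailing "#effective:" comment before splitting.
            tag, name, perms = line.split("#")[0].strip().split(":")
            acl["entries"].append((tag, name, {p for p in perms if p != "-"}))
    return acl

def check_access(acl, user, groups, want):
    """True if `user` with group set `groups` is granted every bit in `want`."""
    want, ents = set(want), acl["entries"]
    def get(tag, name=""):
        return [p for t, n, p in ents if t == tag and n == name]
    mask = (get("mask") or [set("rwx")])[0]      # no mask entry: nothing capped
    if user == acl["owner"]:
        return want <= get("user")[0]            # owner entry is never masked
    if get("user", user):
        return want <= (get("user", user)[0] & mask)
    # Owning-group and named-group entries are all limited by the mask.
    matched = [p for t, n, p in ents
               if t == "group" and (n or acl["group"]) in groups]
    if matched:
        return any(want <= (p & mask) for p in matched)
    return want <= get("other")[0]

if __name__ == "__main__":
    groups = {"Development", "Domain Users"}
    for label, text in (("before", BEFORE), ("after", AFTER)):
        ok = check_access(parse_getfacl(text), "felix", groups, "rw")
        print(label, "felix rw ->", ok)
```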