samba4 - access to shared directory by groups permissions don't work

Matthieu Patou mat+Informatique.Samba at matws.net
Tue Apr 7 19:13:43 GMT 2009


On 03/31/2009 09:39 AM, Andrew Bartlett wrote:
> On Fri, 2009-03-27 at 13:02 +0100, Justo Alonso wrote:
>    
>> Hi !
>>      I'm trying to configure a shared directory and set permissions by
>> groups, but it doesn't work.
>>
>>      On windows, I set write access to "Domain Users" and the user of
>> the domain can't write on the directory. The unix group is created
>> with the same name.
>>
>>      I read about "unixname" and mapping domain to unix group with swat,
>> but I don't know how to do it (swat doesn't work on samba4>  alpha3,
>> does it?)
>>
>>      How do I have to define permissions in Windows and Unix to make it work?
>>      
> Tridge defines this as the 'minimal' mapping.  Ie, there is none (pretty
> much :-)
>
> Files will be created as the UID that Samba determines for that new user
> (stored in its IDMAP, and unrelated to any existing user).  Users'
> access to those files will be restricted by the intersection of both the
> posix mode (user group other), any posix ACL and the windows ACL applied
> to the file.  Only the windows ACL will be visible from the client, and
> only the windows ACL can be changed.
>
>    
Just my 2 cents tip: I force the group to have rwx (with directory and 
file mask) and use either the sticky bit on the folder (usually quite 
sufficient) or, in some rare cases, a default posix ACL so that all 
folders and files created will be unix group writable, and then I use 
the NT ACL to make fine-grained access.

BTW if you do not set any NT ACL you have by default a mapping of POSIX 
ACL to NT ACL done by samba4.

Matthieu.
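
A simplified model of the access check described in this thread, added here as an example and not code from Samba or from the posters. It treats the client's effective rights as the intersection of the POSIX mode and the NT ACL; the classes, IDs, group names and the reuse of rwx bits as NT access masks are all assumptions made for illustration.

```python
# Simplified model (constructed for illustration): access = POSIX bits AND NT ACL bits.
from dataclasses import dataclass

R, W, X = 4, 2, 1  # rwx bits; reused as a stand-in for NT access masks

@dataclass(frozen=True)
class Inode:
    uid: int   # owner, the idmap UID of the creating user
    gid: int   # unix group of the file or directory
    mode: int  # POSIX mode, e.g. 0o770

@dataclass(frozen=True)
class Token:
    uid: int          # UID the idmap assigned to this Windows user
    gids: frozenset   # unix GIDs the user's groups map to
    names: frozenset  # user and group names, standing in for SIDs

def posix_bits(inode, tok):
    """Owner/group/other selection: the first matching class decides."""
    if tok.uid == inode.uid:
        return (inode.mode >> 6) & 7
    if inode.gid in tok.gids:
        return (inode.mode >> 3) & 7
    return inode.mode & 7

def nt_bits(acl, tok):
    """Union of allow entries whose trustee is in the token (deny entries omitted)."""
    bits = 0
    for trustee, mask in acl:
        if trustee in tok.names:
            bits |= mask
    return bits

def effective(inode, acl, tok):
    """What the client actually gets: the intersection of both layers."""
    return posix_bits(inode, tok) & nt_bits(acl, tok)

# Constructed sample data: all IDs and names are made up.
alice = Token(3000001, frozenset({5000}), frozenset({"alice", "Domain Users"}))
bob = Token(3000002, frozenset({5000}), frozenset({"bob", "Domain Users", "editors"}))
share_755 = Inode(uid=3000000, gid=5000, mode=0o755)  # group lacks w
share_770 = Inode(uid=3000000, gid=5000, mode=0o770)  # group forced to rwx
full_acl = [("Domain Users", R | W | X)]
fine_acl = [("Domain Users", R | X), ("editors", R | W | X)]

if __name__ == "__main__":
    for tok in (alice, bob):
        print(sorted(tok.names), format(effective(share_770, fine_acl, tok), "03b"))
```

With mode 0755 the NT ACL grant of write to "Domain Users" has no effect because the POSIX group bits lack w; with the group forced to rwx, the NT ACL alone decides who can write.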

