Approach to permissions, UNIX usernames, and UNIX groups ..

David Lee T.D.Lee at durham.ac.uk
Mon Dec 6 15:07:23 GMT 1999


Re:

> I have a question I wanted to throw out to the general public.  When
> dealing with reasonably large numbers of users (120+, in this case),
> how do most of you handle your UNIX permissions, usernames, and groups
> in correlation to your SAMBA?
> 
> I need to create a directory structure reasonably deep (3-5 directories
> off of the main RAID mount point, with 5-10 directories under that, with
> another 3-10 directories under those).
> 
> The best approach I have come up with so far is to create a group
> specifically for each subdirectory, and put .. say .. Bob, Al, and Tom in
> it.  Then I make sure the directory is owned by root.group, and could utilize
> the "force create mode" and "force group" directives in my smb.conf to create
> the files as rwxrwx--- and assigned to the group with respect to the
> subdirectory it is in.  The only problem is, this means I have to manage over
> 100+ groups with 100+ SAMBA shares, and it seems there has to be a better way,
> and I'm just not seeing it.
> 
> Is there a way to tell SAMBA to assign files being written to the group 
> of the subdirectory the file is being written to?  Is there a better way
> altogether to approach this (I hope there is =).
> 
> Any insight or webpage references on approaches to medium-to-large-scale
> fileserving with SAMBA on a network are appreciated.  Thanks.

We have 19,000 registered UNIX users, of which some 7,000 (rapidly
increasing) are currently Samba-ised onto our Solaris 2.x fileservers. 

Many UNIX flavours interpret the SETGID bit on a directory to mean "when
creating a new file/directory in here, use the group-owner of this
directory (rather than group-owner of the process)".  So if your data
falls neatly into having dir<n>/subtree<n> all owned by group <n>, then
this SETGID should meet your ownership requirement.  Note that this
functionality, if there, is within that flavour of UNIX itself: it cannot
be controlled from Samba.

We have a patch which takes this a stage further.  It was discussed back
in September on the "samba-technical" list, and met with favourable
response from the Samba team.  But, alas, things have gone very quiet
since then...

This patch, provisionally called "inherit mode", takes the mode of the
directory and applies all its bits to new subdirs, and its rw bits to new
files.  (This "inherit mode" smb.conf parameter overrides even those
parameters entitled "force ..."):

See:
   http://www.dur.ac.uk/~samba/inherit-206.diff

for the 2.0.6 patch; substitute 204 or 203 if you run 2.0.4 or 2.0.3
(sorry, no 2.0.5). 

And if you like it, gently encourage the Samba Team to include it in
future releases of Samba.

Hope that helps.

--

:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/~dcl0tdl            South Road            :
:                                           Durham                :
:  Phone: +44 191 374 2882                  U.K.                  :
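
An added example, not part of the original post and not the Durham patch's code: a Python sketch that models the mode arithmetic the post describes for "inherit mode" and audits a group-shared tree for the conditions that break SETGID group inheritance. The function names `inherited_modes` and `audit_tree` and the problem labels are hypothetical.

```python
import os
import stat

def inherited_modes(dir_mode):
    """Model of the post's description of "inherit mode": a new subdirectory
    gets all of the parent's permission bits, a new file only its rw bits."""
    perms = stat.S_IMODE(dir_mode)
    return {"subdir": perms, "file": perms & 0o666}

def audit_tree(root):
    """Return sorted (relative_path, problem) pairs for a group-shared tree.

    Problems reported:
      no-setgid      directory without SETGID, so new entries take the
                     creating process's group instead of the directory's
      group-mismatch entry whose group differs from its parent directory's
      world-access   entry with any permission bit set for "other"
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        parent = os.lstat(dirpath)
        if dirpath == root and not parent.st_mode & stat.S_ISGID:
            findings.append((".", "no-setgid"))
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode and group say nothing useful
            rel = os.path.relpath(path, root)
            if stat.S_ISDIR(st.st_mode) and not st.st_mode & stat.S_ISGID:
                findings.append((rel, "no-setgid"))
            if st.st_gid != parent.st_gid:
                findings.append((rel, "group-mismatch"))
            if st.st_mode & stat.S_IRWXO:
                findings.append((rel, "world-access"))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    print("modes from a 2770 directory:",
          {k: oct(v) for k, v in inherited_modes(0o2770).items()})
    for rel, problem in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{problem:15} {rel}")
```

Run it against a share's top-level directory; an empty report means every directory carries SETGID, every entry has its parent's group, and nothing is accessible to "other".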


