Question of the day for SAMBA GURUS!

Donovan R. Palmer palmerd at
Thu Apr 27 10:22:46 GMT 2000


I have a question that I haven't been able to answer from the docs.  I
wondered if someone out there has tried to do what I would like to

On our server, we have mapped a share called wrkgrps to drive G:  Users
then have various directories under drive G: which correspond with their
department, i.e. accounts, personnel, etc.  Each of these directories
has a share which I have defined in smb.conf

What I would like to do, is restrict read/write access under the main
share.  I'll try to explain:

G: wrkgrps (open to all valid users)

then under this:
---> personnel (only accessible to members of personnel group)
---> accounts (only accessible to accounts group)
---> operations (etc...

This allows people to select drive G: and then drop into any directory
which they are a member of the group that owns it.  A user might be a
member of the personnel group and also the operations group.

The problem I have encountered is that when I map drive G: to the
wrkgrps share, the read/write/access rules are then carried down to
the lower directories.  I would like to force that when the person
writes to the lower directory, that it uses the rules and definitions
for that share (i.e. personnel) rather than wrkgrps.

So in essence, I would like to restrict the access and force different
users in lower directories if possible.  My only other alternative is to
make browseable each and every share and have people access the
respective directories that way through the network neighborhood.  I
would like to avoid this as it is very convenient when working on a
project to just pull up drive G: and descend down into the directory that
you want.

Anyhow, if there is any advice or hints on this front, I would
appreciate it.  Currently at the moment, I just have all of the
descending directories open for anyone to access who validates as a valid
user of the "users" group.  This is not a major problem for our 
small team, but I would like to begin to restrict access and strengthen 
security for when we grow.

Here is my share definition for wrkgrps:

comment=Working Directories for workgroups
force create mode=770
force group=users
create mask=0770

And one of the shares for one of the lower directories

comment=Personnel Department's Directory
force create mode=770
force group=personnel
create mask=0770

Kind regards,
Donovan Palmer

Donovan R. Palmer, Operations Manager
m/v Africa Mercy - Newcastle upon Tyne, U.K.
Tel: +44 (870) 3211586 Fax: +44 (870) 1332611  Mob: +44 (7887) 567582
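
An added example, not part of the original post: a small Python check that reads an smb.conf and reports every share whose directory also sits inside another share's path with different "valid users" or "force group" settings, which is the situation described above. The "path" and "valid users" lines in the sample are assumptions; the post does not show them.

```python
import configparser
from pathlib import PurePosixPath

# Constructed sample: share names and force group values come from the post;
# every "path" and "valid users" line is an assumption.
SAMPLE_CONF = """
[wrkgrps]
path = /srv/wrkgrps
valid users = @users
force group = users

[personnel]
path = /srv/wrkgrps/personnel
valid users = @personnel
force group = personnel
"""

def load_shares(text):
    """Map share name -> path, valid users and force group (shares with a path only)."""
    cp = configparser.RawConfigParser(strict=False)  # Raw: smb.conf uses % macros
    cp.read_string(text)
    shares = {}
    for name in cp.sections():
        if not cp.has_option(name, "path"):
            continue
        valid = cp.get(name, "valid users", fallback="")
        shares[name] = {
            "path": PurePosixPath(cp.get(name, "path")),
            "valid": set(valid.replace(",", " ").split()),
            "force_group": cp.get(name, "force group", fallback=None),
        }
    return shares

def find_overlaps(shares):
    """List (parent, child, subdir) where a child share's directory is also
    reachable through a parent share whose own rules differ."""
    findings = []
    for child, c in shares.items():
        for parent, p in shares.items():
            if p["path"] not in c["path"].parents:
                continue  # not nested under this share (also skips itself)
            if (p["valid"], p["force_group"]) != (c["valid"], c["force_group"]):
                findings.append((parent, child, str(c["path"].relative_to(p["path"]))))
    return sorted(findings)

if __name__ == "__main__":
    for parent, child, sub in find_overlaps(load_shares(SAMPLE_CONF)):
        print(f"[{child}] is also reachable as {sub}/ inside [{parent}], which applies its own rules")
```

Each finding marks a directory where only the file system's own ownership and mode bits separate the two groups of users, because a connection made through the parent share is handled with the parent's settings.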
