Samba on Linux with no ACL's is making things tough

[Michael Marschall]

Please for give me if this gets a bit long.

I am presently in the process of moving my company's file server from
Windows NT 4.0 over to Linux with SAMBA and the lack of ACL support in
the ext2 filesystem is making things very difficult to design. To
clarify I am NOT writing about Samba's support for NT ACL's on NTFS. I
am writing to possibly get some tips for getting around the lack of
ACL's in ext2. I know that ReiserFS and SGI's XFS both have support for
ACL's, but these are beta file systems and that is not acceptable. Also
I know there are projects for ACL support in ext2, but there are also at
the most beta code.

My goal is to get some suggestions or for someone to tell me that I am
SOL.

My problem is that I want/need to setup directories for indivual
departments on the Samba server that all memeber of the department can
have access to. This is easy. I can create a share giving specific
rights to the department's group and or individual users. Within these
directories are going to be other directories that also need to have
specific access set on them (not everybody within a department should be
able to see all the files within the dept folder). This is where the
solution begins to fall apart. Samba can control access to a shared
folder, but (at least to my knowledge) cannot control access to
subdirectories of a share. The only way to control this is via ext2
filesytem security (chmod, chgrp). What has to happen to set more narrow
access on the subdirectory (i.e. grant access for a subset of the users
able to access the department directory) is to create a new group in
Linux /etc/group and add the subset of users that need access to this
folder to the group. Then I would have to set group access on this
folder to the new group. But this sucks. For every subdirectory that I
have within a department directory that would require restricted access
to one or more member[s] of the department (say a secretary or temp
employee) I would have to create a new group. Not only would this be
tedious and difficult to track, but there is a limitation on how many
groups a user id can be a memeber of in Linux (I think it is 16).

The alternative of eliminating the department shares and just creating
shares of all the subdirectories is also a poor solution. This would
create hundreds of shares (my sales directory has a subdirectory
representing every client we have and only specific people can access
each client). I can imagine what a user is going to think when they
either A) need to map 50 shares (drive letter problem) to get access to
their work or B) double click on the server in network neighborhood and
not only sees all the shares for their dept. but also all the shares for
every other dept. (yuk!!!)

Another solution would be to use a combination of the last method
(create shares of the subdirectories) and use virtual servers according
to department. This eliminates every user having to see every directory
from every dept, but it does not solve the sub directory problem and it
also does not solve my affinity for thinking that virtual servers when
you have 50 employees is stupid.

Am I doing something wrong here? Is or did anybody hav[ing] the same
problem? Can someone describe their setup and how it works?

Sorry if this is confusing.

--
Michael Marschall
Infrastructure Manager
VoiceRite, Inc.
7725 NW 48th St.
Miami, Florida 33166
Phone / Fax / Pager : 305 436 1574