[Samba] ACL: need additional samba option?

Pierre Dehaen dehaen at milano.drever.be
Tue Aug 13 07:18:01 GMT 2002


Hi All,

I need to set up the following rights behavior through samba and I'm currently 
stuck after lots of unsuccessful tests. Maybe one of you has an idea or a 
solution to this problem...

Here it comes:

- A share must be available only to some users belonging to the "project" 
group.

That's easy:
   valid users = @project

- There are several administrator-created directories in the share 
corresponding to the departments of the company. Only some users must 
have access to each directory, in read only mode for some, in read/write 
mode for others.

We cannot use the unix groups because of the limitation saying a user may 
only be a member of 15 (or 16, I don't remember) groups. So I started playing 
with ACLs: each user with read or read/write access has an ACL on those 
top directories and a default entry also (default:user:john:r-x for instance). 
The mask and default mask (ACL) are set to rwx.

- Under these top directories, read-only users must be able to read all files, 
and read/write users must be able to create files and subdirectories. When a 
file/subdirectory is created by a user, only that user should be able to modify 
or delete it unless additional rights are given by him/her through the Windows 
permissions.



The solution now:

- I created acls on the top directories, including default entries:
# ls -ld topdir
   drwx------+  7 root  other     512   Aug 13 16:00  topdir/
# getfacl topdir
   # file: topdir
   # owner: peter
   # group: noaccess
   user::rwx
   user:john:rwx
   user:johnny:rwx
   user:jack:r-x
   group::---
   mask:rwx
   other:---
   [and the same entries with default: as prefix]

Note that I set the group to "noaccess" to make sure it will not interfere with 
the user specific rights.

- I set the following options on the samba share:
   read only = no
   inherit permissions = yes
   inherit acls = yes
   force group = noaccess

Note that the default entries should not be very useful here because I used the 
samba "inherit" options.

This works when john creates a file (rights are inherited), but I don't know how 
to cap the rights of all users but the owner at "read only", because for now 
they get the same rights as on the parent directory.

And this doesn't work when john creates a subdirectory, because the mask is 
set to "---" and the effective perms are null too!

- Note that I also tested without the inherit options. I hoped the "default:" 
entries would do, but then another problem comes up: the mask is set based on 
the permissions of the group...

- So I'm stuck now! I think the solution would be to have two more samba 
options:
   force file acl mask = r-x
   force directory acl mask = rwx



I'm sorry for having been so long-winded. Well, if you're still here, you're 
maybe interested...

Thanks in advance for any help,
Pierre
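The behaviour the post runs into (named-user entries being capped by the mask, and the mask of a new subdirectory ending up as "---") follows from the POSIX.1e rules documented in acl(5). The model below is an added example written for this page; it is not code from the original post, from Samba, or from the getfacl/setfacl tools. It parses the post's topdir ACL (with the default entries spelled out as the post says), evaluates access the way POSIX.1e does (owner, then named user, then group class, then other, with the mask applied to everything but the owner and other), and computes the access ACL a new object inherits from the parent's default ACL: user:: is ANDed with the owner bits of the creation mode, mask:: with its group bits, other:: with its other bits, and umask is ignored. The creation modes 0700 and 0750 are assumptions chosen for the illustration: 0700 is the parent's own drwx------ mode copied onto the new directory, which drives the mask to "---"; 0750 shows the mask capping johnny's rwx at r-x. The user "alice" is a constructed member of @project who has no ACL entry.

```python
"""POSIX.1e ACL model (acl(5) semantics): effective rights under the mask and
the access ACL a new file/directory gets from its parent's default ACL.
Added example; not the post's, Samba's or the acl tools' code."""

R, W, X = 4, 2, 1


def perm(s):
    """'r-x' -> 5."""
    return ((R if s[0] == "r" else 0) | (W if s[1] == "w" else 0)
            | (X if s[2] == "x" else 0))


def perm_str(p):
    return ("r" if p & R else "-") + ("w" if p & W else "-") + ("x" if p & X else "-")


def parse_acl(text):
    """Parse getfacl-style output (both 'mask::rwx' and Solaris 'mask:rwx')
    into (access_acl, default_acl), dicts keyed by (tag, qualifier)."""
    access, default = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        target = access
        if line.startswith("default:"):
            target, line = default, line[len("default:"):]
        parts = line.split(":")
        tag, perms = parts[0], parts[-1]
        qual = parts[1] if len(parts) == 3 else ""
        target[(tag, qual)] = perm(perms)
    return access, default


def masked(acl, p):
    """Named users, named groups and group:: are all capped by mask::."""
    return p & acl[("mask", "")] if ("mask", "") in acl else p


def allowed(acl, owner, owning_group, uid, groups, want):
    """POSIX.1e access check: the first matching entry class decides."""
    if uid == owner:
        return acl[("user", "")] & want == want
    if ("user", uid) in acl:
        return masked(acl, acl[("user", uid)]) & want == want
    candidates = [acl[("group", "")]] if owning_group in groups else []
    candidates += [p for (tag, q), p in acl.items()
                   if tag == "group" and q and q in groups]
    if candidates:  # one matching group entry must carry all requested bits
        return any(masked(acl, p) & want == want for p in candidates)
    return acl[("other", "")] & want == want


def effective(acl, owner, owning_group, uid, groups):
    """Per-bit summary ('r-x' etc.) of what uid can do on the object."""
    bits = 0
    for b in (R, W, X):
        if allowed(acl, owner, owning_group, uid, groups, b):
            bits |= b
    return perm_str(bits)


def create_under(default_acl, mode):
    """Access ACL of a new object created in a directory with default_acl:
    copy the default ACL, then AND user:: with the owner bits of mode,
    mask:: (group:: if no mask) with the group bits, other:: with the other
    bits; umask is not applied.  The group bits of the creation mode thus
    become the cap on every named user's rights."""
    acl = dict(default_acl)
    acl[("user", "")] &= (mode >> 6) & 7
    group_class = ("mask", "") if ("mask", "") in acl else ("group", "")
    acl[group_class] &= (mode >> 3) & 7
    acl[("other", "")] &= mode & 7
    return acl


# The topdir ACL from the post, with its "default:" entries written out.
TOPDIR = """\
# file: topdir
# owner: peter
# group: noaccess
user::rwx
user:john:rwx
user:johnny:rwx
user:jack:r-x
group::---
mask:rwx
other:---
default:user::rwx
default:user:john:rwx
default:user:johnny:rwx
default:user:jack:r-x
default:group::---
default:mask:rwx
default:other:---
"""
ACCESS, DEFAULT = parse_acl(TOPDIR)
USERS = ["peter", "john", "johnny", "jack", "alice"]  # alice: @project only


def rights_on_topdir():
    return {u: effective(ACCESS, "peter", "noaccess", u, {"project"}) for u in USERS}


def rights_on_new_dir(mode, creator="john"):
    """Rights on a subdirectory created by `creator` with the given mode;
    owner is the creator, group is noaccess (the share's force group)."""
    acl = create_under(DEFAULT, mode)
    return {u: effective(acl, creator, "noaccess", u, {"project"}) for u in USERS}


if __name__ == "__main__":
    print("topdir         ", rights_on_topdir())
    print("mkdir mode 0700", rights_on_new_dir(0o700))  # mask -> ---
    print("mkdir mode 0750", rights_on_new_dir(0o750))  # mask -> r-x
```

Run it and compare the two mkdir lines: with mode 0700 every named user ends up with "---" even though the default entries say rwx and r-x, which is the "mask is set to ---" symptom; with 0750 the mask becomes r-x and johnny's rwx entry is silently capped to r-x. That is exactly the knob a "force directory acl mask"-style option would turn: whatever group bits are handed to mkdir/creat decide the mask, and the mask decides what non-owners can do.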


