[Samba] Re: Controlling files through groups:Update

Failed Access mdonovan at edwtech.com
Thu Aug 7 17:20:20 GMT 2003


force group means that when you make a new file or save a file, as 
opposed to the file acquiring the standard group of the users e.g. 
"theUser", it would go in as the "forced group" e.g. "users"

Nope, if you tell all the files that they are only to be r-x no one could 
write to it. The read list/write list should, as I understand it, control 
who has the rights to write. e.g.
We have a share called marketing, anyone is allowed to read from the 
share but only marketing are allowed to edit the share so the drive 
permissions on the server read

-rwxrw-r-- username users afile

the share reads
[marketing]
comment = marketing drive
path = /var/marketing
read list = @users
write list = @marketing, mdonovan

Seeing as everyone on the server is set up with -g users the group 
assigned shall always be "users" so I don't need the force users.

In your share everyone would need to be a member of "officers" in order 
to see anything on the drive because the user group would be forced to 
@officers...

The way I understand it Samba permissions work at the front line and 
then the unix auth works at the server level... so samba would say if 
you're part of marketing you can write, if you are in @users you can read 
but the write permissions in marketing override the basic read 
permission of @users... so if someone not in @marketing tries to write 
samba shall say nope you're not allowed to do this.
If someone in @marketing tries they shall be allowed by samba.
Then it goes to the unix authorisation which will say are you the user 
who wrote it? nope, are you in the user group users? yes... then you're 
allowed to write. (Same logic would go for a member of @users who was 
trying to read the document)

So the main thing to remember is Samba is like a shell between windows 
and unix/linux making preliminary decisions. At the server level (ergo 
file system level) it shall act in the way the file system 
authentication expects it to work.

I may be wrong on many parts here but it works at my sites but that 
doesn't mean to say it'll work elsewhere ;c)

Hope this helps.


Jason Williams wrote:
> Ahh, very interesting.
> 
> So if I had one group called Officers that need only Read access to the 
> share.
> And another group called Processors that would need Read and Write 
> access to the share, I would setup something like the following:
> 
> [share]
> comment = a drive
> path = /var/drive
> read list = @officers
> write list = @processors
> force group = officers
> 
> then:
> cd /var/drive
> chown :users *
> 
> Couple questions on this: What exactly does the force group option do? 
> I'm a little unclear on this.
> Secondly, if I chown the entire /var/drive directory to officers, and 
> set the permissions on the directory and files to r-x, will the 
> processors group still be able to write to files in the directory as 
> well as create new files in the directory?
> 
> Thanks for your help.
> 
> Jason
> 
> 
> At 10:43 AM 8/7/2003 +0100, you wrote:
> 
>> one way would be
>>
>>
>> [drive]
>>  comment = a drive
>>  path = /var/drive
>>  read list = @users
>>  write list = @otherusers
>>  force group = users
>>
>>  ========================================
>> then
>>  cd /var/drive
>>  chown :users *
>>
>> If all the users aren't part of users then you'll need to faff
>>
>> but that's the way we have it and it works well.
>>
>>
>>
>> Jason Williams wrote:
>>
>>> Ok..I've been trying to troubleshoot this issue to see if I can fix it.
>>>  From what I can tell, there are certain options on this program that 
>>> will require write access to the share.
>>> Looking at the share, this is what it looks like:
>>> [root@PDC-SRV point]# ls -ld CLOSED
>>> drwxrwx---    4 root     cm           4096 Aug  6 15:58 CLOSED
>>> The corresponding files in the directory also have the same 
>>> permissions. I had to do this to get a certain function in the 
>>> program to work correctly, since it requires write access.
>>> My share info:
>>> [point]
>>>   comment = Point Program
>>>   path = /home/point
>>>   writable = yes
>>>   browseable = yes
>>>   public = no
>>>   valid users = jwilliams @cm
>>>   create mask = 770
>>>   force group = cm
>>> So here is what I need to figure out, to see if it is even possible.
>>
>>
>> These settings mean that everyone in @cm and jwilliams are allowed to 
>> edit and execute the file... and no one else can see it at all.
>>
>>> How can I set up this share through samba, so that only certain 
>>> users can have write access to this directory, and everyone else will 
>>> just have read access?
>>> Anyone have suggestions on how to get this setup and working correctly?
>>> I'm thinking I need to setup users in a specific group and give the 
>>> share owned by that group. That group will have r/w access. Then, the 
>>> rest of my users will just have read access.
>>> Anyone have any suggestions? I'm at my wits' end here almost. :)
>>> Jason
>>>
>>> At 03:22 PM 8/6/2003 -0700, you wrote:
>>>
>>>> Hello everyone.
>>>>
>>>> Have a question here about controlling permissions and groups for 
>>>> Samba.
>>>>
>>>> Our samba server is being used by our users to access files through 
>>>> a program.
>>>> In our initial testing, what I noticed is that once a user starts to 
>>>> work with the file, and there are any modifications done to it, it 
>>>> changes the owner to the user and the group to the group that the 
>>>> user belongs to.
>>>>
>>>> For instance, here is an example of a test file we were using.
>>>>
>>>> It had the owner of 'root' and the group of 'cm'.
>>>>
>>>> Once the user accessed the file through the program, made some 
>>>> changes, the owner and group were changed.
>>>> They were now:
>>>>
>>>> owner = blackberry  group = loans
>>>>
>>>> Couple quick questions here.
>>>> What I'm trying to do is setup a repository so my users can access 
>>>> the files at any given time.
>>>> However, I can see that what is going on will definitely pose a problem.
>>>>
>>>> With that in mind, how can I make sure that any files that are 
>>>> accessed or created by a user still retain the original user and group?
>>>>
>>>> Any suggestions here are greatly appreciated.
>>>>
>>>> Jason
>>>>
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  http://lists.samba.org/mailman/listinfo/samba
>>
>>
>>
> 
> 
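
The two-stage check described in this message, as an added example that is not part of the original thread: a simplified Python model in which the Samba share parameters decide first, the Unix mode bits decide second, and access is granted only where both agree. The `Share`, `User` and `File` classes, the function names and the sample users are hypothetical; `@name` entries are treated as Unix groups only, and the share defaults to `read only = yes` as smb.conf does.

```python
from dataclasses import dataclass, field

@dataclass
class Share:                       # a subset of smb.conf share parameters
    read_only: bool = True         # smb.conf default when nothing is set
    valid_users: set = field(default_factory=set)   # empty = anyone may connect
    read_list: set = field(default_factory=set)
    write_list: set = field(default_factory=set)
    force_group: str = ""          # "" = not set

@dataclass
class User:
    name: str
    groups: set

@dataclass
class File:
    owner: str
    group: str
    mode: int

def _listed(user, entries):
    # "@grp" matches group membership, a bare name matches the user name
    return any(e == user.name or (e.startswith("@") and e[1:] in user.groups)
               for e in entries)

def samba_gate(share, user):
    """First gate: what the share definition allows this user."""
    if share.valid_users and not _listed(user, share.valid_users):
        return set()                       # connection refused
    if _listed(user, share.write_list):
        return {"r", "w"}                  # write list wins over read list
    if _listed(user, share.read_list) or share.read_only:
        return {"r"}
    return {"r", "w"}

def unix_gate(share, user, f):
    """Second gate: owner/group/other mode bits, with force group applied."""
    groups = set(user.groups) | ({share.force_group} if share.force_group else set())
    if user.name == f.owner:
        bits = f.mode >> 6
    elif f.group in groups:
        bits = f.mode >> 3
    else:
        bits = f.mode
    return {p for p, b in (("r", 4), ("w", 2)) if bits & b}

def effective(share, user, f):
    return samba_gate(share, user) & unix_gate(share, user, f)

# Constructed sample: the [marketing] share and "-rwxrw-r-- username users afile"
MARKETING = Share(read_list={"@users"}, write_list={"@marketing", "mdonovan"})
AFILE = File("username", "users", 0o764)
```
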




