[Samba] replacing a w2k machine with samba 2.2.7a

James Kosin jkosin at intcomgrp.com
Mon Jan 6 21:04:12 GMT 2003


The way I got around this was to create a share and use the "force user" and
"force group" options on the share.  This makes everyone that can log in to
the share have owner access to all files.  This should solve your problems
and allow everyone to change RW options on the files.

I used nobody as the owner and group!  Just for security reasons, I don't
like using root for this.

James Kosin

Original Message
Message: 3
From: "Alex Kramarov" <alex at incredimail.com>
To: <samba at lists.samba.org>
Date: Mon, 6 Jan 2003 19:10:48 +0200
Subject: [Samba] replacing a w2k machine with samba 2.2.7a


First, I would like to thank samba developers for producing such a good
product. Second, I have a few questions/remarks:

I have recently replaced a w2k file server running in a w2k domain (native
mode) with samba 2.2.7a on RH 7.3 with the latest kernel, no acl,
configured winbind, and ran into the problem described here :


It would be helpful if this info made its way into the winbind.html in
the doc directory of the samba distribution - I wasted an hour tracking
it down, and other people may just give up on it before finding the

After configuring everything, my samba server has been running for 2 weeks
already, without any major problems. I have a few minor problems though

Generally, this server holds a few shares for several different groups
in my organization. Each share is writable for members of that group,
and readable for the rest. This is accomplished by the following setup
(a snippet from my smb.conf regarding the "_creative" share):

[global]
     workgroup = MyOrg
     winbind separator = +
     winbind uid = 10000-20000
     winbind gid = 10000-20000
     winbind enum users = yes
     winbind enum groups = yes
     template homedir = /mnt/usersdata/_users/%U
     security = domain
     encrypt passwords = yes
     dos filemode = yes
#    security mask = 0000

[_creative]
   comment = Creative division
   path = /mnt/gendata/_creative
   read only = no
   create mode = 664
   directory mode = 775
   force security mode = 664
   force group = +MyOrg+Creative
   write list = @MyOrg+Creative

All files written to the share are mode 664, and directories are 775.

There is a problem though: when an owner of a file sets the file read
only, no one except him can remove the read only attribute, since the
file becomes 444. I tried dos filemode - it is not much help. Is there
a solution for this? The problem is escalated by people copying many
read only files into the share (like pictures from a cd), and other
users can't remove the read only attribute.

Trying to solve the problem, I have tried to set "security mask =
0000" - but this was completely not helpful, setting files read only
still worked. Another problem was uncovered with this line - for some
reason, people working in m$ word (yacccs) were not able to save their
documents while working on the samba share - for some reason during the
save operation the file got the 000 permission, and of course nothing
else could be done with the file until I fixed the problem by chmod 664
of the file.

NT has the option to grant write control to a share, and full control. I
would really like to make these shares only write accessible, and all
attribute changes would not be propagated to the files themselves - I
don't mind that a person will not be able to set a file read only. All I
want is for all my files to have the permission I set in create mode,
whatever the user tries to do to it.

I have read the entire smb.conf documentation, and didn't find anything
that could help me. Am I missing something? Am I looking at it from the
wrong direction?

Right now the only solution I have is a cron job run daily that runs
find on all shared directories and changes permissions of all files to
the default, and of course, this is not much of a solution...

An additional question I have is as follows: I want to provide a group of my
users with a home directory, but not all of them - some users are
administrative users only, and they don't need home dirs. I have started
with something like this:

[homes]
   comment = Home Directories
   path = /mnt/usersdata/_users/%S
   browseable = no
   writable = yes
   valid users = MyOrg+alex MyOrg+alon MyOrg+ariela
   create mode = 0644
   directory mode = 0755

And these users get their directories fine, but those users who are not
in valid users (and I don't want to provide them with home directories)
still see a share of a home directory on that server (of course they
can't connect to it, since it doesn't exist on the HD). What better way
to do this?

Thank you.


End of Original Message

James Kosin <jkosin at intcomgrp.com>

International Communications Group, Inc.
200 Enterprise Drive
Newport News, VA 23603-1300
-- United States of America --

Voice:   +1 (757) 947-1030 x122
Fax:      +1 (757) 947-1035

"Walking on water and developing software to specification
are easy as long as both are frozen" - Edward V. Berard.
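The "force user"/"force group" workaround from the reply above, written out as an added smb.conf example (not configuration from either poster). It shows the original per-owner share beside the forced-identity version; share names and the "MyOrg+Creative" winbind group are taken from the quoted message, the rest is assumed.

```ini
# Added example for this thread, not the original poster's configuration.
[global]
   workgroup = MyOrg
   security = domain
   encrypt passwords = yes
   winbind separator = +

# Original approach: files keep their real owner, so a file the owner made
# read-only (mode 444) can only be reverted by that one owner.
[creative_per_owner]
   path = /mnt/gendata/_creative
   read only = no
   create mask = 0664
   directory mask = 0775
   force group = +MyOrg+Creative
   write list = @MyOrg+Creative

# Workaround: once connected, every user runs as the unprivileged "nobody"
# account, so every file is owned by nobody and any connected user has
# owner rights and can clear the read-only bit again.
# Access control still happens on the real account: "valid users" and
# "write list" are checked at connect time, before the identity switch,
# so keep them in place. Never force root here. Trade-off: file ownership
# no longer records who wrote a file, so keep Samba logging if that
# audit trail matters.
[creative_forced]
   path = /mnt/gendata/_creative
   read only = no
   valid users = @MyOrg+Creative
   write list = @MyOrg+Creative
   force user = nobody
   force group = nobody
   create mask = 0664
   directory mask = 0775
```

Run `testparm` on the resulting file before reloading smbd to confirm the section parses and the forced identity is what you expect.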
