[Samba] force group parameter problem

John H Terpstra jht at samba.org
Wed May 7 18:56:45 GMT 2003


Chris,

You need to become more familiar with Unix file and directory permissions
handling.

The simple solution is:

On /sales set owner and group as you want. Let's say chrisw is the owner
and sales is the group.

	chown -R chrisw.sales /sales

Next set the SGID bit on the directory:

	chmod g+s /sales

This means that all files in the directory will be created with group
sales.

Now make sure that your create mask is set correctly, or the force create
mode is set correctly in your smb.conf.

ie: force create mode = 0550

Note: You probably do NOT want to set the Unix execute bits on a file that
can not be executed in Unix! But you should familiarise yourself with the
"map system", "map archive", "map hidden" parameters which do use the
three unix execute bits.

Lastly, in your share definition you could put "valid users = +sales"


When you do a "force group" or "force user" you are telling samba to make
the current Windows user have the rights of the group you are forcing it
to, or in the case of "force user" you are causing Samba to behave as if
the user is actually the name being forced. This is NOT what you want if
you want to not allow Mary (who is not a member of sales) access to the
files.

Note: You can also set up an Access Control List on the Share itself using
the Server Manager from MS Windows (this is part of the Nexus toolkit that
is available from Microsoft's Web site), or from MS Windows 200x or XP you
can do this from the Microsoft Management Console.

- John T.


On Wed, 7 May 2003, Chris Wright wrote:

> Hello.  I'm having some trouble with the force group parameter in the
> smb.conf file.  I'm running samba 2.2.8a on RedHat 9.
>
> The smb.conf file has the following entries:
>
> [sales]
>             comment = Sales Share
>             path = /sales
>             public = no
>             writable = yes
>             create mask = 0770
>             directory mask = 0770
>             force group = +sales
>
> The UNIX permissions on /sales are 770.
>
>
>
> User bob has a primary UNIX group of marketing and a secondary group of
> sales.  The command "groups bob" shows that he IS a member of both
> groups.  When he tries to connect, however, access is denied.  The log
> file reads:
>
> [2003/05/07 13:38:17, 0] smbd/service.c:set_current_service(60)
>   chdir (/sales) failed
>
> If I change the force group entry to "force group = sales", then bob can
> connect and create files and folders.  Further an ls -l on the file
> shows:
>
> -rwxrw----           1          bob       sales    0          May      7 08:40    filename
>
> With this configuration, the user sue, who is not a member of sales and
> therefore should not have access to the files, can also create and edit
> files on the share.
>
> -rwxrw----           1          sue       sales    0          May      7 08:45    suesfile
>
> If I understood the smb.conf man page correctly, the "force group =
> sales" line is functioning correctly because it changes the user's
> primary group to sales giving them the rwx permissions on the share
> regardless of whether or not the user is in the sales group.  The line
> "force group = +sales" should allow bob to connect with rwx because he
> actually IS a member of sales, but deny sue because she is not a member
> of sales.
>
>
>
> Does anybody have any ideas on how to get this to work?  Any help would
> be greatly appreciated.  Thank you.
>
>
>
> Chris Wright
> Network Specialist
> Information Technology Outreach Services (ITOS)
> University of Georgia
> (706) 542-1976
> cwright at itos.uga.edu

-- 
John H Terpstra
Email: jht at samba.org
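
The pitfall discussed in this thread can be checked mechanically. The following is an added example, not part of the original message and not Samba's own code: it flags a share whose "force group" is unconditional (no "+" prefix) with no "valid users" restriction, and checks a directory mode for the setgid layout described above. The function names and the sample configuration text are constructed for illustration.

```python
import stat

# Constructed sample: the share from the original question, with the
# unconditional "force group = sales" variant that let sue write files.
SAMPLE_CONF = """
[sales]
    comment = Sales Share
    path = /sales
    writable = yes
    create mask = 0770
    directory mask = 0770
    force group = sales
"""

def parse_shares(text):
    """Parse smb.conf-style text into {section: {parameter: value}}."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            current["".join(key.lower().split())] = value.strip()
    return shares

def audit_share(params):
    """Return findings for the force-group pitfall discussed in the thread."""
    findings = []
    forced = params.get("forcegroup", "")
    if forced and not forced.startswith("+") and "validusers" not in params:
        findings.append(f"force group = {forced} gives every connecting user "
                        f"the rights of that group; no valid users restriction")
    return findings

def audit_dir_mode(mode):
    """Check a share directory's st_mode against the setgid layout."""
    findings = []
    if not mode & stat.S_ISGID:
        findings.append("setgid bit missing: new files keep the creator's primary group")
    if mode & stat.S_IRWXO:
        findings.append("'other' permission bits set: non-members can reach the directory")
    return findings

if __name__ == "__main__":
    for name, params in parse_shares(SAMPLE_CONF).items():
        for finding in audit_share(params):
            print(f"[{name}] {finding}")
    # Constructed modes: 0770 as in the question, 2770 after chmod g+s.
    print(audit_dir_mode(stat.S_IFDIR | 0o770), audit_dir_mode(stat.S_IFDIR | 0o2770))
```

To check a real directory, pass `os.stat(path).st_mode` to `audit_dir_mode`.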

