[Samba] "Inherited Permissions" vs "Force/Create Mask"

Edd Payne edd.payne at ulu.lon.ac.uk
Fri Nov 21 12:02:48 GMT 2003


This may be the setup that you have at present, but I have a share with the 
following set:

[sharename]
   path = /path/to/share
   writeable = yes
   valid users = @<group>
   force group = <group>
   directory mode = 770
   create mask = 660

Then do

# chown anyuser.groupname /path/to/share
# chmod 770 /path/to/share

Add all the users to the same group, and then any user who writes to the share 
will have their name as the owner of the file, and the group will be the 
group owner, and the permissions will allow full control of the file 
(-rw-rw----).

We have a share for each department at work here, and this seems to be working 
fine for all of them - however our needs aren't as intense as yours so this 
may not be the best setup - however it does seem to work quite well so far.

Hope this is of some use,
edd

On Thursday 20 Nov 2003 8:21 pm, AndyLiebman at aol.com wrote:
> I have written to this list several times. I purchased the Official SAMBA 3
> How-To and Reference Guide (and read much of it). But I can't get a good
> answer to my question.
>
> I'm trying to figure out the difference between "inherited permissions" and
> "force/create mask/directory", and other actions like "force user" and
> "force group" (it seems I don't want to use the latter).
>
> I have a very simple requirement. I have 6 users in a small network of
> Windows XP video editing workstations. All users must be able to read and
> write to the same shared directory (reading, modifying, and deleting each
> other's files). Plus, I want to know who wrote each file that's on the
> system (who is the true owner).
>
> Because I am doing video editing -- sometimes with uncompressed video over
> a gigabit network (18 MB/sec)  -- I need the very highest efficiency. So,
> whatever solution I choose it can't have a negative impact on speed.
>
> So far I have been able to solve my problem more or less by using
> "Inherited Permissions = yes" in my smb.conf file under my shared directory
> name. Is this the best way to do it? Or are there better solutions?
>
> Here are the "facts" about my system.
>
> -- Each user has a username and password on my Linux system.
> -- Each user has the same username and password under Samba
> -- Each user logs onto his/her Windows machine with the same usernames and
> passwords that they have in Linux.
> -- The Shared Directory on my Linux machine is owned by the group to which
> all users belong, and the group has write permission  (rwxrw-r--)
> -- The umask for the Linux user that created the directory is 0002
>
> With the solution I have chosen ("inherited permissions = yes"), all files
> and folders that my 6 users create and write into the shared directory are
> listed as being owned by the person who created them (that's good) and by
> the group to which they all belong (that's good) and the group has read and
> write permissions.
>
> However, in Windows XP, group members who didn't originally create a file
> or directory are not listed as having FULL CONTROL. They have read and
> write permission, but not modify. I'm not sure it makes any difference in
> the end because all users seem to be able to change the names of files,
> read them and delete them. But maybe the solution I'm using isn't good or
> has a high impact on performance?
>
> It seems another approach could be to use "force mask" and "create mask"
> and "force directory" and "create directory".
>
> And as I said above, another approach would be to "force user" and "force
> group" -- but that doesn't preserve the information about who actually
> created the file. And I want to keep that if possible.
>
> And maybe there's a solution that doesn't involve using any special
> smb.conf variables.
>
> Some guidance would be appreciated. Thanks.
>
> Andy Liebman

-- 
Edd Payne
IT Co-ordinator
University of London Union
Malet Street, London WC1E 7HY

tel: 020 7664 2060
fax: 020 7436 4604
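
Added example, not part of the original message or of Samba itself: a shell check that a share tree still matches the layout described in the reply above (files 660, i.e. -rw-rw----, directories 770, one shared group owner), so that drift such as world-readable files shows up. The function name audit_share is hypothetical, and GNU find and stat (Linux) are assumed.

```shell
#!/bin/sh
# audit_share DIR GROUP   (hypothetical helper, added example)
# Lists entries under DIR that deviate from the layout in the reply:
#   files 660 (-rw-rw----), directories 770, group owner GROUP.
# Output, one line per finding:  <reason> <mode> <owner>:<group> <path>
# The per-file owner is printed because the setup keeps the writing
# user as owner; only mode and group are checked against the policy.
# Assumes GNU find/stat; file names containing newlines are not handled.
audit_share() {
    dir=$1
    group=$2
    find "$dir" -mindepth 1 \( -type f -o -type d \) -print |
    while IFS= read -r p; do
        mode=$(stat -c '%a' "$p")     # octal mode, e.g. 660
        owner=$(stat -c '%U' "$p")    # user who wrote the file
        grp=$(stat -c '%G' "$p")      # group owner
        if [ -d "$p" ]; then
            want=770                  # "directory mode = 770"
        else
            want=660                  # "create mask = 660"
        fi
        if [ "$grp" != "$group" ]; then
            echo "group $mode $owner:$grp $p"
        fi
        if [ "$mode" != "$want" ]; then
            echo "mode $mode $owner:$grp $p"
        fi
    done
}

# Run directly as: sh audit_share.sh /path/to/share groupname
if [ "$#" -eq 2 ]; then
    audit_share "$1" "$2"
fi
```

No output means every file and directory below the share root matches the expected mode and group; the share root itself is set by the chown/chmod step and is not listed.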



