[Samba] Best way to do simple Samba for very small office.

[Stroller]

Hi there,

My experience: I've used Samba on a couple of servers at home in  
which security isn't an issue, and I've used WinBind & PAM to  
authenticate a Linux mailserver from a Windows domain. I'm quite  
confident about installing Samba & setting up simple shares, I can  
follow a howto & even do advanced trouble-shooting but I have no  
experience with many of the features that Samba surely offers.

In this case I have installed a Samba server to replace an XP machine  
essentially because the office wants off-site back-up, and I know  
that on a Linux system I can easily script backups to http:// 
rsync.net and email the office's proprietor each morning to notify  
him of the backup's success.

I can easily configure a simple simple share for everyone in the  
office to use, but the proprietor has expressed a desire for a folder  
that only he can access "using a password". How is the best way to so  
this? It's easy to use a separate share with different permissions,  
but I think that the customer might find it confusing or clumsy to  
have a "Z:" drive that anyone can use and a separate "X:" drive for  
his private data.

Can folders within Samba shares carry different permissions? So that  
within
    [Files]
    comment = The single network file share
    path = /mnt/samba
    writeable = Yes
    guest ok = Yes
"/mnt/samba/foo", "/mnt/samba/bar" and "/mnt/samba/grunt" are read- 
writable by anyone, but "/mnt/samba/boss" is only readable by user  
"boss"?

I have an idea that ACL might be required for this. Is that the case,  
or will simple Unix file permissions suffice?

Also related: what's the best way to handle a very small number of  
users on the Linux server? I can't see more than 5 or 10 users ever  
using the server and they have no need to access other services on  
it. So adding a Unix user to the Linux server for each Windows user  
in the office would not be too onerous, but it seems slightly  
inelegant. I can see the advantage of having a [homes] share for  
users' private files, but again this means two mounts per user  
([homes] and [everyonez_files]). I believe that Samba can do user  
authentication off an SQL backend, but this seems overkill for only  
half-a-dozen users. Any thoughts? Users should be able to login to  
SWAT (or similar) to change their passwords.

Finally, I'm a little unclear about how the Windows GUI copes with  
authentication to file shares. As I understand my experience (I'm  
beginning to realise a disadvantage of using a Mac at home!) if a  
Windows PC tries to connect to a network share then it will submit as  
authentication the username:password of the Windows user currently  
logged in. As I understand it things become clumsy if a user is  
logged onto a PC as "Bob" and wants to access a file share as user  
"Bobby". I know that one can mount a network drive as a different  
user, but this may not be desirable as, in this office, Dave might be  
using Bob's PC. It would be better for the user to be asked for a  
password each time, rather than the share be mounted at boot-up with  
permissions to read the boss' private files.

I'm sure this is a problem-space that has been done to death in the  
past, and I'm sure that Googling will reveal some references. But I  
thought I'd post here in case anyone would enjoy sharing their  
thoughts on this subject, and I would be glad if anyone can recommend  
some resources particularly relevant to my situation.

Stroller.