[Samba] simple right question

Jeroen Vriesman jeroen.vriesman at hivos.nl
Mon Feb 5 13:37:25 GMT 2007 

Dear all,

I got the following situation, a share called "Bureaus", with the follwong
subdirs:

/Bureaus/A
/Bureaus/B
/Bureaus/C
etc.

where A,B,C.. are the bureau names

under all the bureau names are directories:

A/Task1
A/Task2
A/Task3
A/Archive

For all the bureau names.

I've got groups, a groups, everyone is a member of "Domain Users", and that's
also always the primary group.
And, a group A, a group B etc, and groups "Task1 A", Task1 B"..."Task2 A" etc.

The simple idea is to give everyone access to Bureaus, only those who are member
of group A can go into /Bureaus/A, and only those who are a member of group
"Task1 A" can go to /Bureaus/A/Task1 and do there whatevery they want.

So fa so good, I've made acl's which allow "Domain Users" to r-x /Bureau,
without passing this to the subdirectories, an acl which allows r-x to group A
(also without allowing this to subfolders) for /Bureau/A, and for
/Bureau/A/Task1 including subdirectories the acl is "allow group Task1
everything".

That works fine.

But now for the Archive directory, the /Bureau/A/Archive should be read-only for
 members of the group A, and read-write for members of the group "Archive Mods
A".

And that's the problem, if I add an acl (with the windows rights management
stuff) for the group A to have read-only right for /Bureau/A/Archive and
subdirectories, and for the same directories an acl with "allow everything" for
members of the group "Archive Mods A", then the effitive rights for members of
"Archive Mods A" is read-only, since the most restrictive rights apply.

What I expected at first was that the rights would be additive and only a deny
would have the effect which I'm seeing now.

How can I make it work?

The options I have:
global: map acl inherit = Yes

The share /Bureaus:

        path = /samba/Bureau
        public = no
        browseable = yes
        writable = yes
        printable = no
        force create mode = 0770
        directory mask = 0770
        security mask = 0777
        force security mode = 0
        directory security mask = 0777
        force directory security mode = 0
        hide unreadable = yes



Kind regards,
Jeroen Vriesman.

More information about the samba mailing list