[Samba] Mapping of Unix groups to Samba user permissions

Lars Poulsen lars at beagle-ears.com
Fri May 30 04:11:38 GMT 2008 

Andras S. Haramasz wrote:
> Hi,
> Since I'm UNIX boy myself here is what I did
>
> Say a user belongs two mpim (management) and mpir (research) and perhaps a
> third one too mpig(generic)
> Management share
> ls -latd /mpi/Management
> drwxrws---  36 root mpim 4096 2008-05-27 21:34 /mpi//Management
>
> ls -latd /research/mpi.Research
> drwxrwsr--  48 root mpir 12288 2008-05-29 13:08 /research/mpi.Research
>
> This way no matter what the user's primary group is the share's group
> ownership will be maintained. It doesn't matter the subsequently created
> files directories owner either, since will inherit the parent directory's
> group. Also, allows access to group members only. In other words
> chmod 2770 dirname
Yes, this is structurally similar to what I have been doing, and for
that to work, the samba client must have the same group access rights
as a unix user logged in with the same username.

What I was seeing here today was this:

[sales]
        comment = Sales Department
        path = /home/sales
        public = yes
        writable = yes
        write list = @sales
        create mask = 0775

Two users alan and bob both have the primary group "employee", but
/etc/group defies them both as members of "sales".

drwxrwsr-- 11 alan sales  4096 2008-05-27 12:34 /home/sales/Contacts
-rwxrw-r--  1 alan sales 12345 2008-05-27 08:58 
/home/sales/Contacts/expo.csv
-rwxrw-r--  1 bob  sales 12345 2008-05-27 15:46 
/home/sales/Contacts/cann.csv

Both alan and bob should be able to create files in Contacts, and to
modify the files. But in fact only alan could do that. When bob
tried to create a file, access was refused; the directory was mapped as
read-only to bob. When I changed ownership of the directory to bob,
bob had the access he needed. The FILES seemed to have the correct rights.

Now, a few hours later, you message confirmed it should work as I
thought ... and now it DOES work that way.

I still think an article that spells out the mechanism in some
detail would be helpful. If I added to the write list a username
that is not in the sales group, would that user have access, or
would the underlying unix permission bits still block him?
If the server instance runs as root and SIMULATES the file system
protection, arbitrary patterns are possible. If the server instance
runs under the userid of the logged-in user, keywords such as "write
list" and "admin users" can restrict access but not open it beyond
what the user can do. I do not know the server's architecture,
so I cannot deduce the ground rules.

/ Lars Poulsen

More information about the samba mailing list