[Samba] How to set file/folder permission flexibly in Samba
Jeremy Allison
jra at samba.org
Tue Nov 4 01:43:16 GMT 2008
On Mon, Nov 03, 2008 at 01:59:29PM +0800, Andy Zhou/ICILSZX wrote:
> Hi All,
>
> I am using Samba 3.0.10 on IBM server with REHL 4 Os. The detailed infromation as below.
> -----------------------------------------------------------------
> [root at ufhkglx02 samba]# uname -a
> Linux ufhkglx02 2.6.9-67.ELsmp #1 SMP Wed Nov 7 13:58:04 EST 2007 i686 i686 i386 GNU/Linux
> [root at ufhkglx02 samba]# cat /etc/redhat-release
> Red Hat Enterprise Linux ES release 4 (Nahant Update 6)
> [root at ufhkglx02 samba]# smbstatus -V
> Version 3.0.25b-0.4E.6
> --------------------------------------------------------------------
>
> Currently, we are planning to migration NT domain to Samba domain, and the file/folders controlled by NT domain controller on NT server will be migrated to Linux server with Samba domain. But the problem is:
>
> How to restore the permission for file/folders.
>
> Because in Nt domain, there are some files/folders with special permissions, for example:
> UserA and UserB just read folderA
> UserC and UserD can read/write folderA.
>
> In Nt domian, it's easy to do so, we can set such permission by click "Security' button in folder A's Property. But with Samba, it's so difficulty. Because folderA will be migrated to a root directory in Linux server, such as /Dept, that is:
> --Dept
> --A
> --..
> --..
> And we require all users can read/access folder Dept, but cannot access folder A except User A, B, C and D (with special permission). Maybe it can set group to meet such requirement, but we don't like to do so, because it's not flexible, we have large mounts of file/folders with special permission.
>
> Of course, we can set such settings in smb.conf:
> -------------------
>
> [Folder A]
> path = /folderA
> valid users = UserA, UserB, UserC, UserD
> writeable = yes
> read list = UserA, UserB
> write list = UserC, UserD
> create mask = 770
> directory mask = 770
> ----------------
>
> But with such setting, the folderA will under / directory, while not /Dept, because we have so many folders need to be shared with special permission, we don't like to set too many folders under / partition, we need to set those folders all under /Dept.
>
> Therefore, my questions are:
> 1. Is there any way to meet my requirement?
> 2. Is there any way to let user control the permissions by themselves? Because with Samba domain, user cannot change the permissin setting in folder's security button, even though we set "nt acl support = Yes" in Global setting in smb.conf. Does samba 3.0.25 support "nt acl support"?
>
> Any pointers will be very appreciated. Thank you.
3.0.25 is a little old. I suggest using 3.0.32 if you need to stay
on a 3.0.x environment, change to 3.2.4 if not (only bugfixing is
being done on the 3.0.x codebase, no new changes - all new fixes
are being done on 3.2.x and 3.3.x).
You should be able to allow users to change permissions using
the NT ACL editor using Samba. Using posix acls on your backend
filesystem should allow you to meet these needs.
Jeremy.
More information about the samba
mailing list