[Samba] How to set file/folder permission flexibly in Samba

Andy Zhou/ICILSZX andyzhou at icil.net
Wed Nov 5 02:23:52 GMT 2008

Dear Jeremy,  
Thanks very much for your reply.  
Using POSIX ACLs can maybe set permissions for different users, but the right of control is still in the manager's hands rather than the users' hands; that is, users still cannot control the permissions by themselves.  
And you referred to 3.2.x. Do you mean that if I want to let users control the file permissions by themselves with "nt acl support", I need to upgrade Samba to 3.2.x? Thanks.  
Meanwhile, if I upgrade Samba to 3.2.x, I still need to set folders at the same level as /Dept and not under /Dept, because folders under /Dept will inherit the permissions. Please advise. Thank you very much.

Best Regards

From: Jeremy Allison [mailto:jra at samba.org]
To: Andy Zhou/ICILSZX [mailto:andyzhou at icil.net]
Cc: samba at lists.samba.org
Sent: Tue, 04 Nov 2008 09:43:16 +0800
Subject: Re: [Samba] How to set file/folder permission flexibly in Samba

On Mon, Nov 03, 2008 at 01:59:29PM +0800, Andy Zhou/ICILSZX wrote:
> Hi All, 
> I am using Samba 3.0.10 on an IBM server with the RHEL 4 OS. The detailed information is below. 
> ----------------------------------------------------------------- 
> [root at ufhkglx02 samba]# uname -a
> Linux ufhkglx02 2.6.9-67.ELsmp #1 SMP Wed Nov 7 13:58:04 EST 2007 i686 i686 i386 GNU/Linux
> [root at ufhkglx02 samba]# cat /etc/redhat-release
> Red Hat Enterprise Linux ES release 4 (Nahant Update 6) 
> [root at ufhkglx02 samba]# smbstatus -V
> Version 3.0.25b-0.4E.6 
> --------------------------------------------------------------------
> Currently, we are planning to migrate the NT domain to a Samba domain, and the files/folders controlled by the NT domain controller on the NT server will be migrated to a Linux server with a Samba domain. But the problem is: 
> How to restore the permissions for files/folders. 
> Because in the NT domain, there are some files/folders with special permissions, for example: 
> UserA and UserB can just read folderA 
> UserC and UserD can read/write folderA. 
> In the NT domain, it's easy to do so: we can set such permissions by clicking the "Security" button in folder A's Properties. But with Samba, it's so difficult, because folderA will be migrated to a root directory on the Linux server, such as /Dept, that is: 
> --Dept 
> --A 
> --.. 
> --.. 
> And we require that all users can read/access folder Dept, but cannot access folder A, except Users A, B, C and D (with special permissions). Maybe groups can be set to meet such a requirement, but we don't want to do so, because it's not flexible; we have a large number of files/folders with special permissions. 
> Of course, we can set such settings in smb.conf: 
> ------------------- 
> [Folder A]
> path = /folderA
> valid users = UserA, UserB, UserC, UserD 
> writeable = yes
> read list = UserA, UserB
> write list = UserC, UserD
> create mask = 770
> directory mask = 770 
> ----------------
> But with such a setting, folderA will be under the / directory and not under /Dept. Because we have so many folders that need to be shared with special permissions, we don't want to put too many folders under the / partition; we need to put those folders all under /Dept. 
> Therefore, my questions are: 
> 1. Is there any way to meet my requirement? 
> 2. Is there any way to let users control the permissions by themselves? Because with a Samba domain, users cannot change the permission settings via the folder's Security button, even though we set "nt acl support = Yes" in the Global settings in smb.conf. Does Samba 3.0.25 support "nt acl support"? 
> Any pointers will be much appreciated. Thank you.

3.0.25 is a little old. I suggest using 3.0.32 if you need to stay
on a 3.0.x environment, change to 3.2.4 if not (only bugfixing is
being done on the 3.0.x codebase, no new changes - all new fixes
are being done on 3.2.x and 3.3.x).

You should be able to allow users to change permissions using
the NT ACL editor using Samba. Using posix acls on your backend
filesystem should allow you to meet these needs.
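
The folder A requirement from the original question, written as POSIX ACLs on the backend filesystem (an added example, not part of the thread or of Samba itself). The hypothetical helper `dept_acl_cmds` only prints the `setfacl` commands for review; it assumes an ACL-enabled filesystem and Unix accounts named as in the question.

```shell
#!/bin/sh
# Added example: emit the setfacl commands that give per-user access to a
# subfolder of a shared parent. Nothing is changed on disk; review the
# output first, then pipe it to sh as root.
# Assumptions: the filesystem is mounted with ACL support, the account
# names are the ones used in the question, and dept_acl_cmds is a
# hypothetical helper name.

# usage: dept_acl_cmds DIR "read-only users" "read-write users"
dept_acl_cmds() {
    dir="$1"
    ro_users="$2"
    rw_users="$3"
    # Base entries: owner keeps full access, owning group and others get none.
    spec="u::rwx,g::---,o::---"
    # Read-only users need r-x on a directory (x is required to enter it).
    for u in $ro_users; do spec="$spec,u:$u:r-x"; done
    for u in $rw_users; do spec="$spec,u:$u:rwx"; done
    # Explicit mask so the named-user entries are not clipped.
    spec="$spec,m::rwx"
    # Access ACL on the directory itself.
    printf 'setfacl --set %s %s\n' "$spec" "$dir"
    # Default ACL so new files and subfolders inherit the same entries.
    printf 'setfacl -d --set %s %s\n' "$spec" "$dir"
}

# The parent stays readable and traversable by everyone.
printf 'chmod 755 %s\n' /Dept
# Constructed sample input matching the question: A and B read, C and D write.
dept_acl_cmds /Dept/A "UserA UserB" "UserC UserD"
```

Under POSIX rules only the owner of a file or directory (or root) can change its ACL, so the account that owns /Dept/A is the one able to edit these entries afterwards.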


