[Samba] samba file server in active directory domain - manage acls

Jeremy Allison jra at samba.org
Fri Oct 17 01:53:58 GMT 2008

On Thu, Oct 16, 2008 at 02:18:13PM +0200, Mikael Kermorgant wrote:
> By switching to Samba, we face a set of challenges:
> * Joining the domain and retrieving users and groups from the Windows domain
> to the Samba server.
> As far as I know, this is OK and is well done with winbind

Yep, winbind will fix this.

> * Changes to our security policy. We will have to manage security at the
> Linux/Samba level and this raises some questions:
> - Is it still possible to keep the security management at the file level (by
> giving full control at the share level and thus eliminating botherings on
> this side)? I know there are some limitations when mapping POSIX ACLs to
> Windows ones but that might be acceptable.
> - I've tried to manage POSIX ACLs on ext3 via Konqueror, which I could find a
> good alternative to Windows' GUI, but I'd prefer a web front end. Would you
> have some nice web GUI to recommend?

I don't know of any web GUI to modify POSIX ACLs; mostly people ssh
in and use getfacl/setfacl directly.

If you set the options:

"dos filemode = yes"
"inherit owner = yes"

and set the setgid bit on the share directory then this will
have a similar effect to Windows "group ownership" of files,
so users in the same group as the containing directory will
have access as though they were owners.
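
A way to check that a share matches the setup described in the message above, as an added example that is not part of the original post or of Samba itself. The share name, path and sample configuration are constructed, and the parser is a minimal one written for this check.

```python
import stat

# Options recommended in the message above; both default to "no" in smb.conf.
REQUIRED = ("dos filemode", "inherit owner")
TRUE_VALUES = {"yes", "true", "1"}

# Constructed sample configuration (share name and path are made up).
SAMPLE_CONF = """
[global]
    inherit owner = yes
[projects]
    path = /srv/projects
    dos filemode = yes
"""

def norm(name):
    """smb.conf names ignore case and internal whitespace."""
    return "".join(name.split()).lower()

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; no continuations or includes."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def audit_share(conf_text, share, dir_mode):
    """List what is missing on one share; dir_mode is os.stat(path).st_mode."""
    sections = parse_smb_conf(conf_text)
    params = sections.get(norm(share))
    if params is None:
        return [f"share [{share}] not found"]
    problems = []
    for option in REQUIRED:
        # A share parameter falls back to [global], then to the default (no).
        fallback = sections.get("global", {}).get(norm(option), "no")
        value = params.get(norm(option), fallback)
        if value.lower() not in TRUE_VALUES:
            problems.append(f"{option} = {value} (expected yes)")
    if not dir_mode & stat.S_ISGID:
        problems.append("setgid bit not set on share directory")
    return problems
```

On a real server, pass the contents of smb.conf and `os.stat(share_path).st_mode`; an empty list means both options are enabled and the directory carries the setgid bit.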

