[Samba] samba file server in active directory domain - manage acls

Mikael Kermorgant mikael.kermorgant at gmail.com
Fri Oct 17 10:57:14 GMT 2008


On Fri, Oct 17, 2008 at 12:56 PM, Mikael Kermorgant <
mikael.kermorgant at gmail.com> wrote:

>
>
> On Thu, Oct 16, 2008 at 7:45 PM, Sébastien Prud'homme <
> sebastien.prudhomme at gmail.com> wrote:
>
>> 2008/10/16 Mikael Kermorgant <mikael.kermorgant at gmail.com>:
>> > Hello,
>> >
>> > I'm considering moving our windows shares (2003 domain) to a samba
>> server,
>> > to improve performance, setup clustering and use scheduled lvm
>> snapshots.
>> > However, I've not clarified how our current security policy would be
>> applied
>> > on this server and like to ask you some things (sorry, I'm sure they
>> already
>> > have been posted but there is so much on this topic to read I prefer to
>> ask
>> > again)
>> >
>> > Currently, we manage security on our shares by :
>> > * giving full control to everybody at the "share" level
>> > * restricting rights at the "security" level
>> >
>> > By switching to samba, we face a set of challenges :
>> >
>> > * Changes to our security policy. We will have to manage security at the
>> > linux/samba level and this raises some questions:
>> > - is it still possible to keep the security management at the file level
>> (by
>> > giving full control at the share level and thus eliminating botherings
>> on
>> > this side) ? I know there are some limitations when mapping posix acls
>> to
>> > windows one but that might be acceptable.
>> >
>>
>> No problem if you edit Posix ACL directly. I advice not to use the
>> Security tab in Windows (when you right click on a file/directory and
>> change the Properties) to modify ACL.
>>
>> > - I've tried to manage posix acls on ext3 via konqueror which I could
>> find a
>> > good alternative to windows' gui but I'd prefer a web front end. Would
>> you
>> > have some nice web gui to recommend ?
>>
>> The only one i know is a Webmin module:
>> http://webmin-fsacls.sourceforge.net/en/index.html
>>
>>
Thanks for this info, I'll check how it works.

Regarding your advice not to use the security tab in windows, that's a
possibility I wasn't aware of. If I have understood how it works, you have
to mount the share under a specific letter (S: for example)  , and then you
can manage security from there. AS this would surely be the easiest solution
in our migration, could you please indicate what the drawbacks would be ?

Regards,

-- 
Mikael Kermorgant


More information about the samba mailing list