[Samba] require membership to two groups

Christ Schlacta lists at aarcane.org
Fri Dec 31 13:54:21 MST 2010


On 12/30/2010 20:49, Gary Dale wrote:
> On 30/12/10 03:56 PM, Christ Schlacta wrote:
>> I have some shares on a media server that are considered "Local, 
>> offline content", namely they should be accessible if the rest of the 
>> network is down, and each system has its own group of users who are 
>> allowed to maintain it.  The media servers in the living room are only 
>> for my wife and me, but each person can modify the one in their own 
>> bedroom and no one else's bedroom.  Furthermore, the users must be 
>> members of the group "Music" to be allowed to modify music, and the 
>> group "Videos" to be allowed to modify videos.  Currently my setup 
>> looks like this for rebirth:
>>
>> [videos]
>>         comment = Rebirth local Videos
>>         path = /media/local/videos
>>         write list = @rebirth
>>         force group = videos
>>         create mask = 0664
>>         force create mode = 0664
>>         directory mask = 0775
>>         force directory mode = 0775
>>
>> [music]
>>         comment = Rebirth local Music
>>         path = /media/local/music
>>         write list = @rebirth
>>         force group = music
>>         create mask = 0664
>>         force create mode = 0664
>>         directory mask = 0775
>>         force directory mode = 0775
>>
>> But my fear is that someone not in the music group will still be able 
>> to write to the shares.  Is there a way to make it explicitly require 
>> BOTH groups to allow writing?
>
> I'm not entirely sure what you are trying to do, let alone why it is a 
> problem. Since you are sharing files 
I want to require a user to be a member of TWO groups to add or modify 
files in a share.  The user MUST be a member of the groups "rebirth" and 
"videos" to be able to write to the directory "videos" on the server 
"rebirth".  If they're only in one or the other I don't want them to be 
able to add files (I'd like to make it so they can't even read files if 
they're not in both groups, but that's nowhere near as important).
> via Samba, why are you using group access instead of user access 
> rights? Why aren't you simply using user accounts to control access 
> the way CIFS usually does it?
I can't add permissions for each user the way CIFS wants it because I 
don't have ACLs.  I want to be able to add a user to a group and voila, 
they have group permissions to the group's resources.
> Ignore the ZFS problems. If user A is in Music, then they have write 
> access to the music share. If they are not then they have read access. 
> Forcing the group simply overrides the whole point of having a group 
> in the first place.
>
Forcing the group is also common here because each share has permissions 
enforced on a per-group basis.  Files in the www share can be modified 
by anyone in the www group, files in the dump share can be modified by 
anyone in the dump group, etc.  I use filesystem "sticky group" 
permissions to help enforce permissions, but without proper ACL support, 
forcing g=rwX is difficult without using the Samba force group and create 
mask options.
> You can set Guest OK to yes to give the world read access, or you can 
> set a Read list in addition to the Write list.
Can I specify "no one can read UNLESS they're in this group"?
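As an added example (not a reply from the thread, and not the poster's own configuration), here is one way the two-group requirement can be expressed in smb.conf by combining a Samba-level check with a filesystem-level one. It keeps the share and group names from the thread and assumes /media/local/videos on disk is owned by root:videos with mode 2775 (setgid so subdirectories keep the videos group); those ownership and mode values are assumptions, not something the thread states. The key detail is the leading "+" on "force group", which the smb.conf manual documents as meaning the group is only forced for users who are already members of it:

```ini
; Added example, not part of the original thread.
; Requires membership in BOTH "rebirth" (enforced by Samba) and
; "videos" (enforced by the Unix permissions on the directory).
; Assumes: /media/local/videos is owned by root:videos, mode 2775.
[videos]
        comment = Rebirth local Videos
        path = /media/local/videos
        ; Samba level: users outside @rebirth cannot connect to the share
        ; at all, so they cannot read it either.
        valid users = @rebirth
        ; Samba level: writes additionally require @rebirth membership
        ; (redundant with valid users here, kept for clarity).
        write list = @rebirth
        ; Filesystem level: the '+' means only users who are ALREADY in
        ; "videos" get their primary group switched to videos. Anyone else
        ; keeps their own primary group, so a directory owned by group
        ; videos with mode 2775 refuses their writes.
        force group = +videos
        create mask = 0664
        force create mode = 0664
        directory mask = 0775
        force directory mode = 0775
```

A user in rebirth but not in videos can connect and read (the directory grants read to "other") but gets permission denied on write; a user in videos but not in rebirth is refused at connection time by `valid users`. If reading should also require videos membership, drop the "other" bits on disk (mode 2770 instead of 2775), at the cost of local users outside videos losing read access too. After editing, run `testparm -s` to confirm Samba parses the share as intended, and check a test account's groups with `id -nG <user>` before trying a write over the share.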


