[Samba] Can't get 'dos filemode' to work as expected

Felix Brack fb at ltec.ch
Mon Apr 4 11:06:49 MDT 2011 

On 04.04.2011 18:25, Chris Smith wrote:
> On Mon, Apr 4, 2011 at 11:41 AM, Felix Brack<fb at ltec.ch>  wrote:
>> # file: test-file
>> # owner: root
>> # group: root
>> user::rwx
>> group::rwx                      #effective:r--
>> group:Development:rwx           #effective:r--
>> mask::r--
>> other::---
>
> That's the same thing you would get if were logged into the system as
> root and created the file. So it is an ACL issue.
>
>> # file: test-file
>> # owner: root
>> # group: root
>> user::rwx
>> group::rwx
>> group:Development:rwx
>> mask::rwx
>> other::---
>>
>> At least now , If I am member of supplementary group 'Development', I should
>> have the same rights in directory 'test-directory' as if this was owned by
>> me (felix), right?
>
> I would think so.
>
> I don't know entirely what you want to accompplish, but it may be better to:
> chgrp -R Development test-directory
>
What I am trying to accomplish is pretty simple: assigning access rights 
to one ore more groups instead user(s).

Therefore changing the group with chgrp to 'Development' is most 
definitely not what I want: what if there is more then one group? This 
is what ACLs are used for: giving additional groups and users special 
rights to access files. Moreover changing the group does not work, only 
changing the owner (I already tried that). This is in fact what the 
problem is all about. To put it simple: samba only seems to care about 
the _user_ connecting to the share and ignores any other rights for that 
user that might be assigned to him or her by means of group membership 
(normal or defined by ACLs).

> And eliminate:
> force group = Development
> invalid users = root administrator
> from the share.
> While adding:
> valid users = +Development (and any other groups you want have access)
>
Eliminating 'force group' is not a good idea (for now) since it tells 
smbd that connections should be established using group 'Development'. 
It has nothing to do with access rights and I use it just as safety 
precaution to make sure my client does not get connect as member of 
group 'Domain Users'; if this would really happen I (or samba) could 
have serious problems accessing the share.

> The -s- flag will propagate new files and directories with the
> Development group.
>
> Basically a performance issue. See the section "Override controls" in:
> http://samba.org/samba/docs/man/Samba-Guide/kerberos.html#id2613307
>
Agreed. As soon as everything is working I will try to remove 'force 
group' and look if samba accesses the share with access rights defined 
for group 'Development' instead of group 'Domain Users'.

Felix

More information about the samba mailing list