[Samba] Samba vs Linux file permissions

Robert W. Smith rwsmith at bislink.net
Fri Jun 3 10:24:52 MDT 2011


John,

Yes, I agree that you should not install from source--I meant to imply
if you could get a deb package for your Ubuntu Server 10.10. 

I did not enable ACLs and User Extended Attributes until I installed the
first iteration of the Samba 3.5 branch on my Fedora 13 server (I'm
about to upgrade to Fedora 15) so I am not sure what issues you might
have using Samba 3.4.7.

Using the User Extended Attributes is convenient for two purposes: 
1) it allows Samba to store the DOS Attributes (ReadOnly, Archive,
Hidden, and I think a few others) in a separate xattr. This frees you
from having to manage these attributes using the Linux permission bits. 
2) It allows Samba to store the full NT ACLs as an xattr. The initial NT
ACLs will be based on the POSIX ACLs which should also be enabled.

You can enable ACLs and User Extended Attributes on a share-by-share
basis. I would start off by creating a test volume (if you can carve one
out of your LVM) and creating a test share with it in Samba. For
example, here is my configuration for a group share:

[Shared]
        comment = Public Share on %h
        path = /home/shared
        valid users = +domadmins, +domusers, +domguests
        write list = +domadmins, +domusers
        force group = domusers
;       create mask = 0664
;       force create mode = 0660
;       directory mask = 0002
;       force directory mode = 0770
        inherit permissions = yes
        inherit acls = yes
        map acl inherit = yes
        acl group control = yes
        ea support = yes
        vfs object = acl_xattr recycle
        store dos attributes = yes
        map archive = no
        map hidden = no
        map system = no
        map readonly = no

The mount configuration in /etc/fstab is:

/dev/mapper/vg1-home	/home	ext3	defaults,acl,user_xattr	1 2

And the POSIX ACLs on /home/shared:

# getfacl shared
# file: shared
# owner: root
# group: users
# flags: -s-
user::rwx
group::rwx
group:users:rwx
group:domadmins:rwx
group:domusers:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:users:rwx
default:group:domadmins:rwx
default:group:domusers:rwx
default:mask::rwx
default:other::---

I like the fact that I no longer have to give the Linux Other group any
permission whatsoever even for my public shared group.

There is a lot here that you will need to bone up on, but give it a try
and let us know if you run into any problems.

Good luck,
Bob
--bs

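As an added example (not code from Bob's or John's messages), the script below checks the properties Bob's share relies on: the filesystem is mounted with both acl and user_xattr, "other" gets nothing, the ACL mask does not silently trim the group entries, and a default ACL exists so new files and directories inherit the same entries. The getfacl text and fstab line embedded in it are constructed copies of the ones shown above; the function names are my own.

```python
"""Audit POSIX ACLs and mount options for a Samba share directory.

Added example for this thread, not from the original posts. It parses
getfacl(1) output and an /etc/fstab line of the kind shown above and reports
anything that would undermine the "nothing for other, everything via ACLs"
setup described in the post.
"""

# Constructed sample input, copied in shape from the thread (not live data).
GETFACL_OUTPUT = """\
# file: shared
# owner: root
# group: users
# flags: -s-
user::rwx
group::rwx
group:users:rwx
group:domadmins:rwx
group:domusers:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:users:rwx
default:group:domadmins:rwx
default:group:domusers:rwx
default:mask::rwx
default:other::---
"""

FSTAB_LINE = "/dev/mapper/vg1-home\t/home\text3\tdefaults,acl,user_xattr\t1 2"

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_to_int(perm):
    """'rwx' -> 7, 'r--' -> 4, '---' -> 0."""
    return sum(PERM_BITS[c] for c in perm if c in PERM_BITS)


def parse_getfacl(text):
    """Return (access, default) lists of (tag, qualifier, perm_bits).

    Entry syntax is [default:]tag:qualifier:perms as printed by getfacl(1).
    Comment lines (# file/# owner/# group/# flags) are skipped, and a trailing
    "#effective:..." annotation (printed when the mask trims an entry) is
    dropped so that the requested permissions are what gets recorded.
    """
    access, default = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        tag, qualifier, perm = line.split(":", 2)
        perm = perm.split("#")[0].strip()
        entry = (tag, qualifier, perm_to_int(perm))
        (default if is_default else access).append(entry)
    return access, default


def effective_perms(entries):
    """Map 'tag:qualifier' -> permission bits after the ACL mask is applied.

    The mask caps named users, named groups and the owning group (group::);
    the owner (user::) and other:: are never masked.
    """
    mask = next((p for t, q, p in entries if t == "mask"), 7)
    eff = {}
    for tag, qual, perm in entries:
        if tag == "mask":
            continue
        masked = tag == "group" or (tag == "user" and qual != "")
        eff[f"{tag}:{qual}"] = perm & mask if masked else perm
    return eff


def fstab_has_acl_support(line):
    """True when the fstab entry's option field names both acl and user_xattr."""
    fields = line.split()
    opts = set(fields[3].split(","))
    return {"acl", "user_xattr"} <= opts


def audit_share_acl(getfacl_text, fstab_line):
    """Return a list of findings; an empty list means the share looks right."""
    findings = []
    if not fstab_has_acl_support(fstab_line):
        findings.append("filesystem not mounted with acl,user_xattr")
    access, default = parse_getfacl(getfacl_text)
    eff = effective_perms(access)
    if eff.get("other:", 0) != 0:
        findings.append("other:: grants permissions on the share root")
    mask = next((p for t, q, p in access if t == "mask"), 7)
    for tag, qual, perm in access:
        masked = tag == "group" or (tag == "user" and qual != "")
        if masked and perm & mask != perm:
            findings.append(f"mask trims {tag}:{qual} from {perm} to {perm & mask}")
    if not default:
        findings.append("no default ACL: new files will not inherit the entries")
    elif any(t == "other" and p != 0 for t, q, p in default):
        findings.append("default ACL grants other:: permissions on new files")
    return findings


if __name__ == "__main__":
    for finding in audit_share_acl(GETFACL_OUTPUT, FSTAB_LINE) or ["ok"]:
        print(finding)
```

To run it against a live share, replace the embedded strings with `getfacl /home/shared` output and the matching line from /etc/fstab; a non-empty list is the thing to fix before handing the share to Windows clients.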

On Thu, 2011-06-02 at 10:36 -0400, John Maher wrote:
John Maher john at chem.umass.edu 
Fri Jun 3 09:37:14 MDT 2011 


>> And, is /lab/chemgroup a local disk volume or a remote NFS volume?
>> Doing a double mount SMB --> NFS --> Local Vol is not recommended owing
>> to the way NFS itself handles permissions.

>Bob, I forgot to respond to this part. No, I'm not using NFS. That mount
>point is an LVM logical volume on a single RAID5 array.

>> 
>> Also I would recommend that you consider upgrading to the latest 3.5.X
>> branch of Samba and consider enabling ACLs and extended User Attributes
>> on the underlying volumes. Although adding Posix ACLs does add
>> complexity to the mix, in the end you get a more secure environment and
>> fewer Windows-to-Linux permission problems and confusion.
>
>There's resistance in my department to install applications using source
>rather than Ubuntu packages. For now, I need to stick with the version
>we have unless it becomes clear that the version change would make the
>difference.
>
>I've been wondering about extended User Attributes and whether or not
>they are worth the effort.  It sounds like you believe they are worth
>it.  I'll look into it. Thanks.
>
>John
