[Samba] Basic questions about share permissions

[Terry Phelps]

I'm implementing a Samba 3.5.4 server, and have some basic questions
about controlling share-level permissions. To let you know my level of
knowledge, I'm a pretty good Linux admin, and can do basic Windows
domain admin work.

My goal is fairly simple: I need several shares that will be used by
Windows users to send and get files from a Unix process. One share
would do it, except that I need different security on different
directories. I have the shares all created and in use, but I have NO
security on any of them, yet. The configuration of each one is the
same. Here's a sample:

[TEST]
        path = /xxx/test
        read only = No
        force group = user1
        force create mode = 060

My basic question is: Given that I'd be happy with simply creating a
Windows group for each share, and giving full read/write access to the
group associated with each share, what's the best practice for doing
this?

>From my reading (chapter16 of the Samba HOWTO), it appears that one
way is just to say:
    valid users = domain\group1
in the smb.conf for each share. Is this NOT a perfectly good way to do
it? Any reason why I might not want to do it?

>From reading the HOWTO, and expermenting, it looks like I can assign
permissions from a Windows client, by right-clicking the share, select
properties, going to the security tab, and adding permissions, just
like it was a real Windows server. This appears to work, but I haven't
tested it much, and I'm concerned because I can't figure out where
Samba is storing the permission changes I'm making. None of the TDB
files seem to change when I fiddle with the permissions, and I think
Samba must be storing these changes SOMEWHERE.

So, question 2 is: Can I indeed assign permissions from a Windows
client, without doing anything at all in smb.conf? if so, can you
point me to docs that explain how this works?