[Samba] Help pls. -- Samba permission question

Gary Dale garydale at torfree.net
Wed Dec 12 21:30:26 MST 2012


On 12/12/12 08:01 PM, J Gao wrote:
> On 12-12-12 03:02 PM, Gary Dale wrote:
>> On 12/12/12 05:18 PM, J Gao wrote:
>>> On 12-12-12 12:52 PM, Gary Dale wrote:
>>>> On 12/12/12 02:07 PM, J Gao wrote:
>>>>> Thank you Gary for the help.
>>>>>
>>>>>
>>>>> On 12-12-12 09:45 AM, Gary Dale wrote:
>>>>>> If you want the CIFS permissions to be set correctly, use the
>>>>>> Samba/CIFS tools to set them (i.e. set them from the client. Don't
>>>>>> set them using Unix permissions on the server).
>>>>>
>>>>> I don't know if I'm doing it correctly. I'm using a bash script to help
>>>>> the user mount the CIFS share like this:
>>>>>
>>>>> sudo mount.cifs //fileserver/management/ ${HOME}/fileserver/management -o user=${USER},password=$userPass,uid=$UID,rw,mand
>>>>>
>>>>> Could you give me an example on using Samba/CIFS tools?
>>>> That line mounts the share using the credentials you gave it but that
>>>> doesn't set the permissions. If you right-click on the share's folder,
>>>> you should be able to set the CIFS permissions.
>>>>
>>>>
>>>
>>> OK, right-click in Nautilus works. But how can I set this up by
>>> default? I mean, once the share is mounted, it will set the correct
>>> permission to 770 if the user copies files on the share?
>>>
>>> I read man page for the cifs.mount but I couldn't figure it out myself.
>>>
>>> Here is more info:
>>> 1. The management group has gid=1018 on the server.
>>> 2. Once the share is mounted on the Ubuntu client, the share's group ID
>>> is set to numeric 1018. (there isn't a local gid 1018)
>>> 3. When I copy a file, for example:
>>> -rwxr--r--  1 gao gao    14429 Nov 20 09:56 test
>>> to the mounted share, the permission appears to be:
>>> -rwxrwxr--  1 gao 1018      14429 Nov 20 09:56 test
>>> And I check it on the Samba server:
>>> -rwxrwxr--  1 gao management      14429 Nov 20 09:56 test
>>> So the permission changed to 774, not 770. I think somehow it combined
>>> the permission here.
>>> Just like you said, I can change it to 770 from the right-click. But I
>>> prefer to do it automatically.
>>>
>>> Please help.
>>>
>>> Thanks a lot.
>>>
>>> Gao
>>
>> If you have the domain created correctly, the Samba database keeps the
>> CIFS permissions. The Unix permissions aren't needed. Keep in mind that
>> the two sets of permissions are distinct. If you set the CIFS
>> permissions they are remembered. Checking the Unix permissions to see
>> what the CIFS permissions are doesn't work.
>>
>> Having a Unix group called management isn't helpful unless it maps to a
>> CIFS group. For example, most Samba users map the CIFS "Domain Users" to
>> the Unix "users". This is in the Samba documentation. The 1018 simply
>> shows that there is no CIFS group recognized for 1018 (don't forget, you
>> are forcing the group - probably not what you really want to do).
>>
>> You really want to set up a CIFS group called management and add CIFS
>> users to it.
>>
>> Samba maps CIFS users to Unix users if the name is the same.
>>
>> Have you tried using SWAT to manage your users and shares? It makes
>> things easier if you don't have a Windows client to work from.
>>
>>
>
> Looks like I need more reading. I googled for "CIFS group" and got
> lots of Oracle/Solaris but not much for Linux. When you say "CIFS group",
> do you mean a local group on the client PC?
>
> Also I quickly installed SWAT and I can't find anything about CIFS group.
>
> Gao

That's a Windows Domain group in M$ parlance. The group is recognized on 
the member server because it comes from the Domain. That's why I used 
the example of "Domain Users" as a CIFS group, as distinct from the Unix 
group "users".

Windows provides graphical tools for managing groups and users on the 
Domain Controller, but you can also do it from the command line in 
Linux. Something like net rpc group ADD <groupname> should work.

Once the group is created, you can populate it with users.

The essential point is that the Windows Domain model is different from 
the Unix security model. When you are using Samba, use Samba and the 
Windows way of handling things. Don't try to use Unix tools. You're not 
in Unix-land anymore.
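
The net rpc group steps from the reply above (create the group, then populate it), as an added example that is not part of the original messages. The admin account "administrator", the member "gao" used when calling it, and the DRY_RUN switch are assumptions; "fileserver" and "management" are reused from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: domain group setup with `net rpc group`.
# Assumed values: admin account "administrator"; server "fileserver" and
# group "management" are reused from the messages above.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 runs it on the server.
DRY_RUN="${DRY_RUN:-1}"
SERVER="${SERVER:-fileserver}"
ADMIN="${ADMIN:-administrator}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only plain names, so a value can never be parsed by net as an
# option and cannot carry shell metacharacters.
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# -U is given without a password, so net prompts for it and the secret
# does not appear in the process list or in the script.
net_group() {
    run net rpc group "$@" -S "$SERVER" -U "$ADMIN"
}

create_group() {
    valid_name "$1" || { echo "bad group name: $1" >&2; return 2; }
    net_group add "$1"
}

add_member() {
    valid_name "$1" && valid_name "$2" || { echo "bad name" >&2; return 2; }
    net_group addmem "$1" "$2"
}

list_members() {
    valid_name "$1" || return 2
    net_group members "$1"
}
```

Call create_group management, then add_member management gao, then list_members management to confirm the result.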

