Date: Fri, 06 Apr 2007 12:12:55 +0100
From: Gary <gary@mups.co.uk>
To: freebsd-questions@freebsd.org
Subject: Samba and XP permissions management
Message-ID: <op.tqcz3tllnsa3lq@babylon2>

Hi,

I've set up samba3 in FreeBSD with a "Stuff" share under the user/group "bob/bob" with permission 770. I've also added an ACL to this dir to allow "joe" r-x access to the directory, as well as ensuring the default ACL is nothing more than rwx for user/group.

So far the ACLs in unix work and access appears to be correct when connecting from XP to the samba share.

When I create a folder in "holidayphotos" as user "bob" from XP in the share, the "holidayphotos" dir has the default permissions

    drwxrwx---+ gary gary holidayphotos

with the ACL being the defaults previously set. This is as expected based on the ACL and smb.conf setup.

Now I want to allow "joe" to have read/execute access to the holidayphotos directory. I could do this by logging into the server and using

    setfacl -m u:joe:rx holidayphotos

However, I want to instead be able to simply right-click the folder at the time I created it in XP, select Properties, go to the Security tab, click Add (or go via Advanced) and then add "joe" to the permissions list.

The problem I'm facing is that "check names" will not accept joe as a valid name. The only way I've been able to do this is to add to the share config in smb.conf

    admin users = bob

Is there any way to allow bob to add new permissions without this? Without it, bob can only change existing permissions.

The reason I'd like to avoid this is that now when I create files, they're defaulted to "root:bob", which means I now also have to set "inherit owner = yes" to ensure new files I create are assigned to "bob:bob". This has the side effect that should any other users create files in subfolders, those files are also auto-switched to "bob:bob".

However, the biggest reason is that if joe creates (or has a folder created for him) called joes-photos and joe wishes to allow "mandy" access to view the directory contents, he is unable to add mandy due to the above check names problem. He would also now have to be an admin of the share, which isn't going to happen.

From what I can tell, my options are to always admin ACL permissions via ssh, or not allow users to create folders outside of shares they're admins of, which although possible may be a little more inconvenient.

Any alternatives or a config option I've missed?

One other quick question regarding ACL. If I create a directory with

    root:wheel rwxr-x--- testing

is there any way to add a user "bob" with rwx permissions to the ACL of that directory without the wheel group having to change to rwx to prevent "bob" getting an effective "r-x" permission? Currently I'm using a dummy group with rwx by default to avoid this.

Thanks,
Gary
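
The mask behaviour raised in the last question, as an added example that is not part of the original message: a small Python model of the POSIX.1e access check over getfacl-style entries, showing how the mask entry caps a named user while the owning group's own entry stays separate. The two ACL texts and the user "alice" are constructed for illustration, and the function names are hypothetical.

```python
# Added example: model of the POSIX.1e access check. ACL texts are constructed.
BITS = {"r": 4, "w": 2, "x": 1}

def bits(perms):
    return sum(BITS[c] for c in perms if c in BITS)

def parse_acl(text):
    """Parse getfacl-style 'tag:qualifier:perms' lines into a dict."""
    acl = {"user": {}, "group": {}, "mask": None, "other": 0}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments such as '# file:'
        if not line:
            continue
        tag, qualifier, perms = line.split(":")[:3]
        if tag in ("user", "group"):
            acl[tag][qualifier] = bits(perms)
        else:                                   # 'mask' or 'other'
            acl[tag] = bits(perms)
    return acl

def allowed(acl, owner, owning_group, user, groups, want):
    """True if `user` (member of `groups`) is granted all of `want`.
    Superuser override is not modelled."""
    want = bits(want)
    mask = 7 if acl["mask"] is None else acl["mask"]
    if user == owner:                           # user:: is never masked
        return (acl["user"][""] & want) == want
    if user in acl["user"]:                     # named user entry, capped by mask
        return (acl["user"][user] & mask & want) == want
    # group:: (empty qualifier) is the owning group; every group entry is masked
    matching = [p for g, p in acl["group"].items() if (g or owning_group) in groups]
    if matching:
        return any((p & mask & want) == want for p in matching)
    return (acl["other"] & want) == want

# Constructed ACLs for a directory owned by root:wheel, as in the question.
MASK_RX = """user::rwx
user:bob:rwx
group::r-x
mask::r-x
other::---"""
MASK_RWX = MASK_RX.replace("mask::r-x", "mask::rwx")

if __name__ == "__main__":
    for name, text in (("mask r-x", MASK_RX), ("mask rwx", MASK_RWX)):
        acl = parse_acl(text)
        print(name,
              "| bob rwx:", allowed(acl, "root", "wheel", "bob", {"bob"}, "rwx"),
              "| wheel member w:", allowed(acl, "root", "wheel", "alice", {"wheel"}, "w"))
```

Once an ACL carries a mask entry, the group column shown by ls -l reflects the mask rather than the group:: entry, so getfacl is the place to read what the owning group actually holds.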