LinuxQuestions.org
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Old 07-18-2003, 08:04 PM   #1
gsmonk
Member
 
Registered: Nov 2002
Distribution: RedHat 9
Posts: 78

Rep: Reputation: 15
Folder/File Permissions Question?


I know this is possible but I don't know how to do it. I have a Samba network share that is open to all internal lan users. I set permissions on the folder 2770, meaning the user: "admin" and group: "users" have read, write, and list permissions and that files within the folder will inherit the group ("other" have no permissions).

My issue is that an internal lan user created a folder and its permissions are set as follows: 2755; the user is the one who created it (not user: "admin"), with read, write, and list permissions. And the group is "users" with read and list permissions. And "other" is set for read and list as well.

What I need is to set, regardless of who created it, the contents of all folders and files created with the shared folder to be set for 2770 and the user set as "admin" and the group set as "users" with full read, write, and list permissions. And also no permissions for "others".

Your help will be greatly appreciated.

Thanks,

Greg

Last edited by gsmonk; 07-18-2003 at 08:13 PM.
 
Old 07-18-2003, 09:08 PM   #2
bentz
Member
 
Registered: Mar 2003
Distribution: Fedora, Mac OSX
Posts: 362

Rep: Reputation: 30
You're looking for these parameters that are set in the smb.conf file on a per-share basis:

create mask = 2770
force user = admin
force group = users

Check out 'man smb.conf' for more info.
 
Old 07-18-2003, 11:04 PM   #3
gsmonk
Member
 
Registered: Nov 2002
Distribution: RedHat 9
Posts: 78

Original Poster
Rep: Reputation: 15
Bentz,

Thanks for the help. This folder is /home/netstorage (the name netstorage has no username or group associated with it). The user and group are root. I did a standard samba share, which I believe is 755. The way I designed it was no-one could create a folder or file in this directory (it's kinda like my root directory for our main network share) except for root. In the directory I created "docs", "datastore", and "downloads" folders (examples). For those folders I set the user: "admin" and group: "users" at 2770, thru the filesystem. The main goal for it was so it would show up as one network share or one windows mapped drive. If I set up individual shares for those folders, would it not show up as separate network shares and consequently multiple mapped drives on windows clients? Your post is a great help but can this not be done without having multiple samba shares for the above folders? Or is it possible to set the permissions in samba on an absolute path name like /home/netstorage/docs, for example? Or do I have to look at another means?

Help, advice, and tips would be great. I also guess that I'm confused on where Samba permissions start and when the local filesystem permissions end, or vice versa.

Thanks,

Greg

Last edited by gsmonk; 07-18-2003 at 11:08 PM.
 
Old 07-18-2003, 11:47 PM   #4
gsmonk
Member
 
Registered: Nov 2002
Distribution: RedHat 9
Posts: 78

Original Poster
Rep: Reputation: 15
Important. I forgot to mention on a couple of folders in that directory I have different groups assigned to it. Like: A folder called "managment" would be uid: admin, gid: management; with 2770. Another folder called "sales" with uid: admin and gid: sales; with 2770.

Thanks again,

Greg
 
Old 07-19-2003, 12:12 AM   #5
gsmonk
Member
 
Registered: Nov 2002
Distribution: RedHat 9
Posts: 78

Original Poster
Rep: Reputation: 15
Now, I'm wondering if I am going about all this in the wrong way. Should I just set up each folder that belongs to a different group id as a separate share? The only problem I see with this is if a user belongs to five different groups, he is going to have five different mapped drives in windows. How is this usually done? I see this being a bitch for logon scripts.

Thanks,

Greg
 
Old 07-19-2003, 09:15 AM   #6
bentz
Member
 
Registered: Mar 2003
Distribution: Fedora, Mac OSX
Posts: 362

Rep: Reputation: 30
I think the problem you're experiencing is that NT supports ACLs (Access Control Lists) on the file system, while UNIX only supports Owner, Group and Other permissions. This is something you have to plan to work around while you design your structure.

If your Windows clients are authenticating against an NT or Samba Domain Controller, you can set up the root folder (where the share is) to be global-writable. I know this sounds initially like a security risk, but if your Windows clients are authenticating against a domain controller, then a user can gain access to this global-writable location only after being properly authenticated, so this is not 'Guest' or 'anonymous' access. You still need to be mindful of other services running on the machine (FTP, shell logins, NFS) where global-writable permissions can be utilized by non-samba clients.

Remember, you have control over the UNIX permissions at the share level. This permission cannot be overwritten by virtue of the client's creation of a folder or file.

What the clients have control over, however, is the creation of new folders or directories but you ultimately dictate the UNIX permissions that are applied when a client creates a file using the force user, force group, and create mode settings on the share. It's important to note that these parameters really only apply to the creation of new files, which, if I understand your messages correctly, is what you are trying to control.

I think your approach for avoiding separate shares is best. Yes, separate drive mappings for a million shares are a bitch, especially when Microsoft uses letters of the alphabet to mount disk resources. I'm hoping that you can get away with setting granular permissions differently throughout the directory structure to accomplish the effect that you are looking for.

I also want to mention that if you are a member of an NT domain where your clients are authenticating against a single account, you'll want to look into Winbindd if you are not using it already. Winbindd allows you to assign local domain-based-groups to the UNIX filesystem just like they were actually in /etc/passwd or /etc/group.

Good luck!
 
Old 07-19-2003, 02:04 PM   #7
gsmonk
Member
 
Registered: Nov 2002
Distribution: RedHat 9
Posts: 78

Original Poster
Rep: Reputation: 15
It all seems to be working well, except for the user is still being set as the user who created it. It seems to be ignoring the force user = admin statement under the particular share statement.

Greg

Last edited by gsmonk; 07-19-2003 at 02:06 PM.
 
Old 07-19-2003, 05:48 PM   #8
gsmonk
Member
 
Registered: Nov 2002
Distribution: RedHat 9
Posts: 78

Original Poster
Rep: Reputation: 15
I got it working, I forgot to restart samba.

Thanks for the help.

Greg
 
Old 07-20-2003, 03:08 AM   #9
gsmonk
Member
 
Registered: Nov 2002
Distribution: RedHat 9
Posts: 78

Original Poster
Rep: Reputation: 15
I am just curious, regarding Samba. What are the differences between: "force directory mode" and "directory mode"? And "force create mode" and "create mode"? Don't they do the same thing, or is there something I'm missing?

Thanks

Greg
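
Added example, not part of any post in this thread: shell code that applies the mask and force arithmetic documented in smb.conf(5) to the parameters named in posts #6 and #9 (create mask/create mode, directory mask/directory mode and their force counterparts), plus a find-based check for entries that still grant access to "other". FILE_BASE, DIR_BASE and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Models the arithmetic in smb.conf(5):
#   new file mode      = (base & "create mask")    | "force create mode"
#   new directory mode = (base & "directory mask") | "force directory mode"
# "create mode" and "directory mode" are synonyms for the two masks.

# Assumed starting modes before masking; the real values depend on the
# Samba version and on the DOS-attribute mapping options in use.
FILE_BASE=0766
DIR_BASE=0777

# effective_mode BASE MASK FORCE -> 4-digit octal result (arguments are octal).
effective_mode() {
    printf '%04o\n' $(( (0$1 & 0$2) | 0$3 ))
}

# share_modes CREATE_MASK FORCE_CREATE DIR_MASK FORCE_DIR -> "file=MODE dir=MODE"
share_modes() {
    printf 'file=%s dir=%s\n' \
        "$(effective_mode "$FILE_BASE" "$1" "$2")" \
        "$(effective_mode "$DIR_BASE" "$3" "$4")"
}

# audit_other DIR -> sorted list of entries under DIR (symlinks skipped) that
# still grant read, write or execute to "other"; prints nothing when clean.
audit_other() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Documented defaults (create mask 0744, directory mask 0755, no force bits):
share_modes 0744 0000 0755 0000      # file=0744 dir=0755
# Only "create mask = 2770" set; directories still go through the default mask:
share_modes 2770 0000 0755 0000      # file=0760 dir=0755
# Masks and force modes set for both files and directories:
share_modes 0660 0660 2770 2770      # file=0660 dir=2770
```

On Linux a directory created inside a setgid directory inherits the setgid bit from its parent, which is why a 0755 result appears on disk as 2755 under a 2770 folder. Running audit_other against the share root after a configuration change lists anything that is still readable or traversable by "other".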
 
  

