LinuxQuestions.org


gankoji 09-19-2011 06:27 PM

Slackware Samba Server + Windows Network Permissions Issues
 
Hello all! Been a while since I've posted here, but I figured where better to go with a question like this?

Anyhow, please excuse my thread if it turns out to be a duplicate, I only searched briefly on the topic. My current situation is this: I have an HP server running Slackware 12.1 dedicated to only file serving at the moment. All machines on my small network (only 1 8-port switch so far) have access, with the right user credentials. Connectivity and file sharing with the Windows boxes is done by Samba, and it works out pretty well. The problem is, anytime one user creates a new directory in the Samba share, all other users are prevented write access to the directory until I go and manually reset the permissions on the server, even if they're part of the same group as the creator. Since the network is small and we don't have a large number of folks accessing the share, I generally leave the permissions set to 755.

I'm guessing that maybe there's a config option in Samba that could fix this by giving new default permissions for file creation, but it led me to a bigger question. For flexibility as the company (hopefully) grows, would it be better now to implement some sort of LDAP to aid in keeping Windows user/group permissions in line with the Samba permissions? Or, if I can change the default mask in Samba, would that be easier to do given that I may need to expand the network to more than just two groups later?

As it stands now I'm pretty unclear on what software could accomplish what I'm looking for: for users of the same group on the Windows network, file sharing with default permissions to allow the group to access whatever files or directories are created, and the ability to separate users' and groups' access to the different shares on the Samba server. It's very possible that the problem here has something to do with the Windows boxes on the network, but I'm taking a stab in the dark here hoping that one of you will have some insight to help me plan this thing out. I look forward to your responses. Thanks!

mrmnemo 09-19-2011 07:10 PM

If I am understanding you correctly, you may need to force perms on the directory / file. So, maybe something like:
Code:

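    # goes under the share's own [section] header in smb.conf
    comment = Your office Share
    path = /media/shares/uploads
    writeable = yes
    # new files: at most read/write for owner and group, nothing for others
    create mask = 0660
    # new directories: same bits, so no execute (search) bit is set
    directory mode = 0660
    # files and directories created through the share get this group
    force group = samba_wrkgrp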

I believe you can set lock files as well. Google might show more on that. Either way, the above should force read/write for any file placed in uploads. I don't know if you want execute for everyone. The trick will be setting up where you want your users uploading to. Might check into something like LDAP for setting all that up. Not sure if your share is workgroup based or a lil bit more involved. Hope this helps.

gankoji 09-20-2011 12:08 PM

The shares are workgroup based. I only have one workgroup with one samba server. The config options you mentioned above, are those for the smb.conf? I might give that a go. What would I use LDAP for? I mean I've heard a few people suggest it but I've never used it and don't really know what sort of benefit it might have for all the work.

mrmnemo 09-20-2011 03:12 PM

LDAP could force some defaults on some share locations, bookmarks, workspace settings, etc.

Yeah, the above would typically be found at the tail of the smb.conf. I think what's important to consider is that what I posted is an example. You're only going to need to add:
create mask = 0660
directory mode = 0660
force group = samba_wrkgrp

Anyway, let me know how it plays out. The above is just going to create and enforce permissions for read/write only, without any execute bit set. It should work as long as everyone that tries to modify the file is a member of samba_wrkgrp. Now, you can create any group you want, I only use samba_wrkgrp for reference.

Hope this helps!
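
Added example (not part of the thread and not any poster's code): a Python audit of the modes Samba gives newly created files and directories, using the documented rule that the mapped mode is ANDed with create mask / directory mask ("directory mode" is a synonym) and ORed with the force modes. The section names and the 0770 variant are assumptions; the 0666/0777 starting modes are a simplification that ignores DOS attribute mapping and inherited permissions.

```python
import configparser

# Constructed sample: the thread's settings under a hypothetical [uploads]
# name, an assumed 0770 variant, and a share that sets no masks at all.
SAMPLE_CONF = """
[uploads]
create mask = 0660
directory mode = 0660
force group = samba_wrkgrp
[uploads_alt]
create mask = 0660
directory mask = 0770
[defaults_only]
writeable = yes
"""

# Documented smb.conf defaults, and the synonyms used in the thread.
DEFAULTS = {"create mask": 0o744, "directory mask": 0o755,
            "force create mode": 0, "force directory mode": 0}
SYNONYMS = {"create mode": "create mask", "directory mode": "directory mask"}

def effective_modes(share):
    """Return (file_mode, dir_mode) for objects newly created in a share."""
    p = dict(DEFAULTS)
    for key, value in share.items():
        key = SYNONYMS.get(key, key)
        if key in p:
            p[key] = int(value, 8)
    # Simplified: base 0666 / 0777, AND with the mask, OR with the force mode.
    file_mode = (0o666 & p["create mask"]) | p["force create mode"]
    dir_mode = (0o777 & p["directory mask"]) | p["force directory mode"]
    return file_mode, dir_mode

def group_findings(share):
    """List what the owning group cannot do, plus any access for 'other'."""
    file_mode, dir_mode = effective_modes(share)
    findings = []
    if (file_mode & 0o060) != 0o060:
        findings.append("group cannot read+write new files (%04o)" % file_mode)
    if (dir_mode & 0o070) != 0o070:
        findings.append("group cannot write+enter new directories (%04o)" % dir_mode)
    if (file_mode | dir_mode) & 0o007:
        findings.append("new objects are accessible to 'other'")
    return findings

def audit(conf_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {name: group_findings(cp[name]) for name in cp.sections()}
```

Calling audit(SAMPLE_CONF) shows that a share with no masks falls back to 0644 files and 0755 directories, which matches the missing group write access described in the first post, and that a 0660 directory mask leaves new directories without the search bit group members need to enter them.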

gankoji 09-20-2011 04:46 PM

Ok, I'll give it a go this afternoon. The samba_wrkgrp you mentioned is a Linux GID, right? Thus, the machine accounts that are being used for credentials are the ones that will have to belong to that group?

mrmnemo 09-20-2011 05:05 PM

Quote:

The samba_wrkgrp you mentioned is a Linux GID, right?
Well, actually you can just create a group that suits your management needs. You could just as easily call the group account_samba, the name of the group is not that important. You also might want to read up on building user accounts with the /bin/false option. Reason: if the account is only used to access a Samba share I don't see a need for shell access to the machine. You can also omit a home dir on a real simple setup. Otherwise, you can map user home directories in Samba; moreover, you can configure specific folders in each user's home directory to be a Samba share.

For simple workgroup level stuff on a very small network, I would just let users know where to place uploaded files that should be available for modification by everyone.

Going back to your first question: the group can be any name you decide on. It will be just that, a group, not so much a "machine" account. Hope this has helped.


All times are GMT -5.