LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 02-04-2012, 06:25 PM   #1
andySMI
LQ Newbie
 
Registered: Feb 2012
Posts: 26

Rep: Reputation: Disabled
file permissions and ACLs on NTFS partition


Hello forum:
I am a system admin for a small design firm. Trying to provision my first production Linux box. Purpose of server is to share files on an MS Windoze network. New server has CentOS 6, Samba 3. Configured as active directory member server with winbind & kerberos all working. Domain controller is Win 2003 server. Win clients are XP pro and soon to be Win7 pro. Users can browse shares without providing credentials, linux recognizes windows users and groups, everything seems to be correctly configured and working.
Here is my issue:
Because users make a mess of the directory structure where the jobs files are stored I wrote an application which enforces a directory structure and naming conventions. The current solution runs on the workstations themselves (currently WinXP). Basically, users can add, browse, edit and delete files in existing folders but cannot create new folders or rename existing ones. To do so, they run the application and it uses elevated rights to create folders using a predefined structure and naming conventions. The application makes extensive use of ACLs.
Enter Linux. I assumed (perhaps wrongly) that if I used a partition formatted with NTFS that everything would work as it had on a Windoze box. First problem encountered was formatting the drive. Using parted I got a message informing me NTFS was not supported. I loaded the fuse-NTFS-3g package and using cfdisk created a partition formatted with NTFS. Reading the documentation for ntfs-3g I managed to create a UserMapping file and get the partition to automount. Using the system admin account from a windows machine, I created the basic directory structure and began to add files. Looking at the file permissions from a windows box, the basic stuff seems to be there (domain admin has full control, basic users have read and execute rights) but some of the permissions are missing and a few new ones appear (I assume to be compatible with Linux) such as the 'everyone' account which refuses to be deleted. Also I make extensive use of the 'authenticated users' account which allows me to share stuff with all the users instead of adding each one manually; it doesn't seem to be available. Also changing certain items in the security tab seems to crash the TC service on the windows box. Windows scripts using robocopy seem to throw weird errors.
I thought all the information used for ACLs was stored in the filing system. Would a different file system be a better choice? The Linux users never have to access the windows partition. The windows users never have to access the Linux stuff.
 
Old 02-14-2012, 05:13 PM   #2
Felipe
Member
 
Registered: Oct 2006
Posts: 302

Rep: Reputation: 32
Hallo:

Not sure what's your problem, but my experience with Linux and NTFS is:
It's better to use ext3/4 than NTFS on linux. If you can choose the format, it's better to use ext4. NTFS has no full support on Linux (acl doesn't work fine. Partition is mounted with permissions of only one user and group).
If you create a partition with ext4, you can use ACLs for allowing users to access directories and files.
What I do is to assign permissions based on users and groups of Active Directory (which can be combined with local users/groups).
For easy configuration, when I share a folder I say to use ACL of folder so I don't have to configure access control in smb.conf.

Not sure if this can help you... If it can help you and you need more information, tell me.

Regards
 
1 members found this post helpful.
Old 02-15-2012, 06:21 AM   #3
andySMI
LQ Newbie
 
Registered: Feb 2012
Posts: 26

Original Poster
Rep: Reputation: Disabled
Thanks for replying Felipe:
I have since tried ext3 as well and couldn't get anything other than owner, group and everyone with ext3 either. With ntfs using the ntfs-3g package, I at least could add some other users. Reformatted the drive and went back to ntfs and now I can't remember the correct combination of options or syntax I used in the fstab file to make it work. Anyhow, my samba is set up to authenticate against Active Directory. All my Win users and groups show up in the Linux system. I've created a usermapping file. With either format (ntfs or ext3) I can only get owner, group and everyone.
My backups don't run right, they throw errors (Win Robocopy). Even just copying in the explorer results in weird stuff being in the security tabs in Windows.
I really love CentOS 6, it's really well developed. But I've got to figure out something that works with Windows in a totally seamless way. I just need a file server that works with my windows clients like my Windows servers do.
 
Old 02-15-2012, 03:46 PM   #4
Felipe
Member
 
Registered: Oct 2006
Posts: 302

Rep: Reputation: 32
Hallo again.

Please read this post (#3) and the next one (#4):
http://www.linuxquestions.org/questi...6/#post4477585

ACLs are not enabled by default. To enable acl in ext3/ext4, you have to edit the line in fstab and add "acl".
Ex:
/dev/sdb1 /data ext4 acl,user_xattr 1 2

(you can also add user_xattr for allowing extended attributes).

For the changes to take effect, you don't need to restart the computer or close open programs accessing the drive, just do:
mount -o remount /dev/sdb1 (or the device you are using, of course as root).

If you use konqueror or dolphin or nautilus you will see that now you can add ACL to files/directories.

For assigning access to users/groups of AD from command line you can do:

Ex: Allow group "group1" from AD to read a directory:
setfacl -m g:group1:rx directory

Allow group "group2" from AD to read and write to directory2 and all folders inside.
setfacl -R -m g:group2:rwx directory2

Allow user "user1" read directory "dir3" and its content:
setfacl -R -m u:user1:rx dir3

-R = Recursive
-m = Modify
u=user
g=group

Delete all ACL of a directory
setfacl -R -b folder

Read acl of a folder/file
getfacl folder

If you want that folders created inside take acl of parent folder, you have to use -d option, to say default for new elements in folder.
Ex:
setfacl -R -d -m g:group3:rwx folder

Please ask for "man setfacl" and "man getfacl".

Ex: Allow user of linux "usrlocal1" to rwx on "folder1", allow user "aduser1" of AD to rwx "folder1" and allow group "adgroup1" read and "adgroup2" read/write the folder.

# Delete possible acl
setfacl -R -b folder1

# Assign default access
chmod 770 folder1
chown usrlocal1: folder1

# Allow aduser1 rwx to folder, folders inside and new folders (folders or files)
setfacl -R -m u:aduser1:rwx folder1
setfacl -R -d -m u:aduser1:rwx folder1

# Allow adgroup1 read and adgroup2 read/write to folder, folders inside and new elements (folders or files)
setfacl -R -m g:adgroup1:rx folder1
setfacl -R -d -m g:adgroup1:rx folder1
setfacl -R -m g:adgroup2:rwx folder1
setfacl -R -d -m g:adgroup2:rwx folder1

# To see what you have done
getfacl folder1

Groups and users can be local or from AD.

If you have not put "winbind use default domain = true", then groups and users of AD are referenced by the syntax "DOM\\group", "DOM\\user".

You can say samba to share folders using ACL so you don't need to add permissions on smb.conf.

It can be done adding this to the global section:
inherit permissions = Yes
inherit acls = Yes
map acl inherit = Yes

Later you can share a folder with:

[application]
comment = Folder for sharing applications
path = /application
volume = application

Thus you use the same permissions for a user in local that remote access.

If you configure samba in the right way, you don't need to create/map users/groups. The first time a user connects to the system, his home directory is created.

All I've written can have syntax mistakes as I've not checked it.

If you need more help, tell me.

Regards
 
1 members found this post helpful.
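An added check, not part of the thread, for the rule Felipe's folder1 example relies on: every named access ACL entry needs a matching default (-d) entry, otherwise files the Windows clients create do not inherit it. It parses constructed getfacl output (the folder1 scheme from the post, with adgroup2's default entry deliberately left out) and emits the setfacl -d command that repairs it.

```python
"""Audit getfacl output: report named ACL entries that lack a matching default entry."""

# Constructed sample of what `getfacl folder1` prints after the post's setfacl
# commands, except that the `setfacl -R -d -m g:adgroup2:rwx` step was skipped.
SAMPLE_GETFACL = """\
# file: folder1
# owner: usrlocal1
# group: usrlocal1
user::rwx
user:aduser1:rwx
group::rwx
group:adgroup1:r-x
group:adgroup2:rwx
mask::rwx
other::---
default:user::rwx
default:user:aduser1:rwx
default:group::rwx
default:group:adgroup1:r-x
default:mask::rwx
default:other::---
"""


def parse_getfacl(text):
    """Return (access, default) dicts keyed like 'user:aduser1' -> 'rwx'."""
    access, default = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop header lines and '#effective:' notes
        if not line:
            continue
        parts = line.split(":")
        target = access
        if parts[0] == "default":
            target, parts = default, parts[1:]
        kind, name, perms = parts[0], parts[1], parts[2]
        target[f"{kind}:{name}"] = perms  # base entries (user::, mask::) keep an empty name
    return access, default


def unpaired_entries(access, default):
    """Named access entries with no identical default entry (new files won't inherit them)."""
    return [(key, perms) for key, perms in access.items()
            if key.split(":", 1)[1] and default.get(key) != perms]


def repair_commands(unpaired, path):
    """setfacl -d lines, in the post's syntax, that add the missing default entries."""
    return [f"setfacl -R -d -m {'u' if k.startswith('user:') else 'g'}:{k.split(':', 1)[1]}:{p} {path}"
            for k, p in unpaired]


if __name__ == "__main__":
    acc, dft = parse_getfacl(SAMPLE_GETFACL)
    for cmd in repair_commands(unpaired_entries(acc, dft), "folder1"):
        print(cmd)
```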
Old 02-15-2012, 06:03 PM   #5
andySMI
LQ Newbie
 
Registered: Feb 2012
Posts: 26

Original Poster
Rep: Reputation: Disabled
Thanks Filipe, that is some extremely helpful information and the link has some great stuff as well. I am going to reformat the drive and give it a try. I'll let you know how it goes. Again... THANKS!!!
 
Old 02-15-2012, 11:20 PM   #6
andySMI
LQ Newbie
 
Registered: Feb 2012
Posts: 26

Original Poster
Rep: Reputation: Disabled
Felipe:
In your share parameters below
Quote:
Originally Posted by Felipe View Post
[application]
comment = Folder for sharing applications
path = /application
volume = application
What does the volume = do?
 
Old 02-16-2012, 12:03 AM   #7
andySMI
LQ Newbie
 
Registered: Feb 2012
Posts: 26

Original Poster
Rep: Reputation: Disabled
It seems to work!!!
much better than using ntfs. Inheritance seems to work, you can add more users in the security tab in windows and they seem to stick. I will have to read the man pages for getfacl and setfacl to get the hang of it. Seems to run fast as well. Thanks so much!!
 
Old 02-16-2012, 01:00 AM   #8
Felipe
Member
 
Registered: Oct 2006
Posts: 302

Rep: Reputation: 32
Hallo:

I'm glad it works for you.

About the volume parameter, it's not necessary. If you type "man smb.conf" you will see its use (I've always put it, but it is unnecessary).

man smb.conf
...
"Volume (S)

This allows you to override the volume label returned for a share. Useful for CDROMs with installation
programs that insist on a particular volume label.

Default: volume = # the name of the share"

If you need more help, ask.
And about the setfacl and getfacl try with many samples as it's a bit complicated at first. If you are the owner of the share or you have RW on the folder and "-d" RW on the folder, you can change the permissions of a folder from a client with Windows Explorer, but not sure if it's easier or not...

Regards
 
1 members found this post helpful.