Hello again.
Please read this post (#3) and the next one (#4):
http://www.linuxquestions.org/questi...6/#post4477585
ACLs are not enabled by default. To enable ACLs on ext3/ext4, you have to edit the line in fstab and add "acl".
Ex:
/dev/sdb1 /data ext4 acl,user_xattr 1 2
(you can also add user_xattr to allow extended attributes).
For the changes to take effect you don't need to restart the computer or close programs that have the drive open, just do:
mount -o remount /dev/sdb1 (or whatever device you are using, as root of course).
If you use Konqueror, Dolphin or Nautilus you will see that you can now add ACLs to files/directories.
To assign access to AD users/groups from the command line you can do:
Ex: Allow group "group1" from AD to read a directory:
setfacl -m g:group1:rx directory
Allow group "group2" from AD to read and write to directory2 and all folders inside.
setfacl -R -m g:group2:rwx directory2
Allow user "user1" to read directory "dir3" and its content:
setfacl -R -m u:user1:rx dir3
-R = Recursive
-m = Modify
u=user
g=group
Delete all ACL of a directory
setfacl -R -b folder
Read the ACL of a folder/file
getfacl folder
If you want folders created inside to take the ACL of the parent folder, you have to use the -d option, which sets the default for new elements in the folder.
Ex:
setfacl -R -d -m g:group3:rwx folder
Please see "man setfacl" and "man getfacl".
Ex: Allow the Linux user "usrlocal1" rwx on "folder1", allow the AD user "aduser1" rwx on "folder1", and allow group "adgroup1" read and "adgroup2" read/write on the folder.
# Delete possible acl
setfacl -R -b folder1
# Assign default access
chmod 770 folder1
chown userlocal1: folder1
# Allow aduser1 rwx to folder, folders inside and new folders (folders or files)
setfacl -R -m u:aduser1:rwx folder1
setfacl -R -d -m u:aduser1:rwx folder1
# Allow group1 read and group2 read/write to the folder, folders inside and new folders (folders or files)
setfacl -R -m g:adgroup1:rx folder1
setfacl -R -d -m g:adgroup1:rx folder1
setfacl -R -m g:adgroup2:rwx folder1
setfacl -R -d -m g:adgroup2:rwx folder1
# To see what you have done
getfacl folder1
Groups and users can be local or from AD.
If you have not set "winbind use default domain = true", then AD groups and users are referenced with the syntax "DOM\\group", "DOM\\user".
You can tell Samba to share folders using the ACLs, so you don't need to add permissions in smb.conf.
It can be done by adding this to the global section:
inherit permissions = Yes
inherit acls = Yes
map acl inherit = Yes
Later you can share a folder with:
[application]
comment = Folder for sharing applications
path = /application
volume = application
Thus a user gets the same permissions locally as over remote access.
If you configure Samba the right way, you don't need to create/map users/groups. The first time a user connects to the system, his home directory is created.
All I've written may have syntax mistakes as I've not checked it.
If you need more help, tell me.
Regards
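The folder1 procedure above, reproduced on a scratch directory so it can be run and checked. This is an added example, not code from the post: numeric ids 4242, 4243 and 4244 stand in for aduser1, adgroup1 and adgroup2 (setfacl accepts numeric ids, so they need not exist on the host, and no AD join is required), and the scratch directory is assumed to sit on a filesystem mounted with ACL support. Beyond the post, it creates a new sub-directory and file after the policy is applied and verifies from getfacl output what the -d (default) entries actually propagated to, which is where ACL setups usually surprise people.

```shell
#!/bin/sh
# Added example (not from the post): apply the post's folder1 ACL policy to a
# scratch directory and check that default (-d) entries are inherited.
# Assumed stand-ins for the AD accounts (numeric ids need not exist here):
set -eu

ACL_USER=4242      # stands in for aduser1  (rwx)
ACL_GROUP_RO=4243  # stands in for adgroup1 (rx)
ACL_GROUP_RW=4244  # stands in for adgroup2 (rwx)

# Probe: can we set an ACL here at all? Fails when the acl tools are missing
# or the filesystem is mounted without acl support.
acl_supported() {
    probe=$(mktemp -d)
    if setfacl -m "u:$ACL_USER:r" "$probe" 2>/dev/null; then ok=0; else ok=1; fi
    rm -rf "$probe"
    return $ok
}

# The post's sequence: wipe old ACLs, set the base mode FIRST (chmod rewrites
# the ACL mask, so doing it after setfacl would clip the named entries), then
# add access entries plus matching default (-d) entries for inheritance.
apply_acl_policy() {
    dir=$1
    setfacl -R -b "$dir"
    chmod 770 "$dir"
    setfacl -R -m "u:$ACL_USER:rwx" "$dir"
    setfacl -R -d -m "u:$ACL_USER:rwx" "$dir"
    setfacl -R -m "g:$ACL_GROUP_RO:rx" "$dir"
    setfacl -R -d -m "g:$ACL_GROUP_RO:rx" "$dir"
    setfacl -R -m "g:$ACL_GROUP_RW:rwx" "$dir"
    setfacl -R -d -m "g:$ACL_GROUP_RW:rwx" "$dir"
}

# acl_perms PATH TAG QUALIFIER -> permission string of that entry, or nothing.
#   acl_perms d user 4242           -> rwx
#   acl_perms d default:group 4243  -> r-x
#   acl_perms d mask ""             -> the mask entry
# The "#effective:" annotation getfacl appends when the mask clips an entry
# is stripped, so the raw entry is returned.
acl_perms() {
    getfacl -c "$1" 2>/dev/null \
        | sed 's/[[:space:]]*#effective:.*$//' \
        | awk -F: -v key="$2:$3:" 'index($0, key) == 1 { print $NF; exit }'
}

# Create a sub-directory and a file under DIR after the policy is applied and
# check what each inherited. Returns 0 when inheritance worked as described.
check_inheritance() {
    dir=$1
    mkdir "$dir/newsub"
    : > "$dir/newsub/newfile"
    # the new directory gets the access entries AND its own default entries
    [ "$(acl_perms "$dir/newsub" user "$ACL_USER")" = rwx ] || return 1
    [ "$(acl_perms "$dir/newsub" default:group "$ACL_GROUP_RO")" = r-x ] || return 1
    # the new file gets access entries only; a file never carries a default ACL
    [ "$(acl_perms "$dir/newsub/newfile" group "$ACL_GROUP_RW")" = rwx ] || return 1
    [ -z "$(acl_perms "$dir/newsub/newfile" default:group "$ACL_GROUP_RW")" ] || return 1
}

if acl_supported; then
    demo=$(mktemp -d)
    apply_acl_policy "$demo"
    check_inheritance "$demo"
    getfacl -c "$demo/newsub/newfile"   # note the mask:: line and #effective
    rm -rf "$demo"
else
    echo "setfacl unavailable or filesystem mounted without acl; nothing done" >&2
fi
```

Two things worth reading off the getfacl output it prints: the new file's named entries keep rwx but its mask comes from the create mode (0666 for a file created by the shell), so getfacl shows them with "#effective:rw-", and that mask, not the entry, is what the kernel enforces; and a later chmod on any of these paths rewrites that mask again, which is why the post's chmod 770 comes before the setfacl calls rather than after.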