
nass 02-09-2011 09:04 AM

samba shares and the notion of group of groups
Hello everyone,
this is really a brainstorming thread seeking advice on how to set up some samba shares within a small office network. For the quick judgers:

-no I'm not an IT expert and I'm not even the IT at the office, I just fill in this gap too.
-I have looked into several samba 'by example' tutorials - none seems to fit my needs or answer some of my Qs.

So I seek advice from your experience:

What do I know:
-the functionality of the setgid to have subfolders inherit the group owner of the parent folder
-the fact that I don't want samba in 'share' level in order to register the owners of files
-the functionality of acls that enables inheritance of rwx permissions to subfolders of a parent folder.
-the groupmod -o option but that doesn't help apparently.

So this is a 25ppl civil engineer consulting office. The physical groups of ppl working here are: engineers, drafters (those who generate the drawings, I'm not sure if that's the correct term), and secretaries.

The job usually is done in the following way: once a project commences, a project folder gets generated and everything is done in there. Incoming mail arrives there (secretaries put it there), engineers do their calculations on spreadsheets, write reports and do draft drawings and, finally, drafters take the draft drawings and finalize them.
So pretty much everyone of these 3 groups needs write access to the main project folder.

How do I accomplish that? As which group should I create the project folders?
It came to mind the notion of group of groups. Now that the actual owner of the file is not so important anymore (several engineers will need to have write access to the folder) and group becomes important, it would be nice to have the ability to add... groups (instead of users) to groups! So that the permissions to a group are inherited by its children groups...
Does such functionality exist or can it be implemented somehow?

How do I go about giving access to everyone and at the same time, NOT giving up on the 'user' security level of samba (and NOT just giving rwx permission to 'others')?

Is it possible? Or should I instead forget about individuals and match the 'physical groups' to 'linux users' and 'groups of groups' to 'linux groups'? (This means I should give up on ownership of files by individuals)?

Since it's a small office some work is mixed - engineers might pick up incoming email, a secretary might do a bit of drafting work etc.

What do you propose I do?
Thank you for your help.

Noway2 02-10-2011 04:39 AM

Take a look at this link. Specifically, try the write list option which will let you specify which users you want to have write access. The information comes from the Samba documentation here. Samba permissions operate like a hybrid between Windows and Linux, which limits your capability somewhat. You could also specify a "group" with write permissions for certain users and read permissions for others. You could then force this group on the samba share, which I think will also accomplish your goal.

nass 02-10-2011 07:18 AM

Noway2 thank you for the reply, but I'm afraid this doesn't accomplish my goal..
Before samba permissions, there are the linux permissions.. and if these are not set up in the way I want it's no use setting up samba (even though this is the way forward in setting up samba).

I'm reading through O'Reilly books about administration and found something that I had thought of but did not want to use as it is not ideal. It seems to be the only way though. It states here that I could be setting up a group for each project. Then any user needing access would be included in the group. But that destroys the notion of the physical groups (engineers, drafters, secretaries) and, most importantly, it requires IT support to have an active role in the creation of new projects as they'll have to set up permissions etc. And I wanted to avoid that. [O'Reilly - Essential System Administration 3rd Edition].

So I'm still out there looking, even though I'm afraid I'll end up storing my files in the public folder in the end... :(

technocp 03-12-2011 12:39 AM

samba read list and write list
I am working for a community where several people are engaged for 4 different development projects. We are planning to have a samba server to store our data.

Now the problem is that I have created a share in which @groupa, @groupb and @groupc are allowed to read and write. But three of the members of @groupb are allowed read permission only.

The share that I have created is as follows

path = /mnt/jonodev
comment =
writeable = yes
browseable = yes
create mode = 755
directory mode = 755
read list = john,lexi,rathi
write list = @groupa,@groupb,@groupc
valid users = @work,@Developer,@support
read only = no

Members in Groups
groupa = shashi, thomas, kiran, mathew, rosh
groupb = rakesh, william, randy, john, lexi, rathi
groupc = simsim, aham, gothik, rama, ruby

All these groups have read/write permission on the above share; only john, lexi and rathi have read permissions.

I thought adding john, lexi and rathi to read list would restrict them from writing to the share but it doesn't happen.

Please help as early as possible or guide me to the place where I can find the help for the same. I have tried to find samba forums but wasn't able to find an appropriate one.
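
An added example, not part of the original post: a simplified Python model of Samba's documented rule that a user who appears in both `read list` and `write list` is given write access, applied to the group memberships listed above. The group `groupb_rw` and the `ADJUSTED` settings are hypothetical, and the model assumes the user already passes `valid users`.

```python
# Simplified model of how Samba combines "read only", "read list" and
# "write list" for one share. Group data is copied from the post above;
# "groupb_rw" is a hypothetical group introduced only for this example.
GROUPS = {
    "groupa": {"shashi", "thomas", "kiran", "mathew", "rosh"},
    "groupb": {"rakesh", "william", "randy", "john", "lexi", "rathi"},
    "groupc": {"simsim", "aham", "gothik", "rama", "ruby"},
    "groupb_rw": {"rakesh", "william", "randy"},  # hypothetical
}

def expand(user_list, groups=GROUPS):
    """Expand an smb.conf user list (names, @group, +group) into user names."""
    users = set()
    for item in user_list.replace(",", " ").split():
        if item.startswith(("@", "+")):
            users |= groups.get(item[1:], set())
        else:
            users.add(item)
    return users

def share_access(user, read_only, read_list, write_list):
    """Return 'rw' or 'ro' at share level; filesystem permissions still apply."""
    if user in expand(write_list):
        return "rw"   # write list wins, even if the user is also in read list
    if user in expand(read_list):
        return "ro"   # read list overrides "read only = no"
    return "ro" if read_only else "rw"

def in_both_lists(read_list, write_list):
    """Users whose read list entry is silently overridden by write list."""
    return sorted(expand(read_list) & expand(write_list))

# Settings as posted, and a hypothetical variant that keeps the three
# read-only users out of every group named in write list.
POSTED = dict(read_only=False, read_list="john,lexi,rathi",
              write_list="@groupa,@groupb,@groupc")
ADJUSTED = dict(POSTED, write_list="@groupa,@groupb_rw,@groupc")

if __name__ == "__main__":
    print("overridden:", in_both_lists(POSTED["read_list"], POSTED["write_list"]))
    for name in ("john", "rakesh"):
        print(name, share_access(name, **POSTED), share_access(name, **ADJUSTED))
```
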

Noway2 03-12-2011 04:50 AM

First, while I realize that you are posting to a thread that is very similar to your question, it is considered rude to use an old thread to ask a new question. Would you please use the report function of your post to send a message to a moderator asking them to move it to its own thread? This will also help your thread get the attention it deserves.

Second, in answer to your question, have you looked into the Linux file/group permissions? My suggestion would be to let Linux handle the permissions and create a Linux, not samba, group that has group write permissions enabled. Then make the users that you wish to be able to write members of that group.
