Trying to restrict a folder within a directory created in the Linux filesystem. I have changed the permissions to: root rwx, a special Active Directory group rwx and all others r. Upon doing so, people that are not in the special AD group can access the directory and modify files. When they do, the group changes to "Domain Users" when the user modifies documents within the directory. I have to manually change the documents' default group back to my AD group. I have tried to create another AD group and modify permissions to deny write access. When doing so through Windows Explorer, the settings seem to take effect until I go back in and look at permissions for the restricted group. No permissions show when I view them the second time. Please assist.
Samba share properties
[MyShare]
comment = "blah blah blah"
browseable = yes
guest ok = no
read only = no
path = /xxx/xxxxx/
create mask = 0640
directory mask = 0750
admin users = @"domain\Domain Admins", @"domain\group A", @"domain\group B"
valid users = @"domain\Domain Admins", @"domain\group A", @"domain\group B"
nt acl support = Yes
inherit acls = yes
inherit owner = yes
inherit permissions = yes
-
On your Samba share declaration, use the force group directive to ensure new files are created with that group ownership.
force group = @"domain\special_AD_Group"
VGE IT: added the directive, reloaded Samba, and non-special_AD_Group users can still modify documents.
VGE IT: using force group actually denied access to a default user group for the top-level folder; access was restored once force group was removed from the Samba config.
VGE IT: Is there any other way to accomplish setting permissions other than force group?
From Peter Carrero -
I had a similar problem for a long time. For me, the solution was in the Linux filesystem permissions themselves. I had to change the permissions using
chmod 2770 ./foo
in order to get user and group permissions to work correctly. See my (edited) ls below:
[root@server1 home]# ls -lAF
total 92
drwxrws---.  2 al    al     4096 2009-05-27 00:25 al/
drwxrws---   6 root  shares 4096 2010-06-11 16:19 images/
drwxrws---. 61 jesse jesse  4096 2010-06-13 16:21 jesse/
drwxrws---. 28 mary  mary   4096 2009-08-26 15:52 mary/
drwxrws---. 14 root  work   4096 2010-05-24 08:16 work/
drwxrws---. 12 root  shares 4096 2010-06-18 14:15 share/
[root@server1 home]#
I am not using any admin users = entries. I am simply relying on the user and group structure built into Linux itself. Granted, you are using AD, but a similar concept should apply. For reference, here are the relevant parts of my smb.conf (edited again):
[global]
server string = Samba Server
security = share
unix password sync = Yes
create mask = 0660
directory mask = 0770
[jesse]
path = /home/jesse
valid users = jesse
read only = No
[share]
path = /home/share
valid users = al, jesse, mary
read only = No
[work]
path = /home/work
valid users = al, jesse
read only = No
I hope this helps!
From Jesse -
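A runnable illustration of the setgid-directory behaviour that the chmod 2770 reply relies on, added here as an example and not taken from the thread or from Samba. It uses only a temporary directory and the current user's own groups (a supplementary group when one exists, so the effect is visible; otherwise the primary group), so it runs unprivileged on any Linux box with GNU coreutils. The directory names and the file name doc.txt are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): show why a setgid directory
# (chmod 2770, the "s" in drwxrws---) keeps new files in the directory's group
# instead of the creator's primary group ("Domain Users" in the question).
set -u

# Pick a group to demonstrate with. A supplementary group is preferred: without
# the setgid bit, files created there would fall back to the primary group, so
# the difference is observable. Falls back to the primary group if there is none.
pick_group() {
    primary=$(id -g)
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then
            echo "$g"
            return 0
        fi
    done
    echo "$primary"
}

# Create a share-style directory owned by numeric group GID with mode MODE
# (e.g. 2770 = setgid + rwxrwx---). Prints the directory path.
make_share_dir() {
    gid=$1
    mode=$2
    dir=$(mktemp -d)
    chgrp "$gid" "$dir"
    chmod "$mode" "$dir"
    echo "$dir"
}

# Symbolic mode of a path, e.g. "drwxrws---" when the setgid bit is set.
mode_of() {
    stat -c %A "$1"
}

# Create a file (constructed name doc.txt) inside DIR and print the file's
# numeric group, i.e. what ls -l would show in the group column.
group_of_new_file() {
    dir=$1
    : > "$dir/doc.txt"
    stat -c %g "$dir/doc.txt"
}

# "inherited" when a new file takes the directory's group, else "not-inherited".
check_inheritance() {
    dir=$1
    if [ "$(group_of_new_file "$dir")" = "$(stat -c %g "$dir")" ]; then
        echo inherited
    else
        echo not-inherited
    fi
}

demo() {
    gid=$(pick_group)
    with_sgid=$(make_share_dir "$gid" 2770)
    without_sgid=$(make_share_dir "$gid" 0770)
    echo "setgid dir  : $(mode_of "$with_sgid")  group of new file: $(check_inheritance "$with_sgid")"
    # With a supplementary group this line reads "not-inherited": the file
    # silently lands in the creator's primary group, which is the symptom
    # described in the question.
    echo "plain dir   : $(mode_of "$without_sgid")  group of new file: $(check_inheritance "$without_sgid")"
    rm -rf "$with_sgid" "$without_sgid"
}

demo
```

Note that a non-root user can only chgrp to a group it belongs to, and the kernel clears the setgid bit on chmod if the directory's group is not one of the caller's groups, so run the chgrp/chmod step as root on the real share. On a Samba host, the directory's group must be the AD group as mapped by winbind (visible with getent group), and Samba's create mask still decides the file's mode bits, not its group.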
This may not answer your question, but when you actually join your host to a Windows domain using winbind and PAM, it becomes easier to control permissions using setfacl and getfacl, which are similar to the cacls/xcacls commands in Windows.
From andyortlieb