This might help. I do something similar, but only one share is open to the group's users. Other shares are read-only except for a single maintainer user. The [global] section of my smb.conf is almost identical to yours, except I don't use the force create/directory mode directives (in my case, they'd interfere with the other shares).
Here's the share definition:
[shared stuff]
comment = blah, blah, etc
path = /path/to/share
write list = @sambagroup
force group = +sambagroup
read only = yes
directory mask = 0775
create mask = 0664
guest ok = yes
invalid users = root
case sensitive = True
default case = lower
preserve case = yes
short preserve case = yes
The important stuff here is this:
read only = yes
-- by default, read only.
guest ok = yes
-- guests can browse.
write list = @sambagroup
-- Authenticated members of sambagroup can write.
force group = +sambagroup
-- The + means that the force only applies to existing members of sambagroup. They're already the only ones who can write. I think, without the +, guest is given sambagroup credentials, which is not wanted (particularly with the write list directive above).
directory mask = 0775
create mask = 0664
These do exactly what you want yours to do: "drwxrwxr-x" on directories, "rwxrwxr-x" on files, and newly created files are owned by the user and sambagroup. The maintainers of the other shares get the same permissions as everyone else when working in shared stuff, and permissions & groups are normal when they work in the other shares.
My smb.conf has been working with only minor tweaks through several different versions of Samba, and currently is used with Samba 3.2.5. I never had it running on Ubuntu 8.04, but it ran on Ubuntu 7.04 for a long time before getting migrated to a recent Debian Lenny install.
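The following is an added example, not part of the original answer or of Samba itself. It reads the access directives from the share definition above and works out what a guest, a sambagroup member, another authenticated user and root each get, plus the permission bits on newly created files and directories. It assumes Python's configparser is close enough to Samba's parser for this sample, that guest connections are already mapped to the guest account, that the users alice and bob are constructed, and that Samba requests 0777 for new directories and 0766 for new files before applying the masks.

```python
import configparser
import stat

SHARE = """\
[shared stuff]
write list = @sambagroup
force group = +sambagroup
read only = yes
directory mask = 0775
create mask = 0664
guest ok = yes
invalid users = root
"""
parser = configparser.ConfigParser(interpolation=None)  # assumption: not Samba's parser
parser.read_string(SHARE)
shared_stuff = parser["shared stuff"]

def access(share, user, groups=(), guest=False):
    """Return 'denied', 'read' or 'write' for one connecting identity."""
    def listed(option):
        names = share.get(option, "").replace(",", " ").split()
        return user in names or any(n[0] in "@+&" and n[1:] in groups for n in names)
    guest_ok = share.getboolean("guest ok", fallback=False)
    if listed("invalid users") or (guest and not guest_ok):
        return "denied"
    if listed("write list"):  # write list overrides read only = yes
        return "write"
    return "read" if share.getboolean("read only", fallback=True) else "write"

def new_mode(share, directory=False):
    """(requested & mask) | force mode; assumes 0777 (dir) / 0766 (file) requested."""
    kind, requested, default = (("directory", 0o777, "0755") if directory
                                else ("create", 0o766, "0744"))
    mask = int(share.get(kind + " mask", default), 8)
    force = int(share.get(f"force {kind} mode", "0"), 8)
    return (requested & mask) | force

def report(share):
    return {
        "guest": access(share, "nobody", guest=True),
        "member": access(share, "alice", groups=("sambagroup",)),  # constructed user
        "outsider": access(share, "bob", groups=("users",)),  # constructed user
        "root": access(share, "root", groups=("root",)),
        "new file": stat.filemode(stat.S_IFREG | new_mode(share)),
        "new dir": stat.filemode(stat.S_IFDIR | new_mode(share, directory=True)),
    }

if __name__ == "__main__":
    for who, result in report(shared_stuff).items():
        print(f"{who:9} {result}")
```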
First off, you can view the context of something with ls using ls -Z:
[root@servername www]# ls -dZ /var/www
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t /var/www
Second, there are two options for giving Samba and Apache access to the same directory.
The simple way is to just allow samba read/write access everywhere with:
setsebool -P samba_export_all_rw 1
It's simple, easy, and doesn't mess with any weird properties of SELinux.
If you're concerned with Samba having full access to all directories and only want to change /var/www, try:
chcon -t public_content_rw_t /var/www
setsebool -P allow_smbd_anon_write 1
setsebool -P allow_httpd_anon_write 1
This will allow both Samba and Apache write access to any directories with the public_content_rw_t context. Note that chcon is only modifying /var/www. Any new directories created under /var/www will be public_content_rw_t, but not existing directories like /var/www/html or /var/www/manual. If you want to change everything, add an -R to chcon:
chcon -R -t public_content_rw_t /var/www
You can look through this CentOS wiki page to get hints on other SELinux booleans.
Best Answer
For a folder in Samba to be writable ALL the following have to be true: