Linux And NTFS Permissions

linux ntfs samba

Trying to restrict a folder within a directory created in a Linux filesystem. I have changed the permissions to: root rwx, a special Active Directory group rwx and all others r. Upon doing so, people that are not in the special AD group can access the directory and modify files. Upon doing so the group changes to "Domain Users" when the user modifies documents within the directory. I have to manually change the documents' default group back to my AD group. I have tried to create another AD group and modify permissions to deny write access. When doing so through Windows Explorer, the settings seem to take effect until I go back in and look at permissions for the restricted group. No permissions show when I view for the second time. Please assist.

Samba share properties

[MyShare]
comment = "blah blah blah"
browseable = yes
guest ok = no 
read only = no 
path = /xxx/xxxxx/ 
create mask = 0640 
directory mask = 0750 
admin users = @"domain\Domain Admins", @"domain\group A", @"domain\group B" 
valid users = @"domain\Domain Admins", @"domain\group A", @"domain\group B" 
nt acl support = Yes 
inherit acls = yes 
inherit owner = yes 
inherit permissions = yes 

Best Answer

I had a similar problem for a long time. For me, the solution was in the Linux filesystem permissions themselves. I had to change the permissions using chmod 2770 ./foo in order to get user and group permissions to work correctly. See my (edited) ls below:

[root@server1 home]# ls -lAF
total 92
drwxrws---.  2 al    al        4096 2009-05-27 00:25 al/
drwxrws---   6 root  shares    4096 2010-06-11 16:19 images/
drwxrws---. 61 jesse jesse     4096 2010-06-13 16:21 jesse/
drwxrws---. 28 mary  mary      4096 2009-08-26 15:52 mary/
drwxrws---. 14 root  work      4096 2010-05-24 08:16 work/
drwxrws---. 12 root  shares    4096 2010-06-18 14:15 share/
[root@server1 home]#

I am not using any admin users = entries. I am simply relying on the user and group structure built into Linux itself. Granted, you are using AD, but a similar concept should apply. For reference, here are the relevant parts of my smb.conf (edited again):

[global]
        server string = Samba Server
        security = share
        unix password sync = Yes
        create mask = 0660
        directory mask = 0770

[jesse]
        path = /home/jesse
        valid users = jesse
        read only = No

[share]
        path = /home/share
        valid users = al, jesse, mary
        read only = No

[work]
        path = /home/work
        valid users = al, jesse
        read only = No

I hope this helps!
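One way to check a share tree for the conditions the answer above relies on (setgid directories as set by chmod 2770, a single share group, no access for others), as an added example that is not part of the original answer. The function names `audit_share` and `build_demo_tree` and the sample tree are constructed for illustration; the share group is assumed to be the group of the top-level directory unless one is passed in.

```python
import os
import stat
import tempfile


def audit_share(root, expected_gid=None):
    """Return sorted (relative_path, issue) pairs for entries under root that
    break a group-only share: wrong group, any 'other' bit, or a directory
    without the setgid bit that chmod 2770 sets."""
    gid = os.lstat(root).st_gid if expected_gid is None else expected_gid
    findings = []

    def check(path, is_dir):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            return  # symlink modes are not meaningful, skip them
        rel = os.path.relpath(path, root)
        if st.st_gid != gid:
            findings.append((rel, "group differs from share group"))
        if st.st_mode & stat.S_IRWXO:
            findings.append((rel, "accessible to others"))
        if is_dir and not st.st_mode & stat.S_ISGID:
            findings.append((rel, "directory missing setgid"))

    for dirpath, _dirs, files in os.walk(root):
        check(dirpath, True)
        for name in files:
            check(os.path.join(dirpath, name), False)
    return sorted(findings)


def build_demo_tree():
    """Constructed sample tree: one correct subdirectory, one misconfigured."""
    root = tempfile.mkdtemp(prefix="share-audit-")
    os.chmod(root, 0o2770)
    for sub, dmode, fname, fmode in (("good", 0o2770, "report.txt", 0o660),
                                     ("bad", 0o750, "leak.txt", 0o644)):
        d = os.path.join(root, sub)
        os.mkdir(d)
        os.chmod(d, dmode)  # explicit mode, independent of the umask
        f = os.path.join(d, fname)
        open(f, "w").close()
        os.chmod(f, fmode)
    return root


if __name__ == "__main__":
    for rel, issue in audit_share(build_demo_tree()):
        print(f"{rel}: {issue}")
```

Run against a real share path, a "group differs" finding on a file is the symptom described in the question, where a modified document ends up with the user's primary group instead of the share group.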