From - Tue Dec 07 10:13:36 1999
Message-Id:
From: David Lee
To: Multiple recipients of list SAMBA
Subject: Re: Approach to permissions, UNIX usernames, and UNIX groups ..
MIME-Version: 1.0
In-Reply-To: <19991204131602Z13083773-24228+24640@samba.anu.edu.au>
Date: Tue, 7 Dec 1999 02:08:37 +1100
Content-Type: TEXT/PLAIN; charset=US-ASCII

Re:

> I have a question I wanted to throw out to the general public. When
> dealing with reasonably large numbers of users (120+, in this case),
> how do most of you handle your UNIX permissions, usernames, and groups
> in correlation to your SAMBA?
>
> I need to create a directory structure reasonably deep (3-5 directories
> off of the main RAID mount point, with 5-10 directories under that, with
> another 3-10 directories under those).
>
> The best approach I have come up with so far is to create a group
> specifically for each subdirectory, and put .. say .. Bob, Al, and Tom
> in it. Then I make sure the directory is owned by root.group, and could
> utilize the "force create mode" and "force group" directives in my
> smb.conf to create the files as rwxrwx--- and assigned to the group with
> respect to the subdirectory it is in. The only problem is, this means I
> have to manage over 100+ groups with 100+ SAMBA shares, and it seems
> there has to be a better way, and I'm just not seeing it.
>
> Is there a way to tell SAMBA to assign files being written to the group
> of the subdirectory the file is being written to? Is there a better way
> altogether to approach this (I hope there is =).
>
> Any insight or webpage references on approaches to medium-to-large-scale
> fileserving with SAMBA on a network are appreciated. Thanks.

We have 19,000 registered UNIX users, of which some 7,000 (rapidly
increasing) are currently Samba-ised onto our Solaris 2.x fileservers.

Many UNIX flavours interpret the SETGID bit on a directory to mean "when
creating a new file/directory in here, use the group-owner of this
directory (rather than group-owner of the process)".

So if your data falls neatly into having dir/subtree all owned by
group , then this SETGID should meet your ownership requirement.

Note that this functionality, if there, is within that flavour of UNIX
itself: it cannot be controlled from Samba.

We have a patch which takes this a stage further. It was discussed back
in September on the "samba-technical" list, and met with favourable
response from the Samba team. But, alas, things have gone very quiet
since then...

This patch, provisionally called "inherit mode", takes the mode of the
directory and applies all its bits to new subdirs, and its rw bits to new
files. (This "inherit mode" smb.conf parameter overrides even those
parameters entitled "force ...".)

See:
   http://www.dur.ac.uk/~samba/inherit-206.diff
for the 2.0.6 patch; substitute 204 or 203 if you run 2.0.4 or 2.0.3
(sorry, no 2.0.5).

And if you like it, gently encourage the Samba Team to include it in
future releases of Samba.

Hope that helps.

--
:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/~dcl0tdl            South Road            :
:                                           Durham                :
:  Phone: +44 191 374 2882                  U.K.                  :
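
Added example, not part of the original message and not code from the Durham patch: a Python sketch of the "inherit mode" rule as the message states it (all of the directory's mode bits for new subdirectories, only its rw bits for new files), applied to a SETGID directory. The helper names, the directory and file names and the 2770 mode are constructed for illustration; treating "all its bits" as including the SETGID bit is an assumption.

```python
import os
import stat
import tempfile

RW_BITS = 0o666  # read/write for user, group and other; no x, no setuid/setgid/sticky


def inherited_mode(dir_mode: int, is_dir: bool) -> int:
    """Mode a new entry gets under the rule described in the message."""
    perms = stat.S_IMODE(dir_mode)          # permission bits incl. setuid/setgid/sticky
    return perms if is_dir else perms & RW_BITS


def create_inheriting(parent: str, name: str, is_dir: bool) -> str:
    """Create a file or subdirectory and give it the mode derived from its parent."""
    path = os.path.join(parent, name)
    mode = inherited_mode(os.stat(parent).st_mode, is_dir)
    if is_dir:
        os.mkdir(path)
    else:
        # Create restrictively first, then widen, so the file is never
        # briefly more open than the parent directory allows.
        os.close(os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600))
    os.chmod(path, mode)                    # chmod is not filtered by the umask
    return path


def demo() -> dict:
    """Build a constructed group-owned share directory and create entries in it."""
    with tempfile.TemporaryDirectory() as root:
        share = os.path.join(root, "projectA")
        os.mkdir(share)
        os.chmod(share, 0o2770)             # rwxrws---: group-writable, SETGID set
        f = create_inheriting(share, "report.txt", is_dir=False)
        d = create_inheriting(share, "drafts", is_dir=True)
        share_st, f_st, d_st = os.stat(share), os.stat(f), os.stat(d)
        return {
            "file_mode": stat.S_IMODE(f_st.st_mode),
            "subdir_mode": stat.S_IMODE(d_st.st_mode),
            # On UNIX flavours that honour SETGID on directories, the new
            # file's group follows the directory, not the creating process.
            "file_group_matches_dir": f_st.st_gid == share_st.st_gid,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

With this rule a single group-owned, SETGID directory at the top of a subtree determines both the group and the permissions of everything created beneath it, which is what removes the need for one share and one "force" setting per directory.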