--- juan <[EMAIL PROTECTED]> wrote:
> Here is the situation. I have set up a samba server to authenticate against
> Active Directory. I have created a group under my linux server and created
> all the accounts that need to access the share on the samba server. I gave
> the group the rights to the samba share, but when a user adds to the share a
> file or directory and I view the permissions under linux, the owner of that
> new file or directory is not the group anymore, it's the creator, which
> creates a big problem because the group needs total access to any directory
> under the share and needs to have full access, which I set up initially, but
> when a user in the group creates a file he or she owns it and other users can
> write to that directory.

This involves a basic but obscure feature of Unix security I didn't learn
about until recently: Set Group ID (sgid) on directories. New files and
directories created inside it inherit the group ID, and anyone in that group
will automatically share permissions.

You first chmod all directories (NOT files) in your share:

    find /path/to/share -type d -print0 | xargs -0 chmod g+s

Explanation:

    find           = the find command, which finds files matching criteria
    /path/to/share = any directory where you want to apply inheritance
    -type d        = Directories
    -print0        = Print with no newlines, for xargs to read
    |              = run this command on the output
    xargs          = run a command on each line input
    -0             = data comes in with no newlines
    chmod          = change mode
    g+rwxs         = read, write, execute (browse), and set group id

Then you chgrp all files:

    chgrp -R <group> /path/to/share

Explanation:

    chgrp = change group of the files/folders
    -R    = Recursive

Finally, add members to your group:

    gpasswd -a <user> <group>

Explanation:

    gpasswd = the group password command, but we're not setting a password here
    -a      = Add

Have the users log out and back in again to take effect.

From then on, all files created in that directory will be in the same group.
The user doesn't truly matter, as long as you have at least:

    ---r-x---  for group read-only directories,
    ---rwx---  for group writeable directories,
    ---r-----  for group readable files,
    ---rw----  for group writeable files.

At least those permissions. You could then safely remove "other" permissions
to prevent a breach in security, as everyone should be in that group to have
access.

This is also useful with Winbind and "winbind use default domain = yes" in
smb.conf.

I can create a group:

    groupadd smbwrite

Add some users from my NT domain into it:

    for USER in chris steve mike; do
        gpasswd -a $USER smbwrite
    done

Set my permissions:

    find /share/mis -type d -print0 | xargs -0 chmod g+s

And then set the group ID:

    chgrp -R smbwrite /share/mis

Also, sgid is the 2 bit in the first number of octal permissions
(e.g. chmod 2770 some_directory).

Don't forget to have your users log out before trying, and good luck.

/dev/idal
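
An added example, not part of the original post: a POSIX shell function that audits a share for the conditions the reply describes (setgid on every directory, the share group on everything, group permissions present, no "other" bits). The name audit_share and its output labels are made up for this illustration, and it assumes the group-writeable case.

```sh
#!/bin/sh
# audit_share DIR GROUP   (hypothetical helper, not a Samba or coreutils tool)
# Report entries under DIR that break the setgid shared-directory scheme.
# Output: one "ISSUE<TAB>path" line per finding; no output means clean.
# Assumes a group-writeable share (the ---rwx--- / ---rw---- case).
audit_share() {
    share_dir=$1
    share_group=$2   # group name or numeric GID

    # Directories without setgid: entries created here get the creator's
    # primary group instead of the share group.
    find "$share_dir" -type d ! -perm -2000 \
        -exec printf 'NO_SGID\t%s\n' {} +

    # Anything that does not belong to the share group.
    find "$share_dir" ! -group "$share_group" \
        -exec printf 'WRONG_GROUP\t%s\n' {} +

    # Directories missing group rwx, files missing group rw.
    find "$share_dir" -type d ! -perm -0070 \
        -exec printf 'GROUP_PERMS\t%s\n' {} +
    find "$share_dir" -type f ! -perm -0060 \
        -exec printf 'GROUP_PERMS\t%s\n' {} +

    # Any "other" permission bit still set.
    find "$share_dir" \( -perm -0001 -o -perm -0002 -o -perm -0004 \) \
        -exec printf 'OTHER_ACCESS\t%s\n' {} +
}

# Example with the names used in the post:
#   audit_share /share/mis smbwrite
```

Run it again after the find/chmod and chgrp steps; an empty result means every existing directory will pass the group on to new entries.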