help with samba on sles 10

 
Oskar Teran
Frequent Advisor


Hello,
I'm running SLES 10 set up with Samba as a PDC.

Machines can log in to it fine.

I've set up 2 groups (accounting and general) where users from general can't see accounting files but users from accounting (made members of both groups) can see everything.

The problem I'm having is that when users create files, the files are made with permission 0744. I don't want this because other members of the group can't work on (edit) files made by someone else.

I tried adding create mask 0777 but it still makes user files 744. How can I get the user files to be made 777? I need Samba to keep the 2 groups separate but allow users to create files that any member of that group can work on.


Thanks,

Oskar



> [global]
> workgroup = FRANK
> printing = cups
> printcap name = cups
> printcap cache time = 750
> cups options = raw
> map to guest = Bad User
> include = /etc/samba/dhcp.conf
> logon path = \\%L\profiles\.msprofile
> logon home = \\%L\%U\.9xprofile
> logon drive = P:
> ldap admin dn = cn=Administrator,dc=franksupplyco,dc=com
> ldap suffix = dc=frank,dc=com
> ldap group suffix = ou=group
> ldap user suffix = ou=people
> security = user
> encrypt passwords = yes
> passdb backend = ldapsam:ldap://localhost smbpasswd
> add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.ycp %m$
> domain logons = yes
> idmap backend = ldap:ldap://localhost
> ldap idmap suffix = ou=Idmap
> ldap machine suffix = ou=Computers
> local master = yes
> wins support = yes
> netbios name = fileserver
> domain master = yes
> preferred master = yes
> os level = 65
> [homes]
> comment = Home Directories
> valid users = %S
> browseable = no
> read only = No
> inherit acls = Yes
> guest ok = no
> printable = no
> [profiles]
> comment = Network Profiles Service
> path = %H
> read only = No
> store dos attributes = Yes
> create mask = 0600
> directory mask = 0700
> browseable = yes
> guest ok = no
> printable = no
> [users]
> comment = All users
> path = /home
> read only = No
> inherit acls = Yes
> veto files = /aquota.user/groups/shares/
> browseable = yes
> guest ok = no
> printable = no
> [groups]
> comment = All groups
> path = /home/groups
> read only = No
> inherit acls = Yes
> browseable = yes
> guest ok = no
> printable = no
> create mask = 0777
> [printers]
> comment = All Printers
> path = /var/tmp
> printable = yes
> create mask = 0600
> browseable = no
> guest ok = no
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/drivers
> write list = @ntadmin root
> force group = ntadmin
> create mask = 0664
> directory mask = 0775
> browseable = yes
> guest ok = no
> printable = no
> [public]
> comment = ANYONE
> path = /home/public
> writeable = yes
> browseable = yes
> guest ok = no
> printable = no
> public = yes
> mail:/etc/samba #
Ivan Ferreira
Honored Contributor

Re: help with samba on sles 10

Your solution of 777 is not good enough.

The create mode/create mask should set the mode for newly created files. Have you reloaded the service?

I also see several create mask options with different values.

The right thing to do is to set create mask to 660 or 664 maximum, set the SGID bit on the parent directory, and have the parent directory owned by the appropriate group.

The SGID bit on the parent directory makes all files created in the directory inherit the group.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Matti_Kurkela
Honored Contributor

Re: help with samba on sles 10

The "create mask" option restricts the permissions of the file to be _no more than_ the value of the option. But the client can create files with _fewer_ permissions.

To force the Samba-generated file to have _at least_ certain permissions, you must use the "force create mode" parameter.

If you set:

create mask = 0664
force create mode = 0660

it means the user and the group can always both read & write, but the user still has the freedom to choose whether non-members can read the file or not.

To specify exactly what permissions the files should have, set both "create mask" and "force create mode" to the same value.

For directories, there is a "force directory mode" parameter which works the same way.

MK
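The mask-then-force arithmetic from the replies above, as an added example that is not part of the original thread: it reads `create mask` and `force create mode` from a share section and shows the resulting file mode, flagging group-writable and world-writable results. The section names and the requested modes are constructed for illustration; the fallback values 0744 and 0000 are Samba's documented defaults for the two parameters.

```python
import configparser

# Samba's documented defaults when a share does not set the parameter.
DEFAULTS = {"create mask": 0o744, "force create mode": 0o000}

def share_modes(conf_text, share):
    """Return (create mask, force create mode) for one share section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp[share]
    return tuple(int(sec[k], 8) if k in sec else d for k, d in DEFAULTS.items())

def effective_mode(requested, create_mask, force_create_mode):
    """AND with the mask (upper bound), then OR in the forced bits (lower bound)."""
    return (requested & create_mask) | force_create_mode

def audit(conf_text, share, requested_modes):
    """Map each requested mode to (result, group_writable, world_writable)."""
    mask, force = share_modes(conf_text, share)
    out = {}
    for req in requested_modes:
        mode = effective_mode(req, mask, force)
        out[req] = (mode, bool(mode & 0o020), bool(mode & 0o002))
    return out

# Constructed fragments: "posted" mirrors the [groups] setting from the question,
# "suggested" uses the values from the reply, "exact" sets both to one value.
SAMPLE = """
[posted]
create mask = 0777
[suggested]
create mask = 0664
force create mode = 0660
[exact]
create mask = 0660
force create mode = 0660
"""

# Constructed stand-ins for the mode Samba derives from the client's request.
REQUESTED = [0o744, 0o600, 0o766]

if __name__ == "__main__":
    for share in ("posted", "suggested", "exact"):
        for req, (mode, gw, ww) in audit(SAMPLE, share, REQUESTED).items():
            print(f"{share:9} requested {req:04o} -> {mode:04o} "
                  f"group-write={gw} world-write={ww}")
```

With the posted setting a 0744 request stays 0744 (no group write) while a 0766 request becomes world-writable; the suggested pair always yields group read and write and never world write.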