[nflug] Samba

Darin Perusich Darin.Perusich at cognigencorp.com
Thu Aug 7 17:23:42 EDT 2008



Robert Wolfe wrote:
> 
> Basically, we have a Windows 2000 Advanced Server file server set up on our 
> network.  Each department has its own group set up and each user can be in 
> one or more department.  Each department has its own folder set up on the 
> file server.  So, for instance, our billing department can only access the 
> billing folder, but not the Systems folder, whereas the Systems department 
> (where I work) has access to the Systems folder and every other folder.  
> There are also departments that overlap, too.  For example, our networking 
> department's folder is shared by Systems and Networking, but no one else.
> 

There are a few ways you can go about accomplishing this: assigning your 
users to multiple groups or using ACLs. Using ACLs will likely be 
simplest and is what I'll talk about.

Firstly, make sure your shared file system has 'acl' enabled; additionally, 
enabling 'user_xattr' won't be a bad idea either. You'll need to use 
either ext2, ext3, or reiserfs file systems to use ACLs. Update column 
4 in /etc/fstab to read 'acl,user_xattr' instead of 'defaults' to mount 
with these options at boot. To enable them on an already mounted FS use this 
command...

# mount -o acl,user_xattr,remount /shared

The commands getfacl and setfacl, part of the acl package, are used to 
view and assign ACLs on directories and files.

So you have two groups, systems and billing, and two shared folders with 
the same names. The perms on the folders are such that only the 
associated group members can read/write/access their respective folders.

# ls -l /shared
total 8
drwxrwx--- 2 root billing 4096 Aug  7 16:59 billing
drwxrwx--- 2 root systems 4096 Aug  7 16:59 systems

Using ACLs you can allow members of the systems group read+write access 
to the billing directory; this is where setfacl comes into play.

# setfacl -m g:systems:rwx billing
# ls -l
total 12
drwxrwx---+ 2 root billing 4096 Aug  7 16:59 billing
drwxrwx---  2 root systems 4096 Aug  7 16:59 systems

You'll notice there is now a + trailing the permissions column; this 
denotes there are extended attributes on the directory, which can be 
viewed with getfacl.

# getfacl billing/
# file: billing
# owner: root
# group: billing
user::rwx
group::rwx
group:systems:rwx
mask::rwx
other::---

Now members of the systems and billing groups have read+write access to 
the billing directory.

> I know with Windows 2000, I can assign multiple groups to each user; what I 
> want to do here is be able to do the same thing with Samba -- both with and 
> without MySQL-based authentication.

You can assign users to multiple groups in Linux as well; use groupadd 
to add more and groupmod to modify which groups your members are assigned to.

-- 
Darin Perusich
Unix Systems Administrator
Cognigen Corporation
395 Youngs Rd.
Williamsville, NY 14221
Phone: 716-633-3463
Email: darinper at cognigencorp.com
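One thing the getfacl listing above does not make obvious is the role of the mask:: entry. Per acl(5), the rights of named groups (and of the owning group) are ANDed with the mask, and a later plain `chmod` on the directory rewrites that mask, so a `group:systems:rwx` entry can silently become r-x. The following is an added example, not code from the original post or from the acl package: it parses getfacl output (the post's listing plus a constructed second listing taken after a hypothetical `chmod 750 billing`) and reports which entries are being cut down by the mask.

```python
"""Effective rights from getfacl output: per acl(5), named users, named groups and
the owning group are ANDed with the mask, which a later chmod 750 rewrites to r-x."""
from typing import Dict, List, Optional, Tuple

# Constructed sample: the post's listing, then the same directory after `chmod 750 billing`.
ACL_AFTER_SETFACL = """\
# file: billing
# owner: root
# group: billing
user::rwx
group::rwx
group:systems:rwx
mask::rwx
other::---
"""
ACL_AFTER_CHMOD = """\
# file: billing
# owner: root
# group: billing
user::rwx
group::rwx                      #effective:r-x
group:systems:rwx               #effective:r-x
mask::r-x
other::---
"""
Entry = Tuple[str, str, str, str]  # (tag, qualifier, granted perms, effective perms)

def _and_perms(a: str, b: str) -> str:
    return "".join(x if x == y else "-" for x, y in zip(a, b))

def parse_getfacl(text: str) -> List[Entry]:
    """Parse one getfacl block, ignoring the '# file:' header and #effective hints."""
    raw = [tuple(l.split("#", 1)[0].strip().split(":"))
           for l in text.splitlines() if l.split("#", 1)[0].strip()]
    mask = next((p for t, _, p in raw if t == "mask"), None)
    out: List[Entry] = []
    for tag, qual, perms in raw:
        # the mask applies to named users and to every group entry, not to owner/other
        masked = mask is not None and ((tag == "user" and qual) or tag == "group")
        out.append((tag, qual, perms, _and_perms(perms, mask) if masked else perms))
    return out

def effective_for_group(text: str, group: str) -> Optional[str]:
    return next((e[3] for e in parse_getfacl(text) if e[0] == "group" and e[1] == group), None)

def masked_entries(text: str) -> Dict[str, str]:
    """Entries whose granted rights exceed what the mask lets through."""
    return {f"{t}:{q}": eff for t, q, p, eff in parse_getfacl(text) if eff != p}

if __name__ == "__main__":
    print(masked_entries(ACL_AFTER_CHMOD))  # {'group:': 'r-x', 'group:systems': 'r-x'}
```

Running `getfacl` through a check like this after any chmod on an ACL-bearing share is a quick way to catch access that was granted with setfacl but is no longer effective.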