[plug] Samba group awareness

Ryan ryan at is.as.geeky.as
Thu Mar 25 12:21:28 WST 2004


Howdy PLUG,

Some of you may have caught on that I'm testing out Samba in my
minuscule amounts of spare time at work with the view of replacing our
NT file servers.  I plan to document what I discover eventually, however
this generally hinges on the fact that I actually make some discoveries
:)

If you can't be bothered reading all this, please don't, but I know at
least one other person on the list doing *exactly* this and several
others who are vaguely interested in it .. hence the post.

I've now got Samba 3.0x running as a PDC with POSIX ACLs and extended
attributes.  I've got domain login scripts and roaming profiles all
working fine.  The permissions side is going okay, but I'm having some
grief with groups.

Everything below is written from the perspective that I am trying to
replicate as much Windows client permissions management as possible.  By
this I mean that if I am logged in with a domain administrator account
on any client on a pure Windows network, I can perform a large degree of
permissions management from that client on the file shares.  I can
add/remove user/group permissions on files/directories etc. as if I was
doing it on the box holding the shares.   This is to assist in letting
'complete morons' do some of the admin of file permissions without
letting them run riot on the Linux box.

Extending this idea to the Samba network, I'd like to be able to have
the same level of control from a Windows client over the Samba shares. 
Currently the only way to really do what I want is from the console with
setfacl.  I can happily assign all the permissions I want from there and
they show up in the Properties Security tab on the file/directory on
Windows clients.   The problem is that groups don't seem to translate
beyond the Linux box.  For example, the groups permissions (which can be
as extensive as you want with ACLs) set with setfacl on the console show
up correctly on the Windows clients' security tabs, but they can't
really be managed from there.  If I wanted to add another group to the
file permissions, the list of accounts I have to choose from contains no
groups, just normal users and the Windows built-in accounts.

With a pure Windows network and PDC, the list of groups appears in the
account selection on any Windows client, so they can effectively do all
the permissions management necessary.

Is there any way anyone knows to get the Linux groups to appear as group
accounts on the Windows clients, or is the 'cost' of such a Samba setup
the need to admin this kind of stuff from the console?

Mildly irrelevant banter about ACLs for those interested:
--------------------------------------------------------
Another note, as Tony pointed out with ACLs, is that only the owner of a
file can modify them.   Despite the fact that Samba lets you define
administrator accounts, it still can't overcome this.  Luckily, those
accounts defined as administrator accounts can take ownership of said
files and then adjust the permissions.  You can't then give the
ownership of the file back to the original owner, but neither can a pure
Windows network.

Please challenge all my conclusions, I hope I'm wrong with a lot of them :)

Thanks,

Ryan



