Samba share for user groups with Ubuntu. A user can’t access files created by other users


Question

I have a folder mounted by using NFS on the server. That folder has subdirectories, and I want to share specific folders to specific user groups by using SAMBA.

It doesn’t work as expected, because every user can create files, but then they can only access their own files, and not the files from others.

The NFS mount on the Samba server:

172.16.54.56:/export/proyectos on /proyectos type nfs (rw,noatime,rsize=131072,wsize=131072,acregmin=10,acl,nfsvers=3,addr=172.16.54.56)

There’s only one folder right now:

drwsrws---+ 22 root proyecto-innovacion 3,9K 2012-08-30 11:40 innovacion

And then, there’s files from both users:

-rw-rwxr--+  1 jorge.suarez  proyecto-innovacion     0 2012-08-30 12:10 Archivo de Prueba
-rw-rwx---+  1 maria.tenorio proyecto-innovacion   42K 2012-07-30 11:55 correos.xlsx

That ‘+’ is because of an ACL, set so that new files get proper permissions and can always be accessed by the groups. This is the only ACL I’m using on the NFS server:

 # setfacl -d -m mask:007 /export/proyectos

In fact, both users can access each other’s files by using NFS.

If I understand the output from this command correctly, both users are mapped correctly to the Samba groups, just in case.

# net user info jorge.suarez
Enter root's password:
Domain Users         
proyecto-innovacion  
# net user info maria.tenorio
Enter root's password:
Domain Users         
proyecto-innovacion

Here’s the smb.conf. I also have a homes section but I’ve omitted it:

[global]
    workgroup = WORKGROUP
    netbios name = SAMBASRV
    server string = %h server (Samba, Ubuntu)
    interfaces = 127.0.0.0/8, eth0
    passdb backend = ldapsam:"ldap://10.1.176.237"
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    dns proxy = No
    ldap admin dn = "cn=Directory Manager"
    ldap group suffix = ou=Groups,ou=CITIUS
    ldap suffix = dc=inv,dc=usc,dc=es
    ldap ssl = no
    ldap user suffix = ou=People,ou=CITIUS
    panic action = /usr/share/samba/panic-action %d
    hosts allow = 172.16.54., 127.
    hosts deny = all
    strict locking = No
[innovacion]
    comment = Proyecto innovacion
    path = /proyectos/%S
    valid users = @proyecto-innovacion
    read only = No
    create mask = 0770
    directory mask = 0770
    browseable = No
    browsable = No

To summarize the problem, the user that creates the file can access his own file, but not the others’ files.
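A caveat on the share definition above, added here as an example and not part of the original question or answer: `create mask` and `directory mask` only ever clear bits (Samba ANDs them with the mode the client asks for), so they cannot add group bits a client did not request. `force create mode` and `force directory mode` are ORed in afterwards and guarantee the group bits regardless of the client; `inherit permissions` makes new files take their read/write bits from the parent directory and new directories inherit the parent's mode including setgid; `force group` makes every file created through the share owned by the project group. The fragment below is the [innovacion] share rewritten that way (the group name is the one from the question; the values are assumptions about the desired policy). Whether the NFS server then honours the resulting mode is a separate matter that this fragment does not address.

```ini
[innovacion]
    comment = Proyecto innovacion
    path = /proyectos/%S
    valid users = @proyecto-innovacion
    read only = No
    browseable = No
    ; Group ownership of everything created through this share (assumption: desired policy)
    force group = proyecto-innovacion
    ; Masks only remove bits: a client requesting 0644 still ends up as 0640 here
    create mask = 0770
    directory mask = 2770
    ; Forced modes add bits after masking, so group rw/rwx is guaranteed
    force create mode = 0660
    force directory mode = 2770
    ; New entries copy their mode from the parent (directories keep setgid)
    inherit permissions = yes
```

Check the result with `testparm -s` before reloading, and verify on the server with `ls -l` as each user rather than trusting the client's view of the permissions.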

Answer

I had to give up using ACLs via NFS. The mask is not working properly.

I use inotify now instead, with a little script launched at startup:

#!/bin/bash
# Directory name as argument. You MUST set it also down there before using it!
LOGFILE="/tmp/inotify-log.tmp"
inotifywait -mrq -e attrib,moved_to,create --format %w%f "$1" | while read -r FILE ; do
    # Ignore root FIXME you have to put here all possible root arguments
    if [ -d "$FILE" ] && [ "$FILE" == "/export/proyectos" ] || [ "$FILE" == "/export/proyectos/" ] ; then
        continue;
    fi
    # Get new permissions (octal, 3 or 4 digits, e.g. 660 or 2771)
    PERMISOS=$(stat -c %a "$FILE")
    if [ -d "$FILE" ] ; then
        # Directories must be setgid + rwxrwx--x
        if [ "$PERMISOS" -ne 2771 ] ; then
            NUEVOSPERMISOS=2771
        else
            NUEVOSPERMISOS=0
        fi
    else
        # Split the mode into special / user / group / other digits
        if [ ${#PERMISOS} -eq 3 ] ; then
            PERMISOS_ADICIONALES=0
            PERMISOS_USUARIO=${PERMISOS:0:1}
            PERMISOS_GRUPO=${PERMISOS:1:1}
            PERMISOS_OTROS=${PERMISOS:2:1}
        else
            PERMISOS_ADICIONALES=${PERMISOS:0:1}
            PERMISOS_USUARIO=${PERMISOS:1:1}
            PERMISOS_GRUPO=${PERMISOS:2:1}
            PERMISOS_OTROS=${PERMISOS:3:1}
        fi
        # Check permissions: group must match user, others must have none
        if [ "$PERMISOS_USUARIO" -ne "$PERMISOS_GRUPO" ] || [ 0 -ne "$PERMISOS_OTROS" ] ; then
            NUEVOSPERMISOS=${PERMISOS_ADICIONALES}${PERMISOS_USUARIO}${PERMISOS_USUARIO}0
        else
            NUEVOSPERMISOS=0
        fi
    fi
    # Set permissions (0 means nothing to change)
    if [ "$NUEVOSPERMISOS" -ne 0 ] ; then
        chmod "$NUEVOSPERMISOS" "$FILE"
        # Debug output
        OUTPUT="$(date) : $FILE ($PERMISOS -> $NUEVOSPERMISOS)"
        echo "$OUTPUT" >> "$LOGFILE"
    fi
done

The permissions are fixed now by this script, instead of falling back on ACLs via NFS.
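The answer's script changes modes as soon as inotify reports them, which makes it hard to see what it would do before switching it on, and leaves no way to check a tree that was populated while the script was down. The block below is an added example, not the poster's script: it isolates the same normalisation rule (directories 2771; files with group bits equal to owner bits and no "other" bits) into a pure function `normalize_mode`, and adds a read-only `audit_tree` that reports every entry the rule would change without touching anything. It assumes GNU `stat -c %a` and GNU `find -mindepth`, as the original does; the sample tree built by `demo` is constructed for illustration, with one file deliberately given the `-rw-rwxr--` mode from the question.

```shell
#!/bin/bash
# normalize_mode MODE KIND: MODE is the octal string from `stat -c %a`
# (3 or 4 digits), KIND is "d" for a directory or "f" for a file.
# Prints the mode chmod should apply, or "0" when already compliant.
normalize_mode() {
    local mode=$1 kind=$2 special user group other
    if [ "$kind" = d ]; then
        # Directories: setgid + rwxrwx--x, exactly as the answer's script wants
        if [ "$mode" != 2771 ]; then echo 2771; else echo 0; fi
        return
    fi
    # Pad to 4 digits so the special-bits digit is always in position 1
    [ ${#mode} -eq 3 ] && mode="0$mode"
    special=$(printf '%s' "$mode" | cut -c1)
    user=$(printf '%s' "$mode" | cut -c2)
    group=$(printf '%s' "$mode" | cut -c3)
    other=$(printf '%s' "$mode" | cut -c4)
    # Group must mirror the owner, and "other" must have no access
    if [ "$user" != "$group" ] || [ "$other" != 0 ]; then
        echo "${special}${user}${user}0"
    else
        echo 0
    fi
}

# audit_tree ROOT: print "PATH CURRENT -> WANTED" for every entry below ROOT
# that the rule would change. Changes nothing. ROOT itself is skipped
# (-mindepth 1), like the hard-coded root check in the answer's script.
audit_tree() {
    local root=$1 entry cur kind want
    # Heredoc instead of a pipe so the loop runs in this shell, not a subshell
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        cur=$(stat -c %a "$entry")
        if [ -d "$entry" ]; then kind=d; else kind=f; fi
        want=$(normalize_mode "$cur" "$kind")
        if [ "$want" != 0 ]; then
            printf '%s %s -> %s\n' "$entry" "$cur" "$want"
        fi
    done <<EOF
$(find "$root" -mindepth 1 \( -type d -o -type f \))
EOF
}

# demo: constructed sample tree (not real data) exercised by audit_tree
demo() {
    local tmp
    tmp=$(mktemp -d)
    mkdir "$tmp/innovacion"
    chmod 2771 "$tmp/innovacion"                   # compliant directory
    mkdir "$tmp/innovacion/sub"
    chmod 0755 "$tmp/innovacion/sub"               # missing setgid and group write
    : > "$tmp/innovacion/correos.xlsx"
    chmod 0660 "$tmp/innovacion/correos.xlsx"      # compliant file
    : > "$tmp/innovacion/Archivo de Prueba"
    chmod 0674 "$tmp/innovacion/Archivo de Prueba" # -rw-rwxr-- as in the question
    audit_tree "$tmp"
    rm -rf "$tmp"
}

demo
```

Run the audit against the share root from cron or before enabling the inotify watcher; because it only reports, it is also a cheap check that the watcher is still keeping up. The quoting of `"$entry"` matters: the question's own sample file name contains spaces, and an unquoted test would split it.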
