1. Samba Group Share
1.1. The Problem
A common problem people have when using Samba is having a set of files that are writable by a whole collection of people. By default on many systems, files are created so only the owner of the file can modify that file; in most cases this is true of directories (folders) also.
1.2. Background
UNIX systems provide us with the notion of a group--a list of usernames and a numerical group ID. All files and directories are associated with both a user and a group. When we refer to a group in this document, we are referring to a UNIX group, not a real-world collection of people.
By default, every user in a UNIX system has at least one group, the primary group, which is listed numerically in the /etc/passwd file. A user may also have secondary groups, which are defined in the /etc/group file; a user is a member of a group if he's listed with that group in /etc/group. Usually when a user creates a file, that file is associated with his primary group. On the command line, he may use the chgrp command to change the group of a file; in Samba he doesn't have that ability.
Permissions on user-created files and directories are determined by what is called a umask; typically this restricts access to a newly-created file to the owner of the file.
1.3. The Solution
The first part of the solution is to create a group for people who are going to share files. There are a number of methods you can use to do this, such as groupadd or Webmin.
In the examples below, accounting is the group we've added and Accounting is the Samba share name.
Next, we need to set some options in the share in the Samba config file, smb.conf:
    [Accounting]
        comment = Accounting Share
        path = /home/accounting
        public = no
        writable = yes
        create mode = 0770
        directory mode = 0770
        force group = +accounting
        valid users = @accounting
The create mode option sets the read, write, and execute bits for new files for the owner and the group, which assures group access; everyone else is denied all three. directory mode is similar but applied to directories. force group forces the file to have group accounting instead of the user's primary group. The + only applies that to users who are actually in the accounting group; remove it if that is not the desired behaviour. valid users restricts all access to the share to members of the accounting group; this probably makes the + in force group redundant, but it's better to protect in layers like this than not.
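An added example, not part of the original page: a Python check that a share in smb.conf carries the group-share settings described above. It assumes Samba's documented defaults (create mask 0744, directory mask 0755) and the force group parameter; the function names and both sample configurations are constructed for illustration.

```python
import configparser

# Alternative spellings that smb.conf accepts, folded to one canonical name.
SYNONYMS = {"createmode": "createmask", "directorymode": "directorymask",
            "public": "guestok"}
DEFAULTS = {"createmask": "0744", "directorymask": "0755"}  # Samba defaults

def load_share(conf_text, share):
    """Return one share's parameters on top of the defaults."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(conf_text)
    params = dict(DEFAULTS)
    for key, value in cp[share].items():
        # Samba ignores case and whitespace in parameter names.
        key = "".join(key.split())
        params[SYNONYMS.get(key, key)] = value.strip()
    return params

def audit_group_share(conf_text, share, group):
    """Return a list of findings; an empty list means the share is set up as described."""
    p, findings = load_share(conf_text, share), []
    for name, need in (("createmask", 0o660), ("directorymask", 0o770)):
        mask = int(p[name], 8)
        if mask & need != need:
            findings.append(f"{name} {p[name]}: group lacks required bits")
        if mask & 0o007:
            findings.append(f"{name} {p[name]}: grants access to others")
    if p.get("forcegroup", "").lstrip("+") != group:
        findings.append("force group not set: files keep creator's primary group")
    if f"@{group}" not in p.get("validusers", "").replace(",", " ").split():
        findings.append(f"valid users does not restrict access to @{group}")
    if p.get("guestok", "no").lower() in ("yes", "true", "1"):
        findings.append("guest access is enabled")
    return findings

# Constructed sample inputs (not taken from a real server).
GOOD = """[Accounting]
path = /home/accounting
public = no
writable = yes
create mode = 0770
directory mode = 0770
force group = +accounting
valid users = @accounting
"""
WEAK = "[Accounting]\npath = /home/accounting\nwritable = yes\n"

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("weak", WEAK)):
        print(label, audit_group_share(text, "Accounting", "accounting"))
```

The weak sample relies on the defaults, so it reports files that are not group-writable, access for others, and the missing force group and valid users restrictions.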
1.4. Questions
- Is it necessary to set the executable bit on files on the server in order to execute them? Given that Windows uses extension and not permission to decide whether or not a file is executable, I would expect not. However, a recent Windows client like 2000 or XP might use ACLs and meta-data and do things differently. All the examples in the smb.conf man page had the execute bit set.
1.5. Notes
- What I said about /etc/passwd and /etc/group was a little bit of a fib; there are more ways to get user and group information than these files on System V UNIX systems and Linux systems--see NameServiceSwitch for an explanation.
