<br><meta charset="utf-8"><div><br><div class="gmail_quote">On Tue, Aug 9, 2011 at 11:54 AM, Craig White <span dir="ltr"><<a href="mailto:craig.white@ttiltd.com">craig.white@ttiltd.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im"><br>
On Aug 9, 2011, at 9:02 AM, Les Mikesell wrote:<br>
<br>
> On 8/9/2011 10:44 AM, Craig White wrote:<br>
>><br>
>>> There's probably a way to add apache to that group with a configuration<br>
>>> on the local machine so it doesn't have to query your ADS/NMB server.<br>
>>> Not sure about the details but the docs at <a href="http://samba.org/samba/docs/" target="_blank">http://samba.org/samba/docs/</a><br>
>>> are invaluable.<br>
>> ----<br>
>> I'm quite sure that if all the files are owned by the 'department_a' group and 'readable' by user apache as I have indicated, they should be with the given configuration, there's absolutely no need to do any mucking with local users or groups at all.<br>
>><br>
>> The reality is that this machine will query AD/NMB server each time a non-local user does anything on this system (read or write) and the only thing that will lighten that load is something like NSCD (good luck with that - not always a great option with samba).<br>
><br>
> Really? I thought samba would map a connection to a uid at connect time.<br>
</div>----<br>
indeed it does but that doesn't mean that the system won't keep polling the authoritative account info source.<br>
----<br>
<div class="im">><br>
>> There are two important features of what I proposed...<br>
>> - sgid means that all files/folders created within will always belong to department_a group<br>
><br>
> You can also do a 'force group' in the samba config for a share instead<br>
> of or besides the sgid directory.<br>
</div>----<br>
true but:<br>
1 - force anything seems to be a little heavy handed<br>
2 - using sgid means that anyone using a shell will also create files/directories with the same group - using 'force group' only has implications for samba connections. Using sgid encompasses all methods of access.<br>
----<br>
<div class="im">><br>
>> - create mask 664& directory mask 775 means that each file& directory created - group will always get rw privileges and everyone else (ie user apache) has 'read' privileges.<br>
>><br>
>> The only weakness of this theory as I see it, is that there very well may be files - perhaps config files that you wouldn't want anyone to be able to see and you probably will have to have some<Directory> restrictions in Apache's configuration to prevent web users from accessing them.<br>
><br>
> There are also likely situations where the web server needs write<br>
> access, although those cases should be handled carefully or avoided<br>
> where possible.<br>
<br>
</div>----<br>
indeed<br>
<font color="#888888"><br>
Craig<br>
</font><div><div></div><div class="h5">_______________________________________________<br>
CentOS mailing list<br>
<a href="mailto:CentOS@centos.org">CentOS@centos.org</a><br>
<a href="http://lists.centos.org/mailman/listinfo/centos" target="_blank">http://lists.centos.org/mailman/listinfo/centos</a><br>
</div></div></blockquote></div><br></div><div><br></div><div><meta charset="utf-8">Excellent advice thank you!!!<div><br></div><div>I was very close to the same conclusion, but have never messed with SGID , but that definately helps especially as I make changes on the command line side while my users do it via Samba.</div>
<div><br></div><div>Also a side note...NONE of this will work if your testing creating files from a Mac. You have to add "<span class="Apple-style-span" style="border-collapse: collapse; font-family: Verdana, Geneva, Helvetica, Arial, sans-serif; font-size: 13px; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; ">unix extensions = no </span>" to the Samba global config section. Once I did that the create mask and directory mask options began to work.</div>
<div><br></div><div>Now I have a new requirement passed to me, which is a bit more complicated.</div><div><br></div><div>How would I allow individual users the ability only to access specific subfolders within that share without them being a part of the department_a group? My initial idea was to make use of ACLs, but if the POSIX permissions don't allow them write access, then ACLs won't help, will they ? The model is I need users of group department_a to have full control over this share while allowing individual faculty members to access only their personal folders within this share.</div>
<div><br></div><div><br></div><div>Thanks again,</div><div>- Trey</div></div>