Les Mikesell wrote:
> Ted Miller wrote:
>>
>>> After this, a windows user mapping a samba-shared directory from your
>>> office2 machine will have the same access as the same user logged in
>>> locally. There are the same issues with directories that users share
>>> with group permissions, but samba offers some extra options to force
>>> owner/group/permissions on newly created files that will help.
>>
>> That is something I need to fix, because I do have some issues with
>> group accessed files, where certain operations require me to log in as
>> root and run a script that cleans up the file ownership, otherwise
>> some users can no longer access the files. Any pointers on where to
>> find documentation on this?
>
> Newly created files default to having the group ownership of the primary
> group of the user creating it, and the RH scheme is to give every user
> his own group. You can do something like this in the samba share
> configuration:
> valid users = @groupname
> force group = groupname
> force create mode = 0775
> force directory mode = 0775

How about if I just change the primary user group to being the user
group that I want their files' group ownership set to? Would that "just
take care of it" on the group side? Then I could just set the "force
create mode" and "force directory mode".

> You can find samba docs here:
> http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/
>
>> I have been using 'share' mode, but a little reading makes it sound
>> like I should switch to 'user' mode to make my life easier. I have
>> been adding various user permission lines to each share. Will they
>> keep working if I just comment out those lines?
>
> Share vs. user doesn't make a difference in how things work after the
> connection is established - it controls when authentication happens.
> Share mode just lets you browse the share list before authenticating and
> you can connect to different shares with different credentials.
>
>>> You might look at webmin, since it has an option to maintain unix and
>>> samba passwords at the same time and it can also keep multiple
>>> machines in sync.
>>
>> Does anyone maintain webmin for Centos? I have most of the common
>> repos hooked to yum, but webmin draws a blank.
>
> This is one of the reasons I usually install k12ltsp instead of the
> stock centos distribution (you don't lose anything, it just adds some
> extras and makes the updates yummable). You probably can grab the RPM
> directly from the webmin site.

Can I just add a k12ltsp repo and use their webmin?

>>> There is also the issue that users who have root access to their own
>>> workstation can pretend to be any user over NFS.
>>
>> Not an issue in this situation, users do not have root access.
>
> Do they have the same uid/gid, and group lists on their workstations as
> on the file server?

Yes, got that straight a while back.

>>> Centralizing
>>> authentication will help if you have many users and password changes.
>>> But that can be as simple as turning on domain controller emulation
>>> on samba on your office2 server and configuring everything else
>>> (windows and Linux) to use it.
>>
>> Any pointers to where I could learn the implications/pluses/minuses of
>> that? It might be useful with my multiple machines (real and virtual)
>> per user.
>
> Samba authentication for linux just checks that a login/password match.
> You still have to create the users and if you use NFS, make sure the
> uid/gid's are all the same. For windows it works like a domain
> controller and once you've logged in as a windows user, you
> automatically authenticate to the samba shares as the same user and the
> server can force login scripts to run on the client.

I looked at the How-To for domain control, and it looks interesting.
I'll have to dig into that further.

Ted Miller
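
Added example, not part of the original thread and not code from either poster: a read-only audit of a shared tree that reports entries whose group or mode would lock out members of the share's group, which is the situation the root cleanup script was repairing. It assumes the 0775 value from the quoted share settings; the names `audit_share` and `demo` and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

# Bits the quoted share settings OR onto new entries
# ("force create mode" / "force directory mode" = 0775).
REQUIRED_MODE = 0o775


def audit_share(root, expected_gid, required_mode=REQUIRED_MODE):
    """List (relative path, problem) for entries the share group cannot use."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode says nothing about access
            rel = os.path.relpath(path, root)
            if st.st_gid != expected_gid:
                findings.append((rel, "gid %d, expected %d" % (st.st_gid, expected_gid)))
            missing = required_mode & ~stat.S_IMODE(st.st_mode)
            if missing:
                findings.append((rel, "missing mode bits %04o" % missing))
    return sorted(findings)


def demo():
    """Audit a constructed sample tree (not data from the thread)."""
    with tempfile.TemporaryDirectory() as root:
        gid = os.stat(root).st_gid  # stand-in for the "force group" gid
        os.mkdir(os.path.join(root, "docs"))
        os.chmod(os.path.join(root, "docs"), 0o775)
        for name, mode in (("docs/plan.txt", 0o775), ("docs/private.txt", 0o600)):
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return audit_share(root, gid)


if __name__ == "__main__":
    for rel, problem in demo():
        print(rel, "->", problem)
```

An empty result on a real share means the forced group and mode settings are taking effect; anything listed was created outside those settings or before they were applied.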