On Tue, Aug 9, 2011 at 11:54 AM, Craig White <craig.white at ttiltd.com> wrote:
>
> On Aug 9, 2011, at 9:02 AM, Les Mikesell wrote:
>
> > On 8/9/2011 10:44 AM, Craig White wrote:
> >>
> >>> There's probably a way to add apache to that group with a configuration
> >>> on the local machine so it doesn't have to query your ADS/NMB server.
> >>> Not sure about the details but the docs at http://samba.org/samba/docs/
> >>> are invaluable.
> >> ----
> >> I'm quite sure that if all the files are owned by the 'department_a' group and 'readable' by user apache as I have indicated, they should be with the given configuration, there's absolutely no need to do any mucking with local users or groups at all.
> >>
> >> The reality is that this machine will query AD/NMB server each time a non-local user does anything on this system (read or write) and the only thing that will lighten that load is something like NSCD (good luck with that - not always a great option with samba).
> >
> > Really? I thought samba would map a connection to a uid at connect time.
> ----
> indeed it does but that doesn't mean that the system won't keep polling the authoritative account info source.
> ----
> >
> >> There are two important features of what I proposed...
> >> - sgid means that all files/folders created within will always belong to department_a group
> >
> > You can also do a 'force group' in the samba config for a share instead
> > of or besides the sgid directory.
> ----
> true but:
> 1 - force anything seems to be a little heavy handed
> 2 - using sgid means that anyone using a shell will also create files/directories with the same group - using 'force group' only has implications for samba connections. Using sgid encompasses all methods of access.
> ----
> >
> >> - create mask 664 & directory mask 775 means that each file & directory created - group will always get rw privileges and everyone else (ie user apache) has 'read' privileges.
> >>
> >> The only weakness of this theory as I see it, is that there very well may be files - perhaps config files that you wouldn't want anyone to be able to see and you probably will have to have some <Directory> restrictions in Apache's configuration to prevent web users from accessing them.
> >
> > There are also likely situations where the web server needs write
> > access, although those cases should be handled carefully or avoided
> > where possible.
> ----
> indeed
>
> Craig
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

Excellent advice, thank you!!! I was very close to the same conclusion, but have never messed with SGID, but that definitely helps, especially as I make changes on the command line side while my users do it via Samba.

Also a side note... NONE of this will work if you're testing creating files from a Mac. You have to add "unix extensions = no" to the Samba global config section. Once I did that the create mask and directory mask options began to work.

Now I have a new requirement passed to me, which is a bit more complicated. How would I allow individual users the ability only to access specific subfolders within that share without them being a part of the department_a group? My initial idea was to make use of ACLs, but if the POSIX permissions don't allow them write access, then ACLs won't help, will they?

The model is I need users of group department_a to have full control over this share while allowing individual faculty members to access only their personal folders within this share.

Thanks again,

- Trey
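The question at the end of the thread turns on how the POSIX.1e ACL access check orders its entries, so here it is written out as an added example (not from the thread or from Samba). The share root is modelled as mode 2775 owned by root:department_a; the faculty member "bob", his subfolder, the user "alice" and the group names are constructed for the illustration, and the named-user entry on the subfolder is what `setfacl -m u:bob:rwx` would create.

```python
# Model of the POSIX.1e ACL access check, in the order the kernel applies it:
# owner -> named user -> owning group / named groups (masked) -> other.
# Users, groups and folders below are constructed for this illustration.
from dataclasses import dataclass, field
from typing import Optional

R, W, X = 4, 2, 1


@dataclass
class Acl:
    owner: str
    group: str
    user_obj: int                 # ACL_USER_OBJ: the owner's mode bits
    group_obj: int                # ACL_GROUP_OBJ: the owning group's mode bits
    other: int                    # ACL_OTHER
    named_users: dict = field(default_factory=dict)   # ACL_USER entries
    named_groups: dict = field(default_factory=dict)  # ACL_GROUP entries
    mask: Optional[int] = None    # ACL_MASK; absent when only mode bits exist


def allowed(acl: Acl, user: str, groups: set, want: int) -> bool:
    """True if `user`, a member of `groups`, holds every bit in `want`."""
    mask = acl.mask if acl.mask is not None else R | W | X
    if user == acl.owner:                       # owner entry is never masked
        return acl.user_obj & want == want
    if user in acl.named_users:                 # named user, limited by mask
        return acl.named_users[user] & mask & want == want
    matched = False                             # owning group + named groups
    if acl.group in groups:
        matched = True
        if acl.group_obj & mask & want == want:
            return True
    for g, bits in acl.named_groups.items():
        if g in groups:
            matched = True
            if bits & mask & want == want:
                return True
    if matched:                                 # a group matched, none granted
        return False
    return acl.other & want == want             # fall through to "other"


# share root: chmod 2775, group department_a, no extended ACL entries
SHARE_ROOT = Acl("root", "department_a", R | W | X, R | W | X, R | X)
# bob's subfolder after `setfacl -m u:bob:rwx`; the mask is recomputed to rwx
BOBS_FOLDER = Acl("root", "department_a", R | W | X, R | W | X, R | X,
                  named_users={"bob": R | W | X}, mask=R | W | X)
# same subfolder after a later `chmod 750`, which rewrites the mask to r-x
BOBS_FOLDER_750 = Acl("root", "department_a", R | W | X, R | W | X, 0,
                      named_users={"bob": R | W | X}, mask=R | X)
```

Bob, who is not in department_a, reaches the share root through the "other" r-x bits of 2775 and gets rwx on his own folder from the named-user entry; a later chmod on that folder shrinks the mask and with it his effective rights, which is the usual way an ACL silently stops working.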