
I have a folder mounted by using NFS on the server. That folder has subdirectories, and I want to share specific folders to specific user groups by using SAMBA.

It doesn't work as expected, because every user can create files, but then they can only access their own files, and not the files from others.

The NFS mount on the Samba server:

    172.16.54.56:/export/proyectos on /proyectos type nfs (rw,noatime,rsize=131072,wsize=131072,acregmin=10,acl,nfsvers=3,addr=172.16.54.56)

There's only one folder right now:

    drwsrws---+ 22 root proyecto-innovacion 3,9K 2012-08-30 11:40 innovacion

And then, there are files from both users:

    -rw-rwxr--+ 1 jorge.suarez  proyecto-innovacion   0 2012-08-30 12:10 Archivo de Prueba
    -rw-rwx---+ 1 maria.tenorio proyecto-innovacion 42K 2012-07-30 11:55 correos.xlsx

That '+' is because of an ACL, set so that new files get proper permissions and can always be accessed by the groups. This is the only ACL I'm using on the NFS server:

    # setfacl -d -m mask:007 /export/proyectos

In fact, both users can access each other files by using NFS.

If I understand the output of this command correctly, both users are mapped correctly to the Samba groups, just in case.

    # net user info jorge.suarez
    Enter root's password:
    Domain Users
    proyecto-innovacion
    # net user info maria.tenorio
    Enter root's password:
    Domain Users
    proyecto-innovacion

Here's the smb.conf. I also have a homes section but I've omitted it:

    [global]
        workgroup = WORKGROUP
        netbios name = SAMBASRV
        server string = %h server (Samba, Ubuntu)
        interfaces = 127.0.0.0/8, eth0
        passdb backend = ldapsam:"ldap://10.1.176.237"
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        ldap admin dn = "cn=Directory Manager"
        ldap group suffix = ou=Groups,ou=CITIUS
        ldap suffix = dc=inv,dc=usc,dc=es
        ldap ssl = no
        ldap user suffix = ou=People,ou=CITIUS
        panic action = /usr/share/samba/panic-action %d
        hosts allow = 172.16.54., 127.
        hosts deny = all
        strict locking = No

    [innovacion]
        comment = Proyecto innovacion
        path = /proyectos/%S
        valid users = @proyecto-innovacion
        read only = No
        create mask = 0770
        directory mask = 0770
        browseable = No
        browsable = No

To summarize the problem: the user that creates a file can access his own file, but not the others' files.

1 Answer


I had to give up using ACLs via NFS. The mask is not working properly.

I use inotify now instead, with a little script launched at startup:

    #!/bin/bash
    # Directory name as argument. You MUST set it also down there before using it!
    LOGFILE="/tmp/inotify-log.tmp"

    inotifywait -mrq -e attrib,moved_to,create --format %w%f "$1" | while IFS= read -r FILE ; do
        # Ignore root FIXME you have to put here all possible root arguments
        # (the two path tests are grouped so the && / || combination means what it says)
        if [ -d "$FILE" ] && { [ "$FILE" = "/export/proyectos" ] || [ "$FILE" = "/export/proyectos/" ]; } ; then
            continue
        fi

        # Get new permissions (the file may already be gone by the time the event is handled)
        PERMISOS=$(stat -c %a "$FILE") || continue

        if [ -d "$FILE" ] ; then
            # Directories: setgid + rwxrwx--x, so new entries inherit the project group
            if [ "$PERMISOS" -ne 2771 ] ; then
                NUEVOSPERMISOS=2771
            else
                NUEVOSPERMISOS=0
            fi
        else
            # Split the octal mode into digits: 3 digits, or 4 when setuid/setgid/sticky is set
            if [ ${#PERMISOS} -eq 3 ] ; then
                PERMISOS_ADICIONALES=0
                PERMISOS_USUARIO=${PERMISOS:0:1}
                PERMISOS_GRUPO=${PERMISOS:1:1}
                PERMISOS_OTROS=${PERMISOS:2:1}
            else
                PERMISOS_ADICIONALES=${PERMISOS:0:1}
                PERMISOS_USUARIO=${PERMISOS:1:1}
                PERMISOS_GRUPO=${PERMISOS:2:1}
                PERMISOS_OTROS=${PERMISOS:3:1}
            fi

            # Check permissions: group must equal owner, others must have none
            if [ "$PERMISOS_USUARIO" -ne "$PERMISOS_GRUPO" ] || [ 0 -ne "$PERMISOS_OTROS" ] ; then
                NUEVOSPERMISOS=${PERMISOS_ADICIONALES}${PERMISOS_USUARIO}${PERMISOS_USUARIO}0
            else
                NUEVOSPERMISOS=0
            fi
        fi

        # Set permissions
        if [ "$NUEVOSPERMISOS" -ne 0 ] ; then
            chmod "$NUEVOSPERMISOS" "$FILE"
            # Debug output
            OUTPUT="$(date) : $FILE ($PERMISOS -> $NUEVOSPERMISOS)"
            echo "$OUTPUT" >> "$LOGFILE"
        fi
    done

The permissions are now fixed by this script, instead of falling back on ACLs via NFS.
