Samba and Local System Permission Conflict
Hi all, I'm new to the forums but not to Linux; long-time fan since RH 7.2 and stuck with it ever since.
I have an FC3 server that has Samba ver. 3.0.10 on it. It is a PDC for two different departments, but they are on the same domain. It has two interfaces too, one for each department.
In one department, the manager must be able to read, write and execute files from certain users' home folders. Also, the other department must not be able to see the others' files either.
Currently the users have little, if any, security applied in Samba or on the FS. I have looked for ways to enable this kind of setup but had no luck, so I am asking here first because I trust the experts here. I just took over this server, so any config entries were made by the previous tech.
Config Files (Edited for Privacy):
[global]
workgroup = DOMAIN
server string = DOMAIN01
netbios name = DOMAIN01
security = user
encrypt passwords = yes
os level = 64
domain master = yes
domain logons = yes
preferred master = yes
local master = yes
guest account = nobody
map to guest = bad user
logon path = \\DOMAIN01\users\%U\profile
add machine script = /usr/sbin/useradd -d /dev/null -s /bin/false -M %m$
printcap name = /etc/printcap
printing = bsd
printer admin = @wheel,@dept1,@dept2
queuepause command = /usr/sbin/lpc -P%p stop
queueresume command = /usr/sbin/lpc -P%p start
username map = /etc/samba/users.map
admin users = @wheel
#logon drive = H:
logon script = %G.bat
#hide files = /desktop.ini/Desktop.ini/NTUSER.ini
#passwd program = /usr/bin/passwd %u
#passwd chat= *New*password* %n\n *Retype*new*passwordn* %n\n
#unix password sync = yes
hide unreadable = yes
interfaces = 192.168.1.5/255.255.255.0 172.16.80.5/255.255.248.0
wins support = yes
time server = yes
[netlogon]
comment = NetLogon
path = /opt/samba/netlogon
writable = no
write list = @wheel
[users]
comment = Users home folders
path = /opt/samba/users
browseable = yes
read only = no
create mode = 640
directory mode = 751
If there is anything else that you want posted, let me know and I'll post it. The end result I am looking for is to have the manager of each dept look at certain members in their dept, but have each dept separate from each other.
One question I had was: once the home directories are created and shared, is it possible to create a share in smb.conf that reflects the share permissions for an individual user's folder, or is the home folder governed by inheritance from the parent folder?
Any insight on this would be much appreciated. Thanks for all your help.
I answered my own question:
The command getfacl will view the current Access Control Lists on folders and files. setfacl will set the appropriate permissions on the files or folders. This allows for the fine-grained control I was looking for. Wonderful thing this internet is.
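
How the getfacl/setfacl approach could be applied to the layout described in this thread, as an added example that is not part of the original posts. The account names dept1mgr, alice and bob are constructed, and it assumes the filesystem holding /opt/samba/users is mounted with ACL support.

```shell
#!/bin/sh
# Added example. dept1mgr, alice and bob are constructed names;
# /opt/samba/users is the share path from the posted smb.conf.
HOMES=${HOMES:-/opt/samba/users}

# Dry run by default: print each command. APPLY=1 executes it (as root).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Accept plain account names only, so no argument can point outside $HOMES.
valid_name() {
    case $1 in
        ''|.|..|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# grant_manager MANAGER USER...
# Give MANAGER read/write/execute on each listed user's home folder.
grant_manager() {
    mgr=$1; shift
    valid_name "$mgr" || { echo "bad manager name: $mgr" >&2; return 1; }
    for u in "$@"; do
        valid_name "$u" || { echo "bad user name: $u" >&2; return 1; }
        d=$HOMES/$u
        # Drop "other" so the second department cannot list or read the folder.
        run setfacl -R -m o::--- "$d"
        # Access ACL on what exists now; X adds execute only to directories
        # and to files that are already executable.
        run setfacl -R -m "u:$mgr:rwX" "$d"
        # Default ACL on directories, inherited by files and folders created later.
        run find "$d" -type d -exec setfacl -m "d:u:$mgr:rwx,d:o::---" {} +
        # Show the result, including the mask and any "#effective" rights.
        run getfacl "$d"
    done
}

# Dry run with the constructed names.
grant_manager dept1mgr alice bob
```

On newly created files the ACL mask is taken from the group bits of the creation mode, so with create mode = 640 the manager's effective rights on files written through Samba can end up read-only. getfacl shows this as an "#effective" comment next to the manager's entry.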