Samba and XP permissions management

Gary gary at mups.co.uk
Fri Apr 6 11:40:19 UTC 2007


Hi,

I've set up samba3 in FreeBSD with a "Stuff" share under the
user/group "bob/bob" with permission 770. I've also added an ACL
to this dir to allow "joe" r-x access to the directory as
well as ensuring the default ACL is nothing more than rwx for
user/group.

So far the ACLs in unix work and access appears to be correct
when connecting from XP to the samba share. When I
create a folder in "holidayphotos" as user "bob" from XP in the
share, the "holidayphotos" dir has the default permissions

    drwxrwx---+   gary gary   holidayphotos

With the ACL being the defaults previously set. This is as
expected based on the ACL and smb.conf setup.

Now I want to allow "joe" to have read/execute access to the
holidayphotos directory. I could do this by logging into the server
and using

    setfacl -m u:joe:rx holidayphotos

However, I want to instead be able to simply right click the
folder at the time I created it in XP, select properties, go
to the security tab click add (or go via advanced) and then add
"joe" to the permissions list.

The problem I'm facing is that "check names" will not accept
joe as a valid name. The only way I've been able to do this is
to add to the share config in smb.conf

    admin users = bob;

Is there any way to allow bob to add new permissions without this?
Without it, bob can only change existing permissions.

The reason I'd like to avoid this, is that now when I create
files, they're defaulted to "root:bob" which means I now also
have to set "inherit owner = yes" to ensure new files I create
are assigned to "bob:bob", this has the side effect that should
any other users create files in subfolders, those files are also
auto switched to "bob:bob"

However, the biggest reason is that if joe creates (or has
a folder created for him) called joes-photos and joe wishes to
allow "mandy" access to view the directory contents, he is unable
to add mandy due to the above check names problem. He would also
now have to be an admin of the share, which isn't going to happen.

From what I can tell, my options are to always admin ACL permissions
via ssh, or not allow users to create folders outside of shares they're
admins of, which although possible may be a little more inconvenient.

Any alternatives or a config option I've missed?



One other quick question regarding ACL.

If I create a directory with "root:wheel rwxr-x--- testing" is there any
way to add a user "bob" with rwx permissions to the ACL of that directory
without the wheel group having to change to rwx to prevent "bob"
getting an effective "r-x" permission?

Currently I'm using a dummy group with rwx by default to avoid this.


Thanks,

Gary