</para>
<para>
Consider the following, all are unique Unix names but one single MS Windows file name:
- <programlisting>
+ <computeroutput>
MYFILE.TXT
MyFile.txt
myfile.txt
- </programlisting>
+ </computeroutput>
So clearly, In an MS Windows file name space these three files CAN NOT co-exist! But in Unix
they can. So what should Samba do if all three are present? Answer, the one that is lexically
first will be accessible to MS Windows users, the others are invisible and unaccessible - any
<para>
There are three basic operations for managing directories, <command>create, delete, rename</command>.
- <programlisting>
- Action MS Windows Command Unix Command
- ------ ------------------ ------------
- create md folder mkdir folder
- delete rd folder rmdir folder
- rename rename oldname newname mv oldname newname
- </programlisting>
+ <table>
+ <thead>
+ <row><entry>Action</entry><entry>MS Windows Command</entry><entry>Unix Command</entry></row>
+ </thead>
+
+ <tbody>
+ <row><entry>create</entry><entry>md folder</entry><entry>mkdir folder</entry></row>
+ <row><entry>delete</entry><entry>rd folder</entry><entry>rmdir folder</entry></row>
+ <row><entry>rename</entry><entry>rename oldname newname</entry><entry>mv oldname newname</entry></row>
+ </tbody>
+ </table>
</para>
</sect2>
<title>File and Directory Access Control</title>
<para>
- Explain the anatomy of a directory listing, permissions and what they mean.
+ The network administrator is strongly advised to read foundational training manuals and reference materials
+ regarding file and directory permissions maintenance. Much can be achieved with the basic Unix permissions
+ without having to resort to more complex facilities like POSIX Access Control Lists (ACLs) or Extended
+ Attributes (EAs).
+ </para>
+
+ <para>
+ Unix/Linux file and directory access permissions invloves setting three (3) primary sets of data and one (1) control set.
+ A Unix file listing looks as follows:-
+
+ <screen>
+ <prompt>jht@frodo:~/stuff> </prompt><userinput>ls -la</userinput>
+ total 632
+ drwxr-xr-x 13 jht users 816 2003-05-12 22:56 .
+ drwxr-xr-x 37 jht users 3800 2003-05-12 22:29 ..
+ d--------- 2 jht users 48 2003-05-12 22:29 muchado00
+ d--x--x--x 2 jht users 48 2003-05-12 22:29 muchado01
+ dr-xr-xr-x 2 jht users 48 2003-05-12 22:29 muchado02
+ drwxrwxrwx 2 jht users 48 2003-05-12 22:29 muchado03
+ drw-rw-rw- 2 jht users 48 2003-05-12 22:29 muchado04
+ d-w--w--w- 2 jht users 48 2003-05-12 22:29 muchado05
+ dr--r--r-- 2 jht users 48 2003-05-12 22:29 muchado06
+ drwxrwxrwt 2 jht users 48 2003-05-12 22:29 muchado07
+ drwsrwsrwx 2 jht users 48 2003-05-12 22:29 muchado08
+ ---------- 1 jht users 1242 2003-05-12 22:31 mydata00.lst
+ ---x--x--x 1 jht users 1674 2003-05-12 22:33 mydata01.lst
+ --w--w--w- 1 jht users 7754 2003-05-12 22:33 mydata02.lst
+ --wx-wx-wx 1 jht users 260179 2003-05-12 22:33 mydata03.lst
+ -r--r--r-- 1 jht users 21017 2003-05-12 22:32 mydata04.lst
+ -r-xr-xr-x 1 jht users 206339 2003-05-12 22:32 mydata05.lst
+ -rw-rw-rw- 1 jht users 41105 2003-05-12 22:32 mydata06.lst
+ -rwxrwxrwx 1 jht users 19312 2003-05-12 22:32 mydata07.lst
+ <prompt>jht@frodo:~/stuff></prompt>
+ </screen>
+ </para>
+
+ <para>
+ The columns above represent (from left to right): permissions, no blocks used, owner, group, size (bytes), access date, access time, file name.
+ </para>
+
+ <para>
+ The permissions field is made up of:
+
+ <programlisting>
+ <!-- JRV: Put this into a diagram of some sort -->
+ [ type ] [ users ] [ group ] [ others ] [File, Directory Permissions]
+ [ d | l ] [ r w x ] [ r w x ] [ r w x ]
+ | | | | | | | | | | |
+ | | | | | | | | | | |-----> Can Execute, List files
+ | | | | | | | | | |-------> Can Write, Create files
+ | | | | | | | | |---------> Can Read, Read files
+ | | | | | | | |---------------> Can Execute, List files
+ | | | | | | |-----------------> Can Write, Create files
+ | | | | | |-------------------> Can Read, Read files
+ | | | | |-------------------------> Can Execute, List files
+ | | | |---------------------------> Can Write, Create files
+ | | |-----------------------------> Can Read, Read files
+ | |-----------------------------------> Is a symbolic Link
+ |---------------------------------------> Is a directory
+ </programlisting>
+ </para>
+
+ <para>
+ Any bit flag may be unset. An unset bit flag is the equivalent of 'Can NOT' and is represented as a '-' character.
+ <!-- FIXME -->
+ <programlisting>
+ <title>Example File</title>
+ -rwxr-x--- Means: The owner (user) can read, write, execute
+ the group can read and execute
+ everyone else can NOT do anything with it
+ </programlisting>
+ </para>
+
+ <para>
+ Additional posibilities in the [type] field are: c = character device, b = block device, p = pipe device, s = Unix Domain Socket.
+ </para>
+
+ <para>
+ The letters `rwxXst' set permissions for the user, group and others as: read (r), write (w), execute (or access for directories) (x),r
+ execute only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s),
+ sticky (t).
+ </para>
+
+ <para>
+ When the sticky bit is set on a directory, files in that directory may be unlinked (deleted) or renamed only by root or their owner.
+ Without the sticky bit, anyone able to write to the directory can delete or rename files. The sticky bit is commonly found on
+ directories, such as /tmp, that are world-writable.
+ </para>
+
+ <para>
+ When the set user or group ID bit (s) is set on a directory, then all files created within it will be owned by the user and/or
+ group whose 'set user or group' bit is set. This can be very helpful in setting up directories that for which it is desired that
+ all users who are in a group should be able to write to and read from a file, particularly when it is undesirable for that file
+ to be exclusively owned by a user who's primary group is not the group that all such users belong to.
+ </para>
+
+ <para>
+ When a directory is set <command>drw-r-----</command> this means that the owner can read and create (write) files in it, but because
+ the (x) execute flags are not set files can not be listed (seen) in the directory by anyone. The group can read files in the
+ directory but can NOT create new files. NOTE: If files in the directory are set to be readable and writable for the group, then
+ group members will be able to write to (or delete) them.
</para>
</sect2>
<title>Share Definition Access Controls</title>
<para>
-Explain here about the smb.conf [share] Access Control parameters, Mode and Mask parameters, force user/group, valid/invalid users, etc.
+The following parameters in the &smb.conf; file sections that define a share control or affect access controls.
+Before using any of the following options please refer to the man page for &smb.conf;.
</para>
+ <sect2>
+ <title>User and Group Based Controls</title>
+
+ <para>
+ User and group based controls can prove very useful. In some situations it is distinctly desirable to affect all
+ file system operations as if a single user is doing this, the use of the <emphasis>force user</emphasis> and
+ <emphasis>force group</emphasis> behaviour will achieve this. In other situations it may be necessary to affect a
+ paranoia level of control to ensure that only particular authorised persons will be able to access a share or
+ it's contents, here the use of the <emphasis>valid users</emphasis> or the <emphasis>invalid users</emphasis> may
+ be most useful.
+ </para>
+
+ <para>
+ As always, it is highly advisable to use the least difficult to maintain and the least ambiguous method for
+ controlling access. Remember, that when you leave the scene someone else will need to provide assistance and
+ if that person finds to great a mess, or if they do not understand what you have done then there is risk of
+ Samba being removed and an alternative solution being adopted.
+ </para>
+
+ <table frame='all'><title>User and Group Based Controls</title>
+ <tgroup cols='2'>
+ <thead>
+ <row>
+ <entry align="center">Control Parameter</entry>
+ <entry align="center">Description - Action - Notes</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>admin users</entry>
+ <entry><para>
+ List of users who will be granted administrative privileges on the share.
+ They will do all file operations as the super-user (root).
+ Any user in this list will be able to do anything they like on the share,
+ irrespective of file permissions.
+ </para></entry>
+ </row>
+ <row>
+ <entry>force group</entry>
+ <entry><para>
+ Specifies a UNIX group name that will be assigned as the default primary group
+ for all users connecting to this service.
+ </para></entry>
+ </row>
+ <row>
+ <entry>force user</entry>
+ <entry><para>
+ Specifies a UNIX user name that will be assigned as the default user for all users connecting to this service.
+ This is useful for sharing files. Incorrect use can cause security problems.
+ </para></entry>
+ </row>
+ <row>
+ <entry>guest ok</entry>
+ <entry><para>
+ If this parameter is set for a service, then no password is required to connect to the service. Privileges will be
+ those of the guest account.
+ </para></entry>
+ </row>
+ <row>
+ <entry>invalid users</entry>
+ <entry><para>
+ List of users that should not be allowed to login to this service.
+ </para></entry>
+ </row>
+ <row>
+ <entry>only user</entry>
+ <entry><para>
+ Controls whether connections with usernames not in the user list will be allowed.
+ </para></entry>
+ </row>
+ <row>
+ <entry>read list</entry>
+ <entry><para>
+ List of users that are given read-only access to a service. Users in this list
+ will not be given write access, no matter what the read only option is set to.
+ </para></entry>
+ </row>
+ <row>
+ <entry>username</entry>
+ <entry><para>
+ Refer to the &smb.conf; man page for more information - this is a complex and potentially misused parameter.
+ </para></entry>
+ </row>
+ <row>
+ <entry>valid users</entry>
+ <entry><para>
+ List of users that should be allowed to login to this service.
+ </para></entry>
+ </row>
+ <row>
+ <entry>write list</entry>
+ <entry><para>
+ List of users that are given read-write access to a service.
+ </para></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ </sect2>
+
+ <sect2>
+ <title>File and Directory Permissions Based Controls</title>
+
+ <para>
+ The following file and directory permission based controls, if misused, can result in considerable difficulty to
+ diagnose the cause of mis-configuration. Use them sparingly and carefully. By gradually introducing each one by one
+ undesirable side-effects may be detected. In the event of a problem, always comment all of them out and then gradually
+ re-instroduce them in a controlled fashion.
+ </para>
+
+ <table frame='all'><title>File and Directory Permission Based Controls</title>
+ <tgroup cols='2'>
+ <thead>
+ <row>
+ <entry align="center">Control Parameter</entry>
+ <entry align="center">Description - Action - Notes</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>create mask</entry>
+ <entry><para>
+ Refer to the &smb.conf; man page.
+ </para></entry>
+ </row>
+ <row>
+ <entry>directory mask</entry>
+ <entry><para>
+ The octal modes used when converting DOS modes to UNIX modes when creating UNIX directories.
+ See also: directory security mask.
+ </para></entry></row>
+ <row>
+ <entry>dos filemode</entry>
+ <entry><para>
+ Enabling this parameter allows a user who has write access to the file to modify the permissions on it.
+ </para></entry>
+ </row>
+ <row>
+ <entry>force create mode</entry>
+ <entry><para>
+ This parameter specifies a set of UNIX mode bit permissions that will always be set on a file created by Samba.
+ </para></entry>
+ </row>
+ <row>
+ <entry>force directory mode</entry>
+ <entry><para>
+ This parameter specifies a set of UNIX mode bit permissions that will always be set on a directory created by Samba.
+ </para></entry>
+ </row>
+ <row>
+ <entry>force directory security mode</entry>
+ <entry><para>
+ Controls UNIX permission bits modified when a Windows NT client is manipulating UNIX permissions on a directory
+ </para></entry>
+ </row>
+ <row>
+ <entry>force security mode</entry>
+ <entry><para>
+ Controls UNIX permission bits modified when a Windows NT client manipulates UNIX permissions.
+ </para></entry>
+ </row>
+ <row>
+ <entry>hide unreadable</entry>
+ <entry><para>
+ Prevents clients from seeing the existance of files that cannot be read.
+ </para></entry>
+ </row>
+ <row>
+ <entry>hide unwriteable files</entry>
+ <entry><para>
+ Prevents clients from seeing the existance of files that cannot be written to. Unwriteable directories are shown as usual.
+ </para></entry>
+ </row>
+ <row>
+ <entry>nt acl support</entry>
+ <entry><para>
+ This parameter controls whether smbd will attempt to map UNIX permissions into Windows NT access control lists.
+ </para></entry>
+ </row>
+ <row>
+ <entry>security mask</entry>
+ <entry><para>
+ Controls UNIX permission bits modified when a Windows NT client is manipulating the UNIX permissions on a file.
+ </para></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ </sect2>
+
+ <sect2>
+ <title>Miscellaneous Controls</title>
+
+ <para>
+ The following are documented because of the prevalence of administrators creating inadvertant barriers to file
+ access by not understanding the full implications of &smb.conf; file settings.
+ </para>
+
+ <table frame='all'><title>Other Controls</title>
+ <tgroup cols='2'>
+ <thead>
+ <row>
+ <entry align="center">Control Parameter</entry>
+ <entry align="center">Description - Action - Notes</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>case sensitive, default case, short preserve case</entry>
+ <entry><para>
+ This means that all file name lookup will be done in a case sensitive manner.
+ Files will be created with the precise filename Samba received from the MS Windows client.
+ </para></entry>
+ </row>
+ <row>
+ <entry>csc policy</entry>
+ <entry><para>
+ Client Side Caching Policy - parallels MS Windows client side file caching capabilities.
+ </para></entry>
+ </row>
+ <row>
+ <entry>dont descend</entry>
+ <entry><para>
+ Allows to specify a comma-delimited list of directories that the server should always show as empty.
+ </para></entry>
+ </row>
+ <row>
+ <entry>dos filetime resolution</entry>
+ <entry><para>
+ This option is mainly used as a compatibility option for Visual C++ when used against Samba shares.
+ </para></entry>
+ </row>
+ <row>
+ <entry>dos filetimes</entry>
+ <entry><para>
+ DOS and Windows allows users to change file time stamps if they can write to the file. POSIX semantics prevent this.
+ This options allows DOS and Windows behaviour.
+ </para></entry>
+ </row>
+ <row>
+ <entry>fake oplocks</entry>
+ <entry><para>
+ Oplocks are the way that SMB clients get permission from a server to locally cache file operations. If a server grants an
+ oplock then the client is free to assume that it is the only one accessing the file and it will aggressively cache file data.
+ </para></entry>
+ </row>
+ <row>
+ <entry>hide dot files, hide files, veto files</entry>
+ <entry><para>
+ Note: MS Windows Explorer allows over-ride of files marked as hidden so they will still be visible.
+ </para></entry>
+ </row>
+ <row>
+ <entry>read only</entry>
+ <entry><para>
+ If this parameter is yes, then users of a service may not create or modify files in the service's directory.
+ </para></entry>
+ </row>
+ <row>
+ <entry>veto files</entry>
+ <entry><para>
+ List of files and directories that are neither visible nor accessible.
+ </para></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ </sect2>
+
</sect1>
<sect1>
<title>MS Windows Access Control Lists and Unix Interoperability</title>
<sect2>
- <title>Viewing and changing UNIX permissions using the NT
- security dialogs</title>
+ <title>Managing UNIX permissions Using NT Security Dialogs</title>
<para>Windows NT clients can use their native security settings
dialog box to view and modify the underlying UNIX permissions.</para>
</sect2>
<sect2>
- <title>How to view file security on a Samba share</title>
+ <title>Viewing File Security on a Samba Share</title>
<para>From an NT4/2000/XP client, single-click with the right
mouse button on any file or directory in a Samba mounted
<sect2>
<title>Viewing file ownership</title>
- <para>Clicking on the <command>"Ownership"</command> button
+ <para>Clicking on the <guibutton>Ownership</guibutton> button
brings up a dialog box telling you who owns the given file. The
owner name will be of the form :</para>
the Samba server, <replaceable>user</replaceable> is the user name of
the UNIX user who owns the file, and <replaceable>(Long name)</replaceable>
is the descriptive string identifying the user (normally found in the
- GECOS field of the UNIX password database). Click on the <command>Close
- </command> button to remove this dialog.</para>
+ GECOS field of the UNIX password database). Click on the
+ <guibutton>Close </guibutton> button to remove this dialog.</para>
<para>If the parameter <parameter>nt acl support</parameter>
is set to <constant>false</constant> then the file owner will
- be shown as the NT user <command>"Everyone"</command>.</para>
+ be shown as the NT user <constant>"Everyone"</constant>.</para>
- <para>The <command>Take Ownership</command> button will not allow
+ <para>The <guibutton>Take Ownership</guibutton> button will not allow
you to change the ownership of this file to yourself (clicking on
it will display a dialog box complaining that the user you are
currently logged onto the NT client cannot be found). The reason
</sect2>
<sect2>
- <title>Viewing file or directory permissions</title>
+ <title>Viewing File or Directory Permissions</title>
- <para>The third button is the <command>"Permissions"</command>
+ <para>The third button is the <guibutton>Permissions</guibutton>
button. Clicking on this brings up a dialog box that shows both
the permissions and the UNIX owner of the file or directory.
The owner is displayed in the form :</para>
- <para><command>"SERVER\user (Long name)"</command></para>
+ <para><command>"<replaceable>SERVER</replaceable>\
+ <replaceable>user</replaceable>
+ <replaceable>(Long name)</replaceable>"</command></para>
<para>Where <replaceable>SERVER</replaceable> is the NetBIOS name of
the Samba server, <replaceable>user</replaceable> is the user name of
<para>If the parameter <parameter>nt acl support</parameter>
is set to <constant>false</constant> then the file owner will
- be shown as the NT user <command>"Everyone"</command> and the
+ be shown as the NT user <constant>"Everyone"</constant> and the
permissions will be shown as NT "Full Control".</para>
triples are mapped by Samba into a three element NT ACL
with the 'r', 'w', and 'x' bits mapped into the corresponding
NT permissions. The UNIX world permissions are mapped into
- the global NT group <command>Everyone</command>, followed
+ the global NT group <constant>Everyone</constant>, followed
by the list of permissions allowed for UNIX world. The UNIX
owner and group permissions are displayed as an NT
- <command>user</command> icon and an NT <command>local
- group</command> icon respectively followed by the list
+ <guiicon>user</guiicon> icon and an NT <guiicon>local
+ group</guiicon> icon respectively followed by the list
of permissions allowed for the UNIX user and group.</para>
<para>As many UNIX permission sets don't map into common
- NT names such as <command>"read"</command>, <command>
- "change"</command> or <command>"full control"</command> then
- usually the permissions will be prefixed by the words <command>
- "Special Access"</command> in the NT display list.</para>
+ NT names such as <constant>read</constant>, <constant>
+ "change"</constant> or <constant>full control</constant> then
+ usually the permissions will be prefixed by the words <constant>
+ "Special Access"</constant> in the NT display list.</para>
<para>But what happens if the file has no permissions allowed
for a particular UNIX user group or world component ? In order
above, and is displayed in the same way.</para>
<para>The second set of directory permissions has no real meaning
- in the UNIX permissions world and represents the <command>
- "inherited"</command> permissions that any file created within
+ in the UNIX permissions world and represents the <constant>
+ inherited</constant> permissions that any file created within
this directory would inherit.</para>
<para>Samba synthesises these inherited permissions for NT by
<para>Modifying file and directory permissions is as simple
as changing the displayed permissions in the dialog box, and
- clicking the <command>OK</command> button. However, there are
+ clicking the <guibutton>OK</guibutton> button. However, there are
limitations that a user needs to be aware of, and also interactions
with the standard Samba permission masks and mapping of DOS
attributes that need to also be taken into account.</para>
<para>If the parameter <parameter>nt acl support</parameter>
is set to <constant>false</constant> then any attempt to set
- security permissions will fail with an <command>"Access Denied"
- </command> message.</para>
+ security permissions will fail with an <errorname>"Access Denied"
+ </errorname> message.</para>
- <para>The first thing to note is that the <command>"Add"</command>
+ <para>The first thing to note is that the <guibutton>"Add"</guibutton>
button will not return a list of users in Samba (it will give
- an error message of <command>"The remote procedure call failed
- and did not execute"</command>). This means that you can only
+ an error message of <errorname>The remote procedure call failed
+ and did not execute</errorname>). This means that you can only
manipulate the current user/group/world permissions listed in
the dialog box. This actually works quite well as these are the
only permissions that UNIX actually has.</para>
<para>If a permission triple (either user, group, or world)
is removed from the list of permissions in the NT dialog box,
- then when the <command>"OK"</command> button is pressed it will
+ then when the <guibutton>OK</guibutton> button is pressed it will
be applied as "no permissions" on the UNIX side. If you then
view the permissions again the "no permissions" entry will appear
as the NT <command>"O"</command> flag, as described above. This
<para>When setting permissions on a directory the second
set of permissions (in the second set of parentheses) is
by default applied to all files within that directory. If this
- is not what you want you must uncheck the <command>"Replace
- permissions on existing files"</command> checkbox in the NT
- dialog before clicking <command>"OK"</command>.</para>
+ is not what you want you must uncheck the <guilabel>Replace
+ permissions on existing files</guilabel> checkbox in the NT
+ dialog before clicking <guibutton>OK</guibutton>.</para>
<para>If you wish to remove all permissions from a
user/group/world component then you may either highlight the
- component and click the <command>"Remove"</command> button,
- or set the component to only have the special <command>"Take
- Ownership"</command> permission (displayed as <command>"O"
+ component and click the <guibutton>Remove</guibutton> button,
+ or set the component to only have the special <constant>Take
+ Ownership</constant> permission (displayed as <command>"O"
</command>) highlighted.</para>
</sect2>
<para><parameter>directory security mask</parameter></para>
<para><parameter>force directory security mode</parameter></para>
- <para>Once a user clicks <command>"OK"</command> to apply the
+ <para>Once a user clicks <guibutton>OK</guibutton> to apply the
permissions Samba maps the given permissions into a user/group/world
r/w/x triple set, and then will check the changed permissions for a
file against the bits set in the <ulink url="smb.conf.5.html#SECURITYMASK">
<para>What this can mean is that if the owner changes the permissions
to allow themselves read access using the security dialog, clicks
- <command>"OK"</command> to get back to the standard attributes tab
- dialog, and then clicks <command>"OK"</command> on that dialog, then
+ <guibutton>OK</guibutton> to get back to the standard attributes tab
+ dialog, and then clicks <guibutton>OK</guibutton> on that dialog, then
NT will set the file permissions back to read-only (as that is what
the attributes still say in the dialog). This means that after setting
- permissions and clicking <command>"OK"</command> to get back to the
- attributes dialog you should always hit <command>"Cancel"</command>
- rather than <command>"OK"</command> to ensure that your changes
+ permissions and clicking <guibutton>OK</guibutton> to get back to the
+ attributes dialog you should always hit <guibutton>Cancel</guibutton>
+ rather than <guibutton>OK</guibutton> to ensure that your changes
are not overridden.</para>
</sect2>
</sect1>
<title>Common Errors</title>
<para>
-Stuff from mailing lists here
+File, Directory and Share access problems are very common on the mailing list. The following
+are examples taken from the mailing list in recent times.
</para>
+
+ <sect2>
+ <title>Users can not write to a public share</title>
+
+ <para>
+ <quote>
+ We are facing some troubles with file / directory permissions. I can log on the domain as admin user(root),
+ and theres a public share, on which everyone needs to have permission to create / modify files, but only
+ root can change the file, no one else can. We need to constantly go to server to
+ <userinput>chgrp -R users *</userinput> and <userinput>chown -R nobody *</userinput> to allow others users to change the file.
+ </quote>
+ </para>
+
+ <para>
+ There are many ways to solve this problem, here are a few hints:
+ </para>
+
+ <procedure>
+ <title>Example Solution:</title>
+ <step>
+ <para>
+ Go to the top of the directory that is shared
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Set the ownership to what ever public owner and group you want
+ <programlisting>
+ find 'directory_name' -type d -exec chown user.group {}\;
+ find 'directory_name' -type d -exec chmod 6775 'directory_name'
+ find 'directory_name' -type f -exec chmod 0775 {} \;
+ find 'directory_name' -type f -exec chown user.group {}\;
+ </programlisting>
+ </para>
+
+ <note><para>
+ The above will set the 'sticky bit' on all directories. Read your
+ Unix/Linux man page on what that does. It causes the OS to assign
+ to all files created in the directories the ownership of the
+ directory.
+ </para></note>
+ </step>
+ <step>
+ <para>
+
+ Directory is: <replaceable>/foodbar</replaceable>
+ <screen>
+ <prompt>$ </prompt><userinput>chown jack.engr /foodbar</userinput>
+ </screen>
+ </para>
+
+ <note><para>
+ <para>This is the same as doing:</para>
+ <screen>
+ <prompt>$ </prompt><userinput>chown jack /foodbar</userinput>
+ <prompt>$ </prompt><userinput>chgrp engr /foodbar</userinput>
+ </screen>
+ </para></note>
+ </step>
+ <step>
+ <para>Now do:
+
+ <screen>
+ <prompt>$ </prompt><userinput>chmod 6775 /foodbar</userinput>
+ <prompt>$ </prompt><userinput>ls -al /foodbar/..</userinput>
+ </screen>
+
+ </para>
+
+ <para>You should see:
+ <screen>
+ drwsrwsr-x 2 jack engr 48 2003-02-04 09:55 foodbar
+ </screen>
+ </para>
+ </step>
+ <step>
+
+ <para>Now do:
+ <screen>
+ <prompt>$ </prompt><userinput>su - jill</userinput>
+ <prompt>$ </prompt><userinput>cd /foodbar</userinput>
+ <prompt>$ </prompt><userinput>touch Afile</userinput>
+ <prompt>$ </prompt><userinput>ls -al</userinput>
+ </screen>
+ </para>
+
+ <para>
+ You should see that the file 'Afile' created by Jill will have ownership
+ and permissions of Jack, as follows:
+ <screen>
+ -rw-r--r-- 1 jack engr 0 2003-02-04 09:57 Afile
+ </screen>
+ </para>
+ </step>
+
+ <step>
+ <para>
+ Now in your &smb.conf; for the share add:
+ <programlisting>
+ force create mode = 0775
+ force direcrtory mode = 6775
+ </programlisting>
+ </para>
+
+ <note><para>
+ The above are only needed IF your users are NOT members of the group
+ you have used. ie: Within the OS do not have write permission on the directory.
+ </para>
+ </note>
+
+ <para>
+ An alternative is to set in the &smb.conf; entry for the share:
+ <programlisting>
+ force user = jack
+ force group = engr
+ </programlisting>
+ </para>
+ </step>
+ </procedure>
+ </sect2>
+
</sect1>
</chapter>