Creating fileshare: best practices for ACLs for Windows clients

Hello,
I want to create fileshares to serve to our Windows clients. We are currently working with an old Samba server which wasn’t set up properly by the previous IT guy (e.g. users losing access to subfolders, not possible to give only read rights…). So I want to make sure I’m doing it right.

What are the best practices regarding the ACLs to guarantee the following:

  • No files & folders should be owned by the creator
  • Users may not alter permissions (e.g. no full permissions on files/folders they have created)
  • The permissions should be inherited from the shared folder (except if inheritance is manually disabled)
  • Maybe impossible: files/folders moved from one share to another must inherit the permissions from the destination share

Related question: which user + group should own the shared folder? If I’m not mistaken, this should be the samba-admin account (and not the POSIX root account), as I’ve read on the Samba wiki.

Is there anything else I should take into account? Below is my current sambashare.conf (location: /etc/samba/shares.conf.d):

[Share]
path = /shares/share
msdfs root = no
writeable = yes
browseable = yes
public = no
dos filemode = no
hide unreadable = no
create mode = 0664
directory mode = 0775
force create mode = 0664
force directory mode = 0775
locking = 1
strict locking = Auto
oplocks = 1
level2 oplocks = 1
fake oplocks = 0
csc policy = manual
nt acl support = 1
inherit acls = 1
vfs objects = acl_xattr
inherit owner = yes
inherit permissions = yes
map acl inherit = yes

(FYI: I configured this share through the web GUI, but I find it easier to share the conf than several screenshots.)
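As an added example (not from the post or from UCS/Samba), here is a small lint that parses a share section like the one above and maps the bullet list from the question onto the Samba parameters that address each point: inherit owner for creator ownership, dos filemode = no (so only the owner, which is then not the creator, may change permissions), and the inherit/acl_xattr parameters for inheritance from the share root. The requirement-to-parameter mapping is an assumption made here for the check; the fourth bullet (moves between shares) is not expressible in smb.conf and is not checked.

```python
import re
_TRUE, _FALSE = {"yes", "true", "1", "on"}, {"no", "false", "0", "off"}  # Samba booleans
# Requirement (from the post's bullets) -> parameter values it needs; constructed mapping.
REQUIREMENTS = {
    "no creator ownership": {"inherit owner": True},
    "users cannot change permissions": {"dos filemode": False, "inherit owner": True},
    "inheritance from share root": {"inherit acls": True, "inherit permissions": True,
                                    "map acl inherit": True, "nt acl support": True},
}
# Constructed sample: the ACL-relevant lines of the share definition from the post.
SAMPLE = """[Share]
dos filemode = no
nt acl support = 1
inherit acls = 1
vfs objects = acl_xattr
inherit owner = yes
inherit permissions = yes
map acl inherit = yes
"""

def parse_smbconf(text):
    """Return {section: {param: value}}; names lower-cased with whitespace collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.split()).lower()] = value.strip()
    return sections

def to_bool(value):
    # Same spellings smb.conf accepts: yes/true/1/on versus no/false/0/off
    v = value.strip().lower()
    if v not in _TRUE | _FALSE:
        raise ValueError(f"not a Samba boolean: {value!r}")
    return v in _TRUE

def check_share(params):
    """Return {requirement: [messages for parameters that fail it]}; empty list = satisfied."""
    report = {}
    for req, rules in REQUIREMENTS.items():
        report[req] = [f"{name} should be {'yes' if want else 'no'}"
                       for name, want in rules.items()
                       if name not in params or to_bool(params[name]) != want]
    # Unix mode bits cannot hold a full Windows ACL; acl_xattr keeps it in an xattr.
    if "acl_xattr" not in params.get("vfs objects", "").split():
        report["inheritance from share root"].append("vfs objects should include acl_xattr")
    return report
```

Run `check_share(parse_smbconf(SAMPLE)["Share"])` on the posted values and every list comes back empty; feed it a section with `inherit owner = no` and the first two requirements report the offending parameter.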

Why not use the “Freigabe” function and put the settings there?

Which option are you referring to? FYI, I’m using the English language version.

I have the German frontend; it should be something like “shares” in the domain tab.

Ah ok 🙂
Here you have the relevant settings for ACL:

[image: screenshot of the share’s ACL settings in the web GUI]

Kind regards,
Wouter