How should I set up a file share? Wie sollte ich eine Datei-Freigabe einrichten?

UCS - Univention Corporate Server
#1

I have already set up a few, but I am suspicious whether I have chosen the best way.

I have some users.
Few of them should be able to use a new share.
So far I created a new group in the UCS interface under “Users” and put the desired users in it.

Then I went to the domain settings and created a new share. There I entered root as “owner” and under “owner group” the group I created.

But I don’t understand why the default setting sets the permissions so that the group can’t write. I changed this manually with each share, both directly under the basic settings and under the extended samba rights.

Again and again I have the problem with the new shares that some users can only have read access. In the end a “chmod -R 770 /share” on the filesystem where /share is the directory with the share … that can’t be the ideal way and in the worst case it’s a mess.

If there is an instruction how to do this “best practice”, then I would be happy about a link.

Translated with www.DeepL.com/Translator (free version)

Ich habe zwar schon ein paar eingerichtet, bin aber misstrauisch ob ich den besten Weg gewählt habe.

Ich habe einige User.
Davon sollen wenige eine neue Freigabe nutzen können.
Bisher habe ich dazu auf der UCS-Oberfläche unter “Benutzer” eine neue Gruppe angelegt und die gewünschten Benutzer da reingepackt.

Dann bin ich unter den Domäneneinstellungen auf Freigabe und habe dort eine neue Freigabe angelegt. Dort habe ich als “Besitzer” root eingetragen und unter “Besitzergruppe” die von mir angelegte Gruppe.

Allerdings verstehe ich nicht warum die Vorgabe die Rechte so setzt, dass die Gruppe nicht schreiben kann. Das habe ich dann erst mal bei jeder Freigabe von hand geändert, sowohl direkt unter den Grundeinstellungen als auch bei den erweiterten Samba-Rechten.

Immer wieder habe ich mit den neuen Freigaben dann das Problem, dass erst mal einige User trotzdem nur lesend zugreifen können. Am Ende hilft dann auf dem Dateisystem ein “chmod -R 770 /share” auf das Verzeichnis mit der Freigabe … das kann so doch nicht der ideale Weg sein und im schlimmsten Fall ist es Murks.

Wenn es eine Anleitung gibt, wie man das “best practice” machen kann, dann würde ich mich über einen Link freuen.

#2

Sorry leute. War die Frage zu dumm? Oder war es zu kompliziert?

Sorry, guys. Was that a stupid question? Or was it too complicated?

#3

What am I doing wrong? I’m asking a question, at length. I wait two weeks for an answer.

I get NO answer, there is not even an question asked.

That’s pretty weird for me. Doesn’t really feel like community.

#4

There are so many different scenarios with differing requirements that there are no best practices for setting up file shares.

That being said: if you have the situation that a certain number of people should have full access to all files & directories in a share and no other user should have any access and you’ll only ever access the share via Windows/CIFS (never directly via Linux), you generally set that up via group membership and Samba’s “force group” and “allow users” options:

  • Create a group & make all the users who should have access to the share be members of the group (you already did that). I’ll use MyGroup as an example below:
  • Create the share with the following properties (I’ll only list properties you need to change from their respective defaults):
    • “General” tab:
      • Directory owner group: MyGroup
      • Permissions: group = read+write+access, others=none
    • “Options” tab:
      • Deactivate “Export for NFS clients”
    • “Samba” tab:
      • Windows name: whatever you want to call your share — I suggest something similar to the group’s name in order to make it clear which groups & shares belong together
    • “Advanced settings” tab:
      • “Samba permissions” section:
        • Force group: MyGroup
        • Valid users or groups: @MyGroup (note the leading @ which signals that MyGroup is to be interpreted as a group name)
      • “Samba extended permissions” section:
        • Force file mode: owner & group=read+write+access
        • Force directory mode: owner & group=read+write+access

The result is that all accesses to any of the files & directories in the share will be done as the group MyGroup, and forcing the file & directory modes will ensure that the group MyGroup always has access.

But like I said above, this kind of setup means that you cannot restrict access to parts of the share, e.g. if you want to mix documents from technical stuff with documents from HR. For mixed access rights you’ll need different shares with this type of setup.

1 Like
#5

Finally a GOOD answer …! Thank you very much!
Yes, I was just looking for a simple file share, without any other specialties.

I tested it and it worked right away.

One more question:

Extended Samba-Rights filemode and direktory mode (not forced) say’s Owner R+W+A, Group and others R … is that correct?

#6

Those two shouldn’t matter when you set “force … mode” if I recall correctly.

#7

So it doesn’t matter what it says at this point if the “forced” settings are set accordingly?

It’s great to get such competent information. What can I do to avoid having to wait a month for the first reaction to another question? Do pornographic pictures or cookies help? :wink:

Thank you in any case! I’m afraid SAMBA is much more extensive than I thought. Is there a good “Samba for dummies” where I learn to understand the options UCS offers me?

Translated with www.DeepL.com/Translator (free version)

#8

Well, please keep in mind that any type of support in this forum is done on a voluntary basis. If someone knows something about your problem and has the time to answer and is motivated enough to answer, they might. Otherwise you won’t get an answer at that particular point in time.

What you’ve done so far is OK: waiting for a certain amount of time (two weeks is definitely OK, one day would be way too short), then bumping the thread again with a friendly request for more help. There are a lot of posts here, and older questions will be forgotten about; therefore bumping is sometimes necessary.

What isn’t OK is trying to guilt-trip us into answering or complaining about no one wanting to do free work for you. You’re not paying us to do anything, we don’t owe you anything. Sure, we’d like to help everyone if possible, otherwise we wouldn’t be here, and believe me, I do get a lot of satisfaction from helping other people. But you have to respect that we might not have the time, the motivation or the knowledge to answer your question.

What’s also questionable or in poor taste is your offer of porn. Sure, you most likely meant that as a joke. But UCS is a software mostly used in professional environments, in most (all?) of those places porn is completely unacceptable. Call me a stick in the mud, whatever, just don’t go there in the first place. Cookies on the other hand are perfectly fine; please send a copious amount of delicious cookies to the following address: … :wink:

If you require more timely answers because you’re running UCS in a business-critical context, consider paying for support packages from Univention or one of the other companies offering them.

#9

Well, of course the pornography was just a provocation and a joke… And I am aware that the forum is not a service and not meant to bum support costs. By the way, I couldn’t read the address for the cookies correctly? :wink:

Here in the forum I do not ask time-critical questions. This is about questions I can’t find the answer to in the manual. Curiosity and desire to try something.

We have a core support contract for UCS and Kopano. (Exchange Replacement Bundle) We use the system for business purposes, but - as with the file shares - in a less complex way. This bundle is only available in the flavor “basic support” and it covers everything we need from the functions. For better support I have to license UCS and Kopano separately and that costs more than twice as much. And I don’t need any more functions than what I already have. So if I (or our system house) get stuck, I buy support per incident.

If it is URGENT, I pay to my system house, who have helped me a few times even after failed updates and who have answered many questions - for a fee. After all, this is also an hourly rate, which allows them to make a living and still is much cheaper than paying the support at Univention and Kopano. And they don’t care which side made the mistake … in the end it works.

When I have real problems I need a solution FAST.
And a problem for me: I often can’t see if the solution of the problem is more to be found at Kopano or Univention. The two work hand in hand. The danger is that I open an expensive ticket at one of them and they point to the other and I have to open an expensive ticket.

So you see: I’m trying to find a reasonable solution, but I don’t want everything for free.

And I also don’t want to make anybody here a bad conscience.

One more thing:

I understand English quite well, but I have difficulty writing. Therefore I use a tool for the translation. But I am not always sure if the translation reflects exactly what I am trying to say. So before somebody gets angry with me because of a wrong understanding, please ask again.

#10

What you’ve written is totally reasonable and polite and to the point. Don’t worry about it. And if you ever find yourself preferring to communicate in German, just say so; sure, English would be better for other people, but we’re primarily trying to solve your problem.

1 Like
Mastodon