Simple shared folder on UCS AD domain


#1

I am looking to make a simple shared folder similar to the shares on NAS appliances. Specifically, I want to allow only the group “Domain Users” to have 777 access to a share called ‘clientapps’ and no NT ACLs.

So, my thought is to make the share with “root:Domain Users” on the main Share page, and in advanced, uncheck the NT ACL and Inherit ACL. If I disable the NT ACL the boxes below about creating new file/dir with the same owner should be moot, right?

Basically, I want to only manage a folder with share permissions, while the NTFS permissions are everyone with full access. Kind of the opposite of standard, where you make the share permission everyone and then filter the access by the NTFS ACL.

I hope this makes sense. What do you think?


#2

Hello,

So basically, you want to
- allow members of ONE GROUP to connect, and
- not restrict what they can do at the file level?

To restrict who can connect, set it in “Samba permissions”: valid users or groups, invalid users or groups, and Restrict write access to these users/groups. And omit anything that sets filesystem permissions.

No, these settings remain useful because they aren’t related to NT ACLs. Let’s try to explain.

Create files/directories with the owner of the parent directory
- YES -> every file/subdir being created will have the same owner as the directory it is in
- NO -> every file/subdir being created will be owned by the user creating it

Create files/directories with permissions of the parent directory
- YES -> every file/subdir being created will have the same filesystem permissions as the directory it is in
- NO -> the permissions depend on the user creating a file/subdir (his umask, and some other masks)

So unchecking these two boxes on your shared directory would leave you with a share where every file or directory can possibly be owned by somebody different, and have different permissions.

Note that you can achieve a similar effect (set unique ownership and permissions) at different levels: the “force user” and “force group” settings at the top of “Samba permissions”, or extensively using the “Samba extended permissions” attributes matrix, especially the ‘force file mode’ and ‘force directory mode’ settings.

Regards,
Frank Greif.
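
For reference, the setup discussed in this thread written as a Samba share section. This is an added example, not taken from either post or from UCS itself; the path is a placeholder, and the mapping of the UCS checkboxes to these smb.conf parameters is an assumption based on the standard Samba options with the same meaning.

```ini
[clientapps]
    # Placeholder path (assumption). The directory itself is prepared
    # as owner root, group "Domain Users", mode 0777, as in post #1.
    path = /srv/clientapps

    # Connection-level gate: only members of this group may open the
    # share at all. '@' marks a group name; whether a DOMAIN\ prefix
    # is required depends on how the server resolves domain groups.
    valid users = @"Domain Users"
    read only = no

    # The two boxes unchecked in post #1: no NT ACLs are stored or
    # evaluated, and POSIX default ACLs are not inherited.
    nt acl support = no
    inherit acls = no

    # "Create files/directories with the owner of the parent directory"
    # New entries take the parent directory's owner, not the creator's.
    inherit owner = yes

    # "Create files/directories with permissions of the parent directory"
    # New directories copy the parent's mode; new files copy its
    # read/write bits. This keeps every entry writable by every
    # permitted user instead of depending on each user's umask.
    inherit permissions = yes

    # Alternative from post #2: pin identity and mode explicitly
    # instead of inheriting them from the parent directory.
    ; force user = root
    ; force group = "Domain Users"
    ; force create mode = 0666
    ; force directory mode = 0777
```

With NT ACLs disabled and the directory at 0777, `valid users` is the only access control left on the share, so membership of that group decides everything. `testparm -s` prints the effective share settings for checking.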