
Trying to restrict a folder within a directory created on a Linux filesystem. I have changed the permissions to: root rwx, a special Active Directory group rwx, and all others r. Upon doing so, people that are not in the special AD group can access the directory and modify files. When they do so, the group changes to "Domain Users" when the user modifies documents within the directory. I have to manually change the documents' default group back to my AD group. I have tried to create another AD group and modify permissions to deny write access. When doing so through Windows Explorer, the settings seem to take effect until I go back in and look at permissions for the restricted group. No permissions show when I view for the second time. Please assist.

Samba share properties

[MyShare]
        comment = "blah blah blah"
        browseable = yes
        guest ok = no
        read only = no
        path = /xxx/xxxxx/
        create mask = 0640
        directory mask = 0750
        admin users = @"domain\Domain Admins", @"domain\group A", @"domain\group B"
        valid users = @"domain\Domain Admins", @"domain\group A", @"domain\group B"
        nt acl support = Yes
        inherit acls = yes
        inherit owner = yes
        inherit permissions = yes
Kamil Kisiel
VGE IT
    How are windows users accessing the system? Samba, NFS, other? How have you configured the system? Perhaps you can post the config for samba on that share. – Zoredache Dec 10 '09 at 22:13
  • It is samba, here is the config for the main share [MyShare] comment = "blah blah blah" browseable = yes guest ok = no read only = no path = /xxx/xxxxx/ create mask = 0640 directory mask = 0750 admin users = @"domain\Domain Admins", @"domain\group A", @"domain\group B" valid users = @"domain\Domain Admins", @"domain\group A", @"domain\group B" nt acl support = Yes inherit acls = yes inherit owner = yes inherit permissions = yes – VGE IT Dec 10 '09 at 22:27
  • Instead of adding that as a comment, you probably should update your question. You have far more control of the formatting. – Zoredache Dec 10 '09 at 22:59
  • Please format Samba share properties as `Code Sample`. – Alexander Pogrebnyak Dec 11 '09 at 01:56

3 Answers


I had a similar problem for a long time. For me, the solution was in the Linux filesystem permissions themselves. I had to change the permissions using chmod 2770 ./foo in order to get user and group permissions to work correctly. See my (edited) ls below:

[root@server1 home]# ls -lAF
total 92
drwxrws---.  2 al    al        4096 2009-05-27 00:25 al/
drwxrws---   6 root  shares    4096 2010-06-11 16:19 images/
drwxrws---. 61 jesse jesse     4096 2010-06-13 16:21 jesse/
drwxrws---. 28 mary  mary      4096 2009-08-26 15:52 mary/
drwxrws---. 14 root  work      4096 2010-05-24 08:16 work/
drwxrws---. 12 root  shares    4096 2010-06-18 14:15 share/
[root@server1 home]#

I am not using any admin users = entries. I am simply relying on the user and group structure built into Linux itself. Granted, you are using AD, but a similar concept should apply. For reference, here are the relevant parts of my smb.conf (edited again):

[global]
        server string = Samba Server
        security = share
        unix password sync = Yes
        create mask = 0660
        directory mask = 0770

[jesse]
        path = /home/jesse
        valid users = jesse
        read only = No

[share]
        path = /home/share
        valid users = al, jesse, mary
        read only = No

[work]
        path = /home/work
        valid users = al, jesse
        read only = No

I hope this helps!

Jesse

This may not answer your question, but when you actually join your host to a Windows domain using winbind and PAM, it becomes easier to control permissions using setfacl and getfacl, which are similar to the cacls/xcacls commands in Windows.

andyortlieb

On your Samba share declaration, use the force group directive to ensure new files are created with that group ownership.

force group = @"domain\special_AD_Group"
Peter Carrero
  • added filter, reloaded samba and non special_ad_group users can still modify documents – VGE IT Dec 11 '09 at 15:36
  • using force group actually denied access to a default user group for top level folder, access restored once force group was removed from Samba config – VGE IT Dec 11 '09 at 19:40
  • Is there any other way to accomplish setting permissions other than force group? – VGE IT Dec 14 '09 at 22:08
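A small checker for the smb.conf settings this thread turns on: the question's [MyShare] block and the create/directory mask, force group and admin users points raised in the answers. This is an added example, not code from the thread; the parser and the lint rules are my own, and the only behaviour it asserts beyond the thread is Samba's documented semantics that users listed in `admin users` perform all file operations on the share as root.

```python
"""Lint smb.conf share blocks for the group-ownership and access pitfalls
discussed in this thread (added example, not from the original page)."""
import re

# Constructed sample: the [MyShare] block from the question, verbatim.
SAMPLE_SMB_CONF = r"""
[MyShare]
        comment = "blah blah blah"
        browseable = yes
        guest ok = no
        read only = no
        path = /xxx/xxxxx/
        create mask = 0640
        directory mask = 0750
        admin users = @"domain\Domain Admins", @"domain\group A", @"domain\group B"
        valid users = @"domain\Domain Admins", @"domain\group A", @"domain\group B"
        nt acl support = Yes
        inherit acls = yes
        inherit owner = yes
        inherit permissions = yes
"""

def parse_smb_conf(text):
    """Return {share_name: {option: value}}; option names lower-cased and whitespace-normalised."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank or comment line
            continue
        section = re.match(r"^\[(.+)\]$", line)
        if section:
            current = section.group(1).strip()
            shares[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        shares[current][" ".join(key.lower().split())] = value.strip()
    return shares

def lint_share(opts):
    """Return a list of (severity, message) findings for one share's options."""
    findings = []
    if opts.get("guest ok", "no").lower() == "yes":
        findings.append(("high", "guest ok = yes: unauthenticated access to the share"))
    if "admin users" in opts:
        # Samba docs: admin users do every file operation as root, ignoring mode bits and ACLs.
        findings.append(("high", "admin users set: listed users/groups act as root on this share"))
        if opts.get("valid users") == opts["admin users"]:
            findings.append(("high", "every valid user is also an admin user"))
    for key in ("create mask", "directory mask"):
        if key in opts and int(opts[key], 8) & 0o002:
            findings.append(("medium", f"{key} = {opts[key]} allows world write"))
    if "force group" not in opts:
        findings.append(("info", "no force group: new files keep the creator's primary group "
                                 "unless the directory carries the setgid bit (chmod 2770)"))
    return findings

if __name__ == "__main__":
    for name, opts in parse_smb_conf(SAMPLE_SMB_CONF).items():
        for severity, message in lint_share(opts):
            print(f"[{name}] {severity}: {message}")
```

Run against the question's block it reports the admin users overlap and the missing force group; a share with `force group` set, no `admin users` and masks without the other-write bit comes back clean.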