I have finally solved my SMB sharing troubles
Hi!
I have read two most enlightening postings regarding ACLs and POSIX rights. I have always seen that they both affect access rights but have not been able to figure it out quite right. It seems very easy on first sight but it is not. Just try to edit MS Office document on a Windows PC right on the SMB share and you will see what I am talking about. But to cut the long story short, here's what I have done with my SMB configuration and why.
1) I modified /etc/smb.conf to disable streams support.
; stream support = yes
vfs objects = darwinacl
We don't need or use streams on our shares, buaving them enabled will occasionally block files from being read from the share. So in our case it is better to disable them.
2) I have removed all Deny statements from ACLs.
If you edit documents on the SMB share using MS Office, ACLs get messed up big time. The most important thing is that you don't know where you Deny ACEs will end up, so they could be the first thing in the ACL and you could be denied of any access.
3) I have set all POSIX rights to None on all directories and files.
darwinacl module will combine the POSIX rights and the ACL and will show POSIX rights as ACL entries to the Windows client. If the Windows client now saves something, the combined entries will all land in the saved file's ACL. E.g. if you have POSIX right r/w for group staff, the ACL will have an entry for group Users afterwards.
All in all I have only set ACLs to allow selective Allow rights for directories and no Deny statements at all. It works pretty well on Windows clients and also on Mac SMB clients. I have not enabled AFP at all for easier management.
The only downside is that the access-rights-limited directories are still listed for everyone who has access to the level above them.
Oh, for everyone who is interested in the two postings I read and found so good, here's the link:
http://lists.apple.com/archives/Macos-x-server/2008/May/msg00335.html
See the reply too, that's the second interesting posting.
Hopefully someone will find this information helpful! I have seen too many cries for help on this same issus.
Best regards,
Andrus Suitsu
I have read two most enlightening postings regarding ACLs and POSIX rights. I have always seen that they both affect access rights but have not been able to figure it out quite right. It seems very easy on first sight but it is not. Just try to edit MS Office document on a Windows PC right on the SMB share and you will see what I am talking about. But to cut the long story short, here's what I have done with my SMB configuration and why.
1) I modified /etc/smb.conf to disable streams support.
; stream support = yes
vfs objects = darwinacl
We don't need or use streams on our shares, buaving them enabled will occasionally block files from being read from the share. So in our case it is better to disable them.
2) I have removed all Deny statements from ACLs.
If you edit documents on the SMB share using MS Office, ACLs get messed up big time. The most important thing is that you don't know where you Deny ACEs will end up, so they could be the first thing in the ACL and you could be denied of any access.
3) I have set all POSIX rights to None on all directories and files.
darwinacl module will combine the POSIX rights and the ACL and will show POSIX rights as ACL entries to the Windows client. If the Windows client now saves something, the combined entries will all land in the saved file's ACL. E.g. if you have POSIX right r/w for group staff, the ACL will have an entry for group Users afterwards.
All in all I have only set ACLs to allow selective Allow rights for directories and no Deny statements at all. It works pretty well on Windows clients and also on Mac SMB clients. I have not enabled AFP at all for easier management.
The only downside is that the access-rights-limited directories are still listed for everyone who has access to the level above them.
Oh, for everyone who is interested in the two postings I read and found so good, here's the link:
http://lists.apple.com/archives/Macos-x-server/2008/May/msg00335.html
See the reply too, that's the second interesting posting.
Hopefully someone will find this information helpful! I have seen too many cries for help on this same issus.
Best regards,
Andrus Suitsu
XServe, Mac OS X (10.5.8)
