Goutham
asked on
create mask, create directory mask and force user in samba server
Dear Sir/Madam:
I have Linux working as a PDC. Can anybody please explain the following and their use in the smb.conf file?
create mask = 0664
security mask = 0664
directory mask = 0775
directory security mask = 0775
force user = x, y
force group = group1
dump from the manual
create mask (S)
When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is
then bit-wise 'AND'ed with this parameter. This parameter may be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit not set here will be
removed from the modes set on a file when it is created.
The default value of this parameter removes the group and other write and execute bits from the UNIX modes.
Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the force create mode parameter which is set to 000 by
default.
This parameter does not affect directory masks. See the parameter directory mask for details.
Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the administrator wishes to enforce a mask on access control
lists also, they need to set the security mask.
Default: create mask = 0744
Example: create mask = 0775
--------------------------
security mask (S)
This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a file using the native
NT security dialog box.
This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not in this mask from being modified. Make sure
not to mix up this parameter with force security mode, which works in a manner similar to this one but uses a logical OR instead of an AND.
Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.
If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file.
Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance"
systems. Administrators of most normal systems will probably want to leave it set to 0777.
Default: security mask = 0777
Example: security mask = 0770
--------------------------
directory mask (S)
This parameter is the octal modes which are used when converting DOS modes to UNIX modes when creating UNIX directories.
When a directory is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode
is then bit-wise 'AND'ed with this parameter. This parameter may be thought of as a bit-wise MASK for the UNIX modes of a directory. Any bit not set here will
be removed from the modes set on a directory when it is created.
The default value of this parameter removes the 'group' and 'other' write bits from the UNIX mode, allowing only the user who owns the directory to modify it.
Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the force directory mode parameter. This parameter is set
to 000 by default (i.e. no extra mode bits are added).
Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the administrator wishes to enforce a mask on access control
lists also, they need to set the directory security mask.
Default: directory mask = 0755
Example: directory mask = 0775
--------------------------
directory security mask (S)
This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a directory using the native
NT security dialog box.
This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not in this mask from being modified. Make sure not
to mix up this parameter with force directory security mode, which works in a manner similar to this one but uses a logical OR instead of an AND. Essentially, zero bits in
this mask may be treated as a set of bits the user is not allowed to change.
If not set explicitly this parameter is set to 0777 meaning a user is allowed to modify all the user/group/world permissions on a directory.
Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance"
systems. Administrators of most normal systems will probably want to leave it as the default of 0777.
Default: directory security mask = 0777
Example: directory security mask = 0700
--------------------------
force user (S)
This specifies a UNIX user name that will be assigned as the default user for all users connecting to this service. This is useful for sharing files. You
should also use it carefully as using it incorrectly can cause security problems.
This user name only gets used once a connection is established. Thus clients still need to connect as a valid user and supply a valid password. Once connected,
all file operations will be performed as the "forced user", no matter what username the client connected as. This can be very useful.
In Samba 2.0.5 and above this parameter also causes the primary group of the forced user to be used as the primary group for all file activity. Prior to 2.0.5
the primary group was left as the primary group of the connecting user (this was a bug).
Default: force user =
Example: force user = auser
--------------------------
force group (S)
This specifies a UNIX group name that will be assigned as the default primary group for all users connecting to this service. This is useful for sharing files
by ensuring that all access to files on service will use the named group for their permissions checking. Thus, by assigning permissions for this group to the
files and directories within this service the Samba administrator can restrict or allow sharing of these files.
In Samba 2.0.5 and above this parameter has extended functionality in the following way. If the group name listed here has a '+' character prepended to it
then the current user accessing the share only has the primary group default assigned to this group if they are already assigned as a member of that group.
This allows an administrator to decide that only users who are already in a particular group will create files with group ownership set to that group. This
gives a finer granularity of ownership assignment. For example, the setting force group = +sys means that only users who are already in group sys will have
their default primary group assigned to sys when accessing this Samba share. All other users will retain their ordinary primary group.
If the force user parameter is also set the group specified in force group will override the primary group set in force user.
Default: force group =
Example: force group = agroup
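
The mask arithmetic quoted above, applied to the settings from the question, as an added example (not part of the original answer and not Samba's own code). The function names, the DOS-mapped and requested modes passed in, and the `review` check are assumptions made for illustration; `acl_edit` follows the manual's wording that bits outside the security mask cannot be changed.

```python
# Added example: models the manual text above; inputs are constructed.

def parse_share(text):
    """Parse 'key = value' lines of a share definition into a dict."""
    params = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith(("#", ";")):
            params[" ".join(key.split()).lower()] = value.strip()
    return params

def octal(params, key, default):
    """Read an octal mode parameter, falling back to the manual's default."""
    return int(params.get(key, default), 8)

def created_mode(params, mapped, is_dir=False):
    """(DOS-mapped mode AND mask) OR force mode, applied at creation time."""
    if is_dir:
        mask = octal(params, "directory mask", "0755")
        force = octal(params, "force directory mode", "000")
    else:
        mask = octal(params, "create mask", "0744")
        force = octal(params, "force create mode", "000")
    return (mapped & mask) | force

def acl_edit(params, current, requested, is_dir=False):
    """Only bits set in the security mask may change via the NT dialog."""
    key = "directory security mask" if is_dir else "security mask"
    mask = octal(params, key, "0777")
    allowed_changes = (current ^ requested) & mask
    return current ^ allowed_changes

def review(params):
    """Flag values that do not match the manual's description."""
    notes = []
    if len(params.get("force user", "").replace(",", " ").split()) > 1:
        notes.append("force user: manual describes a single UNIX user name")
    return notes

# The settings posted in the question.
ASKER_SHARE = """
create mask = 0664
security mask = 0664
directory mask = 0775
directory security mask = 0775
force user = x, y
force group = group1
"""
```

With the question's values, a file mapped to 0766 is created as 0664 and a directory mapped to 0777 as 0775, and a client asking for 0777 on an existing 0664 file through the NT security dialog is left at 0664 because the execute and other-write bits are outside `security mask`.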