File permission and samba help needed



  • I have a server running samba. It's messy with lots of files in it and people have been connecting to it using the same username/password.

    I want to split this up, so I created usernames and passwords for everyone, both in Linux and Samba.

    What I think I want is one share, but under that, directories for different departments, like HR, finance, etc. And the users should have different permissions so they can only see the directories they have permission for.

    What is my next step? Should I create groups in Linux for each department and then add users to that group? And then change the group owner on the department's directory and the files below it?



  • While I have never used Samba or Linux shares, I believe it is better to create a separate shared folder for each dept., such as Finance, HR, etc., which can make life easier, instead of sharing only one folder, placing one folder/directory in it for each dept. and working on sub-folder permissions.



  • Switch to a modern solution and leverage the identity service you are already using.

    Use a solution like OneDrive, box, dropbox, etc.

    Adding users and groups in Linux for a file server only is time consuming and will actually lead to a security issue called privilege creep, where you aren't properly managing a decentralized system and removing permissions/group membership as users' roles and needs change.

    Too much complexity to save a tiny bit of money, and it creates way more headache on arguably the most important aspect of the business (data).



  • @openit said in File permission and samba help needed:

    While I have never used Samba or Linux shares, I believe it is better to create a separate shared folder for each dept., such as Finance, HR, etc., which can make life easier, instead of sharing only one folder, placing one folder/directory in it for each dept. and working on sub-folder permissions.

    That's a valid argument. Have to mull that over.



  • @IRJ said in File permission and samba help needed:

    Switch to a modern solution and leverage the identity service you are already using.

    Use a solution like OneDrive, box, dropbox, etc.

    Adding users and groups in Linux for a file server only is time consuming and will actually lead to a security issue called privilege creep, where you aren't properly managing a decentralized system and removing permissions/group membership as users' roles and needs change.

    Too much complexity to save a tiny bit of money, and it creates way more headache on arguably the most important aspect of the business (data).

    That is also a valid argument and something that will probably happen down the line. Right now I'll just restructure the data that is already there.



  • Do you have AD?



  • @stacksofplates said in File permission and samba help needed:

    Do you have AD?

    No, there is no AD. Local accounts and everyone logs onto the smb share(s).



  • I ran some tests on a VM and created some groups and added some top-level directories for those groups.

    Changed the group on each top-level directory and the files below it recursively with chown -R.

    Set directories to permission 2770 and files to 0660 with chmod -R.

    Changed smb.conf and added create mask=0660 and directory mask=2770.

    Now new files and directories created on the share have the right permissions and belong to the right group automatically, simply depending on which group the top-level directory belongs to.

    If you're not a member of a group, you will not even see the directories or files that belong to that group.

    I think this is a good interim solution without too much work. Then moving to OneDrive or whatever can be done in the future on a department-by-department basis.

    The only admin required for adding users is to add them to Linux/Samba and make sure they become members of the right groups.

    It's also very simple to make a separate share out of the top-level folders if you wanted.
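The steps from the post above, carried out end to end as an added example (these are not the poster's own commands). It builds the per-department tree, applies 2770 to directories and 0660 to files, and prints the matching smb.conf share block. Assumed for the demo: the share root is a temp directory (override with SHARE_ROOT), the departments are "hr" and "finance", and, because creating groups needs root, a group the caller already belongs to stands in for each department group so the script runs unprivileged. It uses `chgrp -R` plus `find -exec chmod` instead of the post's `chown -R`/`chmod -R`, since a single `chmod -R` cannot give directories 2770 and files 0660 in one pass.

```shell
#!/bin/sh
# Added example, not code from the thread: group-owned department directories,
# setgid 2770 dirs, 0660 files, and the smb.conf masks that keep new files that way.
#
# Assumptions (constructed for this demo):
#   - share root under a temp dir (override with SHARE_ROOT)
#   - departments "hr" and "finance"; in production each maps to a Linux group
#     of the same name that the department's users are members of
#   - DEMO_GROUP is a group the caller already belongs to (a secondary group if
#     one exists), used in place of the real department groups so no root is needed
set -eu

SHARE_ROOT="${SHARE_ROOT:-$(mktemp -d)}/company"
DEMO_GROUP="$(id -Gn | awk '{ print ($2 != "") ? $2 : $1 }')"

# Octal mode of a path, normalised without a leading zero so "2770" and "660"
# compare cleanly; GNU stat first, BSD stat as a fallback.
mode_of() {
    raw=$(stat -c '%a' "$1" 2>/dev/null) || raw=$(stat -f '%OMp%OLp' "$1")
    printf '%o\n' "$((0$raw))"
}

# Group name owning a path.
group_of() {
    stat -c '%G' "$1" 2>/dev/null || stat -f '%Sg' "$1"
}

# Create one department tree and apply the layout from the post:
# group ownership recursively, directories 2770 (setgid so new entries inherit
# the group, no access for "other"), files 0660.
setup_department() {
    dept="$1"
    group="$2"
    dir="$SHARE_ROOT/$dept"
    mkdir -p "$dir/existing"
    printf 'constructed sample content\n' > "$dir/existing/report.txt"
    chgrp -R "$group" "$dir"
    find "$dir" -type d -exec chmod 2770 {} +
    find "$dir" -type f -exec chmod 0660 {} +
}

# Create a file inside a department directory and report which group it got.
# The setgid bit on the directory makes it the department group regardless of
# the creator's primary group. Its mode, however, follows the creator's umask;
# over SMB it is Samba's "create mask" that decides, hence the smb.conf entries.
new_file_group() {
    f="$SHARE_ROOT/$1/new-$$.txt"
    : > "$f"
    group_of "$f"
}

# The share definition the post describes: one share, masks matching the
# on-disk layout so files created through Samba come out 0660 / 2770.
smb_share_config() {
    cat <<EOF
[company]
   path = $SHARE_ROOT
   browseable = yes
   writable = yes
   create mask = 0660
   directory mask = 2770
EOF
}

# The share root itself must stay traversable by everyone so each user can
# reach their own department directory; the 2770 below it does the restricting.
mkdir -p "$SHARE_ROOT"
chmod 0755 "$SHARE_ROOT"
for dept in hr finance; do
    setup_department "$dept" "$DEMO_GROUP"
done

echo "share root: $SHARE_ROOT (demo group: $DEMO_GROUP)"
for dept in hr finance; do
    printf '%-8s dir=%s group=%s file=%s new-file-group=%s\n' "$dept" \
        "$(mode_of "$SHARE_ROOT/$dept")" "$(group_of "$SHARE_ROOT/$dept")" \
        "$(mode_of "$SHARE_ROOT/$dept/existing/report.txt")" "$(new_file_group "$dept")"
done
echo
smb_share_config
```

With a world-traversable share root, the names of all department directories still appear in a listing; only their contents are refused to non-members. Hiding the names as well is a Samba-side setting (`hide unreadable = yes`, which the thread does not mention), not something the file modes alone provide.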