File permission and samba help needed
-
I have a server running samba. It's messy with lots of files in it and people have been connecting to it using the same username/password.
I want to split this up so I created usernames and passwords for everyone, both in linux and samba.
What I think I want is one share but under that directories for different departments - like HR, finance etc. And the users should have different permissions so they can only see the directories they have permission for.
What is my next step? Should I create groups in linux for each department and then add users to that group? And then change the group owner on the departments directory and files below?
-
While I have never used Samba or Linux shares, I believe it is better to create a separate shared folder for each dept., such as Finance, HR etc., which can make life easier, instead of sharing only one folder, placing one folder/directory in it for each dept., and working on sub-folder permissions.
-
Switch to a modern solution and leverage the identity service you are already using.
Use a solution like OneDrive, box, dropbox, etc.
Adding users and groups in Linux for a file server only is time consuming and will actually lead to a security issue called privilege creep, where you aren't properly managing a decentralized system and removing permissions/group membership as the roles and needs of users change.
Too much complexity to save a tiny bit of money and create way more headache on arguably the most important aspect of the business (data)
-
@openit said in File permission and samba help needed:
While I have never used Samba or Linux shares, I believe it is better to create a separate shared folder for each dept., such as Finance, HR etc., which can make life easier, instead of sharing only one folder, placing one folder/directory in it for each dept., and working on sub-folder permissions.
That's a valid argument. Have to mull that over.
-
@IRJ said in File permission and samba help needed:
Switch to a modern solution and leverage the identity service you are already using.
Use a solution like OneDrive, box, dropbox, etc.
Adding users and groups in Linux for a file server only is time consuming and will actually lead to a security issue called privilege creep, where you aren't properly managing a decentralized system and removing permissions/group membership as the roles and needs of users change.
Too much complexity to save a tiny bit of money and create way more headache on arguably the most important aspect of the business (data)
That is also a valid argument and something that will probably happen down the line. Right now I'll just restructure the data that is already there.
-
Do you have AD?
-
@stacksofplates said in File permission and samba help needed:
Do you have AD?
No, there is no AD. Local accounts and everyone logs onto the smb share(s).
-
I ran some tests on a VM and created some groups and added some top-level directories for those groups.
Changed the group on each top-level directory and the files below recursively with chown -R. Set directories to permission 2770 and files to 0660 with chmod -R. Changed smb.conf and added create mask=0660 and directory mask=2770. Now new files and directories created on the share have the right permissions and belong to the right group automatically, simply depending on what group the top-level directory belongs to.
If you're not a member of a group, you will not even see the directories or files that belong to that group.
I think this is a good interim solution without too much work. Then moving to onedrive or whatever can be done in the future on a department to department basis.
Only admin required for adding users is to add them to linux/samba and make sure they become members of the right groups.
It's also very simple to make a separate share out of the top-level folders if you wanted.
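-
The permission scheme from the last post, as an added example that is not the poster's own script: it applies 2770 to directories and 0660 to files separately (a single chmod -R mode cannot do both) and goes one step further by auditing the tree for entries that have drifted from that scheme. The function names and the /srv/share/hr path are hypothetical; the group is passed in as an argument.

```shell
#!/bin/sh
# Added example; function names and paths are assumptions, not from the thread.

# apply_dept_perms DIR GROUP
# Hand the whole department tree to GROUP, then set setgid + rwxrwx--- on
# directories and rw-rw---- on files. The setgid bit on a directory makes
# new entries inherit the directory's group instead of the creator's.
apply_dept_perms() {
    dir=$1
    grp=$2
    chgrp -R "$grp" "$dir" || return 1
    find "$dir" -type d -exec chmod 2770 {} + &&
    find "$dir" -type f -exec chmod 0660 {} +
}

# audit_dept_perms DIR GROUP
# Print every entry that deviates from the scheme: a directory that is not
# exactly 2770, a regular file that is not exactly 0660, or anything owned
# by a different group. No output means the tree is consistent.
audit_dept_perms() {
    dir=$1
    grp=$2
    find "$dir" \( -type d ! -perm 2770 \) \
             -o \( -type f ! -perm 0660 \) \
             -o ! -group "$grp"
}

# Stand-alone use, e.g.:  sh dept_perms.sh /srv/share/hr hr
if [ "$#" -eq 2 ]; then
    apply_dept_perms "$1" "$2" && audit_dept_perms "$1" "$2"
fi
```

Running the audit from cron and alerting on any output catches files that were copied in locally with a permissive umask, which the smb.conf masks do not cover.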