Bug 44996 - UMC shares module doesn't support ACL configuration
Status: NEW
Product: UCS
Classification: Unclassified
Component: UMC - Shares
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Assigned To: UMC maintainers
Depends on:
Blocks:
Reported: 2017-07-13 15:40 CEST by Arvid Requate
Modified: 2022-03-09 15:11 CET (History)

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017071121000584
Bug group (optional):
Max CVSS v3 score:


Description Arvid Requate univentionstaff 2017-07-13 15:40:08 CEST
The permission options of the UMC shares module are overly complex on the one hand and do not cover common real-life use cases on the other. For example, currently there is no straightforward way via UMC alone to configure a share in such a way that two groups have access and can create files and directories. The additional requirement would be that no member of either group can withdraw or extend write access. This is what we came up with for Ticket #2017071121000584:

===========================================================================
udm shares/share modify --dn cn=example,cn=shares,dc=example,dc=org \
        --set sambaValidUsers="@group1 @group2 Administrator" \
        --set group=0 \
        --set directorymode=0755 \
        --remove sambaDirectoryMode \
        --remove sambaForceGroup \
        --set sambaInheritOwner=0 \
        --set sambaInheritPermissions=0

smbcacls //$(hostname -f)/example1 / -U Administrator \
        -a 'ACL:group1:ALLOWED/OI|CI/CHANGE'

smbcacls //$(hostname -f)/example1 / -U Administrator \
        -a 'ACL:group2:ALLOWED/OI|CI/CHANGE'
===========================================================================

Since NTACLs and fACLs are transparently converted into each other, you could do something similar with setfacl, but that would give the groups "FULL" access to the shares, allowing them to modify permissions. NTACLs simply allow more fine-grained control at this point.

IMHO it would be good if the UMC shares module supported configuration of ACLs: NTACLs if it's a Samba share, fACLs otherwise.
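
A check for the requirement in the description above (the groups get CHANGE, never FULL), added here as an example and not part of the bug report: it parses `smbcacls` output and reports every ALLOWED ACE that carries the change-permissions (P) or take-ownership (O) right. The sample ACL, the EXAMPLE domain and the function names are constructed for illustration.

```shell
# Added example (not from the bug report): audit `smbcacls` output for ACEs
# that would let a trustee rewrite the share's ACL.

# Succeeds if a permission field includes WRITE_DAC ('P') or WRITE_OWNER ('O').
grants_acl_control() {
    case $1 in
        FULL) return 0 ;;                 # FULL = RWXDPO
        READ|CHANGE) return 1 ;;          # READ = RX, CHANGE = RWXD
        0x*) [ $(( $1 & 0xC0000 )) -ne 0 ] && return 0; return 1 ;;  # raw mask
        *P*|*O*) return 0 ;;              # letter form, e.g. RWXDP
        *) return 1 ;;
    esac
}

# Reads smbcacls output on stdin. Arguments are trustees that may hold FULL
# ("DOMAIN\name" or bare name). Prints offending ACEs; status 1 if any found.
audit_share_acl() {
    found=0
    while IFS= read -r line; do
        case $line in ACL:*) ;; *) continue ;; esac
        ace=${line#ACL:}; perm=${ace##*/}     # last field: permissions
        head=${ace%/*/*}                      # trustee:TYPE
        type=${head##*:}; trustee=${head%:*}; short=${trustee##*\\}
        [ "$type" = ALLOWED ] || continue
        grants_acl_control "$perm" || continue
        skip=0
        for ok in "$@"; do
            if [ "$ok" = "$trustee" ] || [ "$ok" = "$short" ]; then skip=1; fi
        done
        [ "$skip" -eq 1 ] && continue
        printf '%s\n' "$line"
        found=1
    done
    [ "$found" -eq 0 ]
}

# Constructed sample: group2 has FULL, as a setfacl-based setup would give it.
sample_acl() {
    cat <<'EOF'
OWNER:EXAMPLE\Administrator
ACL:EXAMPLE\Administrator:ALLOWED/OI|CI/FULL
ACL:EXAMPLE\group1:ALLOWED/OI|CI/CHANGE
ACL:EXAMPLE\group2:ALLOWED/OI|CI/FULL
EOF
}

sample_acl | audit_share_acl Administrator || echo "ACEs above allow changing the share ACL" >&2
```

On a live system the input would come from `smbcacls //$(hostname -f)/<share> / -U Administrator` instead of `sample_acl`.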
Comment 1 Dirk Ahrnke univentionstaff 2022-03-09 15:11:11 CET
ACL support was requested by a prospect.