What I basically want to do is to be able to set SGID (setgid) on certain directories from Windows on Samba shares. Reminder: files and directories created within a directory with SGID set inherit the primary group of the parent directory.
Environment
I have an environment with a few dozen groups which need to access files related to projects they belong to. As the membership of project groups and the groups themselves change quite often, I want to delegate setting of permissions to group leaders as much as possible. While managing group membership was easy (GOSa privilege delegation took care of this nicely), I'm struggling with file permissions.
Note: the number of groups and other similar hierarchies is large, so creating different shares for each group or hierarchies is unworkable (the amount of possible mount points in Windows is limited, using UNC paths is unfortunately impossible too).
The folders in the share look like this:
    /share root
    +-- hierarchy 1
    +-- hierarchy 2
    |   ...
    +-- hierarchy 20
    +-- projects
        +-- project A
        |   +-- dir A
        |       +-- file
        +-- project B
        +-- ...
        +-- project Z
Samba ACL Group Control
The nice feature of Samba (acl group control) allows me to allow members of primary group owning the directory or file to edit its permissions (unlike the regular: owner, root and "admin users" from smb.conf).
So when I have a folder like this (POSIX ACL from getfacl):

    # file: project A
    # owner: root
    # group: proj-a-adm
    # flags: -s-
    user::rwx
    group::rwx
    group:Domain\040Users:r-x
    group:proj-a:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:group::rwx
    default:group:Domain\040Users:r-x
    default:group:proj-a:rwx
    default:mask::rwx
    default:other::---
Members of group proj-a-adm can edit permissions of this directory (and all directories and files created within), while members of proj-a group can modify files themselves, but can't change permissions of those files. Domain Users can only read files within.
Problem
When there is a new project created, a root user needs to run chmod g+s projects/project\ AA on command line.
I can edit permissions of files and folders after a new project was created without a problem using Windows file permissions window, but creation of new project folder requires running a command in the shell which is rather hackish.
A) Write a small web form and a small script that will create a group and a directory for a project.
B) Write a small Windows batch file that will do the same over ssh. You can use the ssh client from the Cygwin project or some native Windows ssh client.
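
One way to write the server-side script that options A and B would call, as an added example that is not part of the original question or answer. Because it runs with root rights on a name typed by a group leader, it validates that name against an allow-list before touching the filesystem. The function names, the 64-character limit, the name rules and mode 2770 (taken from the rwxrwx--- entries in the getfacl output above) are assumptions; the groups are expected to exist already, and the read-only Domain Users ACL entry is left out.

```bash
#!/usr/bin/env bash
# Added example; function names, mode 2770 and the name rules are assumptions.
export LC_ALL=C   # make the A-Z / a-z ranges below mean ASCII only

# Allow-list for a name typed by a group leader: letters, digits, space,
# '_' and '-'. This rejects '/', '..', quotes, ';', '$' and control
# characters, plus empty names and a leading '-' or leading/trailing space.
valid_project_name() {
    local name="$1"
    case $name in
        ''|-*|' '*|*' ') return 1 ;;
        *[!A-Za-z0-9\ _-]*) return 1 ;;
    esac
    [ "${#name}" -le 64 ]
}

# create_project BASE NAME ADMIN_GROUP [MEMBER_GROUP]
# The group arguments come from the wrapper's own configuration, never
# from the request. Prints the new path on success.
create_project() {
    local base="$1" name="$2" adm="$3" members="${4:-}"
    valid_project_name "$name" || { echo "invalid project name" >&2; return 2; }
    local dir="$base/$name"
    # No -p: mkdir fails if the path exists (directory, file or symlink),
    # so an existing tree is never re-permissioned. 0700 keeps it closed
    # if a later step fails.
    mkdir -m 0700 -- "$dir" || return 3
    chgrp -- "$adm" "$dir" || return 4
    # rwxrwx--- plus SGID: entries created inside inherit the group.
    chmod 2770 -- "$dir" || return 5
    if [ -n "$members" ]; then
        # Access and default ACL entries for the project members' group.
        setfacl -m "g:$members:rwx,d:g:$members:rwx" -- "$dir" || return 6
    fi
    printf '%s\n' "$dir"
}

# Command-line use: script BASE NAME ADMIN_GROUP [MEMBER_GROUP]
if [ "$#" -ge 3 ]; then
    create_project "$@"
fi
```

Behind ssh, such a script is typically bound to a dedicated key as a forced command so the caller cannot run anything else.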