Directory Access Question--Teachers Views.
I would like teachers to be able to see students directories from a Windows machine through Samba--but only directories inside the home directory. Later I want to refine it to only their students. Teachers are in a group called staff. Students are in 4 groups (s2005, s2006 etc) I really don't want all of them on the server itself with root access. Thanks.
David Poleshuck wrote:
I would like teachers to be able to see students directories from a Windows machine through Samba--but only directories inside the home directory. Later I want to refine it to only their students.
Teachers are in a group called staff.
Students are in 4 groups (s2005, s2006 etc)
One approach is to have group ownership of a pupils folder set to the Teacher's group and use the SetGID options on ext3 and create mask functions in Samba to ensure that files and directories are created with permissions to allow the teacher's group access. You could also allow write access in the same manner. To give the teachers access, create a new share at the "year" level with permissions that only allow members of the staff group access. Then map that to a drive on the Windows machines (as part of the login script, probably). HTH, Tony
--- Tony Whitmore wrote:
One approach is to have group ownership of a pupils folder set to the Teacher's group and use the SetGID options on ext3 and create mask functions in Samba to ensure that files and directories are created with
permissions to allow the teacher's group access. You could also allow write access in the same manner.
You have to be _extremely_ careful with g+s settings. Note that if we are talking $HOME; having that top-level directory sGID is not something you should do. -- Thomas Adam ===== "The Linux Weekend Mechanic" -- http://linuxgazette.net "TAG Editor" -- http://linuxgazette.net "<shrug> We'll just save up your sins, Thomas, and punish you for all of them at once when you get better. The experience will probably kill you. :)" -- Benjamin A. Okopnik (Linux Gazette Technical Editor)
Thomas Adam wrote:
--- Tony Whitmore wrote:
One approach is to have group ownership of a pupils folder set to the Teacher's group and use the SetGID options on ext3 and create mask functions in Samba to ensure that files and directories are created with
permissions to allow the teacher's group access. You could also allow write access in the same manner.
You have to be _extremely_ careful with g+s settings. Note that if we are talking $HOME; having that top-level directory sGID is not something you should do.
The clients in the OPs (and my) case are Windows machines using Samba, so $HOME is not as important an issue as it could be for a Linux system based around NFS. For example, our Debian based storage server authenticates users against our NT domain controller for Samba services, but the users don't have shell access. By setting GID on the user's directory, it ensures that files placed into a user's area by the user or by the Administrator are read/writable by the user. This makes restoring files or helping pupils with problems a reduced-hassle process by enabling pupils to work with files created for them by others. By making teachers members of the group that owns the pupil's directory they could traverse the directories as necessary. You can use share permissions to restrict access to "year shares" to members of staff. As for David's concern about setting this up for 4300 users, we use some scripts to set up and configure these scripts. You can find them at http://www.tonywhitmore.co.uk/scripts. There is one to "suck" all the usernames from the NT domain and create home directories based on a path of /home/$DOMAIN/$PRIMARY_GROUP/$USERNAME. There is another script that sets all the permissions on the directories and files. (It also changes ownership as this is important for quotas to work.) It also creates the home directories for any new users. This is run overnight by cron and takes 10 minutes to process 1300 users and ~30GB data. You might find these a useful starting point for your own situation. A third script is run as a root pre-exec every time a connection is initiated to the Samba server - it creates and configures the home folder if it does not already exist. Useful for late admissions or people who start without notice! Cheers, Tony
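One way to lay out the permissions Tony describes while honouring Thomas's caveat about setgid on the top-level directory, as an added example that is not from the thread or from Tony's scripts. The function names, the 0751/2750/0640 mode choices and the share parameters are assumptions for illustration; ROOT stands for /home/$DOMAIN in Tony's path scheme.

```sh
#!/bin/sh
# Added example, not the thread's scripts. Layout assumed: ROOT/<year>/<pupil>/
# STAFF is the teachers' group. File ownership is left alone (quotas need it).

# apply_home_perms ROOT STAFF
apply_home_perms() {
    root=$1
    staff=$2
    # Top and year levels: explicitly clear setgid (Thomas's caveat). Staff can
    # list; everyone else can only traverse to a directory they already know.
    for d in "$root" "$root"/*/; do
        chgrp "$staff" "$d"
        chmod u=rwx,g=rx,o=x,g-s "$d"
    done
    # Pupil level: group staff, setgid on directories so new files inherit the
    # group, and nothing for "other" so pupils cannot browse each other.
    for pupil in "$root"/*/*/; do
        chgrp -R "$staff" "$pupil"
        find "$pupil" -type d -exec chmod u=rwx,g=rx,o=,g+s {} +
        find "$pupil" -type f -exec chmod u=rw,g=r,o= {} +
    done
}

# samba_stanzas YEAR ROOT STAFF: print smb.conf text for one staff-only
# "year" share plus masks for [homes] that keep "other" bits off new files.
samba_stanzas() {
    cat <<EOF
[$1]
   path = $2/$1
   valid users = @$3
   read only = yes

[homes]
   create mask = 0640
   directory mask = 0750
EOF
}

# Usage: sh thisfile.sh /home/DOMAIN staff
if [ "$#" -eq 2 ]; then
    apply_home_perms "$1" "$2"
    samba_stanzas s2005 "$1" "$2"
fi
```

The symbolic `g-s` matters: GNU chmod keeps an existing setgid bit on a directory when given a plain numeric mode such as 0751.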
--- Tony Whitmore wrote:
For example, our Debian based storage server authenticates users against our NT domain controller for Samba services, but the users don't have shell access.
Most interesting... tell me - could this be done if some muppet had created all 600 users with white spaces in the usernames on the NT4 server? I'd really like to be able to add our linux terminal server to authenticate from our NT4 box... By authenticate I mean... allow logons to the linux box via Gnome and map the NT4 homedir to linux HOME. Thanks for any sharing of expertise in this area... -- Matt
As for a teacher view on this thread... at primary level we don't allow any children to have passwords, so the directory access from our point of view is completely supported, if not encouraged for class teachers. Just because pupils *can* login as someone else doesn't mean they should. To put it another way, at primary level, the kids don't use lockers, we don't lock children's drawers or sew up coat pockets. We don't have passwords. I appreciate that this may well be different at other keystages!? Just some thoughts. -- Matt Johnson
Early thoughts on this. You could set up Apache so that it would browse the users home directory. We have this set up to servername://~username/ Staff could then browse that folder for the pupil they are interested in. Pupils can also use this to set up there own websites. Another possible solution is to make a link ln -s from the group folder to somewhere on a staff share. If permissions are set to other read execute on the home drives then surely you can browse these from that share. Early in the morning for me so I probably have missed the plot ;) regards Simon On Wednesday 06 October 2004 03:26, David Poleshuck wrote:
I would like teachers to be able to see students directories from a Windows machine through Samba--but only directories inside the home directory. Later I want to refine it to only their students.
Teachers are in a group called staff.
Students are in 4 groups (s2005, s2006 etc)
I really don't want all of them on the server itself with root access.
Thanks.
Wouldn't this allow everyone to see each other's home directory? That could add another dimension to copying someone's answers.. Plus I'd be extremely cautious about what was being hosted in the way of websites by the dearly beloved clientele. We have enough hassles keeping an eye out on what they're sharing using pen drives, let alone giving them an easier method like their own website. On 6 Oct 2004 at 8:17, Simon Marsden wrote:
Early thoughts on this.
You could set up Apache so that it would browse the users home directory. We have this set up to servername://~username/
Staff could then browse that folder for the pupil they are interested in. Pupils can also use this to set up there own websites.
Another possible solution is to make a link ln -s from the group folder to somewhere on a staff share. If permissions are set to other read execute on the home drives then surely you can browse these from that share.
Early in the morning for me so i probably have missed the plot ;)
regards Simon
On Wednesday 06 October 2004 03:26, David Poleshuck wrote:
I would like teachers to be able to see students directories from a Windows machine through Samba--but only directories inside the home directory. Later I want to refine it to only their students.
Teachers are in a group called staff.
Students are in 4 groups (s2005, s2006 etc)
I really don't want all of them on the server itself with root access.
Thanks.
----- Paul Graydon Network Technician Haywards Heath College http://www.hhc.ac.uk (01444) 456281 In the end, we will remember not the words of our enemies, but the silence of our friends. - Martin Luther King Jr. (1929 - 1968)
Hi More awake now. Sorry for the there when I meant their earlier ;) On Wednesday 06 October 2004 09:13, Paul Graydon wrote:
> Wouldn't this allow everyone to see each other's home directory?
Not if the staff share is only viewable by the staff group. That is how it is set up here.
> That could add another dimension to copying someone's answers..
At the end of the day this can be done at any level at any time. We have actually got a swap drive for pupils to share work ideas etc. Can be a pain but more useful than a problem. Very useful if you are half way through a task and one of the little darlings hoses their work. I normally introduce it to them with the comment "this will help you cheat". At the end of the day it is about training them not to do it.
> Plus I'd be extremely cautious about what was being hosted in the way of websites by the dearly beloved clientele. We have enough hassles keeping an eye out on what they're sharing using pen drives, let alone giving them an easier method like their own website.
I really would like to host the pupils' sites so they can be seen from home. "Look at what I did today mum". However, this is a great leap of faith. I guess ISPs have the same problem. If I do open it up I will get parental permission and disclaimers set up - only pupils that have signed up would be able to publish sites. At the moment the pupils' websites can only be viewed internally. They can set up websites with LAMP (Linux Apache PHP MySQL) so I have KS4s experimenting with forums, content managed websites, programming etc.