[Samba] Quick question on adding Winbind/NIS groups to a Samba ACL
Noel Kelly
nkelly at tarsus.co.uk
Tue Mar 19 22:15:04 GMT 2002
Bill-
Key point is that you need to be the owner to manage ACLs through the
Windows GUI. Try and create a new file so you are the owner of it and then
manipulate the ACLs. Or chown an existing file so you are the owner. You
cannot use the 'take ownership' NT route.
Check out the 'force user = root' setting - we use it for creating
admin-only shares. Root can do anything of course.
Hope this helps a bit,
Noel
-----Original Message-----
From: Bill Town [mailto:bill at kontiki.com]
Sent: 19 March 2002 22:18
To: samba at lists.samba.org
Subject: [Samba] Quick question on adding Winbind/NIS groups to a Samba ACL
Hi all-
First a little background and infrastructure:
After a long arduous road I got my Samba file server to authenticate
with Winbind and/or NIS (synced with AD) in a Native Mode Active
Directory. I can logon to the Linux server locally and also gain access
to a file share via a windows box with accounts in either. Samba is
running on a Linux 7.2 server with Kernel 2.14.18 with the ACL patches
(using http://acl.bestbits.at/). I built Samba with the
--with-acl-support and --with-nis (--with-winbind is a default option).
The Samba configuration file is below as well as the pam.d/login and
pam.d/system-auth files. The server is a member of the domain and
[wbinfo -t] reports [security is good]. [Getent passwd] and [getent
group] enumerate the users and groups correctly.
Now the question:
I can modify permissions through a Windows 2000 Security Interface if
the group already has some sort of permissions assigned on the
file/directory. I cannot add groups to an ACL through the Windows 2000
interface but must resort to adding them via setfacl on the Linux box.
Any ideas? I cannot add groups because it only wants DOMAIN\GROUP and
the current permissions show up as FILE-SERVER\GROUP. The Winbind
groups do not show up at all in the Windows security interface but do in
the getfacl on the Linux box. Thanks in advance for your help.
Cheers,
-Bill
smb.conf:
---------------------------------------------------------
# Samba config file
# Date: 2002/03/19
# Global parameters
[global]
workgroup = ZODIAC
netbios name = fs1-test
server string = Test File Server
security = DOMAIN
encrypt passwords = Yes
password server = *
preferred master = False
local master = No
domain master = False
wins server = 172.16.1.12 172.16.2.12
large readwrite = yes
winbind uid = 20000-29999
winbind gid = 2000-2999
# winbind separator = +
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
[test]
comment = Test File Share
path = /export/test
read only = No
inherit permissions = yes
---------------------------------------------------------
pam.d/login:
---------------------------------------------------------
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth required /lib/security/pam_stack.so service=system-auth
auth sufficient /lib/security/pam_winbind.so use_first_pass
auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
#auth sufficient /lib/security/pam_unix.so use_first_pass
#account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
---------------------------------------------------------
pam.d/system-auth:
---------------------------------------------------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_winbind.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow nis
password sufficient /lib/security/pam_winbind.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session required /lib/security/pam_winbind.so
---------------------------------------------------------
----
Bill Town
Kontiki, Inc.
Voice: 650.625.3065
Fax: 650.623.0142
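
As an added example (not part of the thread and not Samba project code): a small Python check for the 'force user = root' shares mentioned in the reply. It flags any such share that has no 'valid users' restriction, because file operations on that share run as root for every connection. The sample smb.conf text and the [admin] and [admin-ok] shares are constructed.

```python
import re

# Constructed sample: the [test] share from the thread plus two hypothetical
# shares that use 'force user = root', one restricted and one not.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = ZODIAC
   security = DOMAIN
[test]
   path = /export/test
   read only = No
[admin]
   path = /export/admin
   force user = root
[admin-ok]
   path = /export/admin2
   Force User = root
   valid users = @wheel
"""

def parse_smb_conf(text):
    """Return {section: {normalised key: value}} for smb.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace inside parameter names.
            current["".join(key.split()).lower()] = value.strip()
    return sections

def unrestricted_root_shares(text):
    """Names of shares that force root but do not limit who may connect."""
    sections = parse_smb_conf(text)
    defaults = sections.get("global", {})
    flagged = []
    for name, params in sections.items():
        effective = {**defaults, **params}  # [global] supplies share defaults
        if name == "global" or effective.get("forceuser", "").lower() != "root":
            continue
        if not effective.get("validusers"):
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    for share in unrestricted_root_shares(SAMPLE_SMB_CONF):
        print(f"[{share}] forces root without 'valid users'")
```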