[Samba] Samba and file system permissions
(secondary/auxiliary/non-primary groups)
list at mischievousmonkey.co.uk
Tue Sep 2 20:59:14 GMT 2008
Hi
I have a problem with Samba integrated with Active Directory (2003).
I wish to have one share containing different folders and I wish access to
these folders to be controlled at the file system level, so that if a
connecting user is in the group(s) specified at the filesystem level he or
she is permitted access to that folder according to the folder's
permissions.
I'm running Ubuntu 8.04.1, Likewise-open and Samba 3.0.28a.
I have successfully gotten to the point whereby Samba recognises the
groups at the share level but not at the folder level unless the user's
primary group is set to the folder group.
Can anyone shed any light as to why this is so?
I really need to be able to set permissions via group by folder in order
to directly replace a Windows file server.
Below are sanitised versions of my config files.
Thanks in advance for any help
Regards
Jon
smb.conf
---------------------
[global]
security = ads
workgroup = MYDOMAIN
realm = MYDOMAIN.LOCAL
idmap backend = lwopen
idmap uid = 50 - 999999999
idmap gid = 50 - 999999999
server string = %h server (Samba, Ubuntu)
wins server = server1.mydomain.local
dns proxy = no
interfaces = 127.0.0.0/8 eth0
bind interfaces only = true
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
passdb backend = tdbsam
encrypt passwords = yes
obey pam restrictions = yes
invalid users = root
unix password sync = no
socket options = TCP_NODELAY
domain master = no
map acl inherit = yes
veto files = /.DS_Store/._*/
winbind use default domain = no
#======================= Share Definitions =======================
[srv]
path = /srv/
comment = DEV
browseable = no
valid users = @MYDOMAIN\group
write list = @MYDOMAIN\group
writable = yes
create mask = 0775
directory mask = 0775
guest ok = no
inherit permissions = yes
nt acl support = yes
lwiauthd.conf
---------------------
[global]
workgroup = MYDOMAIN
security = ads
passdb backend = tdbsam
disable netbios = yes
idmap domains = default
idmap config default:default = yes
idmap config default:backend = lwopen
idmap config default:readonly = yes
idmap alloc backend = tdb
idmap alloc config:range = 9000 - 9999
idmap cache time = 3600
idmap negative cache time = 300
winbind cache time = 900
winbind offline logon = yes
winbind refresh tickets = yes
winbind replacement character = ^
winbind normalize names = yes
winbind expand groups = 10
winbind enum users = Yes
winbind enum groups = Yes
template shell = /bin/bash
template homedir = /home/%D/%U
machine password timeout = 2592000
realm = MYDOMAIN.LOCAL
use kerberos keytab = yes
nt acl support = yes
map acl inherit = yes
veto files = /.DS_Store/._*/
winbind nss info = sfu
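
An added diagnostic, not part of the original post: it asks NSS for an account's primary and supplementary groups and evaluates a folder's mode bits the way POSIX does (owner, else group, else other), which shows whether the folder's group is reaching the account only as a primary group. The function names and the numeric IDs in the demo are constructed for illustration; POSIX ACLs and root's override are not modelled, and the result reflects what NSS reports rather than the token Samba builds for a session.

```python
import os
import pwd
import stat
import sys


def permission_class(dir_uid, dir_gid, uid, primary_gid, supplementary_gids):
    """Pick the single mode-bit class POSIX applies: owner, else group, else other."""
    if uid == dir_uid:
        return "owner"
    if dir_gid == primary_gid or dir_gid in supplementary_gids:
        return "group"
    return "other"


def can_enter(mode, dir_uid, dir_gid, uid, primary_gid, supplementary_gids):
    """Return (class, allowed); allowed means read+execute on the directory.
    Mode bits only: POSIX ACLs and root's override are not modelled."""
    cls = permission_class(dir_uid, dir_gid, uid, primary_gid, supplementary_gids)
    shift = {"owner": 6, "group": 3, "other": 0}[cls]
    return cls, ((mode >> shift) & 0o5) == 0o5


def diagnose(user, path):
    """Evaluate a real account against a real directory using NSS and stat()."""
    pw = pwd.getpwnam(user)
    # getgrouplist() asks NSS for every group the account belongs to.
    supplementary = set(os.getgrouplist(user, pw.pw_gid)) - {pw.pw_gid}
    st = os.stat(path)
    cls, allowed = can_enter(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                             pw.pw_uid, pw.pw_gid, supplementary)
    return {"primary_gid": pw.pw_gid, "supplementary": sorted(supplementary),
            "dir_gid": st.st_gid, "class": cls, "allowed": allowed}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(diagnose(sys.argv[1], sys.argv[2]))
    else:
        # Constructed IDs: folder root:5001 mode 0770, user 6000, primary gid 5000.
        print(can_enter(0o770, 0, 5001, 6000, 5000, {5001}))  # group resolved
        print(can_enter(0o770, 0, 5001, 6000, 5000, set()))   # group missing
```

Run it with the account name exactly as NSS knows it and a folder under the share path; if "dir_gid" is absent from both "primary_gid" and "supplementary", the group membership is not reaching the Unix side for that account.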