[Samba] Share Permissions on an ADS member server [NOT PROTECTIVELY MARKED]
Nigel.Pain at scotland.gsi.gov.uk
Wed Feb 24 09:16:04 MST 2010
Classification: NOT PROTECTIVELY MARKED
Samba 3.4.5
Solaris 9
Windows 2000 AD domain
Heimdal Kerberos 1.3.1
Samba is configured and the server is joined to the domain. wbinfo works
as it should do, and so did getent when I had enumeration turned on. I
can view and change security properties from a Windows client (as a
member of the owner group).
I've created a share and set permissions on directories within it.
However, Samba does not seem to be honouring permissions for domain
users.
For example, from Windows clients any domain user can write to the
directory /testshare/Communities/HASS which has the following POSIX
acls:
# file: Communities/HASS
# owner: u101529
# group: dl raes b isis css
user::rwx
group::rwx #effective:rwx
group:sdmu:rwx #effective:rwx
group:housing:rwx #effective:rwx
group:dl just v cas:r-x #effective:r-x
group:dl just b cas hass:rwx #effective:rwx
mask:rwx
other:---
default:user::rwx
default:group::rwx
default:group:sdmu:rwx
default:group:housing:rwx
default:group:dl just v cas:r-x
default:group:dl just b cas hass:rwx
default:mask:rwx
default:other:---
Groups "dl raes b isis css", "dl just v cas" and "dl just b cas hass"
and user u101529 are from the domain, the other groups are native UNIX
ones. My understanding is that only the owner and members of sdmu,
housing, "dl raes b isis css" and "dl just b cas hass" should be able to
write to this directory and nobody in groups not listed in the ACLs
should even be able to open it. Native UNIX users and groups are still
bound by these permissions.
This is doing my head in so any insights would be welcome!
smb.conf:
[global]
unix charset = LOCALE
workgroup = OURDOMAIN
realm = OUR.REALM
server string = MC18UNXA
bind interfaces only = Yes
security = ADS
password server = dc.our.realm
ntlm auth = No
client NTLMv2 auth = Yes
log level = 3
log file = /usr/local/samba/var/log.%m
max log size = 100
domain master = No
idmap alloc backend = tdb
idmap uid = 70000-200000
idmap gid = 70000-200000
winbind use default domain = Yes
[testshare]
path = /testshare
read only = No
acl group control = Yes
inherit permissions = Yes
inherit acls = Yes
----------------------------------------
Nigel Pain
The Scottish Government
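The post's expectation ("only the owner and members of sdmu, housing, 'dl raes b isis css' and 'dl just b cas hass' should be able to write, and nobody outside the listed groups should be able to open it") is the POSIX.1e access-check algorithm applied to that getfacl listing. The script below is an added example, not part of the original message or of Samba: it parses the listing exactly as posted (Solaris format, group names containing spaces, "#effective:" annotations) and replays the POSIX.1e evaluation order (owner, named users, then owning/named groups under the mask, then other) for a set of constructed identities. The user names and their supplementary groups are assumptions made up for the illustration; the helper names (parse_getfacl, can_access, expected_writers, expected_openers) are mine.

```python
"""POSIX.1e ACL access evaluation replayed over the getfacl listing from the post.

Added example, not from the original message or from Samba. The ACL text is
copied from the post; the users, their supplementary groups and the helper
names are constructed for illustration.
"""
from dataclasses import dataclass, field

# ACL listing as posted (Solaris getfacl format, "#effective:" annotations kept)
ACL_TEXT = """\
# file: Communities/HASS
# owner: u101529
# group: dl raes b isis css
user::rwx
group::rwx #effective:rwx
group:sdmu:rwx #effective:rwx
group:housing:rwx #effective:rwx
group:dl just v cas:r-x #effective:r-x
group:dl just b cas hass:rwx #effective:rwx
mask:rwx
other:---
default:user::rwx
default:group::rwx
default:group:sdmu:rwx
default:group:housing:rwx
default:group:dl just v cas:r-x
default:group:dl just b cas hass:rwx
default:mask:rwx
default:other:---
"""


def _bits(perms: str) -> frozenset:
    """'r-x' -> {'r', 'x'}"""
    return frozenset(c for c in perms if c in "rwx")


@dataclass
class Acl:
    owner: str = ""
    group: str = ""                               # owning group
    user_obj: frozenset = _bits("")               # user:: entry
    group_obj: frozenset = _bits("")              # group:: entry
    users: dict = field(default_factory=dict)     # named user entries
    groups: dict = field(default_factory=dict)    # named group entries
    mask: frozenset = _bits("rwx")                # absent mask = no masking
    other: frozenset = _bits("")


def parse_getfacl(text: str) -> Acl:
    acl = Acl()
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()  # drop Solaris effective-permission notes
        if not line:
            continue
        if line.startswith("# owner:"):
            acl.owner = line.split(":", 1)[1].strip()
            continue
        if line.startswith("# group:"):
            acl.group = line.split(":", 1)[1].strip()
            continue
        if line.startswith("#") or line.startswith("default:"):
            continue  # other comments; default entries only shape new children
        # entries are tag:qualifier:perms; qualifiers may contain spaces but never colons
        parts = line.split(":")
        tag, perms = parts[0], _bits(parts[-1])
        name = parts[1] if len(parts) == 3 else ""
        if tag == "user":
            if name:
                acl.users[name] = perms
            else:
                acl.user_obj = perms
        elif tag == "group":
            if name:
                acl.groups[name] = perms
            else:
                acl.group_obj = perms
        elif tag == "mask":
            acl.mask = perms
        elif tag == "other":
            acl.other = perms
        else:
            raise ValueError(f"unrecognised ACL entry: {line!r}")
    return acl


def can_access(acl: Acl, user: str, groups, want: str) -> bool:
    """POSIX.1e access check for one process identity.

    Order: owner (user::, mask not applied); named user (entry & mask);
    owning group or any named group the process belongs to (granted if any
    such entry & mask suffices; if some group matched but none sufficed,
    denied with no fall-through to other); finally other.
    """
    need = _bits(want)
    if user == acl.owner:
        return need <= acl.user_obj
    if user in acl.users:
        return need <= (acl.users[user] & acl.mask)
    matched = False
    for g in groups:
        if g == acl.group:
            matched = True
            if need <= (acl.group_obj & acl.mask):
                return True
        if g in acl.groups:
            matched = True
            if need <= (acl.groups[g] & acl.mask):
                return True
    if matched:
        return False
    return need <= acl.other


# Constructed identities (assumed, not from the post): name -> groups as winbind
# would present them with "winbind use default domain = Yes" (no DOMAIN\ prefix).
PRINCIPALS = {
    "u101529": ["domain users", "dl raes b isis css"],                  # the owner
    "alice":   ["domain users", "dl just v cas"],                       # r-x only
    "bob":     ["domain users"],                                        # no entry -> other
    "carol":   ["domain users", "sdmu"],                                # native UNIX rwx group
    "dave":    ["domain users", "dl just v cas", "dl just b cas hass"], # one r-x, one rwx
}


def expected_writers(acl: Acl, principals: dict) -> list:
    return sorted(u for u, gs in principals.items() if can_access(acl, u, gs, "w"))


def expected_openers(acl: Acl, principals: dict) -> list:
    """who may list and enter the directory (needs r and x)"""
    return sorted(u for u, gs in principals.items() if can_access(acl, u, gs, "rx"))


if __name__ == "__main__":
    acl = parse_getfacl(ACL_TEXT)
    print("can write:", expected_writers(acl, PRINCIPALS))
    print("can open :", expected_openers(acl, PRINCIPALS))
```

The evaluator only says what the ACL permits for a given set of groups; on the server itself the groups that matter are the ones winbind actually puts in the user's token, so run `id` for a domain user on the Solaris box and feed that group list in. If the token lacks the domain groups the ACL names, the outcome differs from what the ACL listing alone suggests.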