[Samba-it] Capitolo 10 "Active Directory, Kerberos, and Security".
Meli Marco
Marco.Meli at gknsintermetals.com
Thu Oct 20 12:21:01 MDT 2005
Sorry, but I also posted it in English and I'm forwarding it to you as is, thanks:
Hi all,

Referring to Samba-3 by Example, I am not clear on one point in Chapter 10, "Active Directory, Kerberos, and Security". Under "How to set Windows 200x ACLs" in section 10.3.4.2 you wrote, at point 2:

"Be very careful. Many problems have been created by people who decided that Everyone should be rejected but one particular group should have full control. This is a catch-22 situation because members of that particular group also belong to the group Everyone, which therefore overrules any permissions set for the permitted group."

So, about this matter I have some questions:

I want to set an ACL on my share as you said above, not for a particular group but for a defined user. I have tried to set "Full Control" for this user on his personal folder and remove all permissions for the "Everyone" group. The result is that the user cannot list his personal folder. Since it's clear what I should expect from my settings, I would like to ask you how I can set these ACLs to allow the user to list his folder while preventing other users (Everyone) from seeing it.

Also, why is it that when I set these rights on a Samba box connected to a W3K ADS server in Chicago the ACL works as I expected, while when my Samba box is replicated on my W3K ADS in Italy the behaviour of the ACL changes? In the first case each user can see his personal folder even if the ACLs are set "wrong" by me as I described above, while after replication the user logs in again to the same share and can't list his personal folder any more.

I thought the cause was probably due to some differences between the two servers, but they belong to the same realm and share the same policy, except that the AD Chicago server is a normal PC while the AD Italy server is a PowerEdge 2500 with an array controller (the Samba box with SuSE 9.2 is in Italy).

Note: I have mixed PCs on my network, but this problem persists only with W2K and XP workstations, not with Win9X.

Any help will be appreciated.

I don't want to set a share section in smb.conf for a particular user; I have only declared the [data] share.

Below is my smb.conf file:
[global]
netbios name = MILLX01
os level = 16
wins server = xxx
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
workgroup = GKNSMI
realm = SINTER.GKN.COM
security = ADS
password server = xxx.sinter.gkn.com
encrypt passwords = yes
allow trusted domains = Yes
winbind use default domain = Yes
winbind separator = /
winbind enum users = Yes
winbind enum groups = yes
idmap uid = 10000-100000
idmap gid = 10000-100000
hide unreadable = Yes
template homedir = /data/user/%U
template shell = /bin/false
use sendfile = No
printer admin = xxx
admin users = xxx
log file = /var/log/samba/log.%m
log level = 1 auth:5 sam:5
max log size = 50
printing = cups
printcap name = cups
load printers = Yes
map acl inherit = Yes
nt acl support = Yes
client schannel = No
[data]
comment = %D Share
path = /data
read only = No
create mask = 0775
security mask = 0777
force security mode = 0
directory mask = 0775
directory security mask = 0777
force directory security mode = 0
dos filetimes = Yes
valid users = xxx
Thanks a lot.
Marco.
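As an added illustration (not part of the original post, the Samba book, or Samba's own code), a small Python model of Windows DACL evaluation showing why a Deny entry for Everyone overrides the user's own Allow entry, and why leaving Everyone out of the ACL entirely (implicit deny) is the setting that gives the intended result. The user name "marco", the second user "other" and the access-mask bits are constructed for the example.

```python
from dataclasses import dataclass

# Simplified access-mask bits (constructed; only relative positions matter here).
LIST, WRITE, DELETE = 0x1, 0x2, 0x4
FULL = LIST | WRITE | DELETE

@dataclass(frozen=True)
class Ace:
    kind: str        # "allow" or "deny"
    trustee: str     # user or group name, e.g. "Everyone"
    mask: int        # access bits granted or denied
    inherited: bool = False

def canonical(dacl):
    """Order ACEs as the Windows security editor does: explicit deny,
    explicit allow, inherited deny, inherited allow. Deny entries are
    therefore always evaluated before the allow entries they override."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(dacl, token, desired):
    """Simplified Windows DACL walk. `token` is the set of principals the
    caller holds (its own name plus every group, which always includes
    Everyone). A matching deny ACE that covers any still-outstanding desired
    bit fails the check; a matching allow ACE clears the bits it grants.
    Anything still outstanding at the end is an implicit deny, so a DACL
    with no ACE for the caller denies (a NULL DACL is not modelled)."""
    remaining = desired
    for ace in canonical(dacl):
        if ace.trustee not in token:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0

# Constructed tokens: every domain user is also a member of Everyone.
MARCO = {"marco", "Domain Users", "Everyone"}
OTHER = {"other", "Domain Users", "Everyone"}

# The catch-22 from section 10.3.4.2: Deny Everyone plus Allow for the user.
CATCH22 = [Ace("allow", "marco", FULL), Ace("deny", "Everyone", FULL)]
# The intended setting: no entry for Everyone at all, only the user's Allow.
INTENDED = [Ace("allow", "marco", FULL)]

def scenarios():
    """Can the folder be listed under each ACL, by its owner and by a stranger?"""
    return {
        "catch22_owner_can_list": access_check(CATCH22, MARCO, LIST),
        "catch22_other_can_list": access_check(CATCH22, OTHER, LIST),
        "intended_owner_can_list": access_check(INTENDED, MARCO, LIST),
        "intended_other_can_list": access_check(INTENDED, OTHER, LIST),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

With the Deny-Everyone entry present the owner is locked out exactly as described in the post; with only his Allow entry he can list the folder and everyone else is refused by the implicit deny.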