[Samba-it] Capitolo 10 "Active Directory, Kerberos, and Security".

[Meli Marco]

Scuate ma l'ho postato anche in "inglesondo" e ve lo giro com'è, 
grazie:

Hi all,
Referred to Samba-3 by Example I don't have clear one point on Chapter 
10
"Active Directory, Kerberos, and Security":
How to set Windows 200x ACLs in 10.3.4.2 section you wrote at point 2:

"Be very carefully. Many problems have been created by people who 
decided
that Everyone should be rejected but one particular group should have 
full
control. This is a catch-22 situation because members of that 
particular
group also belong to the group Everyone, which therefore overrules any
permissions set for the permitted group".

So, about this matter I have some questions:

I want to set ACL on my share as you said above not for a particular 
group
but for a defined user. I have tried to set "Full Control" for this 
user to
his personal folder and get off any permissions to "Everyone" group. 
The
result is that the user cannot list his personal folder.
Since it's clear what I should expect from my settings I would like to 
I ask
you how can I set these ACLs to allow the user to list his folder, 
avoiding
to others users to see them (Everyone).
Also, why setting this rights on to samba box connected to an W3K ADS 
server
in Chicago, ACL works as I expected, while when my samba box is 
replicated
on my W3K ADS in Italy the behavior of ACL changes:
In the first case each user can see personal's folder even if ACLs are
"wrong" setted by me as I described above, while after replication the 
user
login again to the same share and can't list his personal folder any 
more.
I thougth the cause was probably due to some differences on both 
servers but
they belong to the same realm and share the same policy, except that AD
Chicago server is a normal pc while AD Italy server is a power edge 
2500
with array controller (samba box with Suse9.2 is in Italy).
Note: I've a mixed pc on my network but this problem persist only with 
W2K
and XP workstation not with Win9X.
Any help will be appreciated.
I don't want to set a section share in smb.conf, for a particular user 
, I
have only declared [data] share.
Below my smb.conf file:

[global]
        netbios name = MILLX01
        os level = 16
        wins server = xxx
        socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
        workgroup = GKNSMI
        realm = SINTER.GKN.COM
        security = ADS
        password server = xxx.sinter.gkn.com
        encrypt passwords = yes
        allow trusted domains = Yes
        winbind use default domain = Yes
        winbind separator = /
        winbind enum users = Yes
        winbind enum groups = yes
        idmap uid = 10000-100000
        idmap gid = 10000-100000
        hide unreadable = Yes
        template homedir = /data/user/%U
        template shell = /bin/false
        use sendfile = No
        printer admin = xxx
        admin users = xxx
        log file = /var/log/samba/log.%m
        log level = 1 auth:5 sam:5
        max log size = 50
        printing = cups
        printcap name = cups
        load printers = Yes
        map acl inherit = Yes
        nt acl support = Yes
        client schannel = No
[data]
        comment = %D Share
        path = /data
        read only = No
        create mask = 0775
        security mask = 0777
        force security mode = 0
        directory mask = 0775
        directory security mask = 0777
        force directory security mode = 0
        dos filetimes = Yes
        valid users = xxx

Thanks a lot.
Marco.



--- StripMime Report -- processed MIME parts ---
multipart/alternative
  text/plain (text body -- kept)
  text/html
---