Seeking clarification
John H Terpstra - Samba Team
jht at samba.org
Fri May 22 15:29:27 GMT 2009
simo wrote:
> On Thu, 2009-05-21 at 23:51 -0500, John H Terpstra - Samba Team wrote:
>> Can someone please clarify if the following behavior is a bug or an
>> expected feature.
>>
>> Samba-3.3.4 - ADS Domain Member server. Obviously, running winbind.
>> The following describes the problem as reported by the Samba admin.
>>
>> There are several domain users that are members of the Domain Admins group.
>>
>> Execution on the Linux (RHEL5.3) system of the following command shows
>> that two users have the Domain Admins group as their primary group, the
>> other users' primary group is Domain Users, with secondary membership in
>> Domain Admins.
>>
>> The problem the site is complaining about is that, regardless, any user
>> who is a member of the Domain Admins group creates files and folders on
>> the RHEL5.3 Linux system - but the owner and group are set to UID is
>> root, GID is "Domain Admins". The problem then is that users who are
>> not members of the Domain Admins group can not manage permissions on the
>> root owned and "Domain Admins" group owned files, nor can they write to
>> folders so owned. I know this can be changed by opening up the UGO
>> permissions or by setting POSIX ACLs - but that is undesirable for other
>> reasons.
>>
>> When the same users who are Domain Admins members create files and
>> folders on a Windows Server 2003 system, they end up being owned by the
>> correct user, and that user's primary group. The same happens with
>> Samba 3.2.7.
>>
>> It seems that Samba-3.3.4 behaves differently from 3.2.7 and differently
>> from Windows Server 2003.
>>
>> Is this a bug? If so, should I file a bug report?
>>
>> Thanks for tuning in, and thanks for any responses provided.
>
> Can't say w/o seeing smb.conf, are you sure they have not put these
> users in the 'admin users' list ?
> That would make them be root on the machine, and would explain why files
> are created as root.
>
> Simo.
>
Simo,

Here is the smb.conf file. As you can see, no "admin users" have been
defined.

Cheers,
John T.

[global]
workgroup = HOSTREL
realm = HOSTREL.LCL
netbios name = RES-CIFS-00
server string = RES CIFS
security = ADS
restrict anonymous = 2
client NTLMv2 auth = Yes
log level = 1
log file = /var/log/samba/log.%L.%m
max log size = 0
load printers = No
disable spoolss = Yes
kernel oplocks = No
os level = 0
wins server = 10.150.0.60
ldap ssl = no
idmap backend = tdb
idmap uid = 2000000-2999999
idmap gid = 2000000-2999999
winbind separator = +
winbind cache time = 3000
winbind enum users = Yes
winbind enum groups = Yes
idmap config HOSTREL:backend = tdb
winbind:ignore domains = HOSTREACT.LOCAL
fileid:mapping = fsname
force unknown acl user = Yes
include = /etc/samba/.conf
vfs objects = fileid

[cifs1]
comment = Relativity Share1
path = /mnt/cifs1/toplevel
valid users = "@HOSTREL+Domain Users"
read only = No
fileid:mapping = fsname

[cifs2]
comment = Relativity Share2
path = /mnt/cifs2/toplevel
valid users = "@HOSTREL+Domain Users"
read only = No
fileid:mapping = fsname
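
Simo's question about 'admin users' can be checked mechanically across every section and every file pulled in by an include line. The following is an added example, not part of the original thread or of Samba: it reads smb.conf text, follows include lines, and lists any admin users, force user or force group setting together with include targets it could not read. The choice of those three parameters, the file names and the sample contents are this example's own and are constructed.

```python
import re

# Real smb.conf parameters that change which Unix identity creates files.
IDENTITY_PARAMS = {"adminusers", "forceuser", "forcegroup"}

def norm(name):
    """Samba ignores case and whitespace inside parameter names."""
    return re.sub(r"\s+", "", name).lower()

def expand(files, path, seen, unresolved):
    """Yield (path, line), splicing include targets in where they appear."""
    seen.add(path)
    text = files[path].replace("\\\n", "")  # join backslash-continued lines
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if sep and norm(key) == "include":
            if value in files and value not in seen:
                yield from expand(files, value, seen, unresolved)
            elif value not in seen:
                unresolved.append((path, value))  # needs a manual look
        else:
            yield path, line

def audit(files, path):
    """files maps path -> text (a dict so this runs offline).
    Returns (findings, unresolved includes)."""
    findings, unresolved, section = [], [], None
    for src, line in expand(files, path, set(), unresolved):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if sep and norm(key) in IDENTITY_PARAMS:
            findings.append((src, section, key, value))
    return findings, unresolved

# Constructed samples: a cut-down copy of the posted config, and a
# hypothetical pair of files where an included file sets "admin users".
POSTED = {"smb.conf": "[global]\nsecurity = ADS\ninclude = /etc/samba/.conf\n"
                      "[cifs1]\nvalid users = \"@HOSTREL+Domain Users\"\n"}
NESTED = {"main.conf": "[global]\ninclude = extra.conf\n[cifs2]\nread only = No\n",
          "extra.conf": "[cifs1]\nAdmin Users = @HOSTREL+Domain Admins\n"}

if __name__ == "__main__":
    print(audit(POSTED, "smb.conf"))
    print(audit(NESTED, "main.conf"))
```

On the cut-down copy of the posted file the findings list is empty and the include target is reported as unread, so that file would still need to be inspected by hand.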