username map behavior

Christian Barth barth at cck.uni-kl.de
Tue Oct 16 10:24:07 GMT 2001


> Is there a way in samba 2.2.2-pre (SAMBA_2_2 latest CVS) to grant a user
> privileges as another user instead of just remapping the user to another
> user?  I set the "username map = /etc/samba/user.map" configuration option
> and added:
> 
> root = "DOMAIN+@Domain Admins"
> 
> to the user.map file but whenever I create a file it is owned by root
> instead of my username...is there any way around this?  I would like to
> grant Domain Admins privileged access to the samba shares but still be able
> to make new files and folders as their own account.
This is going to be hard. The user name map maps the userid given 
from the client to the userid used by samba on the server. And this is 
one userid per smbd. This means: if you map your domain admins to 
root, their smbd runs as root and files are created as root.

What kind of privileges do you want to give them? Access to certain 
files / shares? Then you should be fine with putting all admins into 
a group (or mapping a domain group to a unix group (?)) and giving this 
group file access privileges on the samba server. If the standard 
unix rights scheme doesn't fit your needs, ACLs are your friend. If 
it's for shares you can use "valid users = @group" in smb.conf

Christian


> 
> I am using Red Hat 7.1 with kernel 2.4.9 with the ACL patch version 0.7.16.
> I am using winbindd to enumerate users and groups from the PDC which is
> running NT4 SP6a with all current security patches.  My workstation I am
> doing my testing from is Windows 2000 SP2 also with all current security
> patches.
> 
> Please send any responses directly to my e-mail as I am not currently
> subscribed to the list.
> 
> Thank you
> 
> <begin smb.conf>
> 
> [global]
>         winbind separator = +
>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind cache time = 10
>         template shell = /bin/bash
>         template homedir = /home/profiles/%U
>         winbind uid = 10000-20000
>         winbind gid = 10000-20000
>         workgroup = DOMAIN
>         server string = Network Storage
>         security = DOMAIN
>         encrypt passwords = Yes
>         password server = *
>         domain logons = no
>         local master = no
>         domain master = no
>         preferred master = no
>         log file = /var/log/samba/%m.log
>         max log size = 0
>         name resolve order = wins lmhosts bcast
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         load printers = No
>         dns proxy = No
>         wins server = 10.1.1.5
>         remote announce = 10.1.1.255
>         remote browse sync = 10.1.1.2
>         hosts allow = 10.1.1. 127.
>         printing = lprng
>         add user script = /usr/sbin/useradd -g domain -d /home/samba -s /dev/null -c %u %u
>         delete user script = /usr/sbin/userdel %u
>         username map = /etc/samba/users.map
> 
> [public]
>         comment = Public Stuff
>         path = /home/samba
>         writeable = Yes
>         guest ok = No
>         createmode = 740
>         directory mode = 740
> 
> [public2]
>         comment = Test share
>         path = /usr/local/src
>         writeable = Yes
>         guest ok = No
> 
> [profiles]
>         comment = User Profiles
>         path = /home/profiles
>         create mask =0600
>         directory mask = 0700
> ;       restrict acl with mask = yes
>         force directory mode = 0700
>         force create mode = 0600
>         restrict acl with mask = yes
>         map hidden = yes
>         map system = yes
>         writeable = Yes
>         guest ok = No
> 
> [archives]
>         comment = Archives
>         path = /home/archives
>         writeable = Yes
>         guest ok = No
> 
> [forms]
>         comment = Forms
>         path = /home/forms
>         writeable = Yes
>         guest ok = No
> 
> [Test]
>         comment = Test
>         path = /tmp
>         writeable = Yes
>         guest ok = No
> 
> <end smb.conf>
> 
> .·°·»---------------------------------------------------------«·°·.
>     -If everyone throws in their two cents worth,             -     
>     -but its a penny for your thoughts...who keeps the profit?-
> 
> 
> 
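
An added example, not part of the original thread or of Samba itself: a small audit script that reads a username map and reports every client name mapped onto a privileged Unix account, which, as the reply explains, makes that client's smbd run as that account and own the files it creates. The sample map is constructed, the PRIVILEGED set and the "group" classification (any name containing '@') are assumptions, and the parsing is a simplified reading of the map format.

```python
import re

PRIVILEGED = {"root"}  # assumption: Unix accounts treated as privileged
TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # quoted name, or bare word

# Constructed sample map; line 3 is modelled on the mapping in the question.
SAMPLE_MAP = """\
# constructed sample username map
; second comment style
root = "DOMAIN+@Domain Admins"
!backup = "DOMAIN+svc backup"
guest = *
not a mapping line
"""

def parse_username_map(text):
    """Yield (lineno, unix_name, client_names) for each mapping line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        line = line.lstrip("!").strip()   # '!' (stop after a match) is irrelevant here
        unix_name, sep, clients = line.partition("=")
        if not sep:
            continue                      # no '=', not a mapping
        names = [quoted or bare for quoted, bare in TOKEN.findall(clients)]
        yield lineno, unix_name.strip(), names

def risky_mappings(text, privileged=PRIVILEGED):
    """Return (lineno, unix_name, client, kind) for privileged targets."""
    findings = []
    for lineno, unix_name, clients in parse_username_map(text):
        if unix_name not in privileged:
            continue
        for client in clients:
            if client == "*":
                kind = "wildcard"
            elif "@" in client:
                kind = "group"
            else:
                kind = "user"
            findings.append((lineno, unix_name, client, kind))
    return findings

if __name__ == "__main__":
    for lineno, unix_name, client, kind in risky_mappings(SAMPLE_MAP):
        print(f"line {lineno}: {kind} {client!r} runs as {unix_name}")
```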

