[Samba] Changing ACLs as administrator

Konkol, Josh JKonkol at guidemail.com
Tue Jul 30 07:08:02 GMT 2002


Eddie,

There is no bug here, you just need to change a couple of things.  Remember
ownership and permissions are two different things.  "inherit acls" and
"inherit permissions" only deal with the acl piece of the security puzzle.
They do _NOT_ deal with ownership.

Here's what I've done to allow users to create new files, set the file owner
to the user, set the group to the group of the parent folder, inherit ACL's
from the parent folder.

My share in the smb.conf looks like this:

[OS_files]
  comment = /export/lvm/OS_files
  path = /export/lvm/OS_files
  browseable = yes
  writeable = yes
  inherit acls = yes
  inherit permissions = yes
  valid users = @"PRFMSTR2+Domain Users"

Here is what the OS_files permissions look like:

drwxrwsr--+  17 PRFMSTR2+username PRFMSTR2+Domain Admins     4096 Jul 17
13:12 OS_files/

Notice the group sticky bit.  This makes it so that files/folders under the
OS_files folder belong to the Domain Admins group.  You of course can set
this to any group you want.

Please respond and let me know if this works for you.

Josh


> -----Original Message-----
> From: Eddie Lania [mailto:e.lania at elton.nl]
> Sent: Tuesday, July 30, 2002 8:20 AM
> To: samba at lists.samba.org
> Subject: [Samba] Changing ACLs as administrator
> 
> 
> Hello all.
> 
> Has somebody found a solution yet?
> I can't figure it out.
> I am beginning to wonder if it might be a bug in samba?
> This is what I have now:
> 
> [netlogon]
>         comment = Network Logon Service
>         path = /home/netlogon
>         read only = Yes
>         guest ok = Yes
>         write list = @"Administrators"
>         force group = "+Administrators"
>         inherit acls = Yes
>         inherit permissions = Yes
> 
> [homes]
>         path = /home/users/%U
>         read only = No
>         browseable = No
>         inherit acls = Yes
>         inherit permissions = Yes
> 
> [users]
>         comment = Users share
>         path = /home/users
>         read only = No
>         force group = "+Administrators"
>         inherit acls = Yes
>         inherit permissions = Yes
> 
> [profiles]
>         comment = User profiles share
>         path = /home/profiles
>         read only = No
>         force group = "+Administrators"
>         inherit acls = Yes
>         inherit permissions = Yes
>         csc policy = disable
> -----
> 
> All user directories and files in [users] and [profiles] are 
> owned by the
> "user", their group has been set to Administrators and user and group
> permissions are set to rwx for directories and rw for files.
> 
> The world permissions have been set to none because I want 
> only the "user"
> or the Adminstrator equiv to be able to access the directories in the
> [users] or the [profiles] share.
> 
> When I check the acls and permission from a logged-in windows 
> XP client
> verything looks really good.
> No errors.
> 
> So far so good......but then:
> 
> When a user creates a new file or directory, it should 
> inherit it's acl and
> permissions from the parent directory, this doesn't work, 
> currently the
> owner and group get set to the user itself.
> 
> If an Administrator equiv creates a new file or directory, I 
> would like it
> to be set to a default acl where the group should be at least
> "Administrators" and, if needed, I would like to change the 
> owner later.
> With the "force group" parameter set to "+Administrators" 
> this works almost
> ok, the groups get set well but I get a "permission denied" 
> when I try to
> change the owner of the directory.
> 
> In order to be able to succeed in changing the ownership:
> I also have been playing with the "username map" file but 
> when I add a line
> there like:
> root = @"Administrators"
> then the result is that the Administrator equiv is being 
> logged in as root
> at login time, and still isn't able to change the ownership 
> of an file or
> directory.
> 
> I also tried the "admin users = @"Administrators" in the 
> service section but
> this doesn't work either.
> 
> So, I am out of options now.
> 
> I hope that some other list member can give me the right solution.
> Or maybe one of the members of the samba team?
> 
> Thank you for any reply.
> 
> Eddie.
> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
> 




More information about the samba mailing list