[Samba] Changing ACLs as administrator

Eddie Lania e.lania at home.nl
Tue Jul 30 12:09:02 GMT 2002


Hi Josh and list.

Thank you again for your help.

Putting a sticky bit for the group on the folder helped.
Now, I don't need a "force group" anymore in the service.

But I still have the problem that the ownership is set to the user's uid when
creating new files or folders.
Of course, this is good when the user that is creating a folder or file is
the owner (user) itself.
But when he or she is not the owner (because he or she is an Administrator
at that moment), the folders or files created by him/her are automatically
set to his/her uid.

I tried to set a sticky bit for this problem to the owner of a folder (chmod
u+s "folder") and after that created a subfolder in that folder and checked
again to see if it had worked.
But it didn't and I also could not set the ownership of the folder to a
different user after doing this (permission denied).

Then I tried it again but this time with "admin users = @"Administrator" in
the service section and then the folder is being created with root uid, but
like the previous attempts, I could not change the ownership on the folder
from root to a different uid.

The only way to change ownership on a folder is to ssh to the Linux machine
and change it to a different user as the root user.

It seems that I am still partly stuck with this problem but anyway I thank
you for helping me and teaching me the chmod "sticky bit" option which I
didn't know before.

Eddie.

----- Original Message -----
From: "Konkol, Josh" <JKonkol at guidemail.com>
To: "'Eddie Lania'" <e.lania at elton.nl>
Cc: <e.lania at home.nl>
Sent: Tuesday, July 30, 2002 4:47 PM
Subject: RE: [Samba] Changing ACLs as administrator


> Use the chgrp command to set the group of the directory, i.e.
>
> chgrp @"DOMAINNAME+Domain Users" foldername
>
> Then use chmod to set the sticky bit.
>
> chmod g+s foldername
>
> HTH
>
> josh
>
>
>
> > -----Original Message-----
> > From: Eddie Lania [mailto:e.lania at elton.nl]
> > Sent: Tuesday, July 30, 2002 9:35 AM
> > To: Konkol, Josh
> > Subject: Re: [Samba] Changing ACLs as administrator
> >
> >
> > Hi Josh,
> >
> > Thank you so very much for your response.
> >
> > I hope this isn't a dumb question but could you explain to me what you mean
> > with the "group sticky bit"?
> > Because I want to try this as soon as I know how to put a "sticky bit" to
> > the group.
> > I will copy this mail to my home address and will be trying your solution
> > later on this evening.
> > If you're going to respond fast, would you then kindly be willing to send
> > this to my home e-mail address?
> >
> > e.lania at home.nl
> >
> > Thank you once more!
> >
> > Eddie.
> >
> > ----- Original Message -----
> > From: "Konkol, Josh" <JKonkol at guidemail.com>
> > To: "'Eddie Lania'" <e.lania at elton.nl>; <samba at lists.samba.org>
> > Sent: Tuesday, July 30, 2002 4:06 PM
> > Subject: RE: [Samba] Changing ACLs as administrator
> >
> >
> > > Eddie,
> > >
> > > There is no bug here, you just need to change a couple of things. Remember
> > > ownership and permissions are two different things. "inherit acls" and
> > > "inherit permissions" only deal with the acl piece of the security puzzle.
> > > They do _NOT_ deal with ownership.
> > >
> > > Here's what I've done to allow users to create new files, set the file owner
> > > to the user, set the group to the group of the parent folder, inherit ACL's
> > > from the parent folder.
> > >
> > > My share in the smb.conf looks like this:
> > >
> > > [OS_files]
> > >   comment = /export/lvm/OS_files
> > >   path = /export/lvm/OS_files
> > >   browseable = yes
> > >   writeable = yes
> > >   inherit acls = yes
> > >   inherit permissions = yes
> > >   valid users = @"PRFMSTR2+Domain Users"
> > >
> > > Here is what the OS_files permissions look like:
> > >
> > > drwxrwsr--+  17 PRFMSTR2+username PRFMSTR2+Domain Admins 4096 Jul 17 13:12 OS_files/
> > >
> > > Notice the group sticky bit.  This makes it so that files/folders under the
> > > OS_files folder belong to the Domain Admins group.  You of course can set
> > > this to any group you want.
> > >
> > > Please respond and let me know if this works for you.
> > >
> > > Josh
> > >
> > >
> > > > -----Original Message-----
> > > > From: Eddie Lania [mailto:e.lania at elton.nl]
> > > > Sent: Tuesday, July 30, 2002 8:20 AM
> > > > To: samba at lists.samba.org
> > > > Subject: [Samba] Changing ACLs as administrator
> > > >
> > > >
> > > > Hello all.
> > > >
> > > > Has somebody found a solution yet?
> > > > I can't figure it out.
> > > > I am beginning to wonder if it might be a bug in samba?
> > > > This is what I have now:
> > > >
> > > > [netlogon]
> > > >         comment = Network Logon Service
> > > >         path = /home/netlogon
> > > >         read only = Yes
> > > >         guest ok = Yes
> > > >         write list = @"Administrators"
> > > >         force group = "+Administrators"
> > > >         inherit acls = Yes
> > > >         inherit permissions = Yes
> > > >
> > > > [homes]
> > > >         path = /home/users/%U
> > > >         read only = No
> > > >         browseable = No
> > > >         inherit acls = Yes
> > > >         inherit permissions = Yes
> > > >
> > > > [users]
> > > >         comment = Users share
> > > >         path = /home/users
> > > >         read only = No
> > > >         force group = "+Administrators"
> > > >         inherit acls = Yes
> > > >         inherit permissions = Yes
> > > >
> > > > [profiles]
> > > >         comment = User profiles share
> > > >         path = /home/profiles
> > > >         read only = No
> > > >         force group = "+Administrators"
> > > >         inherit acls = Yes
> > > >         inherit permissions = Yes
> > > >         csc policy = disable
> > > > -----
> > > >
> > > > > All user directories and files in [users] and [profiles] are owned by the
> > > > > "user", their group has been set to Administrators and user and group
> > > > > permissions are set to rwx for directories and rw for files.
> > > > >
> > > > > The world permissions have been set to none because I want only the "user"
> > > > > or the Administrator equiv to be able to access the directories in the
> > > > > [users] or the [profiles] share.
> > > > >
> > > > > When I check the acls and permission from a logged-in windows XP client
> > > > > everything looks really good.
> > > > No errors.
> > > >
> > > > So far so good......but then:
> > > >
> > > > > When a user creates a new file or directory, it should inherit its acl and
> > > > > permissions from the parent directory, this doesn't work, currently the
> > > > > owner and group get set to the user itself.
> > > >
> > > > If an Administrator equiv creates a new file or directory, I
> > > > would like it
> > > > to be set to a default acl where the group should be at least
> > > > "Administrators" and, if needed, I would like to change the
> > > > owner later.
> > > > With the "force group" parameter set to "+Administrators"
> > > > this works almost
> > > > ok, the groups get set well but I get a "permission denied"
> > > > when I try to
> > > > change the owner of the directory.
> > > >
> > > > In order to be able to succeed in changing the ownership:
> > > > I also have been playing with the "username map" file but
> > > > when I add a line
> > > > there like:
> > > > root = @"Administrators"
> > > > then the result is that the Administrator equiv is being
> > > > logged in as root
> > > > > at login time, and still isn't able to change the ownership of a file or
> > > > > directory.
> > > >
> > > > I also tried the "admin users = @"Administrators" in the
> > > > service section but
> > > > this doesn't work either.
> > > >
> > > > So, I am out of options now.
> > > >
> > > > I hope that some other list member can give me the right solution.
> > > > Or maybe one of the members of the samba team?
> > > >
> > > > Thank you for any reply.
> > > >
> > > > Eddie.
> > > >
> > > >
> > > >
> > > > --
> > > > To unsubscribe from this list go to the following URL and read the
> > > > instructions:  http://lists.samba.org/mailman/listinfo/samba
> > > >
> >
>
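
Added example, not part of the original thread: the bit the thread calls the "group sticky bit" is the setgid bit (chmod g+s). The script below assumes Linux and GNU or busybox stat, uses constructed temporary directories and hypothetical function names, and shows that a subdirectory made under a g+s parent takes the parent's group, while chmod u+s on a directory leaves new entries owned by the user who creates them.

```shell
#!/bin/sh
# Added example: constructed directories under mktemp, Linux semantics.
# No Samba involved; this is the kernel behaviour underneath the share.

# make_child SPEC: create a parent directory, apply "chmod SPEC" to it,
# create a subdirectory inside, and print
#   "<child mode> <child uid> <child gid> <parent gid>"
make_child() (
    umask 007
    base=$(mktemp -d) || exit 1
    mkdir "$base/parent"
    # If the caller belongs to a second group, hand the parent to that group
    # so inheritance is visible; otherwise the primary group is kept.
    for g in $(id -G); do
        if [ "$g" != "$(id -g)" ] && chgrp "$g" "$base/parent" 2>/dev/null; then
            break
        fi
    done
    # Start from a known state (no setuid/setgid), then apply the requested bit.
    chmod "ug-s,$1" "$base/parent"
    mkdir "$base/parent/child"
    echo "$(stat -c '%a %u %g' "$base/parent/child") $(stat -c '%g' "$base/parent")"
    rm -rf "$base"
)

# True when a subdirectory created under a g+s parent took the parent's
# group and carries the setgid bit itself (octal mode 2xxx).
setgid_inherits() {
    set -- $(make_child g+s)
    [ "$3" = "$4" ] || return 1
    case $1 in 2???) return 0 ;; *) return 1 ;; esac
}

# True when a subdirectory created under a u+s parent is still owned by the
# creating user and has no special bits: Linux ignores setuid on directories.
setuid_ignored() {
    set -- $(make_child u+s)
    [ "$2" = "$(id -u)" ] && [ "${#1}" -le 3 ]
}

if setgid_inherits; then echo "g+s: child took the parent's group and g+s"; fi
if setuid_ignored; then echo "u+s: child is still owned by uid $(id -u)"; fi
```

Giving a file to another uid is a separate operation from either bit: on Linux chown to a different owner needs root (CAP_CHOWN), which matches the "permission denied" reported above.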
