[Samba] Changing ACLs as administrator

Konkol, Josh JKonkol at guidemail.com
Tue Jul 30 12:49:43 GMT 2002


I added my comments below.

> -----Original Message-----
> From: Eddie Lania [mailto:e.lania at home.nl]
> Sent: Tuesday, July 30, 2002 2:07 PM
> To: Konkol, Josh
> Cc: Samba list
> Subject: Re: [Samba] Changing ACLs as administrator
> 
> 
> Hi Josh and list.
> 
> Thank you again for your help.
> 
> Putting a sticky bit for the group on the folder helped.
> Now, I don't need a "force group" anymore in the service.
> 
> But I still have the problem that the ownership is set to the user's uid
> when creating new files or folders.
> Of course, this is good when the user that is creating a folder or file is
> the owner (user) itself.
> But when he or she is not the owner (because he or she is an Administrator
> at that moment), the folders or files created by him/her are automatically
> set to his/her uid.

I don't understand why this is an issue.  When would you want someone to
create a file and not own it?

> 
> I tried to set a sticky bit for this problem to the owner of a folder (chmod
> u+s "folder") and after that created a subfolder in that folder and checked
> again to see if it had worked.

The sticky bit for users is for binary files so that any user that runs that
binary executes it as that owning user.

> But it didn't, and I also could not set the ownership of the folder to a
> different user after doing this (permission denied).

Only two people can change ACLs: the owner and root.

> 
> Then I tried it again but this time with "admin users = @"Administrator" in
> the service section, and then the folder is being created with root uid, but
> like the previous attempts, I could not change the ownership on the folder
> from root to a different uid.

admin users has no effect on ACLs.

> 
> The only way to change ownership on a folder is to ssh to the Linux machine
> and change it to a different user as the root user.
> 
> It seems that I am still partly stuck with this problem but anyway I thank
> you for helping me and teaching me the chmod "sticky bit" option which I
> didn't know before.
> 
> Eddie.

Due to the limitation of who can and can't modify ACLs I use a hidden share
for ACL administration.  Search the archives here, I've posted my solution
at least 3 times.

Good Luck,

Josh


> 
> ----- Original Message -----
> From: "Konkol, Josh" <JKonkol at guidemail.com>
> To: "'Eddie Lania'" <e.lania at elton.nl>
> Cc: <e.lania at home.nl>
> Sent: Tuesday, July 30, 2002 4:47 PM
> Subject: RE: [Samba] Changing ACLs as administrator
> 
> 
> > Use the chgrp command to set the group of the directory, i.e.
> >
> > chgrp @"DOMAINNAME+Domain Users" foldername
> >
> > Then use chmod to set the sticky bit.
> >
> > chmod g+s foldername
> >
> > HTH
> >
> > josh
> >
> >
> >
> > > -----Original Message-----
> > > From: Eddie Lania [mailto:e.lania at elton.nl]
> > > Sent: Tuesday, July 30, 2002 9:35 AM
> > > To: Konkol, Josh
> > > Subject: Re: [Samba] Changing ACLs as administrator
> > >
> > >
> > > Hi Josh,
> > >
> > > Thank you so very much for your response.
> > >
> > > I hope this isn't a dumb question but could you explain to me what you
> > > mean with the "group sticky bit"?
> > > Because I want to try this as soon as I know how to put a "sticky bit" to
> > > the group.
> > > I will copy this mail to my home address and will be trying your solution
> > > later on this evening.
> > > If you're going to respond fast, would you then kindly be willing to send
> > > this to my home e-mail address?
> > >
> > > e.lania at home.nl
> > >
> > > Thank you once more!
> > >
> > > Eddie.
> > >
> > > ----- Original Message -----
> > > From: "Konkol, Josh" <JKonkol at guidemail.com>
> > > To: "'Eddie Lania'" <e.lania at elton.nl>; <samba at lists.samba.org>
> > > Sent: Tuesday, July 30, 2002 4:06 PM
> > > Subject: RE: [Samba] Changing ACLs as administrator
> > >
> > >
> > > > Eddie,
> > > >
> > > > There is no bug here, you just need to change a couple of things.
> > > > Remember ownership and permissions are two different things.
> > > > "inherit acls" and "inherit permissions" only deal with the ACL piece of
> > > > the security puzzle.  They do _NOT_ deal with ownership.
> > > >
> > > > Here's what I've done to allow users to create new files, set the file
> > > > owner to the user, set the group to the group of the parent folder, and
> > > > inherit ACLs from the parent folder.
> > > >
> > > > My share in the smb.conf looks like this:
> > > >
> > > > [OS_files]
> > > >   comment = /export/lvm/OS_files
> > > >   path = /export/lvm/OS_files
> > > >   browseable = yes
> > > >   writeable = yes
> > > >   inherit acls = yes
> > > >   inherit permissions = yes
> > > >   valid users = @"PRFMSTR2+Domain Users"
> > > >
> > > > Here is what the OS_files permissions look like:
> > > >
> > > > drwxrwsr--+  17 PRFMSTR2+username PRFMSTR2+Domain Admins 4096 Jul 17 13:12 OS_files/
> > > >
> > > > Notice the group sticky bit.  This makes it so that files/folders under
> > > > the OS_files folder belong to the Domain Admins group.  You of course can
> > > > set this to any group you want.
> > > >
> > > > Please respond and let me know if this works for you.
> > > >
> > > > Josh
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Eddie Lania [mailto:e.lania at elton.nl]
> > > > > Sent: Tuesday, July 30, 2002 8:20 AM
> > > > > To: samba at lists.samba.org
> > > > > Subject: [Samba] Changing ACLs as administrator
> > > > >
> > > > >
> > > > > Hello all.
> > > > >
> > > > > Has somebody found a solution yet?
> > > > > I can't figure it out.
> > > > > I am beginning to wonder if it might be a bug in samba?
> > > > > This is what I have now:
> > > > >
> > > > > [netlogon]
> > > > >         comment = Network Logon Service
> > > > >         path = /home/netlogon
> > > > >         read only = Yes
> > > > >         guest ok = Yes
> > > > >         write list = @"Administrators"
> > > > >         force group = "+Administrators"
> > > > >         inherit acls = Yes
> > > > >         inherit permissions = Yes
> > > > >
> > > > > [homes]
> > > > >         path = /home/users/%U
> > > > >         read only = No
> > > > >         browseable = No
> > > > >         inherit acls = Yes
> > > > >         inherit permissions = Yes
> > > > >
> > > > > [users]
> > > > >         comment = Users share
> > > > >         path = /home/users
> > > > >         read only = No
> > > > >         force group = "+Administrators"
> > > > >         inherit acls = Yes
> > > > >         inherit permissions = Yes
> > > > >
> > > > > [profiles]
> > > > >         comment = User profiles share
> > > > >         path = /home/profiles
> > > > >         read only = No
> > > > >         force group = "+Administrators"
> > > > >         inherit acls = Yes
> > > > >         inherit permissions = Yes
> > > > >         csc policy = disable
> > > > > -----
> > > > >
> > > > > All user directories and files in [users] and [profiles] are owned by
> > > > > the "user", their group has been set to Administrators and user and
> > > > > group permissions are set to rwx for directories and rw for files.
> > > > >
> > > > > The world permissions have been set to none because I want only the
> > > > > "user" or the Administrator equiv to be able to access the directories
> > > > > in the [users] or the [profiles] share.
> > > > >
> > > > > When I check the ACLs and permissions from a logged-in Windows XP
> > > > > client everything looks really good.
> > > > > No errors.
> > > > >
> > > > > So far so good......but then:
> > > > >
> > > > > When a user creates a new file or directory, it should inherit its ACL
> > > > > and permissions from the parent directory; this doesn't work, currently
> > > > > the owner and group get set to the user itself.
> > > > >
> > > > > If an Administrator equiv creates a new file or directory, I would like
> > > > > it to be set to a default ACL where the group should be at least
> > > > > "Administrators" and, if needed, I would like to change the owner later.
> > > > > With the "force group" parameter set to "+Administrators" this works
> > > > > almost ok, the groups get set well but I get a "permission denied" when
> > > > > I try to change the owner of the directory.
> > > > >
> > > > > In order to be able to succeed in changing the ownership:
> > > > > I also have been playing with the "username map" file but when I add a
> > > > > line there like:
> > > > > root = @"Administrators"
> > > > > then the result is that the Administrator equiv is being logged in as
> > > > > root at login time, and still isn't able to change the ownership of a
> > > > > file or directory.
> > > > >
> > > > > I also tried the "admin users = @"Administrators" in the service
> > > > > section but this doesn't work either.
> > > > >
> > > > > So, I am out of options now.
> > > > >
> > > > > I hope that some other list member can give me the right solution.
> > > > > Or maybe one of the members of the samba team?
> > > > >
> > > > > Thank you for any reply.
> > > > >
> > > > > Eddie.
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > To unsubscribe from this list go to the following URL and read the
> > > > > instructions:  http://lists.samba.org/mailman/listinfo/samba
> > > > >
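The ownership-versus-group behaviour Josh describes for his OS_files folder (setgid on the directory, owner always the creator, chown only as root) can be checked on any Linux box. This script is an added example, not code from the thread; it assumes GNU coreutils for `stat -c` and picks a group you belong to at run time.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces on Linux the three points Josh
# makes: (1) the setgid ("group sticky") bit on a directory makes new files and
# subfolders inherit the directory's group; (2) the owner of a new file is its
# creator whatever bits the parent carries, so chmod u+s on a folder changes
# nothing; (3) only root can hand a file to another uid. Assumes GNU coreutils
# (stat -c); the group is picked at run time from the ones you belong to.

gid_of()  { stat -c %g "$1"; }
uid_of()  { stat -c %u "$1"; }
mode_of() { stat -c %a "$1"; }   # prints e.g. 2775 when setgid is set

# A group the current user is a member of (last one in id -G), so chgrp works.
pick_group() { id -G | awk '{ print $NF }'; }

# Set a fresh directory up like Josh's OS_files: chgrp, then g+s (rwxrwsr-x).
make_setgid_dir() {
    d=$(mktemp -d)
    chgrp "$1" "$d"
    chmod 2775 "$d"
    printf '%s\n' "$d"
}

# What a user does through the share: create a subfolder and a file in it.
populate() {
    mkdir "$1/sub"
    : > "$1/sub/file.txt"
}

# Eddie's attempt: u+s on the folder. Creates a file and prints its owner uid.
owner_after_setuid_dir() {
    chmod u+s "$1"
    : > "$1/setuid_test.txt"
    uid_of "$1/setuid_test.txt"
}

# Giving a file to root fails with EPERM unless we are root: the "permission
# denied" Eddie saw when changing the owner from a Windows client.
try_give_away() { chown 0 "$1" 2>/dev/null; }

if [ "${1:-}" = "demo" ]; then
    g=$(pick_group); d=$(make_setgid_dir "$g"); populate "$d"
    echo "dir group $g; new subfolder group $(gid_of "$d/sub"), mode $(mode_of "$d/sub")"
    echo "me $(id -u); new file owner $(uid_of "$d/sub/file.txt")"
    echo "owner after u+s on folder: $(owner_after_setuid_dir "$d")"
    try_give_away "$d/sub/file.txt" || echo "chown to root: permission denied"
    rm -rf "$d"
fi
```

Run it as `sh setgid_demo.sh demo` to see the values printed; the subfolder's group matches the parent and its mode starts with 2, while every file stays owned by you.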



