[Samba] acl's and samba

Noel Kelly nkelly at tarsus.co.uk
Sat Mar 16 11:33:04 GMT 2002


I think the nut of your problem is that it is only the owner of the
file/directory who can alter the ACLs on it.  It does not matter if you are
the member of a group with full rights - only the owner can change ACLs.
Root can of course do whatever he wants to anything.

I got round this by creating a special administrator share which has the
'force user = root' entry.  This causes all operations on this share to
be done as root.  Obviously very dangerous but effective.  Limit the access
to this special share using 'valid users ='.

Noel

[AdminShared]
        force user = root
        valid users = uk+nkelly
        path = /raid/shared/
        public = no
        read only = No
        inherit permissions = yes
        create mask = 777
        directory security mask = 777
        nt acl support = yes
        # Veto the Apple specific files that a NetAtalk server creates.
        veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
        delete veto files = yes
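
An added example, not part of either message or of Samba itself: a short Python check that finds shares using 'force user = root' in smb.conf text and reports how tightly each one is fenced in by 'valid users' and guest settings. The [OpenAdmin] share, the sample text and the function names are constructed for illustration.

```python
import re

# Constructed sample: key lines of the share above plus a hypothetical unrestricted one.
SAMPLE = """\
[AdminShared]
        force user = root
        valid users = uk+nkelly
        public = no
        create mask = 777

[OpenAdmin]
        force user = root
        guest ok = yes
"""

def parse_shares(text):
    """Return {share: {param: value}}; parameter names lower-cased, spaces collapsed."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment markers
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = shares.setdefault(m.group(1).strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return shares

def audit(text):
    """Flag every share that forces root and list what limits are missing."""
    findings = {}
    for name, p in parse_shares(text).items():
        if p.get("force user", "").lower() != "root":
            continue
        issues = ["all file operations run as root"]
        if not p.get("valid users"):             # empty/absent means any user may connect
            issues.append("no 'valid users' restriction")
        # 'public' is a synonym for 'guest ok'
        if (p.get("guest ok") or p.get("public", "no")).lower() in ("yes", "true", "1"):
            issues.append("guest access enabled")
        mask = p.get("create mask")
        if mask and int(mask, 8) & 0o002:        # world-write bit survives the mask
            issues.append("create mask permits world-writable files")
        findings[name] = issues
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```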


-----Original Message-----
From: Mahoney, Tom [mailto:tom.mahoney at riaco.com]
Sent: 15 March 2002 23:31
To: Samba generic mail list (E-mail)
Subject: [Samba] acl's and samba


I asked a long-winded question before about ACLs on linux with bestbits
patches and how everything in samba was essentially working but I couldn't
change, modify or add ACLs from a 2k workstation also on the domain.

Well I have a two part question.

Should I ((HAVE)) to add a map to /etc/samba/smbusers like: user = domain/user ?
My impression from reading the docs and people's posts is that winbindd
should figure this out ALL ON ITS OWN.
Is that not the case? In which case I'm SUPPOSED to add the map but it's
either not mentioned or vaguely implied?

Second.

With my homedir accessible (only because I did add the map, and yes I know
that if I add the map and it works most people would just give me a blank
stare on this over my question above, but I want someone to please confirm
this for me) I can go to my home share and set and remove ACLs, but on my
file shares on the samba box I can't.
OK, confirmed that kernel and samba support ACLs and fileutils/e2fsprogs do
too.
Can set ACLs from CLI and view them with ls or getfacl and see them through
samba. Samba just can't change them (except for home share).
Now seeing that it works with my home share I have to think that samba is
perfectly ready and willing to set them, but it must be, I assume, a unix
permission problem.
Now currently ALL files and directories under the file shares have
permissions set like so:
chown -R root /home/samba/<all file share dirs>
chgrp -R "domain/Domain Admins" /home/samba/<all file share dirs>
chmod -R ugo+rwx /home/samba/<all file share dirs>
