[Samba] acl's and samba

Mahoney, Tom tom.mahoney at riaco.com
Mon Mar 18 10:43:07 GMT 2002


Hmm I tried what you suggested and I'm sure it should work if not for this
problem.
I added the following options to each of my shares:

force user = root
valid users = domain/users to add separated by space
read only = No
inherit permissions = Yes
create mask = 777
directory mask = 777
nt acl support = Yes
veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
delete veto files = Yes

directory mask is in global and was removed from the shares when I passed
the alterations through testparm to clean it up. It also has the same mask
set as before I passed it through testparm.

Now my problem is this.
The first share defined after homes gives me this error from 2k:
\\server\share is not accessible.
The specified network password is not correct.

All other shares prompt for a user.
I enter my domain user as domain/user and then my password and get the
error:
\\server\share is not accessible.
The specified username is invalid.

My homes share works without a hitch.

I also don't have a /etc/pam.d/samba configured to use winbindd which might
be my whole problem.
I'm not clear on how to properly configure /etc/pam.d/samba with
pam_winbind.so with redhat7.2.
I did try altering /etc/pam.d/samba to point to system-auth-winbind which I
created and added the auth and account pam_winbind.so lines to and then
restarted samba but this didn't change anything at all. system-auth-winbind
was created by copying the system system-auth and adding the auth and
account lines.

The share following the homes share also did not contain any funky
characters either which is the only explanation I could come up with for it
behaving differently than all the other shares.
Very odd. ?=/

If you or anyone would like I can include the full contents of my smb.conf
file minus network ips etc.. for security for you to examine.

Thanks for everyone's help so far. =)

-----Original Message-----
From: Noel Kelly [mailto:nkelly at tarsus.co.uk]
Sent: Saturday, March 16, 2002 12:32 PM
To: 'Mahoney, Tom'; Samba generic mail list (E-mail)
Subject: RE: [Samba] acl's and samba


I think the nut of your problem is that it is only the owner of the
file/directory who can alter the ACLs on it.  It does not matter if you are
the member of a group with full rights - only the owner can change ACLs.
Root can of course do whatever he wants to anything.

I got round this by creating a special administrator share which has the
'force user = root' entry.  This causes all operations on this share to
be done as root.  Obviously very dangerous but effective.  Limit the access
to this special share using 'valid users ='

Noel

[AdminShared]
        force user = root
        valid users = uk+nkelly
        path = /raid/shared/
        public = no
        read only = No
        inherit permissions = yes
        create mask = 777
        directory security mask = 777
        nt acl support = yes
        # Veto the Apple specific files that a NetAtalk server creates.
        veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
        delete veto files = yes


-----Original Message-----
From: Mahoney, Tom [mailto:tom.mahoney at riaco.com]
Sent: 15 March 2002 23:31
To: Samba generic mail list (E-mail)
Subject: [Samba] acl's and samba


I asked a long winded question before about ACL's on linux with bestbits
patches and how everything in samba was essentially working but I couldn't
change modify or add acls from a 2k workstation also on the domain.

Well I have a two part question.

Should I ((HAVE)) to add a map to /etc/samba/smbusers like:	user =
domain/user	?
My impression from reading the docs and people's posts is that winbindd
should figure this out ALL ON ITS OWN.
Is that not the case? In which case I'm SUPPOSED to add the map but it's
either not mentioned or vaguely implied?

Second.

With my homedir accessible ( only because I did add the map, and yes I know
that if I add the map and it works most people would just give me a blank
stare on this over my question above, but I want someone to please confirm
this for me. ) I can go to my home share and set and remove acl's but on my
file shares on the samba box I can't.
Ok, confirmed that kernel and samba support acls and fileutils/e2fsprogs do
too.
Can set acls from cli and view them with ls or getfacl and see them through
samba. Samba just can't change them. (except for home share)
Now seeing that it works with my home share I have to think that samba is
perfectly ready and willing to set them but it must be I assume a unix
permission problem.
Now currently ALL files and directories under the file shares have
permissions set like so:
chown -R root /home/samba/<all file share dirs>
chgrp -R domain/Domain Admins /home/samba/<all file share dirs>
chmod -R ugo+rwx /home/samba/<all file share dirs>
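
Added example, not part of the original thread or of Samba itself: a small Python audit that reads an smb.conf, applies [global] defaults to each share, and reports every share that runs as root via 'force user', whether 'valid users' limits it, and any mask that grants world write. The sample configuration and the [projects] share are constructed for illustration.

```python
import re

# Constructed sample modelled on the shares discussed in this thread.
SAMPLE_SMB_CONF = """\
[global]
    directory mask = 777
[homes]
    read only = No
[AdminShared]
    force user = root
    valid users = uk+nkelly
    create mask = 777
[projects]
    ; hypothetical share: forced to root, no valid users line
    force user = root
"""

def parse_smb_conf(text):
    """Return {section: {param: value}} with lowercased, whitespace-normalized names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif "=" in line and line[0] not in "#;" and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit(text):
    """Flag shares forced to root and masks that grant world write."""
    conf = parse_smb_conf(text)
    findings = []
    for name, params in conf.items():
        if name == "global":
            continue
        eff = {**conf.get("global", {}), **params}  # share overrides [global]
        if eff.get("force user", "").lower() == "root":
            allowed = eff.get("valid users", "").strip()
            detail = f"limited to {allowed}" if allowed else "no valid users restriction"
            findings.append((name, "force user = root", detail))
        for key in ("create mask", "directory mask"):
            if key in eff and int(eff[key], 8) & 0o002:
                findings.append((name, key, f"{eff[key]} grants world write"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_SMB_CONF), sep="\n")
```

Masks that are not set anywhere are not reported, since the audit only looks at values present in the file.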


