FW: [Samba] acl's and samba

Noel Kelly nkelly at tarsus.co.uk
Mon Mar 18 14:51:09 GMT 2002


-----Original Message-----
From: Mahoney, Tom [mailto:tom.mahoney at riaco.com]
Sent: 18 March 2002 21:38
To: 'Noel Kelly'
Subject: RE: [Samba] acl's and samba


Thank you Thank you Thank you!
I don't want to try and make separate admin shares for each user share but
removing the additional share directives from the user shares and creating
one top level admin share worked.
I set the admin share unbrowseable so users aren't griping about why they can't
see it and then just typed the path in after verifying that the normal
shares worked properly again and it worked. I was able to add the acl and
remove it. I'm curious though whether separate admin shares would work and
for that matter why the first share with the non working config stated that
my password was wrong. Oh well.
Now assuming that Wayne wasn't referring to my ACL problems I need to now
look at the unix side of tying samba, ftp, ssh, etc.. to the domain via pam.

Thank you again as well as Andrew and Wayne.
Thanks for all your help.
I'll try not to bug you guys too much and get the rest going myself if I
can.
You guys are life savers.
We were going to have to go to 2k for this if I couldn't get this working.

Again THANK YOU!!! =)

-----Original Message-----
From: Noel Kelly [mailto:nkelly at tarsus.co.uk]
Sent: Monday, March 18, 2002 2:14 PM
To: 'Mahoney, Tom'; Noel Kelly
Cc: Samba generic mail list (E-mail)
Subject: RE: [Samba] acl's and samba


I did actually mean two shares but that is just the way we work.  You can
still of course administrate from any workstation - simply do a 'net use *
\\samba\adminsharename' - only takes a few seconds.  I deliberately carve up
the network shares so that the users have their environ and the admins have
theirs (usually a top level share at the root of all the user's shares.)

The '@' should be used for all group references.

To make sure that your Samba setup is functioning, change the winbind
separator to be '+'.  This will make things a lot clearer.  Once you can see
authentication is working you can then play with the separator character.

Logging onto the samba shares from a windows machine, you should be able to
use 'standard' M$ - domainname\tom in any username prompts.  You only need
to do domain+username when working in Linux.  This should only be necessary
if you are not logged onto the domain however - the currently logged on user's
details should be sent before authentication boxes appear.  If you really
want to push it though then I would avoid gui stuff and go straight for :

net use * \\sambaserver\sharename /user:domainname\username

and enter the correct password.


Noel



-----Original Message-----
From: Mahoney, Tom [mailto:tom.mahoney at riaco.com]
Sent: 18 March 2002 21:05
To: 'Noel Kelly'
Cc: Samba generic mail list (E-mail)
Subject: RE: [Samba] acl's and samba


So create two share definitions for each logical share? One for admin use
and the other for users?

The problem is that I setup this box to replace a 2k machine serving files.
Some shares are used really only by users and others only by admins and some
by both.
I simply need for myself and the rest of my IT team to be able to go in at
our leisure and add additional users to directories as they need access from
any 2k machine which we are logged in from anywhere on our network.

I tried adding the commas to all shares and samba doesn't seem to care one
way or the other.
Also aren't you only supposed to add @ to the beginning of unix or domain
groups? I'm adding domain user accounts.

Also when you're connecting to samba from 2k and are prompted for your login
info, do you login as domain\user or domain/user? I have / used as the
separator on samba but don't know if it's 2k that interprets the username
typed at the 2k prompt or if it's samba which interprets it.

Do you also by any chance have an idea of why my first share says invalid
passwords while all others prompt for login info and then say invalid user?

Please let me know if you would like me to include my smb.conf as I would be
more than happy to.
I only have to edit out networks for security.

Thanks for your help so far. =)

-----Original Message-----
From: Noel Kelly [mailto:nkelly at tarsus.co.uk]
Sent: Monday, March 18, 2002 1:50 PM
To: 'Mahoney, Tom'
Cc: Samba generic mail list (E-mail)
Subject: RE: [Samba] acl's and samba


Tom,

It might be a small thing, but I think your 'valid users =' list needs to be
comma delimited - not spaces.  e.g.: valid users = @uk+it, @uk+developers

Also, the ability to act as root on a share is pretty dangerous.  I only use
it as an administrative thing to alter permissions even on files/directories
created by the users (and therefore owned by them).  Perhaps your users need
to alter permissions themselves but otherwise I would create a normal share
for your users and a special, 'force user =' share for the admins only.

Noel



-----Original Message-----
From: Mahoney, Tom [mailto:tom.mahoney at riaco.com]
Sent: 18 March 2002 18:47
To: 'Noel Kelly'
Cc: Samba generic mail list (E-mail)
Subject: RE: [Samba] acl's and samba


Hmm I tried what you suggested and I'm sure it should work if not for this
problem.
I added the following options to each of my shares:

force user = root
valid users = domain/users to add separated by space
read only = No
inherit permissions = Yes
create mask = 777
directory mask = 777
nt acl support = Yes
veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
delete veto files = Yes

directory mask is in global and was removed from the shares when I passed
the alterations through testparm to clean it up. It also has the same mask
set as before I passed it through testparm.

Now my problem is this.
The first share defined after homes gives me this error from 2k:
\\server\share is not accessible.
The specified network password is not correct.

All other shares prompt for a user.
I enter my domain user as domain/user and then my password and get the
error:
\\server\share is not accessible.
The specified username is invalid.

My homes share works without a hitch.

I also don't have a /etc/pam.d/samba configured to use winbindd which might
be my whole problem.
I'm not clear on how to properly configure /etc/pam.d/samba with
pam_winbind.so with redhat7.2.
I did try altering /etc/pam.d/samba to point to system-auth-winbind which I
created and added the auth and account pam_winbind.so lines to and then
restarted samba but this didn't change anything at all. system-auth-winbind
was created by copying the system system-auth and adding the auth and
account lines.

The share following the homes share also did not contain any funky
characters either, which is the only explanation I could come up with for it
behaving differently than all the other shares.
Very odd. ?=/

If you or anyone would like I can include the full contents of my smb.conf
file minus network ips etc.. for security for you to examine.

Thanks for everyone's help so far. =)

-----Original Message-----
From: Noel Kelly [mailto:nkelly at tarsus.co.uk]
Sent: Saturday, March 16, 2002 12:32 PM
To: 'Mahoney, Tom'; Samba generic mail list (E-mail)
Subject: RE: [Samba] acl's and samba


I think the nut of your problem is that it is only the owner of the
file/directory who can alter the ACLs on it.  It does not matter if you are
the member of a group with full rights - only the owner can change ACLs.
Root can of course do whatever he wants to anything.

I got round this by creating a special administrator share which has the
'force user = root' entry.  This causes all operations on this share to
be done as root.  Obviously very dangerous but effective.  Limit the access
to this special share using 'valid users ='.

Noel

[AdminShared]
        force user = root
        valid users = uk+nkelly
        path = /raid/shared/
        public = no
        read only = No
        inherit permissions = yes
        create mask = 777
        directory security mask = 777
        nt acl support = yes
        # Veto the Apple specific files that a NetAtalk server creates.
        veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
        delete veto files = yes

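The two points Noel makes above (keep 'force user = root' off the user shares, and lock any root-forced share down with 'valid users') can be checked mechanically. What follows is an added example, not code from the thread or from the Samba project: a small Python lint over a constructed smb.conf (the share names, paths and the uk+nkelly / @uk+it admin list are assumptions made up for the example, modelled on the shares discussed here). It reports every share that runs as root and has no 'valid users', is granted to principals outside the admin list, or is left browseable.

```python
"""Lint an smb.conf for root-forced shares (added example; not code from the
thread or the Samba project)."""
import re

# Constructed smb.conf modelled on the thread; names and paths are made up.
SAMPLE_SMB_CONF = """
[global]
    workgroup = UK
    security = domain
    winbind separator = +
    directory mask = 777

; ordinary user share: no forced user, so nobody acts as root here
[shared]
    path = /raid/shared
    valid users = @uk+it, @uk+developers
    read only = no

; admin-only share in the style Noel describes: root, restricted, hidden
[AdminShared]
    force user = root
    valid users = uk+nkelly, @uk+it
    path = /raid/shared/
    browseable = no
    read only = no
    nt acl support = yes

; the 'force user = root on every share' pattern: unrestricted and visible
[BadShared]
    path = /raid/bad
    force user = root
    read only = no

; root forced and hidden, but granted to a non-admin group
[DevShared]
    path = /raid/dev
    force user = root
    valid users = @uk+developers
    browseable = no
"""


def _norm_key(key):
    # Samba ignores case and embedded whitespace in parameter names
    return re.sub(r"\s+", "", key.strip().lower())


def parse_smb_conf(text):
    """Return {section: {normalised_key: value}}; '#' and ';' start comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][_norm_key(key)] = value.strip()
    return sections


def split_list(value):
    """Samba list parameters may be separated by commas and/or whitespace."""
    return [item for item in re.split(r"[\s,]+", value or "") if item]


def effective(sections, share, key, default=None):
    """Share-level value, falling back to [global] as Samba does."""
    glob = sections.get("global", {})
    return sections.get(share, {}).get(key, glob.get(key, default))


def _as_bool(value, default):
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def lint_root_shares(sections, admin_principals):
    """Findings (share, message) for every share run as root via 'force user'."""
    findings = []
    for name in sections:
        if name.lower() == "global":
            continue
        if effective(sections, name, "forceuser", "").lower() != "root":
            continue
        valid = split_list(effective(sections, name, "validusers"))
        if not valid:
            findings.append((name, "force user = root with no 'valid users': "
                                   "every user who can connect acts as root"))
        else:
            extra = [u for u in valid if u not in admin_principals]
            if extra:
                findings.append((name, "force user = root granted to non-admin "
                                       "principals: " + ", ".join(extra)))
        # 'browsable' is Samba's accepted alternative spelling
        browseable = effective(sections, name, "browseable",
                               effective(sections, name, "browsable"))
        if _as_bool(browseable, True):
            findings.append((name, "root-forced share is browseable; set "
                                   "'browseable = no' to hide it from users"))
    return findings


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for share, message in lint_root_shares(conf, {"uk+nkelly", "@uk+it"}):
        print(f"[{share}] {message}")
```

Run against a real smb.conf by replacing SAMPLE_SMB_CONF with the file's contents and the admin set with the principals that should be allowed to act as root; the list splitter accepts both the comma and the space form, so the findings are about who can reach a root-forced share, not about the delimiter.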

-----Original Message-----
From: Mahoney, Tom [mailto:tom.mahoney at riaco.com]
Sent: 15 March 2002 23:31
To: Samba generic mail list (E-mail)
Subject: [Samba] acl's and samba


I asked a long winded question before about ACL's on linux with bestbits
patches and how everything in samba was essentially working but I couldn't
change, modify or add acls' from a 2k workstation also on the domain.

Well I have a two part question.

Should I ((HAVE)) to add a map to /etc/samba/smbusers like: user = domain/user ?
My impression from reading the docs and peoples posts is that winbindd
should figure this out ALL ON ITS OWN.
Is that not the case? In which case I'm SUPPOSED to add the map but it's
either not mentioned or vaguely implied?

Second.

With my homedir accessible ( only because I did add the map, and yes I know
that if I add the map and it works most people would just give me a blank
stare on this over my question above, but I want someone to please confirm
this for me. ) I can go to my home share and set and remove acl's but on my
file shares on the samba box I can't.
Ok, confirmed that kernel and samba support acls' and fileutils/e2fsprogs do
too.
Can set acls' from cli and view them with ls or getfacl and see them through
samba. Samba just can't change them. (except for home share)
Now seeing that it works with my home share I have to think that samba is
perfectly ready and willing to set them but it must be I assume a unix
permission problem.
Now currently ALL files and directories under the file shares have
permissions set like so:
chown -R root /home/samba/<all file share dirs>
chgrp -R domain/Domain Admins /home/samba/<all file share dirs>
chmod -R ugo+rwx /home/samba/<all file share dirs>
