[Samba] Quick question on adding Winbind/NIS groups to a Samba ACL
JC Nou
jc_nou at hotmail.com
Tue Mar 19 22:27:02 GMT 2002
G'Day,
Will this only work with the 2.14.18 Kernel (with the ACL patches)? We
are using the 2.4.9-13SGI_XFS_1.0.2 kernel and want to deliver a similar
service.
TIA
JC
----- Original Message -----
From: "Noel Kelly" <nkelly at tarsus.co.uk>
To: "'Bill Town'" <bill at kontiki.com>; <samba at lists.samba.org>
Sent: Wednesday, March 20, 2002 3:44 PM
Subject: RE: [Samba] Quick question on adding Winbind/NIS groups to a Samba ACL
> Bill-
>
> Key point is that you need to be the owner to manage ACLs through the
> Windows GUI. Try and create a new file so you are the owner of it and then
> manipulate the ACLs. Or chown an existing file so you are the owner. You
> cannot use the 'take ownership' NT route.
>
> Check out the 'force user = root' setting - we use it for creating
> admin-only shares. Root can do anything of course.
>
> Hope this helps a bit,
> Noel
>
> -----Original Message-----
> From: Bill Town [mailto:bill at kontiki.com]
> Sent: 19 March 2002 22:18
> To: samba at lists.samba.org
> Subject: [Samba] Quick question on adding Winbind/NIS groups to a Samba ACL
>
>
> Hi all-
>
> First a little background and infrastructure:
> After a long arduous road I got my Samba file server to authenticate
> with Winbind and/or NIS (synced with AD) in a Native Mode Active
> Directory. I can logon to the Linux server locally and also gain access
> to a file share via a windows box with accounts in either. Samba is
> running on a Linux 7.2 server with Kernel 2.14.18 with the ACL patches
> (using http://acl.bestbits.at/). I built Samba with the
> --with-acl-support and --with-nis (--with-winbind is a default option).
> The Samba configuration file is below as well as the pam.d/login and
> pam.d/system-auth files. The server is a member of the domain and
> [wbinfo -t] reports [security is good]. [Getent passwd] and [getent
> group] enumerate the users and groups correctly.
>
> Now the question:
> I can modify permissions through a Windows 2000 Security Interface if
> the group already has some sort of permissions assigned on the
> file/directory. I cannot add groups to an ACL through the Windows 2000
> interface but must resort to adding them via setfacl on the Linux box.
> Any ideas? I cannot add groups because it only wants DOMAIN\GROUP and
> the current permissions show up as FILE-SERVER\GROUP. The Winbind
> groups do not show up at all in the Windows security interface but do in
> the getfacl on the Linux box. Thanks in advance for your help.
>
> Cheers,
> -Bill
>
>
> smb.conf:
> ---------------------------------------------------------
> # Samba config file
> # Date: 2002/03/19
>
> # Global parameters
> [global]
> workgroup = ZODIAC
> netbios name = fs1-test
> server string = Test File Server
> security = DOMAIN
> encrypt passwords = Yes
> password server = *
> preferred master = False
> local master = No
> domain master = False
> wins server = 172.16.1.12 172.16.2.12
> large readwrite = yes
> winbind uid = 20000-29999
> winbind gid = 2000-2999
> # winbind separator = +
> winbind enum users = yes
> winbind enum groups = yes
> template shell = /bin/bash
>
> [test]
> comment = Test File Share
> path = /export/test
> read only = No
> inherit permissions = yes
> ---------------------------------------------------------
>
> pam.d/login:
> ---------------------------------------------------------
>
> #%PAM-1.0
> auth required /lib/security/pam_securetty.so
> auth required /lib/security/pam_nologin.so
> auth required /lib/security/pam_stack.so service=system-auth
> auth sufficient /lib/security/pam_winbind.so use_first_pass
> auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
> #auth sufficient /lib/security/pam_unix.so use_first_pass
>
> #account sufficient /lib/security/pam_winbind.so
> account required /lib/security/pam_stack.so service=system-auth
>
> password required /lib/security/pam_stack.so service=system-auth
>
> session required /lib/security/pam_stack.so service=system-auth
> session optional /lib/security/pam_console.so
>
> ---------------------------------------------------------
>
> pam.d/system-auth:
> ---------------------------------------------------------
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required /lib/security/pam_env.so
> auth sufficient /lib/security/pam_unix.so likeauth nullok
> auth sufficient /lib/security/pam_winbind.so use_first_pass
> auth required /lib/security/pam_deny.so
>
> account required /lib/security/pam_unix.so
>
> password required /lib/security/pam_cracklib.so retry=3 type=
> password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow nis
> password sufficient /lib/security/pam_winbind.so use_authtok
> password required /lib/security/pam_deny.so
>
> session required /lib/security/pam_limits.so
> session required /lib/security/pam_unix.so
> session required /lib/security/pam_winbind.so
> ---------------------------------------------------------
>
> ----
> Bill Town
> Kontiki, Inc.
> Voice: 650.625.3065
> Fax: 650.623.0142
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
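For the situation described in the thread, where Winbind groups are visible in getfacl but not in the Windows security dialog and ACL editing from the GUI depends on file ownership, this added example (not part of the original messages) classifies `getfacl -n` entries against the `winbind uid` / `winbind gid` ranges from the posted smb.conf. The helper names, the file path and the ids in the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Ranges are the "winbind uid" and
# "winbind gid" values in the smb.conf quoted above.
WB_UID_MIN=20000; WB_UID_MAX=29999
WB_GID_MIN=2000;  WB_GID_MAX=2999

# Constructed sample of `getfacl -n /export/test/report.doc` output.
sample_getfacl() {
cat <<'EOF'
# file: export/test/report.doc
# owner: 20004
# group: 100
user::rw-
group::r--
group:2003:rw-
group:500:r--
mask::rw-
other::---
EOF
}

# classify_acl (hypothetical helper): reads `getfacl -n` output on stdin and
# prints "<kind> <id> <winbind|other> <perms>" for the owner and named entries.
classify_acl() {
    awk -F: -v umin="$WB_UID_MIN" -v umax="$WB_UID_MAX" \
            -v gmin="$WB_GID_MIN" -v gmax="$WB_GID_MAX" '
    function src(id, lo, hi) { return (id+0 >= lo+0 && id+0 <= hi+0) ? "winbind" : "other" }
    function perms(p) { sub(/[ \t].*$/, "", p); return p }   # drop "#effective" note
    /^# owner: / { id = substr($0, 10); print "owner", id, src(id, umin, umax), "-"; next }
    /^#/ || /^default:/ { next }
    $1 == "user"  && $2 != "" { print "user",  $2, src($2, umin, umax), perms($3) }
    $1 == "group" && $2 != "" { print "group", $2, src($2, gmin, gmax), perms($3) }'
}

# is_owner UID (hypothetical helper): succeeds when UID owns the file.
is_owner() {
    awk -v want="$1" '/^# owner: / { found = (substr($0, 10) == want) } END { exit !found }'
}

sample_getfacl | classify_acl
```

On a live server the input would come from `getfacl -n <file>`; entries reported as `winbind` are the ones whose ids were allocated by winbindd rather than taken from local files or NIS.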