[Samba] Quick question on adding Winbind/NIS groups to a Samba ACL

JC Nou jc_nou at hotmail.com
Tue Mar 19 22:27:02 GMT 2002


G'Day,

Will this only work with the 2.14.18 Kernel (with the ACL patches)? We
are using the 2.4.9-13SGI_XFS_1.0.2 kernel and want to deliver a similar
service.

TIA

JC


----- Original Message -----
From: "Noel Kelly" <nkelly at tarsus.co.uk>
To: "'Bill Town'" <bill at kontiki.com>; <samba at lists.samba.org>
Sent: Wednesday, March 20, 2002 3:44 PM
Subject: RE: [Samba] Quick question on adding Winbind/NIS groups to a Samba ACL


> Bill-
>
> Key point is that you need to be the owner to manage ACLs through the
> Windows GUI.  Try and create a new file so you are the owner of it and then
> manipulate the ACLs.  Or chown an existing file so you are the owner.  You
> cannot use the 'take ownership' NT route.
>
> Check out the 'force user = root' setting - we use it for creating
> admin-only shares.  Root can do anything of course.
>
> Hope this helps a bit,
> Noel
>
> -----Original Message-----
> From: Bill Town [mailto:bill at kontiki.com]
> Sent: 19 March 2002 22:18
> To: samba at lists.samba.org
> Subject: [Samba] Quick question on adding Winbind/NIS groups to a Samba
> ACL
>
>
> Hi all-
>
> First a little background and infrastructure:
> After a long arduous road I got my Samba file server to authenticate
> with Winbind and/or NIS (synced with AD) in a Native Mode Active
> Directory.  I can logon to the Linux server locally and also gain access
> to a file share via a windows box with accounts in either.  Samba is
> running on a Linux 7.2 server with Kernel 2.14.18 with the ACL patches
> (using http://acl.bestbits.at/).  I built Samba with the
> --with-acl-support and --with-nis (--with-winbind is a default option).
> The Samba configuration file is below as well as the pam.d/login and
> pam.d/system-auth files.  The server is a member of the domain and
> [wbinfo -t] reports [security is good].  [Getent passwd] and [getent
> group] enumerate the users and groups correctly.
>
> Now the question:
> I can modify permissions through a Windows 2000 Security Interface if
> the group already has some sort of permissions assigned on the
> file/directory.  I cannot add groups to an ACL through the Windows 2000
> interface but must resort to adding them via setfacl on the Linux box.
> Any ideas?  I cannot add groups because it only wants DOMAIN\GROUP and
> the current permissions show up as FILE-SERVER\GROUP.  The Winbind
> groups do not show up at all in the Windows security interface but do in
> the getfacl on the Linux box.  Thanks in advance for your help.
>
> Cheers,
> -Bill
>
>
> smb.conf:
> ---------------------------------------------------------
> # Samba config file
> # Date: 2002/03/19
>
> # Global parameters
> [global]
>         workgroup = ZODIAC
>         netbios name = fs1-test
>         server string = Test File Server
>         security = DOMAIN
>         encrypt passwords = Yes
>         password server = *
>         preferred master = False
>         local master = No
>         domain master = False
>         wins server = 172.16.1.12 172.16.2.12
>         large readwrite = yes
>         winbind uid = 20000-29999
>         winbind gid = 2000-2999
> #       winbind separator = +
>         winbind enum users = yes
>         winbind enum groups = yes
>         template shell = /bin/bash
>
> [test]
>         comment = Test File Share
>         path = /export/test
>         read only = No
>         inherit permissions = yes
> ---------------------------------------------------------
>
> pam.d/login:
> ---------------------------------------------------------
>
> #%PAM-1.0
> auth       required     /lib/security/pam_securetty.so
> auth       required     /lib/security/pam_nologin.so
> auth       required     /lib/security/pam_stack.so service=system-auth
> auth       sufficient   /lib/security/pam_winbind.so use_first_pass
> auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok
> #auth       sufficient  /lib/security/pam_unix.so use_first_pass
>
> #account    sufficient   /lib/security/pam_winbind.so
> account    required     /lib/security/pam_stack.so service=system-auth
>
> password   required     /lib/security/pam_stack.so service=system-auth
>
> session    required     /lib/security/pam_stack.so service=system-auth
> session    optional     /lib/security/pam_console.so
>
> ---------------------------------------------------------
>
> pam.d/system-auth:
> ---------------------------------------------------------
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/pam_env.so
> auth        sufficient    /lib/security/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/pam_winbind.so use_first_pass
> auth        required      /lib/security/pam_deny.so
>
> account     required      /lib/security/pam_unix.so
>
> password    required      /lib/security/pam_cracklib.so retry=3 type=
> password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow nis
> password    sufficient    /lib/security/pam_winbind.so use_authtok
> password    required      /lib/security/pam_deny.so
>
> session     required      /lib/security/pam_limits.so
> session     required      /lib/security/pam_unix.so
> session     required      /lib/security/pam_winbind.so
> ---------------------------------------------------------
>
> ----
> Bill Town
> Kontiki, Inc.
> Voice: 650.625.3065
> Fax: 650.623.0142
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba



