[Samba] Samba 2.2.8 doesn't allow to write to group share

[Buchan Milne]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Message: 18
> Date: Mon, 1 Dec 2003 14:59:16 -0600
> From: "Eric Geater 11/26/03" <egeater at mscoinc.com>
> Subject: [Samba] Samba 2.2.8 doesn't allow to write to group share
> To: "'Samba Mailing List'" <samba at lists.samba.org>
> Message-ID: <007401c3b84d$fb59ba20$6300a8c0 at 93egeater>
> Content-Type: text/plain;	charset="us-ascii"
>
> Two issues, and I'll discuss them both:
>
> I created on my NT4 domain a group called "branch99".  They're a "local
> group" as far as NT is concerned, and it has two members; myself, and
> another fellow down the hall.  My end quest is to create a share on a
> Mandrake 9.2 box running Samba 2.2.8, and have it permit or deny file
> access based on NT's typical discretions.
>
> Using a recipe found in "Linux for Windows Administrators", I set up the
> following smb.conf file:

Hmm, you trust a Windows book more than the default configuration file,
which should give you many more, and better hints, than an outdated
Windows-centric book ...

>
> [global]
>    name resolve order = wins lmhosts bcast
>    wins server = 172.16.128.1
>    wins support = no
>    domain master = no
>    local master = no
>    os level = 10
>    preferred master = no
>    workgroup = MARTIN
>    server string = ZEKEJAX Test
>    netbios name = ZEKEJAX
>    security = domain
>    password server = *
>    encrypt passwords = yes
>    smb passwd file = /etc/samba/smbpasswd
>
> The group in question is this:
>
> [branch99test]
>    comment = Branch 99's Test Share
>    path = /home/branch99
>    valid users = @branch99
>    browseable = yes
>    read only = no
>    create mode = 0660
>    directory mode = 0770
>
> I have already successfully joined the domain.

Are you running winbind? If so, then, you (with the absence of 'winbind
use default domain = yes') should have groups named something like
MARTIN\branch99 (you an check with 'wbinfo -g'), so your 'valid users'
line should be something like:

valid users = @"MARTIN\branch99"

(the quotes may not be necessary in this case, but for other Windows
groups they may be).

> There is another (liberal rules) share that I can get to with no
> problems at all.  I can even double-click the "branch99test" share, and
> see the file that appears (a single text file created from the Mandrake
> box; even my Windows box can open it).  But I can't write (create) in
> the directory.  Can anyone postulate as to why?  I don't mind if
> kstovall (not a member of "branch99") can't do it, but I'm in that
> group, and I can't do it from an XP or 98 box joined to the domain.

Without seeing your share definition and/or the permissions of the
directory in question, it's difficult to postulate.

But, in general, here is some advice:

1)Whenever possible, use the filesystem to store access controls, rather
than configuration files. Next month you may give a user ssh access, and
then they may have greater or lesser access to the files than you
allowed with samba. If you use the filesystem permissions, they will be
identical.

Mandrake supports Posix-ACLs (not quite NT ACLs, but good enough for
most applications) on XFS (and has since Mandrake 8.1).

2)Please have a look at the default smb.conf (or maybe you still have an
intact /etc/samba/smb-winbind.conf to peruse), it would probably have
saved you a lot of hassle (IMHO).

3)You can setup winbind authentication during installation (at least for
Windows NT domains), which should do most things quite well for you.

Regards,
Buchan

- --
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/zLkYrJK6UGDSBKcRAlOIAKCIlQrlsieeckebRmEx9b/Tb55E1gCfcOcG
OeLQqaMfD394OGc7drI53jQ=
=zSO0
-----END PGP SIGNATURE-----