Ref.: Re: [Samba] SAMBA Groups and Permissions

stephane.purnelle at corman.be stephane.purnelle at corman.be
Thu Dec 4 11:22:27 GMT 2003


Is Samba compiled with the ACL support option?

./configure --with-acl-support

-----------------------------------
Stéphane PURNELLE                         stephane.purnelle at corman.be
Service Informatique       Corman S.A.           Tel : 00 32 087/342467


                                                                                                                                                     
Michael Gasch <gasch at eva.mpg.de>
Sent by: samba-bounces+stephane.purnelle=corman.be at lists.samba.org
04/12/2003 12:21

To: samba at lists.samba.org
cc:
Subject: Re: [Samba] SAMBA Groups and Permissions




hi,

sorry, if i was too imprecise...

of course i'm working with acl's - otherwise i could hardly define those
fine granulated rules

this is, what getfacls on /home/board gives:

~# getfacl /home/board

# file: home/board
# owner: root
# group: root
user::rwx
group::r-x
group:kids:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:kids:r-x
default:mask::r-x
default:other::---


for some reasons, i don't want to work with "valid users" parameter,
especially while working with scripts
so this solution doesn't meet my expectations (as i already mentioned)

the problem is on the samba-side
on unix-side the user "test_user" has access on /home/board, cause he's
in group "kids", too

but samba just recognised group "users" for "test_user" because
sambaPrimaryGroupSID maps to -> "users"
so samba establishes a connection as user "testuser" / group "users",
which fails because of my restrictive acl :/

so: is "valid users" my only chance?

no way of adding more GroupSIDs for samba-users in LDAP, that samba
recognises, that user "test_user" is in more than one group ?

i mean: unix-side sees this...

~# id test_user
uid=596(test_user) gid=500(users) groups=500(users),522(kids)

thx for your help!!!

greez



stephane.purnelle at corman.be wrote:
> I confirm what Malte Müller says.
> If you want to set multiple group access, you must use ACL.
> The valid user parameter in smb.conf forces the right of directory but the
> unix right is only for group user.
>
>
>
>
>
> -----------------------------------
> Stéphane PURNELLE                         stephane.purnelle at corman.be
> Service Informatique       Corman S.A.           Tel : 00 32 087/342467
>
>
>

> mamue at lb-bbs1.emd.ni.schule.de
> Sent by: samba-bounces+stephane.purnelle=corman.be at lists.samba.org
> 04/12/2003 11:41
>
> To: "Michael Gasch" <gasch at eva.mpg.de>
> cc: samba at lists.samba.org
> Subject: Re: [Samba] SAMBA Groups and Permissions
>
> I am not sure if i got you right. You do not tell us the access rights of
> the directory concerned.
> If your primary unix group is user and your dir. has:
> drwx---rwx   root user board
> they forbid your access. then you are not allowed to access, because group
> rights match first and If you weren't user but world, then you would be
> allowed. This has nothing to do with samba.
> You might want to change the group to nogroup and work with acls (if ext3,
> XFS and alike). Or if you have plenty of CPU-cycles to waste you might
> work with "valid users" in smb.conf.
> But i'm not a security or filesystem-expert and may be completely wrong.
>
> Kind regards,
> Malte Müller
>
>
>>hi
>>
>>i have a user
>>
>>~# id test_user
>>uid=500,gid=500 (users),groups (users,kids)
>>
>>as you can see, this user is in primary group "users" and also member of
>>group "kids"
>>
>>if he tries to access /home/board via smb (Samba 3.0 + openldap) from a
>>windows client (XP), he fails, because his
>>
>>sambaPrimaryGroupSID maps to -> "users"
>>
>>and /home/board is not accessible for group "users" - just for "kids"
>>if i add
>>
>>valid users = @kids
>>
>>to /home/board - share, access is granted
>>
>>isn't it possible in samba, that the user "test_user" gets an attribute
>>like
>>
>>sambaSecondaryGroup in ldap ????
>>
>>so that samba knows: "this user is in group users AND kids, so i have to
>>try connections to share /home/board as group users AND kids" ???
>>
>>if i login locally to the samba PDC with a console as "test_user",
>>access to /home/board is granted, 'cause i'm member of "kids"
>>
>>so there's no permission problem
>>
>>please help me !!!
>>
>>greez
>>
>>--
>>To unsubscribe from this list go to the following URL and read the
>>instructions:  http://lists.samba.org/mailman/listinfo/samba
>>
>>
>>


--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba





