Réf. : Re: [Samba] SAMBA Groups and Permissions
stephane.purnelle at corman.be
stephane.purnelle at corman.be
Thu Dec 4 11:22:27 GMT 2003
Samba is compiled with acl support option ?
./configure --with-acl-support
-----------------------------------
Stéphane PURNELLE stephane.purnelle at corman.be
Service Informatique Corman S.A. Tel : 00 32 087/342467
Michael Gasch <gasch at eva.mpg.de>
Envoyé par : Pour : samba at lists.samba.org
samba-bounces+stephane.purnelle=corman.be at lists cc :
.samba.org Objet : Re: [Samba] SAMBA Groups and Permissions
04/12/2003 12:21
hi,
sorry, if i was too unprecise...
of course i'm working with acl's - otherwise i could hardly define those
fine granulated rules
this is, what getfacls on /home/board gives:
~# getfacl /home/board
# file: home/board
# owner: root
# group: root
user::rwx
group::r-x
group:kids:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:kids:r-x
default:mask::r-x
default:other::---
for some reasons, i don't want to work with "valid users" parameter,
especially while working with scripts
so this solution doesn't meet my expectations (as i already mentioned)
the problem is on the samba-side
on unix-side the user "test_user" has access on /home/board, cause he's
in group "kids", too
but samba just recognised group "users" for "test_user" because
sambaPrimaryGroupSID maps to -> "users"
so samba establishes a connection as user "testuser" / group "users",
which fails because of my restrictive acl :/
so: is "valid users" my only chance?
no way of adding more GroupSIDs for samba-users in LDAP, that samba
recognises, that user "test_user" is in more than one group ?
i mean: unix-side sees this...
~# id test_user
uid=596(test_user) gid=500(users) groups=500(users),522(kids)
thx for your help!!!
greez
stephane.purnelle at corman.be wrote:
> I confirm that Malte Müller says.
> If you want to set multiple group acces, you must use ACL.
> the valid user parameter in smb.conf force the right of directory but the
> unix right is only for group user.
>
>
>
>
>
> -----------------------------------
> Stéphane PURNELLE stephane.purnelle at corman.be
> Service Informatique Corman S.A. Tel : 00 32 087/342467
>
>
>
> mamue at lb-bbs1.emd.ni.schule.de
> Envoyé par :
Pour : "Michael Gasch" <gasch at eva.mpg.de>
> samba-bounces+stephane.purnelle=corman.be at lists
cc : samba at lists.samba.org
> .samba.org
Objet : Re: [Samba] SAMBA Groups and Permissions
>
>
> 04/12/2003 11:41
>
>
>
>
>
>
> I am not shure if i got you right. You do not tell us the access rights
of
> the directory concerned.
> If you'r primary uninx group is user and your dir. has:
> drwx---rwx root user board
> they forbid your access. then you are not allowed to access, because
group
> rights match first and If you weren't user but world, then you would be
> allowed. This has nothing to do with samba.
> You might want to change the group to nogroup and work with acls (if
ext3,
> XFS and alike). Or if you have plenty of CPU-cycles to waste you might
> work with "valid users" in smb.conf.
> But i'm not a security or filesystem-expert and may be completely wrong.
>
> Kind regards,
> Malte Müller
>
>
>>hi
>>
>>i have a user
>>
>>~# id test_user
>>uid=500,gid=500 (users),groups (users,kids)
>>
>>as you can see, this user is in primary group "users" and also member of
>>group "kids"
>>
>>if he tries to access /home/board via smb (Samba 3.0 + openldap) from a
>>windows client (XP), he fails, because his
>>
>>sambaPrimaryGroupSID maps to -> "users"
>>
>>and /home/board is not accessible for group "users" - just for "kids"
>>if i add
>>
>>valid users = @kids
>>
>>to /home/board - share, access is granted
>>
>>isn't it possible in samba, that the user "test_user" gets an attribute
>>like
>>
>>sambaSecondaryGroup in ldap ????
>>
>>so that samba knows: "this user is in group users AND kids, so i have to
>>try connections to share /home/board as group users AND kids" ???
>>
>>if i login locally to the samba PDC with a console as "test_user",
>>access to /home/board is granted, 'cause i'm member of "kids"
>>
>>so there's no permission problem
>>
>>please help me !!!
>>
>>greez
>>
>>--
>>To unsubscribe from this list go to the following URL and read the
>>instructions: http://lists.samba.org/mailman/listinfo/samba
>>
>>
>>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
>
>
>
>
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
More information about the samba
mailing list