Réf. : Re: [Samba] SAMBA Groups and Permissions

Michael Gasch gasch at eva.mpg.de
Thu Dec 4 11:34:51 GMT 2003


 > Samba is compiled with acl support option ?
yes it is, i can e.g. set ACL's in windows clients on samba shares
but i think, that's not the fact
permissions are checked not via samba!
samba just asks the FS/posix-side, if it can access "share" with uid/gid xxx

greez


stephane.purnelle at corman.be wrote:
> Samba is compiled with acl support option ?
> 
> ./configure --with-acl-support
> 
> -----------------------------------
> Stéphane PURNELLE                         stephane.purnelle at corman.be
> Service Informatique       Corman S.A.           Tel : 00 32 087/342467
> 
> 
>                                                                                                                                                      
>                     Michael Gasch <gasch at eva.mpg.de>                                                                                                 
>                     Envoyé par :                                           Pour :  samba at lists.samba.org                                             
>                     samba-bounces+stephane.purnelle=corman.be at lists        cc :                                                                      
>                     .samba.org                                             Objet :      Re: [Samba] SAMBA Groups and Permissions                     
>                                                                                                                                                      
>                                                                                                                                                      
>                     04/12/2003 12:21                                                                                                                 
>                                                                                                                                                      
>                                                                                                                                                      
> 
> 
> 
> 
> hi,
> 
> sorry, if i was too unprecise...
> 
> of course i'm working with acl's - otherwise i could hardly define those
> fine granulated rules
> 
> this is, what getfacls on /home/board gives:
> 
> ~# getfacl /home/board
> 
> # file: home/board
> # owner: root
> # group: root
> user::rwx
> group::r-x
> group:kids:r-x
> mask::r-x
> other::---
> default:user::rwx
> default:group::r-x
> default:group:kids:r-x
> default:mask::r-x
> default:other::---
> 
> 
> for some reasons, i don't want to work with "valid users" parameter,
> especially while working with scripts
> so this solution doesn't meet my expectations (as i already mentioned)
> 
> the problem is on the samba-side
> on unix-side the user "test_user" has access on /home/board, cause he's
> in group "kids", too
> 
> but samba just recognised group "users" for "test_user" because
> sambaPrimaryGroupSID maps to -> "users"
> so samba establishes a connection as user "testuser" / group "users",
> which fails because of my restrictive acl :/
> 
> so: is "valid users" my only chance?
> 
> no way of adding more GroupSIDs for samba-users in LDAP, that samba
> recognises, that user "test_user" is in more than one group ?
> 
> i mean: unix-side sees this...
> 
> ~# id test_user
> uid=596(test_user) gid=500(users) groups=500(users),522(kids)
> 
> thx for your help!!!
> 
> greez
> 
> 
> 
> stephane.purnelle at corman.be wrote:
> 
>>I confirm that Malte Müller says.
>>If you want to set multiple group acces, you must use ACL.
>>the valid user parameter in smb.conf force the right of directory but the
>>unix right is only for group user.
>>
>>
>>
>>
>>
>>-----------------------------------
>>Stéphane PURNELLE                         stephane.purnelle at corman.be
>>Service Informatique       Corman S.A.           Tel : 00 32 087/342467
>>
>>
>>
> 
> 
>>                    mamue at lb-bbs1.emd.ni.schule.de
> 
> 
>>                    Envoyé par :
> 
> Pour :  "Michael Gasch" <gasch at eva.mpg.de>
> 
>>                    samba-bounces+stephane.purnelle=corman.be at lists
> 
> cc :    samba at lists.samba.org
> 
>>                    .samba.org
> 
> Objet :      Re: [Samba] SAMBA Groups and Permissions
> 
> 
> 
>>                    04/12/2003 11:41
> 
> 
> 
> 
>>
>>
>>
>>I am not shure if i got you right. You do not tell us the access rights
> 
> of
> 
>>the directory concerned.
>>If you'r primary uninx group is user and your dir. has:
>>drwx---rwx   root user board
>>they forbid your access. then you are not allowed to access, because
> 
> group
> 
>>rights match first and If you weren't user but world, then you would be
>>allowed. This has nothing to do with samba.
>>You might want to change the group to nogroup and work with acls (if
> 
> ext3,
> 
>>XFS and alike). Or if you have plenty of CPU-cycles to waste you might
>>work with "valid users" in smb.conf.
>>But i'm not a security or filesystem-expert and may be completely wrong.
>>
>>Kind regards,
>>Malte Müller
>>
>>
>>
>>>hi
>>>
>>>i have a user
>>>
>>>~# id test_user
>>>uid=500,gid=500 (users),groups (users,kids)
>>>
>>>as you can see, this user is in primary group "users" and also member of
>>>group "kids"
>>>
>>>if he tries to access /home/board via smb (Samba 3.0 + openldap) from a
>>>windows client (XP), he fails, because his
>>>
>>>sambaPrimaryGroupSID maps to -> "users"
>>>
>>>and /home/board is not accessible for group "users" - just for "kids"
>>>if i add
>>>
>>>valid users = @kids
>>>
>>>to /home/board - share, access is granted
>>>
>>>isn't it possible in samba, that the user "test_user" gets an attribute
>>>like
>>>
>>>sambaSecondaryGroup in ldap ????
>>>
>>>so that samba knows: "this user is in group users AND kids, so i have to
>>>try connections to share /home/board as group users AND kids" ???
>>>
>>>if i login locally to the samba PDC with a console as "test_user",
>>>access to /home/board is granted, 'cause i'm member of "kids"
>>>
>>>so there's no permission problem
>>>
>>>please help me !!!
>>>
>>>greez
>>>
>>>--
>>>To unsubscribe from this list go to the following URL and read the
>>>instructions:  http://lists.samba.org/mailman/listinfo/samba
>>>
>>>
>>>
>>
>>
>>--
>>To unsubscribe from this list go to the following URL and read the
>>instructions:  http://lists.samba.org/mailman/listinfo/samba
>>
>>
>>
>>
> 
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
> 
> 
> 
> 

-- 


          "Matrix - more than a vision"

**************************************************
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Deutscher Platz 6
04103 Leipzig

Germany
**************************************************




More information about the samba mailing list