Ref.: Re: [Samba] SAMBA Groups and Permissions
Michael Gasch
gasch at eva.mpg.de
Thu Dec 4 11:34:51 GMT 2003
> Samba is compiled with acl support option ?
yes it is, i can e.g. set ACLs in windows clients on samba shares
but i think, that's not the fact
permissions are checked not via samba!
samba just asks the FS/posix-side, if it can access "share" with uid/gid xxx
greez
stephane.purnelle at corman.be wrote:
> Samba is compiled with acl support option ?
>
> ./configure --with-acl-support
>
> -----------------------------------
> Stéphane PURNELLE stephane.purnelle at corman.be
> Service Informatique Corman S.A. Tel : 00 32 087/342467
>
> Michael Gasch <gasch at eva.mpg.de>
> Sent by: samba-bounces+stephane.purnelle=corman.be at lists.samba.org
> To: samba at lists.samba.org
> cc:
> Subject: Re: [Samba] SAMBA Groups and Permissions
> 04/12/2003 12:21
>
> hi,
>
> sorry, if i was too imprecise...
>
> of course i'm working with acls - otherwise i could hardly define those
> fine granulated rules
>
> this is, what getfacl on /home/board gives:
>
> ~# getfacl /home/board
>
> # file: home/board
> # owner: root
> # group: root
> user::rwx
> group::r-x
> group:kids:r-x
> mask::r-x
> other::---
> default:user::rwx
> default:group::r-x
> default:group:kids:r-x
> default:mask::r-x
> default:other::---
>
>
> for some reasons, i don't want to work with "valid users" parameter,
> especially while working with scripts
> so this solution doesn't meet my expectations (as i already mentioned)
>
> the problem is on the samba-side
> on unix-side the user "test_user" has access on /home/board, cause he's
> in group "kids", too
>
> but samba just recognised group "users" for "test_user" because
> sambaPrimaryGroupSID maps to -> "users"
> so samba establishes a connection as user "testuser" / group "users",
> which fails because of my restrictive acl :/
>
> so: is "valid users" my only chance?
>
> no way of adding more GroupSIDs for samba-users in LDAP, that samba
> recognises, that user "test_user" is in more than one group ?
>
> i mean: unix-side sees this...
>
> ~# id test_user
> uid=596(test_user) gid=500(users) groups=500(users),522(kids)
>
> thx for your help!!!
>
> greez
>
>
>
> stephane.purnelle at corman.be wrote:
>
>>I confirm what Malte Müller says.
>>If you want to set multiple group access, you must use ACL.
>>The valid user parameter in smb.conf forces the right of directory but the
>>unix right is only for group user.
>>
>>-----------------------------------
>>Stéphane PURNELLE stephane.purnelle at corman.be
>>Service Informatique Corman S.A. Tel : 00 32 087/342467
>>
>>mamue at lb-bbs1.emd.ni.schule.de
>>Sent by: samba-bounces+stephane.purnelle=corman.be at lists.samba.org
>>To: "Michael Gasch" <gasch at eva.mpg.de>
>>cc: samba at lists.samba.org
>>Subject: Re: [Samba] SAMBA Groups and Permissions
>>04/12/2003 11:41
>>
>>I am not sure if i got you right. You do not tell us the access rights of
>>the directory concerned.
>>If your primary unix group is user and your dir. has:
>>drwx---rwx root user board
>>they forbid your access. then you are not allowed to access, because group
>>rights match first and if you weren't user but world, then you would be
>>allowed. This has nothing to do with samba.
>>You might want to change the group to nogroup and work with acls (if ext3,
>>XFS and alike). Or if you have plenty of CPU-cycles to waste you might
>>work with "valid users" in smb.conf.
>>But i'm not a security or filesystem-expert and may be completely wrong.
>>
>>Kind regards,
>>Malte Müller
>>
>>
>>
>>>hi
>>>
>>>i have a user
>>>
>>>~# id test_user
>>>uid=500,gid=500 (users),groups (users,kids)
>>>
>>>as you can see, this user is in primary group "users" and also member of
>>>group "kids"
>>>
>>>if he tries to access /home/board via smb (Samba 3.0 + openldap) from a
>>>windows client (XP), he fails, because his
>>>
>>>sambaPrimaryGroupSID maps to -> "users"
>>>
>>>and /home/board is not accessible for group "users" - just for "kids"
>>>if i add
>>>
>>>valid users = @kids
>>>
>>>to /home/board - share, access is granted
>>>
>>>isn't it possible in samba, that the user "test_user" gets an attribute
>>>like
>>>
>>>sambaSecondaryGroup in ldap ????
>>>
>>>so that samba knows: "this user is in group users AND kids, so i have to
>>>try connections to share /home/board as group users AND kids" ???
>>>
>>>if i login locally to the samba PDC with a console as "test_user",
>>>access to /home/board is granted, 'cause i'm member of "kids"
>>>
>>>so there's no permission problem
>>>
>>>please help me !!!
>>>
>>>greez
>>>
>>>--
>>>To unsubscribe from this list go to the following URL and read the
>>>instructions: http://lists.samba.org/mailman/listinfo/samba
--
"Matrix - more than a vision"
**************************************************
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Deutscher Platz 6
04103 Leipzig
Germany
**************************************************
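
Added example (not part of the original post): a Python evaluation of the POSIX ACL access check over the `getfacl` output quoted in the thread, showing why a session that carries only gid 500 (users) is refused on /home/board while one that also carries gid 522 (kids) is allowed. The function names and the name-to-id maps are assumptions made for this illustration; the uid/gid numbers come from the `id test_user` output above, and root is taken as id 0.

```python
# Constructed input: access entries from the getfacl output quoted in the thread.
GETFACL = """\
# file: home/board
# owner: root
# group: root
user::rwx
group::r-x
group:kids:r-x
mask::r-x
other::---
default:group:kids:r-x
"""
# Assumed name-to-id maps (numbers from `id test_user`; root assumed to be 0).
UIDS = {"root": 0, "test_user": 596}
GIDS = {"root": 0, "users": 500, "kids": 522}

def parse_getfacl(text):
    """Return (owner_uid, owner_gid, access_entries); default: entries are skipped."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = UIDS[line.split(":", 1)[1].strip()]
        elif line.startswith("# group:"):
            group = GIDS[line.split(":", 1)[1].strip()]
        elif line and not line.startswith(("#", "default:")):
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, set(perms.replace("-", ""))))
    return owner, group, entries

def acl_allows(text, uid, gids, want):
    """POSIX.1e-style access check for a process with `uid` and group set `gids`."""
    owner, group, entries = parse_getfacl(text)
    want = set(want)
    mask = next((p for t, q, p in entries if t == "mask"), set("rwx"))
    if uid == owner:  # 1. owning user entry, never masked
        return want <= next(p for t, q, p in entries if t == "user" and not q)
    for t, q, p in entries:  # 2. named user entries, limited by the mask
        if t == "user" and q and UIDS.get(q) == uid:
            return want <= (p & mask)
    # 3. owning group and named groups: any matching entry may grant (masked);
    #    if at least one matches but none grants, access is denied outright.
    matched = [p for t, q, p in entries
               if t == "group" and (GIDS.get(q) if q else group) in gids]
    if matched:
        return any(want <= (p & mask) for p in matched)
    # 4. no user or group entry matched: fall through to other
    return want <= next(p for t, q, p in entries if t == "other")
```
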