Ref.: Re: Ref.: Re: [Samba] SAMBA Groups and Permissions
Michael Gasch
gasch at eva.mpg.de
Thu Dec 4 12:22:44 GMT 2003
damn....
now everything works
samba recognises user "test_user" in group "users" AND "kids"....
i dunno why ?!?!!?
i did nothing, i just removed "valid users" from this share and reloaded
smb-conf...nothing special !
if i could reproduce it, it would be better than seeing it working now
and not knowing why....
but
thx very much for your patience
greez
stephane.purnelle at corman.be wrote:
> what samba log says ?
>
> -----------------------------------
> Stéphane PURNELLE stephane.purnelle at corman.be
> Service Informatique Corman S.A. Tel : 00 32 087/342467
>
>
>
> Michael Gasch <gasch at eva.mpg.de>
> Sent by: samba-bounces+stephane.purnelle=corman.be at lists.samba.org
> To: samba at lists.samba.org
> cc:
> Subject: Re: Ref.: Re: [Samba] SAMBA Groups and Permissions
> 04/12/2003 12:34
>
> > Samba is compiled with acl support option ?
> yes it is, i can e.g. set ACL's in windows clients on samba shares
> but i think, that's not the fact
> permissions are checked not via samba!
> samba just asks the FS/posix-side, if it can access "share" with uid/gid
> xxx
>
> greez
>
>
> stephane.purnelle at corman.be wrote:
>
>>Samba is compiled with acl support option ?
>>
>>./configure --with-acl-support
>>
>>-----------------------------------
>>Stéphane PURNELLE stephane.purnelle at corman.be
>>Service Informatique Corman S.A. Tel : 00 32 087/342467
>>
>>
>>
>>Michael Gasch <gasch at eva.mpg.de>
>>Sent by: samba-bounces+stephane.purnelle=corman.be at lists.samba.org
>>To: samba at lists.samba.org
>>cc:
>>Subject: Re: [Samba] SAMBA Groups and Permissions
>>04/12/2003 12:21
>>
>>hi,
>>
>>sorry, if i was too imprecise...
>>
>>of course i'm working with acl's - otherwise i could hardly define those
>>fine granulated rules
>>
>>this is, what getfacl on /home/board gives:
>>
>>~# getfacl /home/board
>>
>># file: home/board
>># owner: root
>># group: root
>>user::rwx
>>group::r-x
>>group:kids:r-x
>>mask::r-x
>>other::---
>>default:user::rwx
>>default:group::r-x
>>default:group:kids:r-x
>>default:mask::r-x
>>default:other::---
>>
>>
>>for some reasons, i don't want to work with "valid users" parameter,
>>especially while working with scripts
>>so this solution doesn't meet my expectations (as i already mentioned)
>>
>>the problem is on the samba-side
>>on unix-side the user "test_user" has access on /home/board, cause he's
>>in group "kids", too
>>
>>but samba just recognised group "users" for "test_user" because
>>sambaPrimaryGroupSID maps to -> "users"
>>so samba establishes a connection as user "testuser" / group "users",
>>which fails because of my restrictive acl :/
>>
>>so: is "valid users" my only chance?
>>
>>no way of adding more GroupSIDs for samba-users in LDAP, that samba
>>recognises, that user "test_user" is in more than one group ?
>>
>>i mean: unix-side sees this...
>>
>>~# id test_user
>>uid=596(test_user) gid=500(users) groups=500(users),522(kids)
>>
>>thx for your help!!!
>>
>>greez
>>
>>
>>
>>stephane.purnelle at corman.be wrote:
>>
>>
>>>I confirm what Malte Müller says.
>>>If you want to set multiple group access, you must use ACL.
>>>the valid user parameter in smb.conf forces the right of directory but the
>>>unix right is only for group user.
>>>
>>>
>>>
>>>
>>>
>>>-----------------------------------
>>>Stéphane PURNELLE stephane.purnelle at corman.be
>>>Service Informatique Corman S.A. Tel : 00 32 087/342467
>>>
>>>
>>>
>>>mamue at lb-bbs1.emd.ni.schule.de
>>>Sent by: samba-bounces+stephane.purnelle=corman.be at lists.samba.org
>>>To: "Michael Gasch" <gasch at eva.mpg.de>
>>>cc: samba at lists.samba.org
>>>Subject: Re: [Samba] SAMBA Groups and Permissions
>>>04/12/2003 11:41
>>>
>>>I am not sure if i got you right. You do not tell us the access rights of
>>>the directory concerned.
>>>If your primary unix group is user and your dir. has:
>>>drwx---rwx root user board
>>>they forbid your access. then you are not allowed to access, because group
>>>rights match first and If you weren't user but world, then you would be
>>>allowed. This has nothing to do with samba.
>>>You might want to change the group to nogroup and work with acls (if ext3,
>>>XFS and alike). Or if you have plenty of CPU-cycles to waste you might
>>>work with "valid users" in smb.conf.
>>>But i'm not a security or filesystem-expert and may be completely wrong.
>>>
>>>Kind regards,
>>>Malte Müller
>>>
>>>
>>>
>>>
>>>>hi
>>>>
>>>>i have a user
>>>>
>>>>~# id test_user
>>>>uid=500,gid=500 (users),groups (users,kids)
>>>>
>>>>as you can see, this user is in primary group "users" and also member of
>>>>group "kids"
>>>>
>>>>if he tries to access /home/board via smb (Samba 3.0 + openldap) from a
>>>>windows client (XP), he fails, because his
>>>>
>>>>sambaPrimaryGroupSID maps to -> "users"
>>>>
>>>>and /home/board is not accessible for group "users" - just for "kids"
>>>>if i add
>>>>
>>>>valid users = @kids
>>>>
>>>>to /home/board - share, access is granted
>>>>
>>>>isn't it possible in samba, that the user "test_user" gets an attribute
>>>>like
>>>>
>>>>sambaSecondaryGroup in ldap ????
>>>>
>>>>so that samba knows: "this user is in group users AND kids, so i have to
>>>>try connections to share /home/board as group users AND kids" ???
>>>>
>>>>if i login locally to the samba PDC with a console as "test_user",
>>>>access to /home/board is granted, 'cause i'm member of "kids"
>>>>
>>>>so there's no permission problem
>>>>
>>>>please help me !!!
>>>>
>>>>greez
>>>>
>>>>--
>>>>To unsubscribe from this list go to the following URL and read the
>>>>instructions: http://lists.samba.org/mailman/listinfo/samba
>>>>
>>>>
>>>>
>>>
>>>
>
>
> --
>
>
> "Matrix - more than a vision"
>
> **************************************************
> Michael Gasch
> Max Planck Institute for Evolutionary Anthropology
> Deutscher Platz 6
> 04103 Leipzig
>
> Germany
> **************************************************
>
>
>
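The access decision discussed in this thread, as an added example that is not part of the original messages: it applies the POSIX ACL check order from acl(5) to the getfacl output Michael posted, once with the group set reported by `id test_user` and once with only the primary group. The function names are illustrative, and names are compared as strings where a real kernel compares numeric uid/gid values.

```python
# Added example: POSIX ACL access check (acl(5) order) run against the
# getfacl output quoted in the thread. Names stand in for numeric ids.
GETFACL_OUTPUT = """\
# file: home/board
# owner: root
# group: root
user::rwx
group::r-x
group:kids:r-x
mask::r-x
other::---
default:group:kids:r-x
"""

def parse_getfacl(text):
    """Return (owner, owning_group, entries); entries are (tag, qualifier, perms)."""
    owner = group = None
    entries = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):  # access ACL only
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, set(perms) - {"-"}))
    return owner, group, entries

def check_access(acl, user, groups, wanted):
    """True if `user` with group set `groups` is granted every permission in `wanted`."""
    owner, owning_group, entries = acl
    wanted = set(wanted)
    mask = next((p for t, q, p in entries if t == "mask"), {"r", "w", "x"})
    if user == owner:                        # 1. file owner: mask does not apply
        return wanted <= next(p for t, q, p in entries if t == "user" and not q)
    for t, q, p in entries:                  # 2. named user entry, limited by mask
        if t == "user" and q == user:
            return wanted <= (p & mask)
    hits = [p & mask for t, q, p in entries  # 3. owning group and named groups
            if t == "group" and (q or owning_group) in groups]
    if hits:                                 # a group matched: "other" is never consulted
        return any(wanted <= p for p in hits)
    return wanted <= next(p for t, q, p in entries if t == "other")  # 4. other

if __name__ == "__main__":
    acl = parse_getfacl(GETFACL_OUTPUT)
    print("users+kids:", check_access(acl, "test_user", {"users", "kids"}, "rx"))
    print("users only:", check_access(acl, "test_user", {"users"}, "rx"))
```

With only the primary group in the credential set, no group entry matches and the decision falls through to `other::---`, which is the denial described in the thread.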