[Samba] winbind user vs group permission deny
Paul Ryan
pryan at lssdata.com
Wed Sep 29 17:23:44 GMT 2004
Samba List -
Like most people new to Samba, I'm having the most trouble setting up permissions.
First of all, let me get this straight: if you use security = domain, you do not need to set up individual users on the Linux box (in an NT domain), correct?
I want all users to be able to read the files in LSSNET, and only specific users allowed to write to it. If the folder is 775 and the group owner is LSS_A+Domain Users everyone has read and write access. Then to deny the write access I add read list and write list as below. Now even though I am in all the groups and my individual user is in write list, I don't have write access. This is because I'm also in Domain Users and the read list overrides all Samba permissions
The other options is to change the folder to 755, but then no matter what groups I add to write access, they will not override the Unix permissions. This means I have no way to give all users read access and only some users write access without actually creating the users on the local linux box...and that defeats the purpose of the security = domain ? ? ?
Thanks in advance for anybody who can solve this.
Paul
#####SETUP#####
root# ls -lah
drwxrwxr-x 36 root LSS_A+Domain Users 4.0K Sep 29 08:46 lssnet
[global]
workgroup = LSS_A
server string = Intranet Server
log file = /var/log/samba/%m.log
max log size = 500
security = domain
password server = lss_pdc bdc1 bdc2
encrypt passwords = yes
smb passwd file = /usr/local/samba/private/smbpasswd
####Winbind####
# This section added by PJR 5/25/04
# Include winbind NT domain support
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = no
winbind cache time = 20
winbind enum users = yes
winbind enum groups = yes
# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
local master = no
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
wins server = 206.145.30.12
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
dns proxy = no
force create mode = 0775
force directory mode = 0775
read only = yes
veto oplock files = /*.cgi/
guest ok = no
browseable = no
writable = no
# Note: This line is added for security purposes. The following
# users should never have access to the Samba shares
invalid users = root,bin,daemon,adm,sync,shutdown,halt,mail,news,uucp,operator,gopher
[lssnet]
path = /www/lssnet
comment = Intranet Web Files
read list = 'LSS_A+Domain Users'
write list = LSS_A+pryan, 'LSS_A+Corp Tech', 'LSS_A+Domain Admins'
Paul Ryan, Technology Specialist
LSS Data Systems
6423 City West Parkway, Eden Prairie, MN 55344
952.941.1000
More information about the samba
mailing list