[Samba] RE: More help on ACL problem please...Problem solved.....thanks to all.....

Travis Bullock tbullock at avmax.ca
Mon Jan 24 20:13:19 GMT 2005


Dude,

Thanks for your help.  I made the modifications to the "valid users=" line
in the smb.conf but was still not able to browse to the directory without
being a member of the primary group AVMAX+Planning. However there was also a
problem with the way I set up the ACL which I have now discovered and
corrected. The details are as follows:

Along with having to list all allowed groups in the "valid users=" line in
the smb.conf file for the share I also had to modify each share's ACL
permissions as well.  Originally I had given "AVMAX+Domain Users" a :r
permission in that directory's ACL.  I also needed to put in a :x permission
to allow browsing to work on that folder.  So I fixed the problem by doing:

setfacl -m group:"AVMAX+Domain Users":rx Planning

This allows me to now browse to the directory problem free without being a
member of the primary domain group AVMAX+Planning.

I am also able to leave the "valid users=" parameter out of the smb.conf
share detail and let winbind and the ACLs work on the security of the
directory.

So anyway thanks to those who replied to my request for assistance.

Cheers,

Travis

-----Original Message-----
From: samba-bounces+tbullock=avmax.ca at lists.samba.org
[mailto:samba-bounces+tbullock=avmax.ca at lists.samba.org]On Behalf Of
spu at corman.be
Sent: Monday, January 24, 2005 9:33 AM
To: samba at samba.org
Subject: RE: RE [Samba] More help on
ACLproblemplease...anyone...anyone...Bueller?

Extract of smb.conf :

valid users (S)
      This is a list of users that should be allowed to login to this
      service. Names starting with '@', '+' and '&' are interpreted using
      the same rules as described in the invalid users parameter.


      If this is empty (the default) then any user can login. If a username
      is in both this list and the invalid users list then access is denied
      for that user.


      The current servicename is substituted for %S . This is useful in the
      [homes] section.


      Default: valid users = # No valid users list (anyone can login)


      Example: valid users = greg, @pcusers


From: "Travis Bullock" <tbullock at avmax.ca>
To: <spu at corman.be>
Date: 24/01/2005 17:28
Subject: RE: RE [Samba] More help on ACL problemplease...anyone...anyone...Bueller?

I modified your setting

Sure:

[Planning]
   comment = Avmax Domain Shares
   browseable = yes
   writable = yes
   read only = no
   # valid users = AVMAX+Planning
   create mode = 0664
   directory mode = 0775
   path = /usr/avamx_shares/Planning

There she is.  Do I have to include all groups in 'valid users'?  If so
what would the separator be?

-----Original Message-----
From: samba-bounces+tbullock=avmax.ca at lists.samba.org
[mailto:samba-bounces+tbullock=avmax.ca at lists.samba.org]On Behalf Of
spu at corman.be
Sent: Monday, January 24, 2005 9:03 AM
To: Samba (E-mail)
Subject: RE [Samba] More help on ACL
problemplease...anyone...anyone...Bueller?

Hi,

I think it is not an ACL problem; it's an smb.conf share configuration problem.
Could you send the part of your smb.conf that concerns this share?

-----------------------------------
Stéphane PURNELLE                         stephane.purnelle at corman.be
Service Informatique       Corman S.A.           Tel : 00 32 087/342467



From: "Travis Bullock" <tbullock at avmax.ca>
Sent by: samba-bounces+stephane.purnelle=corman.be at lists.samba.org
To: "Samba (E-mail)" <samba at lists.samba.org>
Date: 24/01/2005 16:59
Subject: [Samba] More help on ACL problem please...anyone...anyone...Bueller?

Hello,

I am running Fedora Core 2.

Kernel: linux-2.6.5-1.358

Kernel supports ACL:

[root at atlas configs]# grep FS_SECURITY kernel-2.6.5-i686-smp.config
CONFIG_EXT2_FS_SECURITY=y
CONFIG_EXT3_FS_SECURITY=y
CONFIG_XFS_SECURITY=y
CONFIG_DEVPTS_FS_SECURITY=y
[root at atlas configs]# grep XATTR kernel-2.6.5-i686-smp.config
CONFIG_EXT2_FS_XATTR=y
CONFIG_EXT3_FS_XATTR=y
CONFIG_DEVPTS_FS_XATTR=y

Extended attributes are set in /etc/fstab as follows:

/dev/Goliath/root       /                       ext3    acl,user_xattr  1 1

I have a directory called Planning with ACL permissions assigned via the
setfacl command:

drwxrwx---+  2 root           AVMAX+Planning     4096 Jan 14 09:55 Planning

which looks like this with getfacl:

[root at atlas avamx_shares]# getfacl Planning/
# file: Planning
# owner: root
# group: AVMAX+Planning
user::rwx
group::rwx
group:AVMAX+Domain Users:r--
mask::rwx
other::---

Problem:

If I add my user to the AVMAX+Planning group on my NT DOMAIN PDC there is
no problem. I can browse to the Planning directory via My Network Places.
However if I remove my account from the AVMAX+Planning group and browse to
the Planning directory it prompts me for a password.  Because my account is
by default a member of the AVMAX+Domain Users and I have configured (I
think) the Planning directory ACL to allow read access to the AVMAX+Domain
Users group.....I should be able to browse this directory without being
prompted for a username and password....

QUESTION:  What did I do wrong or not do at all to make the applied ACL
function correctly and allow all users in the AVMAX+Domain Users group read
access to the Planning samba share?

Cheers,

Travis

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


-----------------------------------
Stéphane PURNELLE                         stephane.purnelle at corman.be
Service Informatique       Corman S.A.           Tel : 00 32 087/342467
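
Added example, not part of the original thread: a shell check that reads getfacl output and reports ACL entries granting read without search (x) on a directory, the condition that caused the password prompt above. The function name find_untraversable and the "after" ACL are constructed for illustration; the "before" ACL is the one posted in the thread.

```shell
#!/bin/sh
# Added example: flag directory ACL entries that grant read (r) without
# search (x). Input is getfacl text, so it runs without the acl tools.

# getfacl output for Planning as posted in the thread (before the fix).
ACL_BEFORE='# file: Planning
# owner: root
# group: AVMAX+Planning
user::rwx
group::rwx
group:AVMAX+Domain Users:r--
mask::rwx
other::---'

# Constructed: the same ACL after
#   setfacl -m group:"AVMAX+Domain Users":rx Planning
ACL_AFTER=$(printf '%s\n' "$ACL_BEFORE" | sed 's/Domain Users:r--/Domain Users:r-x/')

# find_untraversable (hypothetical helper name): reads getfacl text on stdin
# and prints "tag:qualifier" for every access entry whose effective
# permissions include r but not x.
find_untraversable() {
    awk -F: '
        /^#/ { next }                      # header comments
        { sub(/[ \t]+#.*$/, "") }          # strip trailing "#effective:" notes
        NF < 3 || $1 == "default" { next } # skip blanks and default entries
        $1 == "mask" { mask = $3; next }
        { i = n++; tag[i] = $1; who[i] = $2; perm[i] = $3 }
        END {
            for (i = 0; i < n; i++) {
                r = (substr(perm[i], 1, 1) == "r")
                x = (substr(perm[i], 3, 1) == "x")
                # The mask caps named users, named groups and the owning group.
                capped = (tag[i] == "group" || (tag[i] == "user" && who[i] != ""))
                if (mask != "" && capped) {
                    r = r && (substr(mask, 1, 1) == "r")
                    x = x && (substr(mask, 3, 1) == "x")
                }
                if (r && !x) print tag[i] ":" who[i]
            }
        }'
}

printf 'before: %s\n' "$(printf '%s\n' "$ACL_BEFORE" | find_untraversable)"
printf 'after:  %s\n' "$(printf '%s\n' "$ACL_AFTER" | find_untraversable)"
```

On a live system the same check can be fed with `getfacl Planning | find_untraversable`; an entry can also lose x through a restrictive mask even when its own line shows r-x.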