[Samba] Samba trusted domains and access control lists problem
(cannot delete or rename)
Ian Clancy
clancyian at cel.ie
Thu Jun 2 20:12:01 GMT 2005
Hi,
I am having difficulty deleting and renaming files with users from a
foreign domain using acls.
My setup is as follows :
I have two Samba (3.0.14a)/LDAP domains connected via a VPN (OpenVPN)
with a bi-directional trust relationship established. The trust
relationship appears to be working correctly. I can log on to PCs at
either end on either Domain :) and the browse lists of both domains are
synchronising properly.
I am using the same WINS server for both domains and this is located in
DomA on the Primary Domain Controller.
I want users on DomB to be able to access shares on Domain Member
servers on DomA.
Winbind is running on my fileservers and I am using ldap as an idmap
backend.
Users from DomA are mapped on my Domain member server using ldap and
DomB users are mapped using winbind. I have the following entry in my
nsswitch.conf file:
passwd: files ldap winbind
shadow: files ldap winbind
group: files ldap winbind
I have not seen anyone else do this so I am not sure if it is correct
:). It appears to work however as 'getent passwd' and 'getent group'
return users from both Domains. Users of DomB are prepended with DomB+
(as expected). So far so good ...
The following is a share on one of my Domain member servers on DomA:
[Materials]
comment = Materials Share
path = /var/shares/Materials
read only = No
inherit permissions = Yes
inherit acls = Yes
I can successfully set the ACLs from the shell using setfacl. The
permissions on the above share are as follows:
# file: Materials
# owner: root
# group: DomA Users
user::rwx
group::rwx
group:DomB+DomB users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::rwx
default:group:DomA Users:rwx
default:group:DomB+DomB users:rwx
default:mask::rwx
default:other::---
Users from DomB can successfully access the share. They can even create
files as follows in the root directory of the above share :
# file: New Text Document.txt
# owner: DomB+yorketom
# group: DomB+domain users
user::rwx
user:root:rwx #effective:rw-
group::rwx #effective:rw-
group:DomA Users:rwx #effective:rw-
group:DomB+DomB users:rwx #effective:rw-
mask::rw-
other::---
However, I cannot delete or rename this file ?!.
So to summarise, I have two main questions:
1. Why are the effective permissions on the file above 'rw-' ?
2. In Windows I can see permissions for the owner, group and also
Everyone but none of the other permissions, for example 'group:DomA
Users:rwx #effective:rw-' as listed above ?
If you've managed to get this far, thanks for reading :).
regards,
Ian
--
Ian Clancy
IT Systems Engineer
Connaught Electronics Ltd.
Dunmore Rd,
Tuam,
Co. Galway,
Ireland.
P : ++353 93 23151
F : ++353 93 23110
E : mailto:clancyian at cel.ie
W : http://www.cel-europe.com
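
Added example, not part of the original post: the "#effective" column in the getfacl listings above is each named-user, named-group and owning-group entry ANDed with the mask entry, and POSIX decides unlink and rename from the permissions on the parent directory rather than on the file. The Python sketch below recomputes both from the ACL entries quoted in the post; the function names are illustrative.

```python
# Added example: recompute the "#effective" column that getfacl prints.
# POSIX ACLs: named-user, named-group and group:: entries are ANDed with mask::.
FILE_ACL = """\
user::rwx
user:root:rwx
group::rwx
group:DomA Users:rwx
group:DomB+DomB users:rwx
mask::rw-
other::---
"""  # entries of "New Text Document.txt", copied from the post

DIR_ACL = """\
user::rwx
group::rwx
group:DomB+DomB users:rwx
mask::rwx
other::---
default:group:DomB+DomB users:rwx
"""  # access entries of the Materials directory, plus one default entry

def parse_acl(text):
    """Return (tag, qualifier, perms) for each access entry; skip defaults."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments/#effective
        if not line or line.startswith("default:"):
            continue                              # defaults only seed new children
        rest, perms = line.rsplit(":", 1)
        tag, _, qualifier = rest.partition(":")
        entries.append((tag, qualifier, perms))
    return entries

def effective(text):
    """Map 'tag:qualifier' to the rights left after applying the mask."""
    entries = parse_acl(text)
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    out = {}
    for tag, qualifier, perms in entries:
        if tag == "group" or (tag == "user" and qualifier):
            perms = "".join(p if p == m else "-" for p, m in zip(perms, mask))
        out[f"{tag}:{qualifier}"] = perms
    return out

def may_unlink_or_rename(dir_perms):
    """POSIX needs write+search on the parent directory (sticky bit aside)."""
    return "w" in dir_perms and "x" in dir_perms

if __name__ == "__main__":
    print(effective(FILE_ACL), effective(DIR_ACL), sep="\n")
```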