[Samba] Chapter 10 "Active Directory, Kerberos, and Security" .

Meli Marco Marco.Meli at gknsintermetals.com
Fri Oct 21 10:19:50 GMT 2005 

Hi all,
I'm going on my tests and I've tried followings tasks:
I have stop nmb smb winbind service.
I have rm -f /etc/samba/secrets.tdb and /var/lib/samba*.tdb files.
I have modified smb.conf file as I wanted to connect to NT4 server instead
ADS so:

netbios name = MILLX01
wins server = xxx
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
workgroup = GKNSMI
#realm = SINTER.GKN.COM
#security = ADS
Security = DOMAIN
#password server = xxx.sinter.gkn.com
encrypt passwords = yes
allow trusted domains = Yes
winbind use default domain = Yes
winbind separator = /
winbind enum users = Yes
winbind enum groups = yes
...

I have joined samba box with: net rpc join -Uadm%***secret***.
I have started nmbd smbd winbind again.
Result: ACL works fine just as I expected!
Anyway this is not the solution because I have an W3K ADS server that works
like an NT4 server and it is possible only because W3K server works in mixed
mode, but when It will works in native mode?
I will have to change on security = ADS and Kerberos authentication.
So I would ask you where is the problem?
Is it in the Kerberos configuration? But kinit and others net ads tools
seems works fine ...
Please help me.
Thanks.
Marco.

 

-----Original Message-----
From: samba-bounces+marco.meli=gknsintermetals.com at lists.samba.org
[mailto:samba-bounces+marco.meli=gknsintermetals.com at lists.samba.org] On
Behalf Of Meli Marco
Sent: giovedì 20 ottobre 2005 11.30
To: 'samba at lists.samba.org'
Subject: [Samba] Chapter 10 "Active Directory, Kerberos, and Security".

Hi all,
Referred to Samba-3 by Example I don't have clear one point on Chapter 10
"Active Directory, Kerberos, and Security":
How to set Windows 200x ACLs in 10.3.4.2 section you wrote at point 2:

"Be very carefully. Many problems have been created by people who decided
that Everyone should be rejected but one particular group should have full
control. This is a catch-22 situation because members of that particular
group also belong to the group Everyone, which therefore overrules any
permissions set for the permitted group".

So, about this matter I have some questions:

I want to set ACL on my share as you said above not for a particular group
but for a defined user. I have tried to set "Full Control" for this user to
his personal folder and get off any permissions to "Everyone" group. The
result is that the user cannot list his personal folder.
Since it's clear what I should expect from my settings I would like to I ask
you how can I set these ACLs to allow the user to list his folder, avoiding
to others users to see them (Everyone).
Also, why setting this rights on to samba box connected to an W3K ADS server
in Chicago, ACL works as I expected, while when my samba box is replicated
on my W3K ADS in Italy the behavior of ACL changes:
In the first case each user can see personal's folder even if ACLs are
"wrong" setted by me as I described above, while after replication the user
login again to the same share and can't list his personal folder any more.
I thougth the cause was probably due to some differences on both servers but
they belong to the same realm and share the same policy, except that AD
Chicago server is a normal pc while AD Italy server is a power edge 2500
with array controller (samba box with Suse9.2 is in Italy).
Note: I've a mixed pc on my network but this problem persist only with W2K
and XP workstation not with Win9X.
Any help will be appreciated.
I don't want to set a section share in smb.conf, for a particular user , I
have only declared [data] share.
Below my smb.conf file:

[global]
        netbios name = MILLX01
        os level = 16
        wins server = xxx
        socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
        workgroup = GKNSMI
        realm = SINTER.GKN.COM
        security = ADS
        password server = xxx.sinter.gkn.com
        encrypt passwords = yes
        allow trusted domains = Yes
        winbind use default domain = Yes
        winbind separator = /
        winbind enum users = Yes
        winbind enum groups = yes
        idmap uid = 10000-100000
        idmap gid = 10000-100000
        hide unreadable = Yes
        template homedir = /data/user/%U
        template shell = /bin/false
        use sendfile = No
        printer admin = xxx
        admin users = xxx
        log file = /var/log/samba/log.%m
        log level = 1 auth:5 sam:5
        max log size = 50
        printing = cups
        printcap name = cups
        load printers = Yes
        map acl inherit = Yes
        nt acl support = Yes
        client schannel = No
[data]
        comment = %D Share
        path = /data
        read only = No
        create mask = 0775
        security mask = 0777
        force security mode = 0
        directory mask = 0775
        directory security mask = 0777
        force directory security mode = 0
        dos filetimes = Yes
        valid users = xxx

Thanks a lot.
Marco.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list