[Samba] Everyone group.

Meli Marco Marco.Meli at gknsintermetals.com
Tue Oct 25 08:55:09 GMT 2005


Last year I worked with Samba connected as a domain member to an NT4 PDC.
I set rights and permissions on folders with ACL settings, in a structure
like below:
/data ---> samba share
	/user ---> same as "home" dir
		/marco	---> user's personal folder.
		/john
		/jim
		/... 

The "Everyone" group is always present in the Windows security tab; it is mapped
onto the (o)thers/world unix permissions on /data.
Also "Domain Users" have read/list on the /data and /user folders.
But on each personal folder (marco, john, ...) I removed any "Everyone" and
"Domain Users" rights and permissions, leaving "Full control" only to the
folder's owner.
When I browsed the data share logged in as John, I saw only John's personal folder
and its contents, and this is the behaviour I expected when I'm in the user
folder.
This behaviour also worked with group folders.
This year we have replaced the NT4 PDC with Windows Server 2003, working not in
native mode.
I've left the same rights and permissions on the folders, but the ACL behaviour
has changed.
In the case above, now if I log in with John's account and try to list shares, I
cannot view John's personal folder or any others.
I have investigated and discovered a point in TOSHARG that says to leave
rights and permissions on the "Everyone" group, because all users belong
to this group, and even if John has "Full control" but the "Everyone" group
doesn't have any permissions (= deny), John can't look at his folder either.
Note that I have also tried connecting to ADS with the "net ads join ..."
command. On an ADS test server I tried connecting via the NT4-style "net rpc
..." join command and all seems to work as I expected, like in NT4 style.
So what do you suggest?
Probably I have to connect with net ads join only when my ADS works in
"native mode", or could there be some parameters that I can change on my
Windows 2003 server?
Probably a parameter regarding authentication mode or whatever?
Below I have attached my smb.conf:
[global]
        netbios name = MILLX01
        os level = 16
        wins server = xxx.xxx.xxx.xxx
        socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
        workgroup = GKNSMI
        realm = SINTER.GKN.COM
        security = ADS
        password server = milad01.sinter.gkn.com
        encrypt passwords = yes
        allow trusted domains = Yes
        winbind use default domain = Yes
        winbind separator = /
        winbind enum users = Yes
        winbind enum groups = yes
        idmap uid = 10000-100000
        idmap gid = 10000-100000
        hide unreadable = Yes
        template homedir = /data/user/%U
        template shell = /bin/false
        use sendfile = No
        printer admin = xxx
        admin users = xxx
        log file = /var/log/samba/log.%m
        log level = 1 auth:5 sam:5
        max log size = 50
        printing = cups
        printcap name = cups
        load printers = Yes
        map acl inherit = Yes
        nt acl support = Yes
        client schannel = No
[data]
        comment = %D Share
        path = /data
        read only = No
        create mask = 0775
        security mask = 0777
        force security mode = 0
        directory mask = 0775
        directory security mask = 0777
        force directory security mode = 0
        dos filetimes = Yes
        valid users = xxx

It's very important for me.
Thanks.
Marco.
  

-----Original Message-----
From: Jeremy Allison [mailto:jra at samba.org] 
Sent: Monday 24 October 2005 22:05
To: Meli Marco
Cc: 'samba at lists.samba.org'
Subject: Re: [Samba] Everyone group.

On Mon, Oct 24, 2005 at 04:12:39PM +0200, Meli Marco wrote:
> Hi all,
> I have a problem setting ACLs on a share like below:
> /data
> 	/user
> 		/user_1
> 		/user_2
> 		/user_ ... 
> 
> Particularly, if I want to give complete control to a user on his 
> personal folder but remove every permission from the Everyone group, this 
> user (who belongs to Everyone) also cannot list or access his folder.
> When I was connected to the NT4 server I didn't have this kind of problem.
> I have also checked connecting via security = domain to W2K3 and it 
> works fine like previously, maybe because my AD server works in mixed 
> mode and in this way it works in NT4 style.
> But how can I get this behaviour with security = ads? Is it probably 
> some parameter on my ADS W2k3?
> Also, why does it work as I expected with security = domain and not 
> with security = ads?
> How can I work around this?

This post is a little confusing to me. Can you explain *exactly* what you're
trying to do please ?

Jeremy.
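The thread turns on how Samba shows UNIX permission classes to Windows clients (owner bits as the owner's SID, owning-group bits as the group's SID, "other" bits as Everyone, S-1-1-0) and on how the UNIX side actually decides access. The block below is an added example, not code from the thread or from Samba itself: it models the acl(5) POSIX.1e access-check algorithm, the synthesised "security tab" view of such an ACL, and a simplified reading of `hide unreadable = Yes` as "list only the children the caller can read". The directory tree, user and group names are constructed to mirror the layout Marco describes; the `/data/project` folder, the `project` group and the `dev` user are illustrative additions used to show a named group entry limited by an ACL mask.

```python
"""Model of the POSIX access check behind Samba's 'Everyone' entry.

Added example, not Samba's own code. It shows that under POSIX semantics the
first class that matches the caller (owner, named user, groups, other) decides
access, so an 'other' class with no bits is an empty allow for Everyone and
never a deny for the folder's owner.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

R, W, X = 4, 2, 1
RWX = R | W | X
EVERYONE_SID = "S-1-1-0"   # well-known SID Samba shows for the 'other' class


@dataclass
class Acl:
    """One file's POSIX.1e ACL, using the acl(5) entry names."""
    owner: str
    group: str
    user_obj: int                          # ACL_USER_OBJ  (owner bits)
    group_obj: int                         # ACL_GROUP_OBJ (owning-group bits)
    other: int                             # ACL_OTHER     (shown as Everyone)
    users: Dict[str, int] = field(default_factory=dict)   # ACL_USER entries
    groups: Dict[str, int] = field(default_factory=dict)  # ACL_GROUP entries
    mask: Optional[int] = None             # ACL_MASK, present with named entries


@dataclass(frozen=True)
class Principal:
    name: str
    groups: FrozenSet[str]


def posix_allows(acl: Acl, who: Principal, want: int) -> bool:
    """acl(5) access check: the first matching class decides; classes that
    would match later (including 'other') are never consulted."""
    if who.name == acl.owner:                       # 1. owner, mask not applied
        return acl.user_obj & want == want
    if who.name in acl.users:                       # 2. named user, masked
        perms = acl.users[who.name]
        if acl.mask is not None:
            perms &= acl.mask
        return perms & want == want
    matched: List[int] = []                         # 3. owning group + named groups
    if acl.group in who.groups:
        matched.append(acl.group_obj)
    matched += [p for g, p in acl.groups.items() if g in who.groups]
    if matched:                                     #    any matching entry suffices
        if acl.mask is not None:
            matched = [p & acl.mask for p in matched]
        return any(p & want == want for p in matched)
    return acl.other & want == want                 # 4. other -> 'Everyone'


def nt_view(acl: Acl) -> List[Tuple[str, str, int]]:
    """Security-tab view synthesised from the POSIX entries: each entry becomes
    an ACCESS_ALLOWED entry; an empty 'other' class is an allow with an empty
    mask for Everyone, not an ACCESS_DENIED entry."""
    aces = [(acl.owner, "ALLOWED", acl.user_obj)]
    aces += [(u, "ALLOWED", p) for u, p in acl.users.items()]
    aces.append((acl.group, "ALLOWED", acl.group_obj))
    aces += [(g, "ALLOWED", p) for g, p in acl.groups.items()]
    aces.append((EVERYONE_SID, "ALLOWED", acl.other))
    return aces


# Constructed tree mirroring the thread: root owns the top levels, 'domain
# users' is the owning group, each person owns their own folder (0700).
DU = "domain users"
TREE: Dict[str, Acl] = {
    "/data":            Acl("root",  DU, RWX, R | X, R | X),
    "/data/user":       Acl("root",  DU, RWX, R | X, R | X),
    "/data/user/marco": Acl("marco", DU, RWX, 0, 0),
    "/data/user/john":  Acl("john",  DU, RWX, 0, 0),
    "/data/user/jim":   Acl("jim",   DU, RWX, 0, 0),
    # hypothetical group folder: a named ACL_GROUP entry capped by the mask
    "/data/project":    Acl("root",  DU, RWX, 0, 0,
                            groups={"project": RWX}, mask=R | X),
}


def visible(directory: str, who: Principal, tree: Dict[str, Acl] = TREE) -> List[str]:
    """'hide unreadable = Yes' modelled as: list only children the caller may
    read. Reading the directory itself is required first."""
    if not posix_allows(tree[directory], who, R):
        return []
    prefix = directory.rstrip("/") + "/"
    return sorted(p for p, acl in tree.items()
                  if p.startswith(prefix) and "/" not in p[len(prefix):]
                  and posix_allows(acl, who, R))


if __name__ == "__main__":
    john = Principal("john", frozenset({DU}))
    for path, acl in TREE.items():
        print(path, nt_view(acl))
    print("john sees in /data/user:", visible("/data/user", john))
```

Running it prints, for each folder, the owner/group/Everyone entries a Windows client would be shown, and lists only `/data/user/john` for John: the Everyone entry on his folder carries an empty mask but takes nothing away, because the owner class matched first. Whether a given client or join mode treats that empty Everyone entry differently is exactly the question left open in the thread; the model only states what the UNIX side does.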

