[Samba] Re: Re: ACL not working

Travis Bullock tbullock at avmaxgrp.com
Wed Apr 26 16:06:44 GMT 2006


Leonid,

I have not checked the permissions on the parent directory in which the
shared directory resides.

I will do so now...

Thanks

Travis

-----Original Message-----
From: samba-bounces+tbullock=avmax.ca at lists.samba.org
[mailto:samba-bounces+tbullock=avmax.ca at lists.samba.org] On Behalf Of Leonid
Zeitlin
Sent: April 26, 2006 9:43 AM
To: samba at lists.samba.org
Subject: [Samba] Re: Re: ACL not working

Hi Travis,
I see Domain\040Users on my Samba server, so this should be fine.

Are you sure that Domain Users group can access the entire path to the 
share, including all parent directories? If you log in as one of such users 
(or su to it), can you "cd" to the share directory?

Regards,
  Leonid

"Travis Bullock" <tbullock at avmaxgrp.com> 
news:200604261514.k3QFErxU018925 at mail.avmaxgrp.com...
> It was the 040 that was concerning me. I do not see that on my other Samba
> server so I thought it may be the cause of the problem.
>
> The problem I am having is that only an account belonging to the owner's
> group, in this case Domain Admins, can access my Samba shares on this
> server. If a member of the Domain Users group, applied through ACL, 
> attempts
> to access shares on this server the "Network Path is not Found". When I
> check the smbd log, when attempting to connect to GF_Scans, for example, 
> is
> see this:
>
> [2006/04/26 08:16:26, 2] smbd/sesssetup.c:setup_new_vc_session(608)
>  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
> old resources.
> [2006/04/26 08:16:26, 2] auth/auth.c:check_ntlm_password(305)
>  check_ntlm_password:  authentication for user [AVTrain] -> [AVTrain] ->
> [AVMAX+avtrain] succeeded
> [2006/04/26 08:16:26, 2] lib/access.c:check_access(324)
>  Allowed connection from  (10.4.8.244)
> [2006/04/26 08:16:26, 0] smbd/service.c:make_connection_snum(615)
>  '/usr/GFM_Shares/GF_Scans' does not exist or is not a directory, when
> connecting to [GF_Scans]
>
> Here is the ACL on GF_Scans:
>
> [root at gfm-atlas GFM_Shares]# getfacl GF_Scans/
> # file: GF_Scans
> # owner: root
> # group: AVMAX+domainadmins
> user::rwx
> group::rwx
> group:AVMAX+gf_users:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::rwx
> default:group:AVMAX+gf_users:rwx
> default:mask::rwx
> default:other::---
>
> So a member of the Domain Admins can access no problem. A member of
> GF_Users, gets the error in smbd log.
>
> Cheers,
>
> Travis
>
>
>
> -----Original Message-----
> From: samba-bounces+tbullock=avmaxgrp.com at lists.samba.org
> [mailto:samba-bounces+tbullock=avmaxgrp.com at lists.samba.org] On Behalf Of
> Leonid Zeitlin
> Sent: April 26, 2006 7:45 AM
> To: samba at lists.samba.org
> Subject: [Samba] Re: ACL not working
>
>
> "Travis Bullock" <tbullock at avmaxgrp.com> ???????/???????? ? ????????
> ?????????: news:200604260129.k3Q1TxxU019842 at mail.avmaxgrp.com...
>> Has anyone seen this when they do a getfacl on a samba share?
>>
>>
>>
>> [root at gfm-atlas GFM_Shares]# getfacl Installpoint/
>>
>> # file: Installpoint
>>
>> # owner: root
>>
>> # group: AVMAX+domainadmins
>>
>> user::rwx
>>
>> group::rwx
>>
>> group:AVMAX+domain\040users:r-x
>>
>> mask::rwx
>>
>> other::---
>>
>> default:user::rwx
>>
>> default:group::rwx
>>
>> default:group:AVMAX+domain\040users:r-x
>>
>> default:mask::rwx
>>
>> default:other::---
>>
>>
>>
>> Notice the AVMAX+domain\040users anomaly. I have another Samba/Winbind
>> server on the same domain and I do not get that when I apply ACL's.
>
> Hi Travis,
> What exactly are you concerned about? If it's the + sign, probably you 
> have
> winbind separator set to + in smb.conf. If it's the \040 sequence, it just
> denotes space.
>
> Regards,
>  Leonid
>
>
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
> 



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba



More information about the samba mailing list