[Samba] Re: Re: Re: ACL not working

Leonid Zeitlin lz at csltd.com.ua
Wed Apr 26 16:18:28 GMT 2006


You are welcome, Travis :-)

"Travis Bullock" <tbullock at avmaxgrp.com> 
news:200604261604.k3QG4xxU021821 at mail.avmaxgrp.com...
> Damn Leonid...what a brainfart that was...lol
>
> Thanks for pointing me in the right direction man!
>
> Cheers,
>
> Travis
>
> -----Original Message-----
> From: samba-bounces+tbullock=avmax.ca at lists.samba.org
> [mailto:samba-bounces+tbullock=avmax.ca at lists.samba.org] On Behalf Of 
> Leonid
> Zeitlin
> Sent: April 26, 2006 9:43 AM
> To: samba at lists.samba.org
> Subject: [Samba] Re: Re: ACL not working
>
> Hi Travis,
> I see Domain\040Users on my Samba server, so this should be fine.
>
> Are you sure that Domain Users group can access the entire path to the
> share, including all parent directories? If you log in as one of such 
> users
> (or su to it), can you "cd" to the share directory?
>
> Regards,
>  Leonid
>
> "Travis Bullock" <tbullock at avmaxgrp.com>
> news:200604261514.k3QFErxU018925 at mail.avmaxgrp.com...
>> It was the 040 that was concerning me. I do not see that on my other 
>> Samba
>> server so I thought it may be the cause of the problem.
>>
>> The problem I am having is that only an account belonging to the owner's
>> group, in this case Domain Admins, can access my Samba shares on this
>> server. If a member of the Domain Users group, applied through ACL,
>> attempts
>> to access shares on this server the "Network Path is not Found". When I
>> check the smbd log, when attempting to connect to GF_Scans, for example,
>> is
>> see this:
>>
>> [2006/04/26 08:16:26, 2] smbd/sesssetup.c:setup_new_vc_session(608)
>>  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
>> all
>> old resources.
>> [2006/04/26 08:16:26, 2] auth/auth.c:check_ntlm_password(305)
>>  check_ntlm_password:  authentication for user [AVTrain] -> [AVTrain] ->
>> [AVMAX+avtrain] succeeded
>> [2006/04/26 08:16:26, 2] lib/access.c:check_access(324)
>>  Allowed connection from  (10.4.8.244)
>> [2006/04/26 08:16:26, 0] smbd/service.c:make_connection_snum(615)
>>  '/usr/GFM_Shares/GF_Scans' does not exist or is not a directory, when
>> connecting to [GF_Scans]
>>
>> Here is the ACL on GF_Scans:
>>
>> [root at gfm-atlas GFM_Shares]# getfacl GF_Scans/
>> # file: GF_Scans
>> # owner: root
>> # group: AVMAX+domainadmins
>> user::rwx
>> group::rwx
>> group:AVMAX+gf_users:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:group::rwx
>> default:group:AVMAX+gf_users:rwx
>> default:mask::rwx
>> default:other::---
>>
>> So a member of the Domain Admins can access no problem. A member of
>> GF_Users, gets the error in smbd log.
>>
>> Cheers,
>>
>> Travis
>>
>>
>>
>> -----Original Message-----
>> From: samba-bounces+tbullock=avmaxgrp.com at lists.samba.org
>> [mailto:samba-bounces+tbullock=avmaxgrp.com at lists.samba.org] On Behalf Of
>> Leonid Zeitlin
>> Sent: April 26, 2006 7:45 AM
>> To: samba at lists.samba.org
>> Subject: [Samba] Re: ACL not working
>>
>>
>> "Travis Bullock" <tbullock at avmaxgrp.com> ???????/???????? ? ????????
>> ?????????: news:200604260129.k3Q1TxxU019842 at mail.avmaxgrp.com...
>>> Has anyone seen this when they do a getfacl on a samba share?
>>>
>>>
>>>
>>> [root at gfm-atlas GFM_Shares]# getfacl Installpoint/
>>>
>>> # file: Installpoint
>>>
>>> # owner: root
>>>
>>> # group: AVMAX+domainadmins
>>>
>>> user::rwx
>>>
>>> group::rwx
>>>
>>> group:AVMAX+domain\040users:r-x
>>>
>>> mask::rwx
>>>
>>> other::---
>>>
>>> default:user::rwx
>>>
>>> default:group::rwx
>>>
>>> default:group:AVMAX+domain\040users:r-x
>>>
>>> default:mask::rwx
>>>
>>> default:other::---
>>>
>>>
>>>
>>> Notice the AVMAX+domain\040users anomaly. I have another Samba/Winbind
>>> server on the same domain and I do not get that when I apply ACL's.
>>
>> Hi Travis,
>> What exactly are you concerned about? If it's the + sign, probably you
>> have
>> winbind separator set to + in smb.conf. If it's the \040 sequence, it 
>> just
>> denotes space.
>>
>> Regards,
>>  Leonid
>>
>>
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/listinfo/samba
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/listinfo/samba
>>
>
>
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
> 





More information about the samba mailing list