[Samba] Samba PDC + ACL : default ACLs ignored on directory
sylvain.david at etranges-libellules.fr
Thu Jun 29 07:57:59 GMT 2006
Hi all,
I use Debian Sarge and Samba 3.0.22 with ACLs. The server is a PDC. I
have about 70 client workstations running both Windows XP SP1 and SP2.
All works pretty well, all but the directory copy, which forgets ACLs in a
particular case:
When a client copies a local directory onto a Samba share, the default ACLs
aren't applied. But this problem occurs only when the client's local
directory owner is DOMAIN\USER. If the client's local directory owner is
LOCALPC\USER, the default ACLs are applied during the copy.
In fact I wonder if this is the normal behaviour of Samba: if the owner
is the domain user, perhaps Samba tries to copy the ACLs with the file?
But that's not what I want Samba to do. I would like only the
default ACLs to be applied. And the thing that makes me think
it's a bug is that this behaviour is not happening on a file copy: a
local file owned by DOMAIN\USER copied onto a Samba share gets the default
ACLs of the directory into which it is copied.
So, I think I have 3 solutions:
- create all the groups and all the users on all the workstations, and then
set the local security correctly on every workstation directory tree.
But this is impossible because I'm alone to manage all the workstations,
and new users are created and old ones deleted every month.
- make a script watching the ACLs on the server. But this is dirty...
- hope there's a solution in configuration or a patch. I tried "security
mask" and "directory security mode" to prevent users from modifying ACLs;
it works, but only on POSIX, and the default ACLs are still forgotten.
"inherit permissions" is not the solution either.
In fact the dream solution is a way which makes Samba totally ignore
local security and apply the server security. But how?
Here's my smb.conf :
# -----------------------------------------------------------------------------
# Global parameters
# -----------------------------------------------------------------------------
[global]
dos charset = 850
unix charset = ISO8859-1
workgroup = elb-lyon
netbios name = server02
server string = server02.elb-lyon
os level = 65
domain logons = Yes
domain master = Yes
local master = Yes
preferred master = Yes
wins support = Yes
obey pam restrictions = Yes
passdb backend = tdbsam, guest
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
passwd chat debug = Yes
pam password change = Yes
unix password sync = Yes
syslog = 0
log level = 2
# log level max = 10
log file = /var/log/samba/log.%m
max log size = 25600
dns proxy = No
panic action = /usr/share/samba/panic-action %d
invalid users = root2
# default samba user parameters
logon drive = P:
logon home = \\server02\%U
logon path = \\server02\profiles\%U
logon script = %U.cmd
# automatic POSIX account management :)
# POSIX account management
add machine script = /usr/sbin/useradd -g sambamachines -c Machine -d /dev/null -s /bin/false '%u'
add user script = /usr/sbin/useradd -g sambausers -c Utilisateur -d /dev/null -s /bin/false '%u'
add group script = /usr/sbin/groupadd '%g'
add user to group script = /usr/bin/gpasswd -a '%u' '%g'
delete user script = /usr/sbin/userdel -r '%u'
delete group script = /usr/sbin/groupdel '%g'
delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
set primary group script = /usr/sbin/usermod -g '%g' '%u'
veto files = /lost+found/ .recycle/ aquota.user/ aquota.group/
guest account = guest
hosts allow = 192.168.0. 127.
# -----------------------------------------------------------------------------
# Required for the domain
# -----------------------------------------------------------------------------
[homes]
path = /mnt/SAN01/vd3_home2/home2/%u
comment = Home Directories
valid users = %S
guest ok = No
writable = Yes
create mask = 0700
directory mask = 0700
browseable = No
[netlogon]
path = /mnt/SAN01/vd3_home2/netlogon
comment = NetLogon share
valid users = @sambausers @sambaguests root
guest ok = No
read only = Yes
browseable = No
[profiles]
path = /mnt/SAN01/vd3_home2/profiles
comment = User profiles
valid users = @sambausers @sambaguests root
guest ok = No
writable = Yes
create mode = 0700
browseable = No
# -----------------------------------------------------------------------------
# Printers
# -----------------------------------------------------------------------------
[printers]
path = /tmp
comment = All printers
valid users = @sambausers
guest ok = No
create mask = 0700
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
# -----------------------------------------------------------------------------
# Shares :)
# -----------------------------------------------------------------------------
[vd1_echange]
comment = Internal exchange area and FTP Pantin.
path = /mnt/SAN01/vd1_echange
valid users = root @sambaadmins @sambaguests @User_Standard
guest ok = No
writable = Yes
create mask = 0770
directory mask = 0770
browseable = yes
inherit acls = yes
hide unreadable = Yes
# directory security mask = 0000
# force directory security mode = 0777
[vd2_gestion]
comment = Administration, accounting, management.
path = /mnt/SAN01/vd2_gestion
valid users = root @sambaadmins @Gestion_Level0, @Gestion_Level1, @Gestion_Level2, @Gestion_Level3
guest ok = No
writable = Yes
create mask = 0770
directory mask = 0770
browseable = Yes
inherit acls = yes
hide unreadable = Yes
[vd3_home2]
comment = Private folders
path = /mnt/SAN01/vd3_home2
valid users = root @sambaadmins
guest ok = No
writable = Yes
create mask = 0770
directory mask = 0770
browseable = Yes
inherit acls = yes
hide unreadable = Yes
csc policy = disable
[vd4_archive]
comment = Archives Design, Develop, Graphics, Software
path = /mnt/SAN01/vd4_archive
valid users = root @sambaadmins @User_Standard, @Archive_Develop, @Archive_Design, @Archive_Graphisme, @Archive_Logiciels
guest ok = No
writable = Yes
create mask = 0770
directory mask = 0770
browseable = Yes
inherit acls = yes
hide unreadable = Yes
[vd5_projet]
comment = Projects
path = /mnt/SAN01/vd5_projet
valid users = root @sambaadmins @Projet_one @Projet_two @Projet_three @Projet_four
guest ok = No
writable = Yes
create mask = 0770
directory mask = 0770
browseable = Yes
inherit acls = yes
hide unreadable = Yes
[vd6_backup]
comment = Backups [admin only]
path = /mnt/SAN01/vd6_backup
valid users = root @sambaadmins
guest ok = No
writable = Yes
create mask = 0770
directory mask = 0770
browseable = Yes
inherit acls = yes
hide unreadable = Yes
[vd7_video]
comment = Video editing
path = /mnt/SAN01/vd7_video
valid users = root @sambaadmins @User_MontageVideo
guest ok = No
writable = Yes
create mask = 0770
directory mask = 0770
browseable = Yes
inherit acls = yes
hide unreadable = Yes
--
Sylvain DAVID / network administrator
addr : Etranges Libellules
.~. 17 Rue des Archers
/v\ 69002 LYON
/(°)\ tel : 04 72 40 24 72
^^-^^ fax : 04 72 40 27 19
www.etranges-libellules.fr
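An added example from the editor, not code from the original post or from the Samba project: a small Python audit that reads an smb.conf fragment (constructed here, with share names modelled on the post) and reports, per share, whether a Windows client is allowed to rewrite the server-side directory permission bits through the NT security dialog, the mechanism by which an inherited default ACL gets replaced. It also applies the bit arithmetic that smb.conf(5) documents for `directory security mask` and `force directory security mode` (bits in the mask are taken from the client's request, bits outside it are kept, force bits are always set). The Samba 3.0 defaults it assumes (nt acl support = yes, inherit acls = no, directory security mask = 0777, force directory security mode = 0000), the starting mode 0770 and the share names are assumptions of this example.

```python
"""Audit smb.conf shares for settings that let a Windows client replace
server-side permissions / default ACLs.  Editor-added example; not code from
the original post or the Samba project.  Semantics follow smb.conf(5) for
Samba 3.0; the defaults below are assumed for that version."""
import configparser

# Constructed smb.conf fragment for this example (share names modelled on the post).
SAMPLE_SMB_CONF = """\
[global]
    workgroup = elb-lyon
    nt acl support = yes
[vd1_echange]
    # weak: the default ACL is inherited on create, but a client editing the
    # Security tab may change every permission bit (mask 0777)
    path = /mnt/SAN01/vd1_echange
    writable = yes
    inherit acls = yes
[vd2_gestion]
    # hardened: no bit is client-modifiable, and 0770 is always re-applied
    path = /mnt/SAN01/vd2_gestion
    writable = yes
    inherit acls = yes
    directory security mask = 0000
    force directory security mode = 0770
[vd6_backup]
    # smbd ignores client ACL set requests altogether
    path = /mnt/SAN01/vd6_backup
    writable = yes
    nt acl support = no
"""

# Assumed Samba 3.0 defaults for the parameters audited here.
SAMBA30_DEFAULTS = {
    "nt acl support": "yes",
    "inherit acls": "no",
    "directory security mask": "0777",
    "force directory security mode": "0000",
}
TRUE_WORDS = {"yes", "true", "1"}
# Assumed mode a new directory gets from the parent's default ACL (as in the post's shares).
INHERITED_DIR_MODE = 0o770


def parse_smb_conf(text):
    """smb.conf is INI-like: '=' delimiter, '#'/';' comments, '%' macros (no interpolation)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",),
                                   comment_prefixes=("#", ";"), empty_lines_in_values=False)
    cp.read_string(text)
    return cp


def effective(cp, share, key):
    """Share-level value, else [global] value, else the assumed Samba 3.0 default."""
    for section in (share, "global"):
        if cp.has_option(section, key):
            return cp.get(section, key).strip()
    return SAMBA30_DEFAULTS[key]


def client_mode_after_change(current_mode, requested_mode, security_mask, force_mode):
    """Permission bits smbd stores after a client edits them in the NT security
    dialog, per smb.conf(5): bits inside the mask come from the client's
    request, bits outside it are kept from the current mode, and force bits are
    always set.  Mask 0777 (the assumed 3.0 default) hands the client full control."""
    return (requested_mode & security_mask) | (current_mode & ~security_mask & 0o7777) | force_mode


def audit_share(cp, share):
    nt_acl = effective(cp, share, "nt acl support").lower() in TRUE_WORDS
    inherit = effective(cp, share, "inherit acls").lower() in TRUE_WORDS
    dir_mask = int(effective(cp, share, "directory security mask"), 8)
    dir_force = int(effective(cp, share, "force directory security mode"), 8)
    findings = []
    if nt_acl and dir_mask != 0:
        findings.append("client may rewrite directory bits %04o via the Security tab" % dir_mask)
    if nt_acl and not inherit:
        findings.append("inherit acls not set: parent default ACL not guaranteed on create")
    if not nt_acl:
        findings.append("nt acl support = no: client ACL changes are ignored by smbd")
    # What an "Everyone: Full Control" (0777) request on an inherited 0770 directory leaves behind.
    if nt_acl:
        after = client_mode_after_change(INHERITED_DIR_MODE, 0o777, dir_mask, dir_force)
    else:
        after = INHERITED_DIR_MODE  # request ignored, nothing changes
    return {
        "share": share,
        "nt_acl_support": nt_acl,
        "inherit_acls": inherit,
        "client_can_rewrite_dir_mode": nt_acl and dir_mask != 0,
        "mode_after_full_control_request": after,
        "findings": findings,
    }


def audit_all(cp):
    """Audit every share section that has a path (skips [global])."""
    return [audit_share(cp, s) for s in cp.sections() if s != "global" and cp.has_option(s, "path")]


if __name__ == "__main__":
    for r in audit_all(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("[%s] dir mode after client 'Full Control' request: %04o"
              % (r["share"], r["mode_after_full_control_request"]))
        for f in r["findings"]:
            print("    -", f)
```

Run against a real smb.conf by replacing `SAMPLE_SMB_CONF` with the file's contents; the audit only covers the four parameters named above, so any share that passes it still needs its POSIX default ACLs checked on the server with getfacl.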