[Samba] Samba PDC + ACL : default ACLs ignored on directory
sylvain.david at etranges-libellules.fr
sylvain.david at etranges-libellules.fr
Fri Jun 30 16:29:15 GMT 2006
I'm sorry, perhaps you didn't understand my poor English (I'm French), but does anyone know how to force the default ACLs to be applied in the particular case described below? Or is there a way to execute a script at directory creation (a kind of trigger)?
Thank you,
Sylvain DAVID.
sylvain.david at etranges-libellules.fr a écrit :
> Hi all,
>
> I use Debian Sarge and Samba 3.0.22 with ACLs. The server is a PDC. I
> have about 70 clients workstation running both Windows XP SP1 and SP2.
>
> All works pretty well, except directory copies, which lose the ACLs in
> one particular case:
> When a client copies a local directory onto a Samba share, the default
> ACLs aren't applied. This happens only when the client's local
> directory is owned by DOMAIN\USER. If the local directory is owned by
> LOCALPC\USER, the default ACLs are applied during the copy.
> In fact I wonder whether this is Samba's normal behaviour: if the
> owner is the domain user, perhaps Samba tries to copy the ACLs along with
> the directory? But that's not what I want Samba to do. I would like
> only the default ACLs to be applied. What makes me think it's a bug
> is that this does not happen on a file copy: a local file owned by
> DOMAIN\USER and copied onto a Samba share gets the default ACLs of the
> directory into which it is copied.
>
> So, I think I have 3 options:
> - create all the groups and all the users on all the workstations, and then
> set the local security correctly on every workstation's directory tree.
> But this is impossible, because I'm alone to manage all the
> workstations, and new users are created and old ones deleted every month;
> - make a script that watches the ACLs on the server. But this is dirty...
> - hope there's a solution in the configuration, or a patch. I tried
> "security mask" and "directory security mode" to prevent users from
> modifying ACLs; it works, but only on the POSIX mode bits, and the default
> ACLs are still forgotten. "inherit permissions" isn't the solution either.
>
> In fact the dream solution would be a way to make Samba
> totally ignore the client's local security and apply the server's security
> instead. But how?
>
> Here's my smb.conf :
>
> #
> -----------------------------------------------------------------------------
>
> # Global parameters
> #
> -----------------------------------------------------------------------------
>
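> [global]
> # Code pages: what DOS/Windows clients see vs. what is stored on disk.
> dos charset = 850
> unix charset = ISO8859-1
> workgroup = elb-lyon
> netbios name = server02
> server string = server02.elb-lyon
> # Domain role: PDC, domain/local master browser and WINS server.
> os level = 65
> domain logons = yes
> domain master = yes
> local master = yes
> preferred master = yes
> wins support = yes
>
> obey pam restrictions = yes
> # NOTE(review): the "guest" passdb backend has been dropped from later
> # 3.0.x releases; check the release notes and "testparm" before any
> # upgrade, or the PDC may come up without a usable account database.
> passdb backend = tdbsam, guest
> # Keep the UNIX password in step with the SMB password. "passwd chat"
> # must be a single line in the real file (it is only wrapped here by
> # the mailer).
> passwd program = /usr/bin/passwd %u
> passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
> # SECURITY: with "passwd chat debug = yes" smbd writes the whole chat,
> # new plaintext password included, to its log at debug level 100. It
> # is inert at "log level = 2" but turns into a credential leak the day
> # someone raises the log level to chase a problem. Enable it only for
> # the duration of a debugging session, then switch it back off.
> passwd chat debug = no
> pam password change = yes
> unix password sync = yes
>
> syslog = 0
> log level = 2
> # log level max = 10
> log file = /var/log/samba/log.%m
> max log size = 25600
> dns proxy = no
> panic action = /usr/share/samba/panic-action %d
> # Accounts that may never log in over SMB. "root" is deliberately NOT
> # listed because it appears in the share "valid users" lists below; a
> # session mapped to root is not restricted by the masks, file
> # permissions or ACLs on the server, so that SMB password needs the
> # same care as the UNIX one.
> invalid users = root2
>
> # Default per-user logon settings
> logon drive = P:
> logon home = \\server02\%U
> logon path = \\server02\profiles\%U
> logon script = %U.cmd
>
> # Automatic POSIX account management. smbd runs these as root when a
> # domain admin creates/removes users, groups or machines from Windows;
> # each value must be one line in the real file (wrapped by the mailer).
> add machine script = /usr/sbin/useradd -g sambamachines -c Machine -d /dev/null -s /bin/false '%u'
> add user script = /usr/sbin/useradd -g sambausers -c Utilisateur -d /dev/null -s /bin/false '%u'
> add group script = /usr/sbin/groupadd '%g'
> add user to group script = /usr/bin/gpasswd -a '%u' '%g'
> # NOTE(review): "-r" also removes the account's home directory and
> # mail spool. Accounts made by the script above have no real home
> # (-d /dev/null), but a POSIX user created by hand with a real home
> # loses it the moment an admin deletes the account from a Windows
> # tool. Drop "-r" if that is not intended.
> delete user script = /usr/sbin/userdel -r '%u'
> delete group script = /usr/sbin/groupdel '%g'
> delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
> set primary group script = /usr/sbin/usermod -g '%g' '%u'
>
> # Filesystem housekeeping entries are neither listed nor accessible.
> veto files = /lost+found/ .recycle/ aquota.user/ aquota.group/
>
> # Only used for anonymous connections (browse lists, IPC$); no share
> # below sets "guest ok = yes".
> guest account = guest
>
> # Allow-list: only the LAN and localhost may connect at all; every
> # other address is refused for every share.
> hosts allow = 192.168.0. 127.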
>
> #
> -----------------------------------------------------------------------------
>
> # Necessaire Domaine
> #
> -----------------------------------------------------------------------------
>
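> [homes]
> path = /mnt/SAN01/vd3_home2/home2/%u
> comment = Home Directories
> # Each user may connect only to the share named after them (%S).
> valid users = %S
> guest ok = no
> writable = yes
> # Private to the owner: no group/other bits on anything created here.
> create mask = 0700
> directory mask = 0700
> browseable = no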
>
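> [netlogon]
> path = /mnt/SAN01/vd3_home2/netlogon
> comment = Partage NetLogon
> valid users = @sambausers @sambaguests root
> guest ok = no
> # SECURITY: the logon scripts (%U.cmd) served from here run on every
> # workstation at logon with the user's rights. With no "write list"
> # the share is read-only over SMB for everyone, root included; keep
> # it that way and edit the scripts on the server itself.
> read only = yes
> browseable = no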
>
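> [profiles]
> path = /mnt/SAN01/vd3_home2/profiles
> comment = Profils utilisateurs
> valid users = @sambausers @sambaguests root
> guest ok = no
> writable = yes
> # Roaming profiles hold the user's registry hive and application data.
> # "create mode" is a synonym for "create mask"; files were already
> # 0700 but directories fell back to the 0755 default, which left every
> # profile tree listable by other users. Both are now 0700, as in
> # [homes].
> create mask = 0700
> directory mask = 0700
> browseable = no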
>
> #
> -----------------------------------------------------------------------------
>
> # Imprimantes
> #
> -----------------------------------------------------------------------------
>
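> [printers]
> # NOTE(review): spooling into /tmp shares the world-writable scratch
> # area with every other local program; a dedicated spool directory
> # (e.g. /var/spool/samba, mode 1777) is the usual choice. Left as is
> # here because the new directory has to exist before the path changes.
> path = /tmp
> comment = All printers
> valid users = @sambausers
> guest ok = no
> # Spool files readable only by the submitting user.
> create mask = 0700
> printable = yes
> browseable = no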
>
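> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/printers
> # Defaults made explicit, for parity with the other shares: no guest
> # access and read-only for everyone (no "write list"), so nothing can
> # be uploaded over SMB. Drivers fetched from here are installed into
> # the print spooler on every client, so if uploading from Windows is
> # ever needed, add a "write list" limited to the admin group only.
> guest ok = no
> read only = yes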
>
> #
> -----------------------------------------------------------------------------
>
> # Partages :)
> #
> -----------------------------------------------------------------------------
>
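> [vd1_echange]
> comment = Zone d'echange interne et FTP Pantin.
> path = /mnt/SAN01/vd1_echange
> valid users = root @sambaadmins @sambaguests @User_Standard
> guest ok = no
> writable = yes
> # Owner and group get everything, others nothing.
> create mask = 0770
> directory mask = 0770
> browseable = yes
> # Honour the parent directory's POSIX default ACL on new entries
> # instead of re-applying the masks above.
> inherit acls = yes
> # Entries the connecting user cannot read are not listed at all.
> hide unreadable = yes
> # The "security mask" family ("directory security mask", "force
> # directory security mode", ...) only filters which mode bits a client
> # may change; it never touches the POSIX ACL, so it cannot stop a
> # Windows copy from applying the source directory's security
> # descriptor after the directory is created. What stops that is
> # refusing NT ACL requests for the share altogether, e.g.
> # "nt acl support = no" (clients then can neither view nor change
> # permissions; everything is enforced with setfacl on the server).
> # Try it on a scratch share first.
> # directory security mask = 0000
> # force directory security mode = 0777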
>
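> [vd2_gestion]
> comment = Administration, compta, gestion.
> path = /mnt/SAN01/vd2_gestion
> # Samba accepts spaces or commas as list separators; one style is used
> # throughout. Must be a single line in the real file.
> valid users = root @sambaadmins @Gestion_Level0 @Gestion_Level1 @Gestion_Level2 @Gestion_Level3
> guest ok = no
> writable = yes
> # Owner and group full access, nobody else; any finer split between the
> # Gestion_Level* groups presumably comes from the POSIX ACLs on disk.
> create mask = 0770
> directory mask = 0770
> browseable = yes
> inherit acls = yes
> hide unreadable = yes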
>
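> [vd3_home2]
> comment = Dossiers privés
> path = /mnt/SAN01/vd3_home2
> # Admin-only view over the tree that holds every user's home, the
> # profiles and the netlogon scripts ([homes], [profiles] and [netlogon]
> # all point below this path).
> valid users = root @sambaadmins
> guest ok = no
> writable = yes
> create mask = 0770
> directory mask = 0770
> browseable = yes
> inherit acls = yes
> hide unreadable = yes
> # No offline-files caching: keeps copies of other people's home and
> # profile data off the admin workstations.
> csc policy = disable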
>
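> [vd4_archive]
> comment = Archives Design, Develop, Graphisme, Logiciels
> path = /mnt/SAN01/vd4_archive
> # One separator style (spaces) throughout; must be a single line in
> # the real file.
> valid users = root @sambaadmins @User_Standard @Archive_Develop @Archive_Design @Archive_Graphisme @Archive_Logiciels
> guest ok = no
> writable = yes
> # Owner and group full access, nobody else; the per-area split between
> # the Archive_* groups presumably comes from the POSIX ACLs on disk.
> create mask = 0770
> directory mask = 0770
> browseable = yes
> inherit acls = yes
> hide unreadable = yes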
>
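> [vd5_projet]
> comment = Les Projets
> path = /mnt/SAN01/vd5_projet
> # Must be a single line in the real file (wrapped here by the mailer).
> valid users = root @sambaadmins @Projet_one @Projet_two @Projet_three @Projet_four
> guest ok = no
> writable = yes
> # Owner and group full access, nobody else; the per-project split
> # between the Projet_* groups presumably comes from the POSIX ACLs.
> create mask = 0770
> directory mask = 0770
> browseable = yes
> inherit acls = yes
> hide unreadable = yes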
>
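> [vd6_backup]
> comment = Backups [reservé admin]
> path = /mnt/SAN01/vd6_backup
> # Admin-only. Backups contain copies of every other share, so this
> # list must stay as narrow as it is now.
> valid users = root @sambaadmins
> guest ok = no
> writable = yes
> create mask = 0770
> directory mask = 0770
> browseable = yes
> inherit acls = yes
> hide unreadable = yes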
>
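> [vd7_video]
> comment = Montages Videos
> path = /mnt/SAN01/vd7_video
> valid users = root @sambaadmins @User_MontageVideo
> guest ok = no
> writable = yes
> # Owner and group full access, nobody else.
> create mask = 0770
> directory mask = 0770
> browseable = yes
> inherit acls = yes
> hide unreadable = yes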
>
>