[Samba] Samba-ldap permission and access using Microsoft Management
Console -
persmission to change folder and file access with MS full accees option
Silas Wind
swi at clipper-group.com
Thu Nov 2 13:45:56 GMT 2006
Hi
I want the following share setup in samba 3.0.10 without the use of POSIX
ACL kernel support on the /dev/sdi01 partition:
A group should be able to be "Windows owner" when ever a windows file or
folder is created.
A group should be able to be have windows full access when ever a file
or folder is created.
Only group should have login access to the hidden share [sharename$]
Group members should be able to control windows permission's on file and
folders in the [sharename$] basically be able to give a specific user
from the allowed group full access to a given folder - eg. user1 from
group1 [consist of user1 and user2) should be able to give user1
fullaccess to folder1 and remove all other users and groups from that
folder, so only user1 (in [sharename$] ) will be able to access the
folder..
I keep getting this error every-time I try and do what is described in
POINT 4
if we look at the share definitions in smb.conf
[sharename$]
path = /home/sharename
public = yes
valid users = @group1 (now as I understand the POINT 3
in above, valid users, is the samba share fix for this access request)
writable = yes (provides access to create files and
folder on [sharename$])
create mask = 0666 (now as I understand the POINT 2
in above, create mask, is the samba share fix for this access request)
directory mask = 0777 (now as I understand the POINT 2 in
above, directory mask, is the samba share fix for this access request)
force group = group1 (now as I understand the POINT 3 in
above, valid users, is the samba share fix for this access request)
dos filemode = yes (now as I understand the POINT 4
in above, dos filemode, is the samba share fix for this access request)
nt acl support = yes (now as I understand the POINT 4
in above, nt acl support, is the samba share fix for this access request)
Now this is not working, windows keeps coming up with the folowing error:
"unable to save permission changes on [sharename] access is denied"
Here is my samba ldap info
I am using and a RHES 4 update 3 kernel 2.6.9-34
samba-3.0.10-1.4E.6
samba-client-3.0.10-1.4E.6
samba-common-3.0.10-1.4E.6
openldap-devel-2.2.13-4
openldap-servers-2.2.13-4
openldap-clients-2.2.13-4
openldap-2.2.13-4
nss_ldap-226-10
My PDC /etc/samba/smb.conf file look like this
[global]
workgroup = DOMAINNAME
netbios name = TNGCPH01
username map = /etc/samba/smbusers
server string = Samba Server %v
security = user
encrypt passwords = yes
domain logons = Yes
os level = 65
preferred master = yes
local master = yes
domain master = yes
wins support = yes
log level = 3
log file = /var/log/samba/%m.log
max log size = 50
obey pam restrictions = No
ldap passwd sync = Yes
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=Manager,dc=domainname,dc=com
# Ldap suffix
ldap suffix = dc=clipper-group,dc=com
ldap group suffix = ou=_GROUPS_
ldap user suffix = ou=_USERS_
ldap machine suffix = ou=_COMPUTERS_
ldap idmap suffix = ou=_USERS_
ldap ssl = no
add user script = /usr/local/sbin/smbldap-useradd.pl -m "%u"
ldap delete dn = Yes
delete user script = /usr/local/sbin/smbldap-userdel.pl "%u"
add machine script = /usr/local/sbin/smbldap-useradd.pl -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd.pl -p "%g"
delete group script = /usr/local/sbin/smbldap-groupdel.pl "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod.pl -m
"%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod.pl
-x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod.pl -g
"%g" "%u"
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = no
More information about the samba
mailing list