[Samba] problem upgrading 3.0.23->3.0.26

Linda W samba at tlinx.org
Wed Jul 30 02:43:19 GMT 2008


John H Terpstra wrote:
> 
> This parameter should be changed from:
>>          write list = @admin, root
> to:
> 	write list = @"BLISS\admin", BLISS\root
----
	Ahh....interesting.

> add:
> 	guest ok = Yes 
> Also make sure that the guest account (nobody) is able to access 
> the /home/samba/netlogon/%u folders.  In general, use of the %u parameter in 
> a resource that should be accessible by the guest account is potentially 
> problematic.
-----
	guest is supposed to be 'nobody'?  Cuz, I have
guest as uid 998,  and 'nobody'=65534.
	Would this create unexpected problems for samba?

As for /home/samba/netlogon/%u:
/home/samba  is 750, u=root, g=samba
/home/samba/profiles has 755  u+g=root
I don't have a profile entry for 'nobody' nor 'guest'...do I need one?  Even if empty?


> Why these parameters on the profiles share?
>>          create mask = 0600
>>          directory mask = 0700
>>          store dos attributes = Yes
-----
	(They come from the default SUSE 10.3 file).  I didn't mess w/them.
	I don't have any profile dirs anyway, but they seem 'ok'...
	(delete?)


> Why these parameters?
>>          csc policy = disable
>>          share modes = No

	Artifacts (deleting)

----
> 
> Add this one:
> 	profile acls = Yes
--ok


>> [homes]
>>          comment = Home Dir
>>          valid users = %S, %D%w%S
>>          read only = No
> 
> Why these parameters? Should not be needed.
>>          create mask = 0750
>>          inherit acls = Yes
----
	Hmmm.....I may not understand what is meant by acls...  see below where you
ask why...(answered there)...



> 
>> [home]
>>          comment = /home (allhomes)
>>          path = /home
> 
> What is this? Do you have a group named "trusted_local_net_users"?
>>          valid users = @trusted_local_net_users, law
(Yes; user=trusted & only on local net)...I do on the Linux server --
not on the Windows side....
Note -- several of the places where I have 'law', I was adding the 'id'
   explicitly, for testing, since groups didn't appear to be working...
   (i.e. law is in trusted_local_net_users...)....

> Change to:
> 	valid users = @"BLISS\trusted_local_net_users", BLISS\law
---ok



> What are the ownership and permissions settings on the /home directory?
"drwxr-xr-x"  root/root


> Are you seriously allowing users to write to each other's home directories?
>>          read only = No
---
	Intent was for it to remain under user control -- that's why I use
the create mask of 0750 (next)....


> Why these two parameters? What are you trying to achieve with them?
>>          create mask = 0750
>>          inherit acls = Yes
----
	My manpage says inherit acls defaults to off, but the create mask is to
override the inherit acls setting mode to 0777.  My presumption was that acls can be
inherited separately.

	I was thinking of acls in a linux sense -- where file mode bits are a
separate access mechanism from an acl list that uses extended-attributes.

	At one point, during kernel discussions, acl lists (as with all security model
insertion points) could only further limit bits set by file mode bits -- not give
exceptions.  Not sure if it is still that way -- I and others argued against it, but
were overridden at the time, because the other group didn't want the security model
insertion points to be able to allow more privilege than the normal discretionary
security model would allow.  So I was propagating my understanding of how they worked....


> 
>>          browseable = No
> 
> What is the purpose of this share? Is this not covered by the homes service?
-----
	That's a good question -- I was trying to get
/home/user to point to a given user's directory

But I also wanted to export the parent as "/homes"....

I kept having problems in this area -- like /homes/ is reserved for 'home', but
I think I could use /home to mean everyone's home directories -- the opposite of
what I wanted, but that's what I was trying for anyway....

>> [%U]
>>          comment = Home Directory
>>          path = /home/%U
>>          valid users = %S, %D%w%S
>>          read only = No
>>          create mask = 0750
>>          inherit acls = Yes
>>
>> [Share]
>>          comment = Share
>>          path = /Share
>>          read only = No
> 
> What are the permissions on the /Share directory?  Why do you need to permit 
> the nobody account to set ACLs on this directory?
>>          inherit acls = Yes
>>          guest ok = Yes
---
	I thought I was saying any acls that were created under share would propagate
downward from their locations.  And that guest would be allowed to look at share, but
by file-definitions on /Share, they can't write to them.

permissions on /Share =
755, u=law, g=wheel; below /Share any dirs I don't want guest to have access
to are mode 750 (or 700)...


>> [backups]
>>          comment = Host backup-dirs
>>          path = /backups/%m
> 
> Again, add the domain specifier (@BLISS\admin). What is the purpose of
> the "%m" parameter here? It makes no sense.
>>          write list = @admin, @%m
----
	Oh poo...yeah...  meant to create (never got around to it) groups for each
machine name that accessed the Share, to include userids that were not admins
(like 'backup'); but never got around to creating a user 'backup' to do backups
with -- just use an admin signin....

> 
> For the remaining shares, the same questions as above apply.  It is best to 
> keep your configuration simple, then add complexity only as it is proven to 
> be necessary.
---

	Well....that's how it started out -- it's just grown warts over time...:-)
the setup works under the old samba 3.0.23...just haven't kept up with the times
so well on this server...

> Please show us the output of executing on both servers: 
> 	net groupmap list
----
	Null (no output)
> 
> Also, what is the output of?:
> 	net getdomainsid
SID for domain ISHTAR is: S-1-5-21-3865964499-331234528-1442996297
SID for domain BLISS is: S-1-5-21-3865964499-331234528-1442996297
> 
> - John T.

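As an added example (not code from the Samba project or from either poster), a small Python linter that checks an smb.conf for the points raised in this exchange: unqualified names in write list / valid users, macro-derived groups such as @%m, and guest ok shares whose path uses %u. The sample configuration is constructed; the domain name BLISS and the share layout follow the thread.

```python
# Constructed sample smb.conf; domain BLISS and the share layout follow the thread.
SAMPLE_SMB_CONF = """
[global]
    workgroup = BLISS
[netlogon]
    path = /home/samba/netlogon/%u
    guest ok = Yes
    write list = @admin, root
[backups]
    path = /backups/%m
    write list = @admin, @%m
[homes]
    valid users = %S, %D%w%S
"""

def parse_smb_conf(text):
    sections, current = {}, None          # {section: {param (lower-cased): value}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def lint_share(name, params, domain):
    """Return (share, parameter, message) findings for one share."""
    findings = []
    for key in ("write list", "valid users"):
        for entry in (e.strip() for e in params.get(key, "").split(",") if e.strip()):
            if entry.startswith("%"):     # %S, %D%w%S: Samba macros, fine as-is
                continue
            bare = entry.lstrip("@+&")    # strip the group prefix to get the name
            if "%" in bare:               # @%m: one group per client machine, rarely real
                findings.append((name, key, f"{entry}: macro-derived name, verify the group exists"))
            elif "\\" not in bare:        # unqualified name: add the domain specifier
                findings.append((name, key, f"{entry}: unqualified, use {domain}\\{bare}"))
    if params.get("guest ok", "no").lower() == "yes" and "%u" in params.get("path", "").lower():
        findings.append((name, "path", "guest share uses a per-user %u path; guest must reach it"))
    return findings

def lint_smb_conf(text, default_domain="WORKGROUP"):
    conf = parse_smb_conf(text)
    domain = conf.get("global", {}).get("workgroup", default_domain)
    return [f for name, params in conf.items() if name != "global"
            for f in lint_share(name, params, domain)]
```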