[Samba] ACL
Clinton Mills
Clinton at Hitcents.com
Thu Jan 29 17:21:38 GMT 2009
Hi samba group,
I'm trying to get samba to act like Windows in the Security tab (to be able
to add, remove, and modify ACLs on certain files/folders). We are running
CentOS 5.2 (2.6.18-92.1.22.el5) with XFS installed for the /share partition.
I currently have these versions of samba installed:
samba-3.0.28-1.el5_2.1
samba-common-3.0.28-1.el5_2.1
I am pretty sure the ACL is all set up and working correctly. I can maintain
ACLs from Linux and I can even see them in the Security tab for Windows. I
can also remove users from the Security tab in Windows.
These are the things I need help with:
- When I try to add a user it asks me for a username and password. I
  cannot get this to accept my password.
- When I first load up the Security tab it shows a long number
  "S-1-5-21-...". This screen takes a while to change these numbers to names.
  Is there a way to speed this up?
- Is there a way to restrict people from adding themselves to
  files/folders they do not have access to?
I have looked all over and cannot find clear instructions on how to set ACL
up in a user environment. If you could point me to one of these documents
that would be very helpful.
We currently have Samba set up to work without a domain. I have read on other
websites that this is not a good idea:
One problem with Samba ACL support is that listing users to use for access
control entries (ACEs) within ACLs can be troublesome. Specifically, if
you're using Samba in a standalone mode (i.e., configured with "user"
security mode), Windows 2000 and Windows XP users might not be able to
consistently list Samba users when configuring an ACL.
We really don't have the option of doing a PDC. Is it a bad idea to try
and get this to work without using a PDC?
smbd -b | grep ACL
HAVE_SYS_ACL_H
HAVE_ACL_LIBACL_H
HAVE_POSIX_ACLS
smb.conf
[global]
passdb backend = tdbsam
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/groupmod -A %u %g
delete user from group script = /usr/sbin/groupmod -R %u %g
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
security = user
encrypt passwords = yes
preferred master = Yes
domain master = Yes
domain logons = Yes
debuglevel = 3
workgroup = Workgroup
workgroup = temp
netbios name = hitsnap
bind interfaces only = True
interfaces = eth1 lo
max disk size = 990000 ;some programs (like PS7) can't deal with more than 1TB
allow hosts = 192.168.0.0/16
socket options = TCP_NODELAY
server string = Hitsnap
smb ports = 139
syslog = 0
log level = 2
log file = /var/log/samba/log.%m
vfs objects = recycle
client ntlmv2 auth = yes
;recycle:repository = .recycle
;recycle:keeptree = Yes
;recycle:versions = Yes
;recycle:touch = Yes
[netlogon]
path = /var/lib/samba/netlogon
read only = yes
[homes]
read only = no
browseable = no
[share1]
;minauth=none
path = /share/hdrive/share1
read only = no
browseable = yes
writable = yes
admin users = admin1
valid users = admin1
public = no
create mask = 0777
directory mask = 0777
nt acl support = yes
acl map full control = yes
dont descend = .recycle
Thanks
Clinton Mills
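Added example, not part of the original post: a small audit of the smb.conf settings that decide who can rewrite permissions on a share, run over a constructed excerpt of the configuration posted above. The function names are hypothetical, and the `dos filemode` check covers a Samba parameter that does not appear in the posted file.

```python
import re

# Constructed excerpt of the smb.conf posted above (only the lines the audit reads).
POSTED_CONF = """\
[global]
workgroup = Workgroup
workgroup = temp
[share1]
;minauth=none
admin users = admin1
create mask = 0777
directory mask = 0777
"""

def parse_smb_conf(text):
    """Return ({section: {param: value}}, [(section, param), ...] for repeated params)."""
    conf, repeated, name = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # comment lines start with ; or #
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            name = header.group(1).strip().lower()
            conf.setdefault(name, {})
        elif "=" in line and name is not None:
            key, value = line.split("=", 1)      # only the first '=' is significant
            key = " ".join(key.lower().split())  # parameter names are case-insensitive
            if key in conf[name]:
                repeated.append((name, key))
            conf[name][key] = value.strip()
    return conf, repeated

def audit_acl_exposure(text):
    """List settings that affect who may change permissions on each share."""
    conf, repeated = parse_smb_conf(text)
    findings = [f"[{s}] '{k}' is set more than once" for s, k in repeated]
    for share, params in conf.items():
        if params.get("admin users"):
            findings.append(f"[{share}] admin users ({params['admin users']}) "
                            "act as root and can rewrite any ACL")
        if params.get("dos filemode", "no").lower() in ("yes", "true", "1"):
            findings.append(f"[{share}] dos filemode lets any writer change ACLs")
        for key in ("create mask", "directory mask"):
            if key in params and int(params[key], 8) & 0o007:
                findings.append(f"[{share}] {key} {params[key]} keeps world bits")
    return findings

print("\n".join(audit_acl_exposure(POSTED_CONF)))
```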