[Samba] ACL

Clinton Mills Clinton at Hitcents.com
Thu Jan 29 17:21:38 GMT 2009


Hi samba group,

I'm trying to get samba to act like Windows in the Security tab (to be able
to add, remove, and modify ACLs on certain files/folders). We are running
CentOS 5.2 (2.6.18-92.1.22.el5) with XFS installed for the /share partition.

I currently have these versions of samba installed:

samba-3.0.28-1.el5_2.1
samba-common-3.0.28-1.el5_2.1

I am pretty sure the ACL is all set up and working correctly. I can maintain
ACLs from Linux and I can even see them in the Security tab for Windows. I
can also remove users from the Security tab in Windows.

These are the things I need help with:

* When I try and add a user it asks me for a username and password. I
  cannot get this to accept my password.

* When I first load up the Security tab it shows a long number
  "S-1-5-21-...". This screen takes a while to change these numbers to names.
  Is there a way to speed this up?

* Is there a way to restrict people from adding themselves to
  files/folders they do not have access to?

I have looked all over and cannot find clear instructions on how to set ACLs
up in a user environment. If you could point me to one of these documents
that would be very helpful.

We currently have Samba set up to work without a domain. I have read on other
websites that this is not a good idea:

One problem with Samba ACL support is that listing users to use for access
control entries (ACEs) within ACLs can be troublesome. Specifically, if
you're using Samba in a standalone mode (i.e., configured with "user"
security mode), Windows 2000 and Windows XP users might not be able to
consistently list Samba users when configuring an ACL.

We really don't have the option of doing a PDC. Is this a bad idea to try
and get this to work without using a PDC?
 

smbd -b | grep ACL
   HAVE_SYS_ACL_H
   HAVE_ACL_LIBACL_H
   HAVE_POSIX_ACLS

smb.conf

[global]

passdb backend = tdbsam

add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/groupmod -A %u %g
delete user from group script = /usr/sbin/groupmod -R %u %g
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u

security = user
encrypt passwords = yes

preferred master = Yes
domain master = Yes
domain logons = Yes

; "debuglevel" is a synonym of "log level"; the "log level = 2" set further
; down is the value that takes effect
debuglevel = 3

; a parameter given twice keeps the last value, so the effective workgroup
; is "temp"
workgroup = Workgroup
workgroup = temp
netbios name = hitsnap
bind interfaces only = True
interfaces = eth1 lo

; some programs (like PS7) can't deal with more than 1TB
; (smb.conf only treats ";" and "#" at the start of a line as a comment, so
; the note cannot follow the value on the same line)
max disk size = 990000

allow hosts = 192.168.0.0/16
socket options = TCP_NODELAY
server string = Hitsnap
smb ports = 139

syslog = 0
log level = 2
log file = /var/log/samba/log.%m

vfs objects = recycle

client ntlmv2 auth = yes
;recycle:repository = .recycle
;recycle:keeptree = Yes
;recycle:versions = Yes
;recycle:touch = Yes

[netlogon]
path = /var/lib/samba/netlogon
read only = yes

[homes]
read only = no
browseable = no

[share1]
;minauth=none
path = /share/hdrive/share1
read only = no
browseable = yes
writable = yes
admin users = admin1
valid users = admin1
public = no
create mask = 0777
directory mask = 0777
nt acl support = yes
acl map full control = yes

dont descend = .recycle
 

Thanks

Clinton Mills
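One check worth running on an smb.conf like the one above, as an added example that is not part of the original post or of Samba itself: a small Python lint that flags a parameter assigned twice in the same section (Samba keeps the last value, so "workgroup" and the "debuglevel"/"log level" pair above do not mean what a reader might assume) and a value carrying a trailing ";" note (smb.conf only treats ";" and "#" at the start of a line as a comment). The sample config and the synonym subset are constructed for the example.

```python
import re

# Constructed excerpt modelled on the smb.conf in the post above (hypothetical
# sample input, not the poster's full file).
SAMPLE_SMB_CONF = """\
[global]
debuglevel = 3
workgroup = Workgroup
workgroup = temp
max disk size = 990000   ;some programs (like PS7) can't deal with more than 1TB
log level = 2
[share1]
path = /share/hdrive/share1
nt acl support = yes
"""

# Samba parameter aliases: a value set under either spelling overrides the other.
# Small subset chosen for this config, not the complete synonym table.
SYNONYMS = {"debuglevel": "log level", "allow hosts": "hosts allow", "public": "guest ok"}

def canonical(name):
    # normalise case and spacing, then resolve known synonyms
    name = " ".join(name.lower().split())
    return SYNONYMS.get(name, name)

def lint_smb_conf(text):
    """Return (section, message) tuples for lines whose effective meaning differs
    from what a reader of the file would assume."""
    findings = []
    seen = {}  # (section, canonical key) -> line number of the earlier assignment
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # smb.conf only recognises comments at the start of a line
        heading = re.match(r"\[(.+)\]$", line)
        if heading:
            section = heading.group(1)
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        ckey = canonical(key)
        if re.search(r"(^|\s)[;#]", value):
            findings.append((section, f"line {lineno}: '{key}' value carries an inline "
                                      "comment; Samba reads it as part of the value"))
        earlier = seen.get((section, ckey))
        if earlier is not None:
            findings.append((section, f"line {lineno}: '{key}' repeats '{ckey}' from "
                                      f"line {earlier}; the later value wins"))
        seen[(section, ckey)] = lineno
    return findings
```

Run it over the real file with `lint_smb_conf(open("/etc/samba/smb.conf").read())`; testparm is still the authority on what Samba actually loads, this only points at the lines to look at.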
