[Samba] ACL

Collen Blijenberg collen at hermanjordan.nl
Fri Jan 30 09:01:06 GMT 2009


Did you also set up ACL in your fstab?

The mounted partition needs ACL to make Samba use it.

Cheers, Collen

Clinton Mills wrote:
> Hi samba group,
>
> I'm trying to get samba to act like Windows in the Security tab (to be able
> to add, remove, and modify ACLs on certain files/folders). We are running
> Centos 5.2 (2.6.18-92.1.22.el5) with XFS installed for the /share partition.
>
> I currently have these versions of samba installed:
>
> samba-3.0.28-1.el5_2.1
> samba-common-3.0.28-1.el5_2.1
>
> I am pretty sure the ACL is all set up and working correctly. I can maintain
> ACL from Linux and I can even see them in the security tab for windows. I
> can also remove users from the security tab in Windows.
>
> These are the things I need help with:
>
> - When I try and add a user it asks me for a username and password. I
>   cannot get this to accept my password.
>
> - When I first load up the security tab it shows a long number
>   "S-1-5-21-..." This screen takes a while to change these numbers to names.
>   Is there a way to speed this up?
>
> - Is there a way to restrict people from adding themselves to
>   files/folders they do not have access to?
>
> I have looked all over and cannot find clear instructions on how to set ACL
> up in a user environment. If you could point me to one of these documents
> that would be very helpful.
>
> We currently have Samba set up to work without a domain. I have read on other
> websites that this is not a good idea:
>
> One problem with Samba ACL support is that listing users to use for access
> control entries (ACEs) within ACLs can be troublesome. Specifically, if
> you're using Samba in a standalone mode (i.e., configured with "user"
> security mode), Windows 2000 and Windows XP users might not be able to
> consistently list Samba users when configuring an ACL.
>
> We really don't have the option of doing a PDC. Is this a bad idea to try
> and get this to work without using PDC?
>
> smbd -b | grep ACL
>    HAVE_SYS_ACL_H
>    HAVE_ACL_LIBACL_H
>    HAVE_POSIX_ACLS
>
> smb.conf
>
> [global]
>
> passdb backend = tdbsam
>
> add user script = /usr/sbin/useradd -m %u
> delete user script = /usr/sbin/userdel -r %u
> add group script = /usr/sbin/groupadd %g
> delete group script = /usr/sbin/groupdel %g
> add user to group script = /usr/sbin/groupmod -A %u %g
> delete user from group script = /usr/sbin/groupmod -R %u %g
> add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
>
> security = user
> encrypt passwords = yes
>
> preferred master = Yes
> domain master = Yes
> domain logons = Yes
>
> debuglevel = 3
>
> workgroup = Workgroup
> workgroup = temp
> netbios name = hitsnap
> bind interfaces only = True
> interfaces = eth1 lo
>
> max disk size = 990000   ;some programs (like PS7) can't deal with more than 1TB
>
> allow hosts = 192.168.0.0/16
> socket options = TCP_NODELAY
> server string = Hitsnap
> smb ports = 139
>
> syslog = 0
> log level = 2
> log file = /var/log/samba/log.%m
>
> vfs objects = recycle
>
> client ntlmv2 auth = yes
> ;recycle:repository = .recycle
> ;recycle:keeptree = Yes
> ;recycle:versions = Yes
> ;recycle:touch = Yes
>
> [netlogon]
> path = /var/lib/samba/netlogon
> read only = yes
>
> [homes]
> read only = no
> browseable = no
>
> [share1]
> ;minauth=none
> path = /share/hdrive/share1
> read only = no
> browseable = yes
> writable = yes
> admin users = admin1
> valid users = admin1
> public = no
> create mask = 0777
> directory mask = 0777
> nt acl support = yes
> acl map full control = yes
>
> dont descend = .recycle
>
> Thanks
>
> Clinton Mills
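Collen's point about the fstab mount option, as an added example that is not from either post: a small POSIX shell check that resolves a share path such as the /share/hdrive/share1 from Clinton's smb.conf to the fstab entry covering it (longest mountpoint prefix wins) and reports whether that entry carries the acl option. The fstab contents are a constructed sample.

```shell
#!/bin/sh
# Added example, not from the list post: does the fstab entry that backs a
# Samba share path carry the "acl" mount option? The fstab below is a
# constructed sample; /share stands in for the XFS partition Clinton describes.

SAMPLE_FSTAB=$(mktemp)
trap 'rm -f "$SAMPLE_FSTAB"' EXIT
cat > "$SAMPLE_FSTAB" <<'EOF'
# <device>   <mountpoint> <type> <options>     <dump> <pass>
LABEL=/      /            ext3   defaults      1 1
/dev/sdb1    /share       xfs    defaults      1 2
/dev/sdc1    /data        ext3   defaults,acl  1 2
EOF

# fstab_mount_for PATH FSTAB: print the fstab line whose mountpoint is the
# longest prefix of PATH, so /share/hdrive/share1 resolves to /share, not /.
fstab_mount_for() {
    awk -v p="$1" '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) > length(best_mp)) { best_mp = mp; best = $0 }
        }
        END { print best }' "$2"
}

# fstab_has_acl PATH FSTAB: return 0 if the covering entry lists "acl" among
# its mount options (field 4), 1 if it does not or no entry covers PATH.
fstab_has_acl() {
    entry=$(fstab_mount_for "$1" "$2")
    [ -n "$entry" ] || { echo "$1: no fstab entry covers this path"; return 1; }
    mp=$(printf '%s\n' "$entry" | awk '{ print $2 }')
    opts=$(printf '%s\n' "$entry" | awk '{ print $4 }')
    case ",$opts," in
        *,acl,*) echo "$1: mounted from $mp ($opts), acl present"; return 0 ;;
        *)       echo "$1: mounted from $mp ($opts), acl MISSING"; return 1 ;;
    esac
}

# The share from Clinton's smb.conf sits on /share, which the sample fstab
# mounts without acl; /data shows the same entry with the option added.
fstab_has_acl /share/hdrive/share1 "$SAMPLE_FSTAB" ||
    echo "  -> add acl to the options column and remount before testing Samba"
fstab_has_acl /data/projects "$SAMPLE_FSTAB"
```

Run it against the real file with `fstab_has_acl /share/hdrive/share1 /etc/fstab` once the sample block is removed; a share path that resolves to `/` usually means the data partition is not in fstab at all.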
