RE [Samba] Samba group management understanding
Stéphane PURNELLE
stephane.purnelle at corman.be
Wed May 6 11:19:12 GMT 2009
Wrong permissions:
-rwxrw---- 1 gbayard enseign 8 avr 29 15:03 truc.txt
they must be:
-rwxrwx--- 1 gbayard enseign 8 avr 29 15:03 truc.txt
-----------------------------------
Stéphane PURNELLE Admin. Systèmes et Réseaux
Service Informatique Corman S.A. Tel : 00 32 (0)87/342467
samba-bounces+stephane.purnelle=corman.be at lists.samba.org a écrit sur
06/05/2009 12:50:51 :
> Hello all,
>
> I want to set up a share for a project (enseign)
> The first thing I did was to create a group for that project (with
> smbldap-groupadd) and add the project members to that group.
> Then I created a test_smb directory on my linux server with the
> following access rights:
>
> drwxrwx--- 2 gbayard enseign 4096 avr 29 15:03 /test_smb
>
> Note: the idea is that only group members should be able to
> create/destroy files in this share (the owning user should not matter)
>
> Then I added the following to smb.conf:
>
> [test]
> path = /test_smb
> writable = yes
> # browseable = no
> # create mask = 0770
> # valid users = @enseign
> # directory mask = 0775
> # force group = enseign
>
> The commented-out values work fine but are not needed to reproduce my
> problem, so I use very basic share settings
>
> Under linux I create the following file in /test_smb:
> -rwxrw---- 1 gbayard enseign 8 avr 29 15:03 truc.txt
>
> After restarting smb with /etc/init.d/smb restart I switch to XP and go
> to my share \\server\test, and here is what happens:
> - if I connect as user gbayard (who owns the share directory) everything
> is right. I can create/edit/destroy files
> - if I connect as user javerage, who belongs to group enseign, then I
> can modify the content of truc.txt (so group membership seems to be
> acknowledged by Windows) but I can't destroy the file (it seems the
> directory 'write' right granted to group enseign is ignored). If I
> create a new file it works, but I can't rename or destroy it (I end up
> with a "new document.txt" file that I can edit but not rename or
> destroy)... Mmm. I'm puzzled!
>
> I've checked access to the share from a Linux client (through gvfs on
> Ubuntu) and it works as expected. So it seems like a Windows XP client
> problem. I've checked all smb.conf options and could not find any
> workaround option.
>
> As additional info I'm attaching the Samba log for a file deletion
> attempt from XP (failure) and from Linux (success), and also my server's
> options (testparm -sv)
>
> Any ideas?
>
> Gildas
>
>
> Load smb config files from /etc/samba/smb.conf
> Processing section "[homes]"
> Processing section "[projects]"
> Processing section "[test]"
> Processing section "[web]"
> Processing section "[netlogon]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_PDC
> [global]
> dos charset = CP850
> unix charset = UTF-8
> display charset = LOCALE
> workgroup = HDS
> realm =
> netbios name = NEO
> netbios aliases =
> netbios scope =
> server string = storage
> interfaces = 172.17.1.42/16
> bind interfaces only = Yes
> security = USER
> auth methods =
> encrypt passwords = Yes
> update encrypted = No
> client schannel = Auto
> server schannel = Auto
> allow trusted domains = Yes
> map to guest = Never
> null passwords = No
> obey pam restrictions = No
> password server = *
> smb passwd file = /etc/samba/smbpasswd
> private dir = /etc/samba
> passdb backend = ldapsam:ldap://ldap.gi.utc:983
> algorithmic rid base = 1000
> root directory =
> guest account = ftp
> enable privileges = Yes
> pam password change = No
> passwd program =
> passwd chat = *new*password* %n\n *new*password* %n\n *changed*
> passwd chat debug = No
> passwd chat timeout = 2
> check password script =
> username map = /etc/samba/smbusers
> password level = 8
> username level = 8
> unix password sync = No
> restrict anonymous = 0
> lanman auth = Yes
> ntlm auth = Yes
> client NTLMv2 auth = No
> client lanman auth = Yes
> client plaintext auth = Yes
> preload modules =
> use kerberos keytab = No
> log level = 4
> syslog = 1
> syslog only = No
> log file = /var/log/samba/%m.log
> max log size = 50
> debug timestamp = Yes
> debug prefix timestamp = No
> debug hires timestamp = No
> debug pid = No
> debug uid = No
> enable core files = Yes
> smb ports = 445 139
> large readwrite = Yes
> max protocol = NT1
> min protocol = CORE
> read bmpx = No
> read raw = Yes
> write raw = Yes
> disable netbios = No
> reset on zero vc = No
> acl compatibility = auto
> defer sharing violations = Yes
> nt pipe support = Yes
> nt status support = Yes
> announce version = 4.9
> announce as = NT
> max mux = 50
> max xmit = 16644
> name resolve order = host wins lmhosts
> max ttl = 259200
> max wins ttl = 518400
> min wins ttl = 21600
> time server = No
> unix extensions = Yes
> use spnego = Yes
> client signing = auto
> server signing = No
> client use spnego = Yes
> enable asu support = No
> svcctl list =
> deadtime = 60
> getwd cache = Yes
> keepalive = 300
> lpq cache time = 30
> max smbd processes = 0
> paranoid server security = Yes
> max disk size = 0
> max open files = 101
> open files database hash size = 10007
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
IPTOS_LOWDELAY
> use mmap = Yes
> hostname lookups = No
> name cache timeout = 660
> load printers = Yes
> printcap cache time = 750
> printcap name =
> cups server =
> iprint server =
> disable spoolss = No
> addport command =
> enumports command =
> addprinter command =
> deleteprinter command =
> show add printer wizard = Yes
> os2 driver map =
> mangling method = hash2
> mangle prefix = 1
> max stat cache size = 1024
> stat cache = Yes
> machine password timeout = 604800
> add user script = /usr/local/sbin/smbldap-useradd -m "%u"
> rename user script =
> delete user script = /usr/local/sbin/smbldap-userdel "%u"
> add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
> delete group script = /usr/local/sbin/smbldap-groupdel "%g"
> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u"
"%g"
> delete user from group script = /usr/local/sbin/smbldap-groupmod
> -x "%u" "%g"
> set primary group script = /usr/local/sbin/smbldap-usermod -g "%g"
"%u"
> add machine script = /usr/local/sbin/smbldap-useradd -w -i '%u'
> shutdown script =
> abort shutdown script =
> username map script =
> logon script = logon.bat
> logon path = \\%N\%U\profile
> logon drive =
> logon home = \\%N\%U
> domain logons = Yes
> os level = 33
> lm announce = Auto
> lm interval = 60
> preferred master = Yes
> local master = Yes
> domain master = Yes
> browse list = Yes
> enhanced browsing = Yes
> dns proxy = Yes
> wins proxy = No
> wins server = 172.17.1.23
> wins support = No
> wins hook =
> kernel oplocks = Yes
> lock spin time = 200
> oplock break wait time = 0
> ldap admin dn = "cn=Manager,dc=gi,dc=utc"
> ldap delete dn = No
> ldap group suffix = ou=Groups
> ldap idmap suffix =
> ldap machine suffix = ou=Computers
> ldap passwd sync = Yes
> ldap replication sleep = 1000
> ldap suffix = dc=gi,dc=utc
> ldap ssl = no
> ldap timeout = 15
> ldap page size = 1024
> ldap user suffix = ou=people
> add share command =
> change share command =
> delete share command =
> eventlog list =
> config file =
> preload =
> lock directory = /var/cache/samba
> pid directory = /var/run
> utmp directory =
> wtmp directory =
> utmp = No
> default service =
> message command =
> get quota command =
> set quota command =
> remote announce =
> remote browse sync =
> socket address = 0.0.0.0
> homedir map = auto.home
> afs username map =
> afs token lifetime = 604800
> log nt token command =
> time offset = 0
> NIS homedir = No
> usershare allow guests = No
> usershare max shares = 0
> usershare owner only = Yes
> usershare path = /var/cache/samba/usershares
> usershare prefix allow list =
> usershare prefix deny list =
> usershare template share =
> panic action =
> host msdfs = Yes
> passdb expand explicit = No
> idmap domains =
> idmap backend =
> idmap alloc backend =
> idmap cache time = 900
> idmap negative cache time = 120
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> template homedir = /home/%D/%U
> template shell = /bin/false
> winbind separator = \
> winbind cache time = 300
> winbind enum users = No
> winbind enum groups = No
> winbind use default domain = No
> winbind trusted domains only = No
> winbind nested groups = Yes
> winbind nss info = template
> winbind refresh tickets = No
> winbind offline logon = No
> winbind normalize names = No
> comment =
> path =
> username =
> invalid users =
> valid users =
> admin users =
> read list =
> write list =
> printer admin =
> force user =
> force group =
> read only = Yes
> acl check permissions = Yes
> acl group control = No
> acl map full control = Yes
> create mask = 0744
> force create mode = 00
> security mask = 0777
> force security mode = 00
> directory mask = 0755
> force directory mode = 00
> directory security mask = 0777
> force directory security mode = 00
> force unknown acl user = No
> inherit permissions = No
> inherit acls = No
> inherit owner = No
> guest only = No
> guest ok = No
> only user = No
> hosts allow = 172.17., 172.26.128.0/255.255.240.0, 172.26.240.
> 0/255.255.252.0, 172.22., 172.24., 172.26.240.0/255.255.240.0,
172.18.153.159
> hosts deny =
> allocation roundup size = 1048576
> aio read size = 0
> aio write size = 0
> aio write behind =
> ea support = No
> nt acl support = Yes
> profile acls = Yes
> map acl inherit = No
> afs share = No
> block size = 1024
> change notify = Yes
> directory name cache size = 100
> kernel change notify = Yes
> max connections = 150
> min print space = 0
> strict allocate = No
> strict sync = No
> sync always = No
> use sendfile = No
> write cache size = 0
> max reported print jobs = 0
> max print jobs = 1000
> printable = No
> printing = cups
> cups options =
> print command =
> lpq command = %p
> lprm command =
> lppause command =
> lpresume command =
> queuepause command =
> queueresume command =
> printer name =
> use client driver = No
> default devmode = Yes
> force printername = No
> printjob username = %U
> default case = lower
> case sensitive = Auto
> preserve case = Yes
> short preserve case = Yes
> mangling char = ~
> hide dot files = Yes
> hide special files = No
> hide unreadable = No
> hide unwriteable files = No
> delete veto files = No
> veto files = /lost+found/.recycle/
> hide files =
> veto oplock files = /*.mdb/*.doc/*.xls/*.ppt/
> map archive = Yes
> map hidden = No
> map system = No
> map readonly = yes
> mangled names = Yes
> mangled map =
> store dos attributes = No
> dmapi support = No
> browseable = Yes
> blocking locks = Yes
> csc policy = manual
> fake oplocks = No
> locking = Yes
> oplocks = Yes
> level2 oplocks = Yes
> oplock contention limit = 2
> posix locking = Yes
> strict locking = Auto
> share modes = Yes
> dfree cache time = 0
> dfree command =
> copy =
> include =
> preexec =
> preexec close = No
> postexec =
> root preexec =
> root preexec close = No
> root postexec =
> available = Yes
> volume =
> fstype = Samba
> set directory = No
> wide links = Yes
> follow symlinks = Yes
> dont descend = /proc,/dev
> magic script =
> magic output =
> delete readonly = Yes
> dos filemode = No
> dos filetimes = Yes
> dos filetime resolution = No
> fake directory create times = No
> vfs objects =
> msdfs root = No
> msdfs proxy =
>
> [homes]
> comment = Home Directories
> read only = No
> create mask = 0700
> directory mask = 0700
> max connections = 5
> browseable = No
>
> [projects]
> comment = Projects directories
> path = /storage/projects
> read only = No
> create mask = 0775
> directory mask = 0775
>
> [test]
> path = /test_smb
> read only = No
>
> [web]
> path = /WEB
> valid users = colligno
> read only = No
> browseable = No
>
> [netlogon]
> comment = Network Logon Service
> path = /home/netlogon
> read only = No
> share modes = No
> root preexec = /bin/sh -c 'echo "[%T] %u se connecte depuis %m (%
> I)" >> /var/log/samba/connexion.log'
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba