[Samba] Cannot add ACL through windows client
Zoddo
zoddo.ino at gmail.com
Thu Oct 23 09:21:20 MDT 2014
But a Windows machine is able to get account name on existing permissions.
There must be an solution. It's impossible for me to create accounts on the
clients machines.
2014-10-22 16:12 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
> On 22/10/14 15:01, Zoddo wrote:
>
>> I don't want to add an ACL on an unknown user from samba but add an ACL
>> on a user that exist in the samba database but unknown by the client
>> machine.
>>
> OK, I should also have said that if you try to user a samba user that is
> unknown to windows, this will also fail because the user MUST be known
> everywhere.
>
>
>> The clients machines weren't in a domain.
>>
> Yes I know, I said that you were using a workgroup, they are terrible
> things, when you want to add a user, you have to log into every machine in
> the workgroup that they are to be created or will connect to and add the
> user.
>
> Rowland
>
>>
>> 2014-10-22 15:54 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com
>> <mailto:rowlandpenny at googlemail.com>>:
>>
>> On 22/10/14 14:34, Zoddo wrote:
>>
>> Yes, the user exist in //etc/passwd/ and in the samba database
>> with the same password.
>> The user doesn't exist on the windows machine. I just want add
>> a permission on directories/files for an another user that
>> exist in the unix/samba database.
>>
>>
>> You are running a workgroup and if you attempt to connect to a
>> samba share, you will probably be asked who to connect as, at this
>> point, you can use a username & password of a user that samba
>> knows and you should be connected as the samba user. If you now
>> try to change the ACL's of a file on the share from windows and
>> try to use a windows user that is unknown to samba, this will fail
>> because, to samba, it is an unknown user.
>>
>> Rowland
>>
>> 2014-10-22 15:15 GMT+02:00 Rowland Penny
>> <rowlandpenny at googlemail.com
>> <mailto:rowlandpenny at googlemail.com>
>> <mailto:rowlandpenny at googlemail.com
>> <mailto:rowlandpenny at googlemail.com>>>:
>>
>> On 22/10/14 13:47, Zoddo wrote:
>>
>> up !
>>
>> 2014-10-20 23:19 GMT+02:00 Zoddo <zoddo.ino at gmail.com
>> <mailto:zoddo.ino at gmail.com>
>> <mailto:zoddo.ino at gmail.com
>> <mailto:zoddo.ino at gmail.com>> <mailto:zoddo.ino at gmail.com
>> <mailto:zoddo.ino at gmail.com>
>> <mailto:zoddo.ino at gmail.com
>> <mailto:zoddo.ino at gmail.com>>>>:
>>
>> Yes, it's this !
>>
>> 2014-10-20 23:17 GMT+02:00 Rowland Penny
>> <rowlandpenny at googlemail.com
>> <mailto:rowlandpenny at googlemail.com>
>> <mailto:rowlandpenny at googlemail.com
>> <mailto:rowlandpenny at googlemail.com>>
>> <mailto:rowlandpenny at googlemail.com
>> <mailto:rowlandpenny at googlemail.com>
>> <mailto:rowlandpenny at googlemail.com
>> <mailto:rowlandpenny at googlemail.com>>>>:
>>
>> On 20/10/14 22:11, Zoddo wrote:
>>
>> Yes, the users is UNIX accounts "imported" in
>> samba via
>> /smbpasswd/.
>>
>> Windows machines are in the same workgroup.
>>
>> 2014-10-20 22:56 GMT+02:00 Rowland Penny
>> <rowlandpenny at googlemail.com
>> <mailto:rowlandpenny at googlemail.com>
>> <mailto:rowlandpenny at googlemail.com
>> <mailto:rowlandpenny at googlemail.com>>
>> <mailto:rowlandpenny at googlemail.com
>> <mailto:rowlandpenny at googlemail.com>
>> <mailto:rowlandpenny at googlemail.com
>> <mailto:rowlandpenny at googlemail.com>>>
>> <mailto:rowlandpenny at googlemail.com
>> <mailto:rowlandpenny at googlemail.com>
>> <mailto:rowlandpenny at googlemail.com
>> <mailto:rowlandpenny at googlemail.com>>
>> <mailto:rowlandpenny at googlemail.com
>> <mailto:rowlandpenny at googlemail.com>
>> <mailto:rowlandpenny at googlemail.com
>> <mailto:rowlandpenny at googlemail.com>>>>>:
>>
>>
>> On 20/10/14 21:43, Zoddo wrote:
>>
>> Samba has been installed via Debian
>> repositories
>> (apt-get).
>>
>> Here is my /smb.conf/ :
>>
>>
>> #
>> # Sample configuration file
>> for the Samba
>> suite for Debian
>> GNU/Linux.
>> #
>> #
>> # This is the main Samba
>> configuration
>> file.
>> You should
>> read the
>> # smb.conf(5) manual page in
>> order to
>> understand the
>> options listed
>> # here. Samba has a huge number of
>> configurable options
>> most of which
>> # are not shown in this example
>> #
>> # Some options that are often
>> worth tuning
>> have been
>> included as
>> # commented-out examples in
>> this file.
>> # - When such options are
>> commented
>> with ";", the
>> proposed setting
>> # differs from the default
>> Samba
>> behaviour
>> # - When commented with "#",
>> the proposed
>> setting is the
>> default
>> # behaviour of Samba but
>> the option is
>> considered important
>> # enough to be mentioned here
>> #
>> # NOTE: Whenever you modify
>> this file you
>> should run the
>> command
>> # "testparm" to check that you
>> have
>> not made
>> any basic
>> syntactic
>> # errors.
>> # A well-established practice
>> is to
>> name the
>> original file
>> # "smb.conf.master" and create
>> the "real"
>> config file with
>> # testparm -s smb.conf.master
>> >smb.conf
>> # This minimizes the size of the
>> really used
>> smb.conf file
>> # which, according to the
>> Samba Team,
>> impacts
>> performance
>> # However, use this with
>> caution if your
>> smb.conf file
>> contains nested
>> # "include" statements. See
>> Debian bug
>> #483187
>> for a case
>> # where using a master file is
>> not a
>> good idea.
>> #
>> #=======================
>> Global Settings
>> =======================
>> [global]
>> username map =
>> /etc/samba/samba_usermapping
>> ## Browsing/Identification ###
>> # Change this to the
>> workgroup/NT-domain name
>> your Samba
>> server
>> will part of
>> workgroup = WORKGROUP
>> # server string is the
>> equivalent of
>> the NT
>> Description field
>> server string = %h server
>> # Windows Internet Name Serving
>> Support Section:
>> # WINS Support - Tells the NMBD
>> component of
>> Samba to
>> enable its
>> WINS Server
>> # wins support = no
>> # WINS Server - Tells the NMBD
>> components of
>> Samba to be a
>> WINS Client
>> # Note: Samba can be either a WINS
>> Server, or
>> a WINS
>> Client, but
>> NOT both
>> ; wins server = w.x.y.z
>> # This will prevent nmbd to
>> search for
>> NetBIOS
>> names
>> through DNS.
>> dns proxy = no
>> # What naming service and in what
>> order should
>> we use to
>> resolve
>> host names
>> # to IP addresses
>> ; name resolve order =
>> lmhosts host
>> wins bcast
>> #### Networking ####
>> # The specific set of interfaces /
>> networks to
>> bind to
>> # This can be either the interface
>> name or an IP
>> address/netmask;
>> # interface names are normally
>> preferred
>> ; interfaces = 127.0.0.0/8
>> <http://127.0.0.0/8>
>> <http://127.0.0.0/8>
>> <http://127.0.0.0/8> <http://127.0.0.0/8>
>> <http://127.0.0.0/8> eth0
>>
>> # Only bind to the named
>> interfaces and/or
>> networks; you
>> must use the
>> # 'interfaces' option above to
>> use this.
>> # It is recommended that you
>> enable this
>> feature if your Samba
>> machine is
>> # not protected by a firewall
>> or is a
>> firewall
>> itself. However, this
>> # option cannot handle dynamic or
>> non-broadcast interfaces
>> correctly.
>> ; bind interfaces only = yes
>>
>>
>> #### Debugging/Accounting ####
>> # This tells Samba to use a
>> separate
>> log file
>> for each machine
>> # that connects
>> log file =
>> /var/log/samba/log.%m
>> # Cap the size of the
>> individual log
>> files (in
>> KiB).
>> max log size = 1000
>> # If you want Samba to only log
>> through syslog
>> then set
>> the following
>> # parameter to 'yes'.
>> # syslog only = no
>> # We want Samba to log a
>> minimum amount of
>> information to
>> syslog.
>> Everything
>> # should go to
>> /var/log/samba/log.{smbd,nmbd}
>> instead. If
>> you want
>> to log
>> # through syslog you should
>> set the
>> following
>> parameter to
>> something higher.
>> syslog = 0
>> # Do something sensible when Samba
>> crashes:
>> mail the admin
>> a backtrace
>> panic action =
>> /usr/share/samba/panic-action %d
>>
>> ####### Authentication #######
>> # "security = user" is always
>> a good idea.
>> This will require a
>> Unix account
>> # in this server for every user
>> accessing the
>> server. See
>> #
>> /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/
>> ServerType.html
>> # in the samba-doc package for
>> details.
>> # security = user
>> # You may wish to use password
>> encryption. See the section on
>> # 'encrypt passwords' in the
>> smb.conf(5)
>> manpage before
>> enabling.
>> encrypt passwords = true
>> # If you are using encrypted
>> passwords, Samba
>> will need to
>> know what
>> # password database type you
>> are using.
>> passdb backend = tdbsam
>> obey pam restrictions = yes
>> # This boolean parameter
>> controls whether
>> Samba attempts
>> to sync
>> the Unix
>> # password with the SMB
>> password when the
>> encrypted SMB
>> password
>> in the
>> # passdb is changed.
>> unix password sync = yes
>> # For Unix password sync to
>> work on a
>> Debian
>> GNU/Linux
>> system, the
>> following
>> # parameters must be set
>> (thanks to
>> Ian Kahan
>> <<kahan at informatik.tu-
>> muenchen.de
>> <mailto:kahan at informatik.tu-muenchen.de>
>> <mailto:kahan at informatik.tu-muenchen.de
>> <mailto:kahan at informatik.tu-muenchen.de>>
>> <mailto:kahan at informatik.tu-muenchen.de
>> <mailto:kahan at informatik.tu-muenchen.de>
>> <mailto:kahan at informatik.tu-muenchen.de
>> <mailto:kahan at informatik.tu-muenchen.de>>>
>> <mailto:kahan at informatik.tu-
>> muenchen.de
>> <mailto:kahan at informatik.tu-muenchen.de>
>> <mailto:kahan at informatik.tu-muenchen.de
>> <mailto:kahan at informatik.tu-muenchen.de>>
>> <mailto:kahan at informatik.tu-muenchen.de
>> <mailto:kahan at informatik.tu-muenchen.de>
>> <mailto:kahan at informatik.tu-muenchen.de
>> <mailto:kahan at informatik.tu-muenchen.de>>>>
>> <mailto:
>> kahan at informatik.tu-muenchen.de
>> <mailto:kahan at informatik.tu-muenchen.de>
>> <mailto:kahan at informatik.tu-muenchen.de
>> <mailto:kahan at informatik.tu-muenchen.de>>
>> <mailto:kahan at informatik.tu-muenchen.de
>> <mailto:kahan at informatik.tu-muenchen.de>
>> <mailto:kahan at informatik.tu-muenchen.de
>> <mailto:kahan at informatik.tu-muenchen.de>>>
>>
>> <mailto:kahan at informatik.tu-
>> muenchen.de
>> <mailto:kahan at informatik.tu-muenchen.de>
>> <mailto:kahan at informatik.tu-muenchen.de
>> <mailto:kahan at informatik.tu-muenchen.de>>
>> <mailto:kahan at informatik.tu-muenchen.de
>> <mailto:kahan at informatik.tu-muenchen.de>
>> <mailto:kahan at informatik.tu-muenchen.de
>> <mailto:kahan at informatik.tu-muenchen.de>>>>>> for
>>
>> # sending the correct chat
>> script for the
>> passwd program
>> in Debian
>> Sarge).
>> passwd program =
>> /usr/bin/passwd %u
>> passwd chat =
>> *Enter\snew\s*\spassword:* %n\n
>> *Retype\snew\s*\spassword:* %n\n
>> *password\supdated\ssuccessfully* .
>> # This boolean controls
>> whether PAM
>> will be
>> used for
>> password changes
>> # when requested by an SMB client
>> instead of
>> the program
>> listed in
>> # 'passwd program'. The
>> default is 'no'.
>> pam password change = yes
>> # This option controls how
>> unsuccessful
>> authentication
>> attempts
>> are mapped
>> # to anonymous connections
>> map to guest = bad user
>> ########## Domains ###########
>> # Is this machine able to
>> authenticate
>> users.
>> Both PDC and BDC
>> # must have this setting
>> enabled. If
>> you are
>> the BDC you must
>> # change the 'domain master'
>> setting to no
>> #
>> ; domain logons = yes
>> #
>> # The following setting only takes
>> effect if
>> 'domain
>> logons' is set
>> # It specifies the location of
>> the user's
>> profile directory
>> # from the client point of view)
>> # The following required a
>> [profiles]
>> share to
>> be setup on the
>> # samba server (see below)
>> ; logon path = \\%N\profiles\%U
>> # Another common choice is
>> storing the
>> profile
>> in the
>> user's home
>> directory
>> # (this is Samba's default)
>> # logon path = \\%N\%U\profile
>> # The following setting only takes
>> effect if
>> 'domain
>> logons' is set
>> # It specifies the location of a
>> user's home
>> directory
>> (from the
>> client
>> # point of view)
>> ; logon drive = H:
>> # logon home = \\%N\%U
>> # The following setting only takes
>> effect if
>> 'domain
>> logons' is set
>> # It specifies the script to run
>> during logon.
>> The script
>> must be
>> stored
>> # in the [netlogon] share
>> # NOTE: Must be store in 'DOS'
>> file format
>> convention
>> ; logon script = logon.cmd
>> # This allows Unix users to be
>> created
>> on the
>> domain
>> controller
>> via the SAMR
>> # RPC pipe. The example
>> command creates a
>> user account with a
>> disabled Unix
>> # password; please adapt to
>> your needs
>> ; add user script =
>> /usr/sbin/adduser
>> --quiet
>> --disabled-password
>> --gecos "" %u
>> # This allows machine accounts
>> to be
>> created
>> on the domain
>> controller via the
>> # SAMR RPC pipe.
>> # The following assumes a
>> "machines" group
>> exists on the
>> system
>> ; add machine script =
>> /usr/sbin/useradd -g
>> machines -c "%u
>> machine account" -d
>> /var/lib/samba -s
>> /bin/false %u
>> # This allows Unix groups to be
>> created on the
>> domain
>> controller
>> via the SAMR
>> # RPC pipe.
>> ; add group script =
>> /usr/sbin/addgroup
>> --force-badname %g
>> ########## Printing ##########
>> # If you want to automatically
>> load your
>> printer list rather
>> # than setting them up
>> individually then
>> you'll need this
>> # load printers = yes
>> # lpr(ng) printing. You may
>> wish to
>> override
>> the location
>> of the
>> # printcap file
>> ; printing = bsd
>> ; printcap name = /etc/printcap
>> # CUPS printing. See also the
>> cupsaddsmb(8)
>> manpage in the
>> # cupsys-client package.
>> ; printing = cups
>> ; printcap name = cups
>> ############ Misc ############
>> # Using the following line
>> enables you to
>> customise your
>> configuration
>> # on a per machine basis. The
>> %m gets
>> replaced
>> with the
>> netbios name
>> # of the machine that is
>> connecting
>> ; include =
>> /home/samba/etc/smb.conf.%m
>> # Most people will find that this
>> option gives
>> better
>> performance.
>> # See smb.conf(5) and
>> /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/speed.
>> html
>> # for details
>> # You may want to add the
>> following on
>> a Linux
>> system:
>> # SO_RCVBUF=8192 SO_SNDBUF=8192
>> # socket options = TCP_NODELAY
>> # The following parameter is
>> useful
>> only if
>> you have the
>> linpopup
>> package
>> # installed. The samba
>> maintainer and
>> the linpopup
>> maintainer are
>> # working to ease installation and
>> configuration of
>> linpopup and
>> samba.
>> ; message command = /bin/sh -c
>> '/usr/bin/linpopup "%f"
>> "%m" %s;
>> rm %s' &
>> # Domain Master specifies
>> Samba to be the
>> Domain Master
>> Browser.
>> If this
>> # machine will be configured
>> as a BDC (a
>> secondary logon
>> server), you
>> # must set this to 'no';
>> otherwise, the
>> default behavior is
>> recommended.
>> # domain master = auto
>> # Some defaults for winbind
>> (make sure
>> you're
>> not using
>> the ranges
>> # for something else.)
>> ; idmap uid = 10000-20000
>> ; idmap gid = 10000-20000
>> ; template shell = /bin/bash
>> # The following was the default
>> behaviour in
>> sarge,
>> # but samba upstream reverted
>> the default
>> because it might
>> induce
>> # performance issues in large
>> organizations.
>> # See Debian bug #368251 for
>> some of the
>> consequences of *not*
>> # having this setting and
>> smb.conf(5)
>> for details.
>> ; winbind enum groups = yes
>> ; winbind enum users = yes
>> # Setup usershare options to
>> enable
>> non-root
>> users to
>> share folders
>> # with the net usershare command.
>> # Maximum number of usershare.
>> 0 (default)
>> means that
>> usershare is
>> disabled.
>> ; usershare max shares = 100
>> # Allow users who've been granted
>> usershare
>> privileges to
>> create
>> # public shares, not just
>> authenticated ones
>> usershare allow guests = yes
>> #======================= Share
>> Definitions
>> =======================
>> [homes]
>> comment = Home Directories
>> browseable = no
>> # By default, the home
>> directories are
>> exported read-only.
>> Change the
>> # next parameter to 'no' if
>> you want to be
>> able to write
>> to them.
>> read only = yes
>> # File creation mask is set to
>> 0700 for
>> security reasons.
>> If you
>> want to
>> # create files with group=rw
>> permissions, set next
>> parameter to 0775.
>> create mask = 0700
>> # Directory creation mask is
>> set to
>> 0700 for
>> security
>> reasons. If
>> you want to
>> # create dirs. with group=rw
>> permissions, set next
>> parameter to 0775.
>> directory mask = 0700
>> # By default,
>> \\server\username shares
>> can be
>> connected to
>> by anyone
>> # with access to the samba server.
>> # The following parameter
>> makes sure
>> that only
>> "username"
>> can connect
>> # to \\server\username
>> # This might need tweaking
>> when using
>> external
>> authentication schemes
>> valid users = %S
>> # Un-comment the following and
>> create
>> the netlogon
>> directory for
>> Domain Logons
>> # (you need to configure Samba
>> to act
>> as a domain
>> controller too.)
>> ;[netlogon]
>> ; comment = Network Logon
>> Service
>> ; path = /home/samba/netlogon
>> ; guest ok = yes
>> ; read only = yes
>> # Un-comment the following and
>> create
>> the profiles
>> directory to store
>> # users profiles (see the
>> "logon path"
>> option
>> above)
>> # (you need to configure Samba
>> to act
>> as a domain
>> controller too.)
>> # The path below should be
>> writable by all
>> users so that their
>> # profile directory may be
>> created the
>> first
>> time they log on
>> ;[profiles]
>> ; comment = Users profiles
>> ; path = /home/samba/profiles
>> ; guest ok = no
>> ; browseable = no
>> ; create mask = 0600
>> ; directory mask = 0700
>> [printers]
>> comment = All Printers
>> browseable = no
>> path = /var/spool/samba
>> printable = yes
>> guest ok = no
>> read only = yes
>> create mask = 0700
>> # Windows clients look for
>> this share
>> name as
>> a source of
>> downloadable
>> # printer drivers
>> [print$]
>> comment = Printer Drivers
>> path = /var/lib/samba/printers
>> browseable = yes
>> read only = yes
>> guest ok = no
>> # Uncomment to allow remote
>> administration of
>> Windows
>> print drivers.
>> # You may need to replace
>> 'lpadmin'
>> with the
>> name of the
>> group your
>> # admin users are members of.
>> # Please note that you also
>> need to set
>> appropriate Unix
>> permissions
>> # to the drivers directory for
>> these
>> users to
>> have write
>> rights in it
>> ; write list = root, @lpadmin
>> # A sample share for sharing your
>> CD-ROM with
>> others.
>> ;[cdrom]
>> ; comment = Samba server's
>> CD-ROM
>> ; read only = yes
>> ; locking = no
>> ; path = /cdrom
>> ; guest ok = yes
>> # The next two parameters show
>> how to
>> auto-mount a CD-ROM
>> when the
>> #cdrom share is accesed. For
>> this to work
>> /etc/fstab must
>> contain
>> #an entry like this:
>> #
>> # /dev/scd0 /cdrom iso9660
>> defaults,noauto,ro,user 0 0
>> #
>> # The CD-ROM gets unmounted
>> automatically
>> after the
>> connection to the
>> #
>> # If you don't want to use
>> auto-mounting/unmounting make
>> sure the CD
>> #is mounted on /cdrom
>> #
>> ; preexec = /bin/mount /cdrom
>> ; postexec = /bin/umount /cdrom
>>
>> [data]
>> writeable = yes
>> path = /data
>>
>>
>>
>> 2014-10-20 22:26 GMT+02:00 Rowland
>
>
More information about the samba
mailing list