[Samba] Cannot add ACL through windows client
Zoddo
zoddo.ino at gmail.com
Thu Oct 23 09:31:17 MDT 2014
I just did a test, even creating the account in a local machine (with the
same password), I don't able to add a permission on the file for this user.
There is another problem.
2014-10-23 17:21 GMT+02:00 Zoddo <zoddo.ino at gmail.com>:
> But a Windows machine is able to get account name on existing permissions.
> There must be an solution. It's impossible for me to create accounts on the
> clients machines.
>
> 2014-10-22 16:12 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>
>> On 22/10/14 15:01, Zoddo wrote:
>>
>>> I don't want to add an ACL on an unknown user from samba but add an ACL
>>> on a user that exist in the samba database but unknown by the client
>>> machine.
>>>
>> OK, I should also have said that if you try to user a samba user that is
>> unknown to windows, this will also fail because the user MUST be known
>> everywhere.
>>
>>
>>> The clients machines weren't in a domain.
>>>
>> Yes I know, I said that you were using a workgroup, they are terrible
>> things, when you want to add a user, you have to log into every machine in
>> the workgroup that they are to be created or will connect to and add the
>> user.
>>
>> Rowland
>>
>>>
>>> 2014-10-22 15:54 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com
>>> <mailto:rowlandpenny at googlemail.com>>:
>>>
>>> On 22/10/14 14:34, Zoddo wrote:
>>>
>>> Yes, the user exist in //etc/passwd/ and in the samba database
>>> with the same password.
>>> The user doesn't exist on the windows machine. I just want add
>>> a permission on directories/files for an another user that
>>> exist in the unix/samba database.
>>>
>>>
>>> You are running a workgroup and if you attempt to connect to a
>>> samba share, you will probably be asked who to connect as, at this
>>> point, you can use a username & password of a user that samba
>>> knows and you should be connected as the samba user. If you now
>>> try to change the ACL's of a file on the share from windows and
>>> try to use a windows user that is unknown to samba, this will fail
>>> because, to samba, it is an unknown user.
>>>
>>> Rowland
>>>
>>> 2014-10-22 15:15 GMT+02:00 Rowland Penny
>>> <rowlandpenny at googlemail.com
>>> <mailto:rowlandpenny at googlemail.com>
>>> <mailto:rowlandpenny at googlemail.com
>>> <mailto:rowlandpenny at googlemail.com>>>:
>>>
>>> On 22/10/14 13:47, Zoddo wrote:
>>>
>>> up !
>>>
>>> 2014-10-20 23:19 GMT+02:00 Zoddo <zoddo.ino at gmail.com
>>> <mailto:zoddo.ino at gmail.com>
>>> <mailto:zoddo.ino at gmail.com
>>> <mailto:zoddo.ino at gmail.com>> <mailto:zoddo.ino at gmail.com
>>> <mailto:zoddo.ino at gmail.com>
>>> <mailto:zoddo.ino at gmail.com
>>> <mailto:zoddo.ino at gmail.com>>>>:
>>>
>>> Yes, it's this !
>>>
>>> 2014-10-20 23:17 GMT+02:00 Rowland Penny
>>> <rowlandpenny at googlemail.com
>>> <mailto:rowlandpenny at googlemail.com>
>>> <mailto:rowlandpenny at googlemail.com
>>> <mailto:rowlandpenny at googlemail.com>>
>>> <mailto:rowlandpenny at googlemail.com
>>> <mailto:rowlandpenny at googlemail.com>
>>> <mailto:rowlandpenny at googlemail.com
>>> <mailto:rowlandpenny at googlemail.com>>>>:
>>>
>>> On 20/10/14 22:11, Zoddo wrote:
>>>
>>> Yes, the users is UNIX accounts "imported" in
>>> samba via
>>> /smbpasswd/.
>>>
>>> Windows machines are in the same workgroup.
>>>
>>> 2014-10-20 22:56 GMT+02:00 Rowland Penny
>>> <rowlandpenny at googlemail.com
>>> <mailto:rowlandpenny at googlemail.com>
>>> <mailto:rowlandpenny at googlemail.com
>>> <mailto:rowlandpenny at googlemail.com>>
>>> <mailto:rowlandpenny at googlemail.com
>>> <mailto:rowlandpenny at googlemail.com>
>>> <mailto:rowlandpenny at googlemail.com
>>> <mailto:rowlandpenny at googlemail.com>>>
>>> <mailto:rowlandpenny at googlemail.com
>>> <mailto:rowlandpenny at googlemail.com>
>>> <mailto:rowlandpenny at googlemail.com
>>> <mailto:rowlandpenny at googlemail.com>>
>>> <mailto:rowlandpenny at googlemail.com
>>> <mailto:rowlandpenny at googlemail.com>
>>> <mailto:rowlandpenny at googlemail.com
>>> <mailto:rowlandpenny at googlemail.com>>>>>:
>>>
>>>
>>> On 20/10/14 21:43, Zoddo wrote:
>>>
>>> Samba has been installed via Debian
>>> repositories
>>> (apt-get).
>>>
>>> Here is my /smb.conf/ :
>>>
>>>
>>> #
>>> # Sample configuration file
>>> for the Samba
>>> suite for Debian
>>> GNU/Linux.
>>> #
>>> #
>>> # This is the main Samba
>>> configuration
>>> file.
>>> You should
>>> read the
>>> # smb.conf(5) manual page in
>>> order to
>>> understand the
>>> options listed
>>> # here. Samba has a huge number
>>> of
>>> configurable options
>>> most of which
>>> # are not shown in this example
>>> #
>>> # Some options that are often
>>> worth tuning
>>> have been
>>> included as
>>> # commented-out examples in
>>> this file.
>>> # - When such options are
>>> commented
>>> with ";", the
>>> proposed setting
>>> # differs from the default
>>> Samba
>>> behaviour
>>> # - When commented with "#",
>>> the proposed
>>> setting is the
>>> default
>>> # behaviour of Samba but
>>> the option is
>>> considered important
>>> # enough to be mentioned here
>>> #
>>> # NOTE: Whenever you modify
>>> this file you
>>> should run the
>>> command
>>> # "testparm" to check that you
>>> have
>>> not made
>>> any basic
>>> syntactic
>>> # errors.
>>> # A well-established practice
>>> is to
>>> name the
>>> original file
>>> # "smb.conf.master" and create
>>> the "real"
>>> config file with
>>> # testparm -s smb.conf.master
>>> >smb.conf
>>> # This minimizes the size of the
>>> really used
>>> smb.conf file
>>> # which, according to the
>>> Samba Team,
>>> impacts
>>> performance
>>> # However, use this with
>>> caution if your
>>> smb.conf file
>>> contains nested
>>> # "include" statements. See
>>> Debian bug
>>> #483187
>>> for a case
>>> # where using a master file is
>>> not a
>>> good idea.
>>> #
>>> #=======================
>>> Global Settings
>>> =======================
>>> [global]
>>> username map =
>>> /etc/samba/samba_usermapping
>>> ## Browsing/Identification ###
>>> # Change this to the
>>> workgroup/NT-domain name
>>> your Samba
>>> server
>>> will part of
>>> workgroup = WORKGROUP
>>> # server string is the
>>> equivalent of
>>> the NT
>>> Description field
>>> server string = %h server
>>> # Windows Internet Name Serving
>>> Support Section:
>>> # WINS Support - Tells the NMBD
>>> component of
>>> Samba to
>>> enable its
>>> WINS Server
>>> # wins support = no
>>> # WINS Server - Tells the NMBD
>>> components of
>>> Samba to be a
>>> WINS Client
>>> # Note: Samba can be either a
>>> WINS
>>> Server, or
>>> a WINS
>>> Client, but
>>> NOT both
>>> ; wins server = w.x.y.z
>>> # This will prevent nmbd to
>>> search for
>>> NetBIOS
>>> names
>>> through DNS.
>>> dns proxy = no
>>> # What naming service and in what
>>> order should
>>> we use to
>>> resolve
>>> host names
>>> # to IP addresses
>>> ; name resolve order =
>>> lmhosts host
>>> wins bcast
>>> #### Networking ####
>>> # The specific set of interfaces
>>> /
>>> networks to
>>> bind to
>>> # This can be either the
>>> interface
>>> name or an IP
>>> address/netmask;
>>> # interface names are normally
>>> preferred
>>> ; interfaces = 127.0.0.0/8
>>> <http://127.0.0.0/8>
>>> <http://127.0.0.0/8>
>>> <http://127.0.0.0/8> <http://127.0.0.0/8>
>>> <http://127.0.0.0/8> eth0
>>>
>>> # Only bind to the named
>>> interfaces and/or
>>> networks; you
>>> must use the
>>> # 'interfaces' option above to
>>> use this.
>>> # It is recommended that you
>>> enable this
>>> feature if your Samba
>>> machine is
>>> # not protected by a firewall
>>> or is a
>>> firewall
>>> itself. However, this
>>> # option cannot handle dynamic or
>>> non-broadcast interfaces
>>> correctly.
>>> ; bind interfaces only = yes
>>>
>>>
>>> #### Debugging/Accounting ####
>>> # This tells Samba to use a
>>> separate
>>> log file
>>> for each machine
>>> # that connects
>>> log file =
>>> /var/log/samba/log.%m
>>> # Cap the size of the
>>> individual log
>>> files (in
>>> KiB).
>>> max log size = 1000
>>> # If you want Samba to only log
>>> through syslog
>>> then set
>>> the following
>>> # parameter to 'yes'.
>>> # syslog only = no
>>> # We want Samba to log a
>>> minimum amount of
>>> information to
>>> syslog.
>>> Everything
>>> # should go to
>>> /var/log/samba/log.{smbd,nmbd}
>>> instead. If
>>> you want
>>> to log
>>> # through syslog you should
>>> set the
>>> following
>>> parameter to
>>> something higher.
>>> syslog = 0
>>> # Do something sensible when
>>> Samba
>>> crashes:
>>> mail the admin
>>> a backtrace
>>> panic action =
>>> /usr/share/samba/panic-action %d
>>>
>>> ####### Authentication #######
>>> # "security = user" is always
>>> a good idea.
>>> This will require a
>>> Unix account
>>> # in this server for every user
>>> accessing the
>>> server. See
>>> #
>>> /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/
>>> ServerType.html
>>> # in the samba-doc package for
>>> details.
>>> # security = user
>>> # You may wish to use password
>>> encryption. See the section on
>>> # 'encrypt passwords' in the
>>> smb.conf(5)
>>> manpage before
>>> enabling.
>>> encrypt passwords = true
>>> # If you are using encrypted
>>> passwords, Samba
>>> will need to
>>> know what
>>> # password database type you
>>> are using.
>>> passdb backend = tdbsam
>>> obey pam restrictions = yes
>>> # This boolean parameter
>>> controls whether
>>> Samba attempts
>>> to sync
>>> the Unix
>>> # password with the SMB
>>> password when the
>>> encrypted SMB
>>> password
>>> in the
>>> # passdb is changed.
>>> unix password sync = yes
>>> # For Unix password sync to
>>> work on a
>>> Debian
>>> GNU/Linux
>>> system, the
>>> following
>>> # parameters must be set
>>> (thanks to
>>> Ian Kahan
>>> <<kahan at informatik.tu-
>>> muenchen.de
>>> <mailto:kahan at informatik.tu-muenchen.de>
>>> <mailto:kahan at informatik.tu-muenchen.de
>>> <mailto:kahan at informatik.tu-muenchen.de>>
>>> <mailto:kahan at informatik.tu-muenchen.de
>>> <mailto:kahan at informatik.tu-muenchen.de>
>>> <mailto:kahan at informatik.tu-muenchen.de
>>> <mailto:kahan at informatik.tu-muenchen.de>>>
>>> <mailto:kahan at informatik.tu-
>>> muenchen.de
>>> <mailto:kahan at informatik.tu-muenchen.de>
>>> <mailto:kahan at informatik.tu-muenchen.de
>>> <mailto:kahan at informatik.tu-muenchen.de>>
>>> <mailto:kahan at informatik.tu-muenchen.de
>>> <mailto:kahan at informatik.tu-muenchen.de>
>>> <mailto:kahan at informatik.tu-muenchen.de
>>> <mailto:kahan at informatik.tu-muenchen.de>>>>
>>> <mailto:
>>> kahan at informatik.tu-muenchen.de
>>> <mailto:kahan at informatik.tu-muenchen.de>
>>> <mailto:kahan at informatik.tu-muenchen.de
>>> <mailto:kahan at informatik.tu-muenchen.de>>
>>> <mailto:kahan at informatik.tu-muenchen.de
>>> <mailto:kahan at informatik.tu-muenchen.de>
>>> <mailto:kahan at informatik.tu-muenchen.de
>>> <mailto:kahan at informatik.tu-muenchen.de>>>
>>>
>>> <mailto:kahan at informatik.tu-
>>> muenchen.de
>>> <mailto:kahan at informatik.tu-muenchen.de>
>>> <mailto:kahan at informatik.tu-muenchen.de
>>> <mailto:kahan at informatik.tu-muenchen.de>>
>>> <mailto:kahan at informatik.tu-muenchen.de
>>> <mailto:kahan at informatik.tu-muenchen.de>
>>> <mailto:kahan at informatik.tu-muenchen.de
>>> <mailto:kahan at informatik.tu-muenchen.de>>>>>> for
>>>
>>> # sending the correct chat
>>> script for the
>>> passwd program
>>> in Debian
>>> Sarge).
>>> passwd program =
>>> /usr/bin/passwd %u
>>> passwd chat =
>>> *Enter\snew\s*\spassword:* %n\n
>>> *Retype\snew\s*\spassword:* %n\n
>>> *password\supdated\ssuccessfully* .
>>> # This boolean controls
>>> whether PAM
>>> will be
>>> used for
>>> password changes
>>> # when requested by an SMB client
>>> instead of
>>> the program
>>> listed in
>>> # 'passwd program'. The
>>> default is 'no'.
>>> pam password change = yes
>>> # This option controls how
>>> unsuccessful
>>> authentication
>>> attempts
>>> are mapped
>>> # to anonymous connections
>>> map to guest = bad user
>>> ########## Domains ###########
>>> # Is this machine able to
>>> authenticate
>>> users.
>>> Both PDC and BDC
>>> # must have this setting
>>> enabled. If
>>> you are
>>> the BDC you must
>>> # change the 'domain master'
>>> setting to no
>>> #
>>> ; domain logons = yes
>>> #
>>> # The following setting only
>>> takes
>>> effect if
>>> 'domain
>>> logons' is set
>>> # It specifies the location of
>>> the user's
>>> profile directory
>>> # from the client point of view)
>>> # The following required a
>>> [profiles]
>>> share to
>>> be setup on the
>>> # samba server (see below)
>>> ; logon path = \\%N\profiles\%U
>>> # Another common choice is
>>> storing the
>>> profile
>>> in the
>>> user's home
>>> directory
>>> # (this is Samba's default)
>>> # logon path = \\%N\%U\profile
>>> # The following setting only
>>> takes
>>> effect if
>>> 'domain
>>> logons' is set
>>> # It specifies the location of a
>>> user's home
>>> directory
>>> (from the
>>> client
>>> # point of view)
>>> ; logon drive = H:
>>> # logon home = \\%N\%U
>>> # The following setting only
>>> takes
>>> effect if
>>> 'domain
>>> logons' is set
>>> # It specifies the script to run
>>> during logon.
>>> The script
>>> must be
>>> stored
>>> # in the [netlogon] share
>>> # NOTE: Must be store in 'DOS'
>>> file format
>>> convention
>>> ; logon script = logon.cmd
>>> # This allows Unix users to be
>>> created
>>> on the
>>> domain
>>> controller
>>> via the SAMR
>>> # RPC pipe. The example
>>> command creates a
>>> user account with a
>>> disabled Unix
>>> # password; please adapt to
>>> your needs
>>> ; add user script =
>>> /usr/sbin/adduser
>>> --quiet
>>> --disabled-password
>>> --gecos "" %u
>>> # This allows machine accounts
>>> to be
>>> created
>>> on the domain
>>> controller via the
>>> # SAMR RPC pipe.
>>> # The following assumes a
>>> "machines" group
>>> exists on the
>>> system
>>> ; add machine script =
>>> /usr/sbin/useradd -g
>>> machines -c "%u
>>> machine account" -d
>>> /var/lib/samba -s
>>> /bin/false %u
>>> # This allows Unix groups to be
>>> created on the
>>> domain
>>> controller
>>> via the SAMR
>>> # RPC pipe.
>>> ; add group script =
>>> /usr/sbin/addgroup
>>> --force-badname %g
>>> ########## Printing ##########
>>> # If you want to automatically
>>> load your
>>> printer list rather
>>> # than setting them up
>>> individually then
>>> you'll need this
>>> # load printers = yes
>>> # lpr(ng) printing. You may
>>> wish to
>>> override
>>> the location
>>> of the
>>> # printcap file
>>> ; printing = bsd
>>> ; printcap name = /etc/printcap
>>> # CUPS printing. See also the
>>> cupsaddsmb(8)
>>> manpage in the
>>> # cupsys-client package.
>>> ; printing = cups
>>> ; printcap name = cups
>>> ############ Misc ############
>>> # Using the following line
>>> enables you to
>>> customise your
>>> configuration
>>> # on a per machine basis. The
>>> %m gets
>>> replaced
>>> with the
>>> netbios name
>>> # of the machine that is
>>> connecting
>>> ; include =
>>> /home/samba/etc/smb.conf.%m
>>> # Most people will find that this
>>> option gives
>>> better
>>> performance.
>>> # See smb.conf(5) and
>>> /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/speed.
>>> html
>>> # for details
>>> # You may want to add the
>>> following on
>>> a Linux
>>> system:
>>> # SO_RCVBUF=8192 SO_SNDBUF=8192
>>> # socket options = TCP_NODELAY
>>> # The following parameter is
>>> useful
>>> only if
>>> you have the
>>> linpopup
>>> package
>>> # installed. The samba
>>> maintainer and
>>> the linpopup
>>> maintainer are
>>> # working to ease installation
>>> and
>>> configuration of
>>> linpopup and
>>> samba.
>>> ; message command = /bin/sh -c
>>> '/usr/bin/linpopup "%f"
>>> "%m" %s;
>>> rm %s' &
>>> # Domain Master specifies
>>> Samba to be the
>>> Domain Master
>>> Browser.
>>> If this
>>> # machine will be configured
>>> as a BDC (a
>>> secondary logon
>>> server), you
>>> # must set this to 'no';
>>> otherwise, the
>>> default behavior is
>>> recommended.
>>> # domain master = auto
>>> # Some defaults for winbind
>>> (make sure
>>> you're
>>> not using
>>> the ranges
>>> # for something else.)
>>> ; idmap uid = 10000-20000
>>> ; idmap gid = 10000-20000
>>> ; template shell = /bin/bash
>>> # The following was the default
>>> behaviour in
>>> sarge,
>>> # but samba upstream reverted
>>> the default
>>> because it might
>>> induce
>>> # performance issues in large
>>> organizations.
>>> # See Debian bug #368251 for
>>> some of the
>>> consequences of *not*
>>> # having this setting and
>>> smb.conf(5)
>>> for details.
>>> ; winbind enum groups = yes
>>> ; winbind enum users = yes
>>> # Setup usershare options to
>>> enable
>>> non-root
>>> users to
>>> share folders
>>> # with the net usershare command.
>>> # Maximum number of usershare.
>>> 0 (default)
>>> means that
>>> usershare is
>>> disabled.
>>> ; usershare max shares = 100
>>> # Allow users who've been granted
>>> usershare
>>> privileges to
>>> create
>>> # public shares, not just
>>> authenticated ones
>>> usershare allow guests = yes
>>> #======================= Share
>>> Definitions
>>> =======================
>>> [homes]
>>> comment = Home Directories
>>> browseable = no
>>> # By default, the home
>>> directories are
>>> exported read-only.
>>> Change the
>>> # next parameter to 'no' if
>>> you want to be
>>> able to write
>>> to them.
>>> read only = yes
>>> # File creation mask is set to
>>> 0700 for
>>> security reasons.
>>> If you
>>> want to
>>> # create files with group=rw
>>> permissions, set next
>>> parameter to 0775.
>>> create mask = 0700
>>> # Directory creation mask is
>>> set to
>>> 0700 for
>>> security
>>> reasons. If
>>> you want to
>>> # create dirs. with group=rw
>>> permissions, set next
>>> parameter to 0775.
>>> directory mask = 0700
>>> # By default,
>>> \\server\username shares
>>> can be
>>> connected to
>>> by anyone
>>> # with access to the samba
>>> server.
>>> # The following parameter
>>> makes sure
>>> that only
>>> "username"
>>> can connect
>>> # to \\server\username
>>> # This might need tweaking
>>> when using
>>> external
>>> authentication schemes
>>> valid users = %S
>>> # Un-comment the following and
>>> create
>>> the netlogon
>>> directory for
>>> Domain Logons
>>> # (you need to configure Samba
>>> to act
>>> as a domain
>>> controller too.)
>>> ;[netlogon]
>>> ; comment = Network Logon
>>> Service
>>> ; path = /home/samba/netlogon
>>> ; guest ok = yes
>>> ; read only = yes
>>> # Un-comment the following and
>>> create
>>> the profiles
>>> directory to store
>>> # users profiles (see the
>>> "logon path"
>>> option
>>> above)
>>> # (you need to configure Samba
>>> to act
>>> as a domain
>>> controller too.)
>>> # The path below should be
>>> writable by all
>>> users so that their
>>> # profile directory may be
>>> created the
>>> first
>>> time they log on
>>> ;[profiles]
>>> ; comment = Users profiles
>>> ; path = /home/samba/profiles
>>> ; guest ok = no
>>> ; browseable = no
>>> ; create mask = 0600
>>> ; directory mask = 0700
>>> [printers]
>>> comment = All Printers
>>> browseable = no
>>> path = /var/spool/samba
>>> printable = yes
>>> guest ok = no
>>> read only = yes
>>> create mask = 0700
>>> # Windows clients look for
>>> this share
>>> name as
>>> a source of
>>> downloadable
>>> # printer drivers
>>> [print$]
>>> comment = Printer Drivers
>>> path = /var/lib/samba/printers
>>> browseable = yes
>>> read only = yes
>>> guest ok = no
>>> # Uncomment to allow remote
>>> administration of
>>> Windows
>>> print drivers.
>>> # You may need to replace
>>> 'lpadmin'
>>> with the
>>> name of the
>>> group your
>>> # admin users are members of.
>>> # Please note that you also
>>> need to set
>>> appropriate Unix
>>> permissions
>>> # to the drivers directory for
>>> these
>>> users to
>>> have write
>>> rights in it
>>> ; write list = root, @lpadmin
>>> # A sample share for sharing your
>>> CD-ROM with
>>> others.
>>> ;[cdrom]
>>> ; comment = Samba server's
>>> CD-ROM
>>> ; read only = yes
>>> ; locking = no
>>> ; path = /cdrom
>>> ; guest ok = yes
>>> # The next two parameters show
>>> how to
>>> auto-mount a CD-ROM
>>> when the
>>> #cdrom share is accesed. For
>>> this to work
>>> /etc/fstab must
>>> contain
>>> #an entry like this:
>>> #
>>> # /dev/scd0 /cdrom iso9660
>>> defaults,noauto,ro,user 0 0
>>> #
>>> # The CD-ROM gets unmounted
>>> automatically
>>> after the
>>> connection to the
>>> #
>>> # If you don't want to use
>>> auto-mounting/unmounting make
>>> sure the CD
>>> #is mounted on /cdrom
>>> #
>>> ; preexec = /bin/mount /cdrom
>>> ; postexec = /bin/umount /cdrom
>>>
>>> [data]
>>> writeable = yes
>>> path = /data
>>>
>>>
>>>
>>> 2014-10-20 22:26 GMT+02:00 Rowland
>>
>>
>
More information about the samba
mailing list