[Samba] ACL SHARE

Carlos A. P. Cunha carlos.hollow at gmail.com
Tue Jun 27 16:03:33 UTC 2017


Hello
You're right. Configurations are correct, there is no middle ground :-D
But if I change these settings, will I not have problems with ID
changes, and soon problems with the users' permissions (since I changed
the IDs)?
Or other problems from changing it?


Regards


On 27-06-2017 12:23, L.P.H. van Belle via samba wrote:
> correct is not much different, but you need a "correct" config.
>   
> now your config is simply wrong. ( sorry )
>   
> This proves it. one question..
>           idmap config * : backend = rid
>           idmap config * : range = 100000-999999
>
> can you write your "rid" to the samba AD.. No.
>         # - must use an read-write-enabled back end, such as tdb.
>
>   
> you need also :
> # idmap config for the SAMDOM domain
> idmap config SAMDOM : backend = rid
> idmap config SAMDOM : range = 10000-999999
>   
> but do remember ...
> For every domain, set these parameters individually. The ID ranges of the * default domain and all other domains configured in the smb.conf file must not overlap.
>   
> Greetz,
>   
> Louis
>   
>
>
> From: Carlos A. P. Cunha [mailto:carlos.hollow at gmail.com]
> Sent: Tuesday 27 June 2017 17:07
> To: L.P.H. van Belle
> Subject: Re: [Samba] ACL SHARE
>
>
>
>
> Hello
> Thank you for your attention.
> My conf is not much different from the documentation, and what's different "I believe" is not my problem.
> As I mentioned the problem only occurs with access via sharing ....
> Regards
>
> On 27-06-2017 11:32, L.P.H. van Belle via samba wrote:
>
>
> Hai Carlos,
>
> I suggest start here :
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting_up_a_Basic_smb.conf_File
>
> Which says..
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use an read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> And you want RID,
> https://wiki.samba.org/index.php/Idmap_config_rid
>
> So fix your smb.conf, restart samba.
> Run : net cache flush
> Test id username
> And try again.
>
> Greetz,
>
> Louis
>
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Carlos A. P. Cunha via samba
> Sent: Tuesday 27 June 2017 16:26
> To: samba at lists.samba.org
> Subject: [Samba] ACL SHARE
>
> Hello
> I have a Debian 8 with samba (Version 4.2.10-Debian) that serves as Fileserver.
>
> My smb.conf
>
> [global]
>     workgroup = XXXXX
>     realm = GRUPO.XXXXX.COM.BR
>     security = ADS
>     idmap config * : backend = rid
>     idmap config * : range = 100000-999999
>     client schannel = no
>     allow trusted domains = yes
>     winbind use default domain = yes
>     winbind refresh tickets = Yes
>     winbind offline logon = no
>     winbind cache time = 360
>     winbind enum users = yes
>     winbind enum groups = yes
>     template shell = /bin/bash
>     template homedir = /home/%U
>     map to guest = bad user
>     guest account = guest
>     guest ok = yes
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = Yes
>
> I have sharing:
>
> [QUALIDADELEITE]
>     path = /home/QUALIDADELEITE
>     browseable = yes
>     writeable = yes
>     printable = no
>     create mask = 0770
>     force directory mode = 0770
>     force create mode = 0770
>     force group = +qualidadeleite
>     valid users = @qualidadeleite
>
> getfacl /home/QUALIDADELEITE
> # file: home/QUALIDADELEITE
> # owner: root
> # group: qualidadeleite
> user::rwx
> group::rwx
> other::---
> default:user::rwx
> default:group::r-x
> default:group:qualidadeleite:rwx
> default:mask::rwx
> default:other::r-x
>
> My doubts inside have an ok.txt file
>
> Getfacl ok.txt
> # File: ok.txt
> # Owner: root
> # Group: root
> User :: rwx
> Group :: r-x #effective: ---
> Group: qualidadeleite: rwx #effective: ---
> Mask :: ---
> Other :: ---
>
> The problem in this way a user of the qualidadeleite group can not do
> anything in the file, even though they have permissions via ACL, this
> only happens on shares.
> Direct on the file System the ACL permission is functional.
> Access to this directory occurs both direct (ssh) and via shares.
> Do you know what it can be?
>
> Regards
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
>
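
The two rules quoted in this thread (the default * domain needs a read-write backend, and no two idmap ranges may overlap) can be checked mechanically before restarting Samba. The script below is an added example, not part of the original messages or of Samba itself; parse_idmap, check_idmap and the sample strings are hypothetical names, and treating autorid as read-write is an assumption.

```python
import re
from itertools import combinations

# Backends able to allocate new IDs. The thread names tdb; autorid is added
# here as an assumption. Not an exhaustive list.
WRITABLE_BACKENDS = {"tdb", "autorid"}
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "range": (low, high)}}."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)  # comment lines (# or ;) never match
        if not m:
            continue
        domain, key, value = m.groups()
        entry = domains.setdefault(domain, {})
        if key.lower() == "range":
            low, high = (int(part) for part in value.split("-"))
            entry["range"] = (low, high)
        else:
            entry["backend"] = value.lower()
    return domains

def check_idmap(conf_text):
    """Return a list of problems with the idmap settings (empty if none)."""
    domains = parse_idmap(conf_text)
    problems = []
    backend = domains.get("*", {}).get("backend")
    if backend not in WRITABLE_BACKENDS:
        problems.append(f"default (*) domain backend {backend!r} is not read-write")
    ranged = sorted((n, d["range"]) for n, d in domains.items() if "range" in d)
    for (n1, (lo1, hi1)), (n2, (lo2, hi2)) in combinations(ranged, 2):
        if lo1 <= hi2 and lo2 <= hi1:
            problems.append(f"ID ranges of {n1} and {n2} overlap")
    return problems

# Constructed inputs: idmap lines as posted, the posted default kept next to
# the suggested SAMDOM lines, and the wiki default with the SAMDOM lines.
POSTED = "idmap config * : backend = rid\nidmap config * : range = 100000-999999\n"
SAMDOM = ("idmap config SAMDOM : backend = rid\n"
          "idmap config SAMDOM : range = 10000-999999\n")
MIXED = POSTED + SAMDOM
FIXED = "idmap config * : backend = tdb\nidmap config * : range = 3000-7999\n" + SAMDOM

if __name__ == "__main__":
    for name, conf in (("POSTED", POSTED), ("MIXED", MIXED), ("FIXED", FIXED)):
        print(name, check_idmap(conf) or "ok")
```

The MIXED case shows why adding the SAMDOM lines alone is not enough: the posted default range 100000-999999 sits inside 10000-999999, so the default domain has to move to its own small range as well.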


