Douglas Phillipson
2003-Oct-22 14:57 UTC
[Samba] ACL's vs Share definitions (Trying again)
I have the Win2000 client(s) in a Samba domain. Domain authentication works fine, my "homes" share works fine, remote profiles work fine. Using 3.0.1Pre1 I would like to add people to "someshare" through the Security tab, and control their access through windows ACL's. How should I set up a share as a basis for doing this?

The share below (someshare) in this email doesn't work. Although I get no error when adding another user to the share through the security tab in windows, and the ACL's on the Linux side get added, the newly added user, added via "Properties->Security", does not have permission to write to the share. Do the "read list", "write list" and other similar parameters take precedence over an ACL set through windows? If the share definition overrides all the ACL's, what good are ACL's? Am I not using them properly? How should I set up a share with minimal rights so an administrator can grant users access to the share, through Windows ACL's?

Does winbind offer any advantages to me if no other DC's are involved? I have one samba 3.0.1 DC with several win2000 PC's as a testbed. I'm trying to really scope out what ACL's do for me. I've read the section on Winbind; according to the "Target Uses" section, winbind would be good for adding Linux machines to an existing NT network. I will have no existing NT machines or Domains, so what does winbind offer me and do I need to run it anyway?

On my NT4 box we grant access to printers through the Security tab on the printer, adding the user to the printer. Is this possible with ACL's as they exist now with Samba and the ACL patch? If so, how would you add a printer as a domain resource to do this, again through windows? Or does it have to be added (if it can be added) on the Linux side? If on the Linux side, how do you add/create a domain printer? Is the printer in the domain simply by being in the smb.conf file? I don't see my printer as a resource, domain or other, to choose from in the security tab from within windows.

I did read the April 21 2003 version of the howto and these things were not clear to me. After I figure them out I would be happy to give you some verbiage if you would care to have it.

Thanks again Samba folks

Doug P

(Previous reference below)

I'm really struggling with ACL's and permissions. I have a share owned by a user (douglas). Douglas can read, write and create to the share:

    [someshare]
    comment = Public Stuff
    path = /home/samba/pub
    nt acl support = yes
    public = yes
    admin users = douglas
    write list = douglas

I'm logged in to Win2000 as douglas. Through the security tab on Win2000 I add read and write permission to the top level share called public (but it's not really public) for "terry". I see terry in the list and everything seems to go OK in setting it. Then I log off and login as terry. Terry has no write access to the share. What takes precedence? The share definition in smb.conf or settings through the security tab in windows, which should be the ACL's? Does adding a user through the security tab effectively add another user to the "write list"? If so, it isn't. What am I doing wrong?

Here are the Linux permissions:

    ls -ld /home/samba/pub
    drwxrwxrwt 3 douglas douglas 4096 2003-10-20 22:18 /home/samba/pub

Here are the ACL's from Linux:

    getfacl -R --skip-base /home/samba/pub
    getfacl: Removing leading '/' from absolute path names
    # file: home/samba/pub
    # owner: douglas
    # group: douglas
    user::rwx
    user:terry:rwx
    group::r-x
    mask::rwx
    other::rwx
    default:user::rwx
    default:user:terry:rwx   <<<<< Shouldn't terry have rwx access according to this?
    default:group::---
    default:mask::rwx
    default:other::---
Hi Doug,

I'm having the same issue. We have a test environment set up with RedHat 9, Windows 2003 Enterprise Edition and one test workstation (XP Pro). We have the Kerberos / Winbind part working fine, we can log into the Linux box with AD Creds and can browse the Windows Network and read the shares on the samba server. We can't set permissions as described in the how-to or in any of the other docs I can find.

Can anyone help?!

Thanks in advance,
Johan
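
The two layers the thread asks about, checked side by side in an added example that is not part of the original posts: the POSIX ACL from the quoted getfacl dump and the share-level gate from the quoted share definition. It assumes Samba's documented share defaults (`read only = yes`, with `write list` overriding it per user) and plain user names in `write list`; the function names are hypothetical.

```python
import re

# Constructed from the share definition and getfacl dump quoted in the thread.
SHARE = """[someshare]
path = /home/samba/pub
write list = douglas"""
GETFACL = """# owner: douglas
# group: douglas
user::rwx
user:terry:rwx
group::r-x
mask::rwx
other::rwx
default:user:terry:rwx"""

def parse_share(text):
    """Return smb.conf 'key = value' pairs with normalised lower-case keys."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l)
    return {" ".join(k.split()).lower(): v.strip() for k, v in pairs}

def share_allows_write(opts, user):
    """Share-level gate: 'read only' defaults to yes; 'write list' overrides it."""
    read_only = opts.get("read only", "yes").lower() in ("yes", "true", "1")
    # Assumption: write list holds plain user names (no @group entries).
    return user in re.split(r"[,\s]+", opts.get("write list", "")) or not read_only

def fs_perms(acl, user, groups=()):
    """POSIX ACL lookup order: owner, named user, groups, other (mask applied)."""
    hdr = dict(re.findall(r"^# (owner|group): (\S+)", acl, re.M))
    # ^ anchors at line start, so 'default:' entries are ignored for access checks.
    ents = [(t, q, set(p[:3]) - {"-"}) for t, q, p in
            re.findall(r"^(user|group|mask|other):([^:\n]*):(\S+)", acl, re.M)]
    find = lambda tag, qual="": next((p for t, q, p in ents if (t, q) == (tag, qual)), None)
    mask = find("mask")
    masked = lambda p: p if mask is None else p & mask
    if user == hdr["owner"]:
        return find("user")
    if find("user", user) is not None:
        return masked(find("user", user))
    hits = [p for t, q, p in ents if t == "group" and (q or hdr["group"]) in groups]
    return masked(set().union(*hits)) if hits else find("other")

def can_write(user, share=SHARE, acl=GETFACL, groups=()):
    """SMB write needs both layers: the share definition and the filesystem ACL."""
    return share_allows_write(parse_share(share), user) and "w" in fs_perms(acl, user, groups)

if __name__ == "__main__":
    for who in ("douglas", "terry"):
        print(who, "ACL:", "".join(sorted(fs_perms(GETFACL, who))), "SMB write:", can_write(who))
    print("terry with 'read only = no':", can_write("terry", SHARE + "\nread only = no"))
```

With the quoted definition the ACL grants terry rwx but the share-level check still denies the write, which matches the symptom reported above.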