Michael Gasch
2003-Dec-04 12:23 UTC
Réf. : Re: Réf. : Re: [Samba] SAMBA Groups and Permissions
damn.... now everything works
samba recognises user "test_user" in group "users" AND "kids".... i dunno why ?!?!!?
i did nothing, i just removed "valid users" from this share and reloaded smb-conf...nothing special !
if i could reproduce it, it would be better than seeing it working now and not knowing why....

but thx very much for your patience

greez

stephane.purnelle@corman.be wrote:
> what samba log says ?
>
> -----------------------------------
> Stéphane PURNELLE stephane.purnelle@corman.be
> Service Informatique Corman S.A. Tel : 00 32 087/342467
>
> Michael Gasch <gasch@eva.mpg.de>
> Sent by : samba-bounces+stephane.purnelle=corman.be@lists.samba.org
> To : samba@lists.samba.org
> cc :
> Subject : Re: Réf. : Re: [Samba] SAMBA Groups and Permissions
> 04/12/2003 12:34
>
> > Samba is compiled with acl support option ?
> yes it is, i can e.g. set ACL's in windows clients on samba shares
> but i think, that's not the fact
> permissions are checked not via samba!
> samba just asks the FS/posix-side, if it can access "share" with uid/gid xxx
>
> greez
>
> stephane.purnelle@corman.be wrote:
>>Samba is compiled with acl support option ?
>>
>>./configure --with-acl-support
>>
>>-----------------------------------
>>Stéphane PURNELLE stephane.purnelle@corman.be
>>Service Informatique Corman S.A. Tel : 00 32 087/342467
>>
>>Michael Gasch <gasch@eva.mpg.de>
>>Sent by : samba-bounces+stephane.purnelle=corman.be@lists.samba.org
>>To : samba@lists.samba.org
>>cc :
>>Subject : Re: [Samba] SAMBA Groups and Permissions
>>04/12/2003 12:21
>>
>>hi,
>>
>>sorry, if i was too imprecise...
>>
>>of course i'm working with acl's - otherwise i could hardly define those
>>fine granulated rules
>>
>>this is, what getfacl on /home/board gives:
>>
>>~# getfacl /home/board
>>
>># file: home/board
>># owner: root
>># group: root
>>user::rwx
>>group::r-x
>>group:kids:r-x
>>mask::r-x
>>other::---
>>default:user::rwx
>>default:group::r-x
>>default:group:kids:r-x
>>default:mask::r-x
>>default:other::---
>>
>>for some reasons, i don't want to work with "valid users" parameter,
>>especially while working with scripts
>>so this solution doesn't meet my expectations (as i already mentioned)
>>
>>the problem is on the samba-side
>>on unix-side the user "test_user" has access on /home/board, cause he's
>>in group "kids", too
>>
>>but samba just recognised group "users" for "test_user" because
>>sambaPrimaryGroupSID maps to -> "users"
>>so samba establishes a connection as user "testuser" / group "users",
>>which fails because of my restrictive acl :/
>>
>>so: is "valid users" my only chance?
>>
>>no way of adding more GroupSIDs for samba-users in LDAP, that samba
>>recognises, that user "test_user" is in more than one group ?
>>
>>i mean: unix-side sees this...
>>
>>~# id test_user
>>uid=596(test_user) gid=500(users) groups=500(users),522(kids)
>>
>>thx for your help!!!
>>
>>greez
>>
>>stephane.purnelle@corman.be wrote:
>>>I confirm what Malte Müller says.
>>>If you want to set multiple group access, you must use ACL.
>>>the valid user parameter in smb.conf force the right of directory but the
>>>unix right is only for group user.
>>>
>>>-----------------------------------
>>>Stéphane PURNELLE stephane.purnelle@corman.be
>>>Service Informatique Corman S.A. Tel : 00 32 087/342467
>>>
>>>mamue@lb-bbs1.emd.ni.schule.de
>>>Sent by : samba-bounces+stephane.purnelle=corman.be@lists.samba.org
>>>To : "Michael Gasch" <gasch@eva.mpg.de>
>>>cc : samba@lists.samba.org
>>>Subject : Re: [Samba] SAMBA Groups and Permissions
>>>04/12/2003 11:41
>>>
>>>I am not sure if i got you right. You do not tell us the access rights of
>>>the directory concerned.
>>>If your primary unix group is user and your dir. has:
>>>drwx---rwx root user board
>>>they forbid your access. then you are not allowed to access, because group
>>>rights match first and If you weren't user but world, then you would be
>>>allowed. This has nothing to do with samba.
>>>You might want to change the group to nogroup and work with acls (if ext3,
>>>XFS and alike). Or if you have plenty of CPU-cycles to waste you might
>>>work with "valid users" in smb.conf.
>>>But i'm not a security or filesystem-expert and may be completely wrong.
>>>
>>>Kind regards,
>>>Malte Müller
>>>
>>>>hi
>>>>
>>>>i have a user
>>>>
>>>>~# id test_user
>>>>uid=500,gid=500 (users),groups (users,kids)
>>>>
>>>>as you can see, this user is in primary group "users" and also member of
>>>>group "kids"
>>>>
>>>>if he tries to access /home/board via smb (Samba 3.0 + openldap) from a
>>>>windows client (XP), he fails, because his
>>>>
>>>>sambaPrimaryGroupSID maps to -> "users"
>>>>
>>>>and /home/board is not accessible for group "users" - just for "kids"
>>>>if i add
>>>>
>>>>valid users = @kids
>>>>
>>>>to /home/board - share, access is granted
>>>>
>>>>isn't it possible in samba, that the user "test_user" gets an attribute
>>>>like
>>>>
>>>>sambaSecondaryGroup in ldap ????
>>>>
>>>>so that samba knows: "this user is in group users AND kids, so i have to
>>>>try connections to share /home/board as group users AND kids" ???
>>>>
>>>>if i login locally to the samba PDC with a console as "test_user",
>>>>access to /home/board is granted, 'cause i'm member of "kids"
>>>>
>>>>so there's no permission problem
>>>>
>>>>please help me !!!
>>>>
>>>>greez
>>>>
>>>>--
>>>>To unsubscribe from this list go to the following URL and read the
>>>>instructions: http://lists.samba.org/mailman/listinfo/samba
>
> --
>
> "Matrix - more than a vision"
>
> **************************************************
> Michael Gasch
> Max Planck Institute for Evolutionary Anthropology
> Deutscher Platz 6
> 04103 Leipzig
>
> Germany
> **************************************************
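Added example, not part of the original messages: the outcome discussed in this thread depends on which groups the connecting process carries, so this sketch parses the getfacl output quoted above and applies the acl(5) access-check order to test_user with only the primary group and with the supplementary group "kids". The function names are illustrative, and users and groups are compared by name rather than by uid/gid.

```python
# Constructed sample: access entries from the getfacl output quoted in the thread.
GETFACL_BOARD = """\
# file: home/board
# owner: root
# group: root
user::rwx
group::r-x
group:kids:r-x
mask::r-x
other::---
default:group:kids:r-x
"""

def parse_getfacl(text):
    """Return (owner, owning_group, entries) with entries as (tag, qualifier, perms)."""
    owner = group = None
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):  # access ACL only
            tag, qualifier, perms = line.split(":")[:3]
            entries.append((tag, qualifier, set(perms[:3]) - {"-"}))
    return owner, group, entries

def check_access(acl, user, groups, want):
    """acl(5) order: owner, named user, any matching group, then other."""
    owner, owning_group, entries = acl
    want = set(want)
    mask = next((p for t, _, p in entries if t == "mask"), set("rwx"))
    def perms_of(tag, qual):
        return [p for t, q, p in entries if t == tag and q == qual]
    if user == owner:
        return want <= perms_of("user", "")[0]
    if perms_of("user", user):
        return want <= (perms_of("user", user)[0] & mask)
    matched = perms_of("group", "") if owning_group in groups else []
    matched += [p for t, q, p in entries if t == "group" and q and q in groups]
    if matched:  # a matching group entry decides; "other" is not consulted
        return any(want <= (p & mask) for p in matched)
    return want <= perms_of("other", "")[0]

if __name__ == "__main__":
    acl = parse_getfacl(GETFACL_BOARD)
    for groups in ({"users"}, {"users", "kids"}):  # primary only vs. with "kids"
        print(sorted(groups), "r-x:", check_access(acl, "test_user", groups, "rx"))
```

Comparing the result for the group set reported by `id test_user` with the result for the primary group alone shows whether a denial comes from the ACL itself or from the group list the server process was given.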