samba - Aug 2005 - Samba, win xp and acls

Hello all,

I'm working and searching for a few days to obtain this result :

* I want to share some directories between differents users and groups 
(windows XP clients) using a minimum but efficient configuration with 
samba and posix acls.
* I would like that users windows configuration stay on locals machines 
(no roaming accounts),
* When registering users and computers on the domain, users must keep 
there configuration,
* I want to manage users and groups using srvtools.exe


I use tdbsam, posix acls work fine and samba (3.0.14a) runs as a PDC.

My problems are :
* On windows (with administrator account), some directories don't have 
the acl (security) panel,
* On other directories, the panel is present but I cannot modify 
permissions,
* Users configurations are never stored locally,
* Creating new users with srvtools not possible,
* How to keep old users windows configuration when entering the domain ?
* No way to find a good tutorial answering my needs...



Here is my configuration :


smb.conf :
------------------------------------------------
[global]
   interfaces = 192.168.1.120/24
   enable privileges = yes
   nt acl support = yes

   security = user

   netbios name = FSERVER
   workgroup = FWSERVER
   passdb backend = tdbsam
   server string = File Server

add user script = /usr/sbin/useradd -m '%u'
add group script = /usr/sbin/groupadd '%g'
add user to group script = /usr/sbin/usermod -G '%g' '%u'
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null '%u'


logon script = scripts\logon.bat
logon path logon drive = H:
domain logons = yes
username map = /etc/samba/smbusers

admin users = root

   socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096

   encrypt passwords = yes
 
   wins support = yes

   os level = 50
   domain master = yes
   local master = yes
   preferred master = yes

   name resolve order = lmhosts host wins bcast

   preserve case = yes
   short preserve case = yes

   unix password sync = yes

  passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n 
*Retype\snew\sUNIX\spassword:* %n\n .

[public]
   writable = yes
   path = /share/public
   public = yes
   create mode = 0777
   directory mask = 0777
   admin users = root
   nt acl support = yes

[technique]
   writable = yes
   path = /share/technique
   public = no
   create mode = 0770
   directory mask = 0770
   valid users= @technique, @admins
   admin users = root
   nt acl support = yes

[stagiaires]
   writable = yes
   path = /share/stagiaires
   public = no
   create mode = 0770
   directory mask = 0770
   valid users= @stagiaires, @admins
   admin users = root
   nt acl support = yes

[secretariat]
   writable = yes
   path = /share/secretariat
   public = no
   create mode = 0770
   directory mask = 0770
   valid users= @secretariat @admins
   admin users = root
   nt acl support = yes

[finances]
   writable = yes
   path = /share/finances
   public = no
   create mode = 0770
   directory mask = 0770
   valid users = @finances @admins
   admin users = root
   nt acl support = yes
-------------------------------------------------------------------


My groupmaps seems to be good :

System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-3171617769-241562045-158900556-512) -> admins
Power Users (S-1-5-32-547) -> -1
Domain Guests (S-1-5-21-3592376627-3846121942-908627037-514) -> -1
Domain Users (S-1-5-21-3592376627-3846121942-908627037-513) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> admins
Domain Users (S-1-5-21-3171617769-241562045-158900556-513) -> ntusers
Account Operators (S-1-5-32-548) -> -1
Secretariat (S-1-5-21-3171617769-241562045-158900556-3003) -> secretariat
Technique (S-1-5-21-3171617769-241562045-158900556-3005) -> technique
Finances (S-1-5-21-3171617769-241562045-158900556-3007) -> finances
Stagiaires (S-1-5-21-3171617769-241562045-158900556-3009) -> stagiaires
Domain Guests (S-1-5-21-3171617769-241562045-158900556-514) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1



Thx for help.

Max

Hi,

samba-bounces+stephane.purnelle=corman.be@lists.samba.org a ?crit sur
04/08/2005 17:26:59 :
> Hello all,
>
> I'm working and searching for a few days to obtain this result :
>
> * I want to share some directories between differents users and groups
> (windows XP clients) using a minimum but efficient configuration with
> samba and posix acls.
> * I would like that users windows configuration stay on locals machines
> (no roaming accounts),
> * When registering users and computers on the domain, users must keep
> there configuration,
> * I want to manage users and groups using srvtools.exe
>
>
> I use tdbsam, posix acls work fine and samba (3.0.14a) runs as a PDC.
>
> My problems are :
> * On windows (with administrator account), some directories don't have
> the acl (security) panel,
> * On other directories, the panel is present but I cannot modify
> permissions,
If you specify that the admin user is root, the administrator user don't
have the right to admin the system.
> * Users configurations are never stored locally,
> * Creating new users with srvtools not possible,
> * How to keep old users windows configuration when entering the domain ?
> * No way to find a good tutorial answering my needs...
SAMBA-HOWTO-COLLECTION and samba by-example in samba web-site
>
>
>
> Here is my configuration :
>
>
> smb.conf :
> ------------------------------------------------
> [global]
>    interfaces = 192.168.1.120/24
>    enable privileges = yes
>    nt acl support = yes
>
>    security = user
>
>    netbios name = FSERVER
>    workgroup = FWSERVER
>    passdb backend = tdbsam
>    server string = File Server
>
> add user script = /usr/sbin/useradd -m '%u'
> add group script = /usr/sbin/groupadd '%g'
> add user to group script = /usr/sbin/usermod -G '%g' '%u'
> add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null
'%u'
>
>
> logon script = scripts\logon.bat
> logon path > logon drive = H:
> domain logons = yes
> username map = /etc/samba/smbusers
>
> admin users = root
>
>    socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096
SO_RCVBUF=4096
>
>    encrypt passwords = yes
>
>    wins support = yes
>
>    os level = 50
>    domain master = yes
>    local master = yes
>    preferred master = yes
>
>    name resolve order = lmhosts host wins bcast
>
>    preserve case = yes
>    short preserve case = yes
>
>    unix password sync = yes
>
>   passwd program = /usr/bin/passwd %u
>    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
> *Retype\snew\sUNIX\spassword:* %n\n .
>
> [public]
>    writable = yes
>    path = /share/public
>    public = yes
>    create mode = 0777
>    directory mask = 0777
>    admin users = root
>    nt acl support = yes
>
> [technique]
>    writable = yes
>    path = /share/technique
>    public = no
>    create mode = 0770
>    directory mask = 0770
>    valid users= @technique, @admins
>    admin users = root
>    nt acl support = yes
>
> [stagiaires]
>    writable = yes
>    path = /share/stagiaires
>    public = no
>    create mode = 0770
>    directory mask = 0770
>    valid users= @stagiaires, @admins
>    admin users = root
>    nt acl support = yes
>
> [secretariat]
>    writable = yes
>    path = /share/secretariat
>    public = no
>    create mode = 0770
>    directory mask = 0770
>    valid users= @secretariat @admins
>    admin users = root
>    nt acl support = yes
>
> [finances]
>    writable = yes
>    path = /share/finances
>    public = no
>    create mode = 0770
>    directory mask = 0770
>    valid users = @finances @admins
>    admin users = root
>    nt acl support = yes
> -------------------------------------------------------------------
>
>
> My groupmaps seems to be good :
>
> System Operators (S-1-5-32-549) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Domain Admins (S-1-5-21-3171617769-241562045-158900556-512) -> admins
> Power Users (S-1-5-32-547) -> -1
> Domain Guests (S-1-5-21-3592376627-3846121942-908627037-514) -> -1
> Domain Users (S-1-5-21-3592376627-3846121942-908627037-513) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> admins
> Domain Users (S-1-5-21-3171617769-241562045-158900556-513) -> ntusers
> Account Operators (S-1-5-32-548) -> -1
> Secretariat (S-1-5-21-3171617769-241562045-158900556-3003) ->
secretariat
> Technique (S-1-5-21-3171617769-241562045-158900556-3005) -> technique
> Finances (S-1-5-21-3171617769-241562045-158900556-3007) -> finances
> Stagiaires (S-1-5-21-3171617769-241562045-158900556-3009) -> stagiaires
> Domain Guests (S-1-5-21-3171617769-241562045-158900556-514) -> -1
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
>
>
>
> Thx for help.
>
> Max
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
-----------------------------------
St?phane PURNELLE                         stephane.purnelle@corman.be
Service Informatique       Corman S.A.           Tel : 00 32 087/342467