hello
i solved my problem.
i wanted a manager to be able to modify files in the users' profiles from his windows workstation.
The solution i found is adding this line to the profiles share block in smb.conf:

root postexec = setfacl -R -m g:"Domain Admins":rwx /share/profiles/%U

regards
ELH

-------- Original Message --------
Subject: profile question
Date: Tue, 18 Jul 2006 18:52:07 +0200
From: Éric le hénaff <eric.le.henaff@ens.fr>
Newsgroups: gmane.network.samba.general

hello,
i have a profile question
below is my profile definition. it's nothing more than the one from the idealx samba howto.
profiles just work fine on my box BUT i want more ...
i want a manager to have read/write access on every user's profile subdirectory for troubleshooting from his windows workstation by invoking \\server\profiles. he's in the domain admins.
How to do that?
Thank you for any help, i tried different scenarios (samba tweaking, acls inheritance and so on) for an afternoon and didn't find one working.
ELH

[profiles]
    path = /home/profiles
    read only = no
    create mask = 0600
    directory mask = 0700
    browseable = No
    guest ok = Yes
    profile acls = yes
    csc policy = disable
    # next line is a great way to secure the profiles
    force user = %U
    # next line allows administrator to access all profiles
    valid users = %U @"Domain Admins"

--
Éric LE HÉNAFF
École normale supérieure - Centre de ressources informatiques
IT specialist, development and systems engineer for the ENS libraries
Prefer Firefox! http://www.mozilla-europe.org/fr/
Please avoid sending me attachments in Word, Excel or PowerPoint format. Prefer the rtf, csv, html or pdf formats over the Word and Excel formats.
See http://www.gnu.org/philosophy/no-word-attachments.fr.html for more explanation.

Greetings Eric,

Returning this conversation to the mailing list :-) and in English.

I'm sure that will not work that way. When a "Domain Admins" member modifies a file or directory, that file will be owned by the member and not by the user of this profile. The Windows client will generate an error during profile transfer.

Like I said in PV, you need to execute setfacl -R -m u:<profile_user>:r-x /share/profiles/<profile_user>. The root postexec parameter will use server resources unnecessarily.

With the way I described in PV, just apply these lines at the creation of the user's profile:

setfacl -R -m u:<profile_user>:r-x /share/profiles/<profile_user>
setfacl -R -d -m u:<profile_user>:r-x /share/profiles/<profile_user>
setfacl -R -m g:"Domain Admins":rwx /share/profiles/<profile_user>
setfacl -R -d -m g:"Domain Admins":rwx /share/profiles/<profile_user>

No root postexec is needed, and you can surely make some modifications to include it in the idealx script or create your own script.

Robert

> hello
> i solved my problem.
> i wanted a manager to be able to modify files in the users' profiles
> from his windows workstation.
> The solution i found is adding this line to the profiles share
> block in smb.conf:
> root postexec = setfacl -R -m g:"Domain Admins":rwx /share/profiles/%U
> regards
> ELH
>
> -------- Original Message --------
> Subject: profile question
> Date: Tue, 18 Jul 2006 18:52:07 +0200
> From: Éric le hénaff <eric.le.henaff@ens.fr>
> Newsgroups: gmane.network.samba.general
>
> hello,
> i have a profile question
> below is my profile definition. it's nothing more than the one from
> the idealx samba howto.
> profiles just work fine on my box BUT i want more ...
> i want a manager to have read/write access on every user's profile
> subdirectory for troubleshooting from his windows workstation by
> invoking \\server\profiles. he's in the domain admins.
> How to do that?
> Thank you for any help, i tried different scenarios (samba tweaking,
> acls inheritance and so on) for an afternoon and didn't find one working.
> ELH
>
> [profiles]
>     path = /home/profiles
>     read only = no
>     create mask = 0600
>     directory mask = 0700
>     browseable = No
>     guest ok = Yes
>     profile acls = yes
>     csc policy = disable
>     # next line is a great way to secure the profiles
>     force user = %U
>     # next line allows administrator to access all profiles
>     valid users = %U @"Domain Admins"
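
Added example, not part of either message: setfacl -m without -d changes only the access ACL, while the -d commands add the default entries that newly created files and directories inherit. The script below reads getfacl output for one profile directory and reports which of the two "Domain Admins" entries is missing; the function names and the sample getfacl output are constructed for illustration.

```shell
# Added example: audit helper for the ACL entries discussed in this thread.
GROUP='Domain Admins'   # group named in the thread

# Read getfacl output for ONE directory on stdin; print "access", "default",
# "access default", or nothing when both rwx entries for $GROUP are present.
missing_group_entries() {
    awk -v grp="$GROUP" '
        /^#/ || /^$/ { next }                  # skip header comments and blanks
        {
            line = $0
            gsub(/\\040/, " ", line)           # getfacl may print a space as \040
            # An entry narrowed by the mask ends in "#effective:..." and fails the match.
            if (line == "group:" grp ":rwx")         access = 1
            if (line == "default:group:" grp ":rwx") dflt = 1
        }
        END {
            out = access ? "" : "access"
            if (!dflt) out = (out == "" ? "default" : out " default")
            if (out != "") print out
        }'
}

# Check every per-user directory directly under the profiles root (needs getfacl).
audit_profiles() {
    for dir in "$1"/*/; do
        [ -d "$dir" ] || continue
        missing=$(getfacl -p -- "$dir" 2>/dev/null | missing_group_entries)
        [ -z "$missing" ] || printf '%s: missing %s\n' "$dir" "$missing"
    done
}

# Constructed getfacl output: access entry only (setfacl -m without -d).
sample_access_only() { cat <<'EOF'
# file: /share/profiles/alice
user::rwx
group:Domain\040Admins:rwx
mask::rwx
other::---
EOF
}

# Constructed getfacl output: access and default entries both present.
sample_both() { sample_access_only; cat <<'EOF'
default:group:Domain\040Admins:rwx
default:mask::rwx
EOF
}
sample_access_only | missing_group_entries   # prints: default
```

On a live server, audit_profiles /share/profiles lists each profile directory that lacks one of the entries.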