Hi I'm using Samba 3.0.33 on Solaris10 and have the following problem. In the smb.conf I have workgroup = CORPROOT security = domain and users authenticated to CORPROOT domain can connect shares w/o problems, [homes] for example. Now I would like to create a share and restrict access to it just to a dozen of users or so. I tried valid users = +docs force user = usodocs where docs is a group in /etc/group and it didn't work. Looks like Samba is trying to look up the group docs on the domain controller in the CORPROOT domain. So, I tried this valid users = CORPROOT\user force user = usodocs it works. According to man page valid users = +docs should work. I must be missing something, but what? Is there any better/nicer way to achieve what I'm looking for? That is, to give a group of users full control over content of a share. I have several Linux Samba servers where I use POSIX ACLs to control read/write rights on the OS level and it works fine. I tried the same on the Solaris10 box with ZFS and its ACLs and it didn't work as expected (posted about it few weeks ago, no answers though) I would be very thankful for any help. BTW, anyone any idea how to attract attention to a post on this list? Virtual beer as attachment? ;-) My success rate is by now close to nothing. Thanks for your time. Regards, Chris -- Chris Osicki osk at osk.ch Dipl. Informatik-Ing. HTL
Chris Osicki wrote:> Hi > > I'm using Samba 3.0.33 on Solaris10 and have the following problem. > In the smb.conf I have > > workgroup = CORPROOT > security = domain > > and users authenticated to CORPROOT domain can connect shares > w/o problems, [homes] for example. > Now I would like to create a share and restrict access to it just > to a dozen of users or so. > > I tried > > valid users = +docs > force user = usodocs > > where docs is a group in /etc/group and it didn't work. > Looks like Samba is trying to look up the group docs on the domain > controller in the CORPROOT domain. > > So, I tried this > > valid users = CORPROOT\user > force user = usodocs > > it works. > According to man page > valid users = +docs > should work. > I must be missing something, but what? > > Is there any better/nicer way to achieve what I'm looking for? > That is, to give a group of users full control over content of > a share. > I have several Linux Samba servers where I use POSIX ACLs to control > read/write rights on the OS level and it works fine. > > I tried the same on the Solaris10 box with ZFS and its ACLs and it > didn't work as expected (posted about it few weeks ago, no answers though) > > I would be very thankful for any help. > > BTW, anyone any idea how to attract attention to a post on this list? > Virtual beer as attachment? ;-) > My success rate is by now close to nothing. > > Thanks for your time. > > Regards, > Chris >Don't use "force user" unless you really want everyone to look like that user when accessing the share. Quick documentation on the various options is available via SWAT.
Chris Osicki wrote:> Hi > > I'm using Samba 3.0.33 on Solaris10 and have the following problem. > In the smb.conf I have > > workgroup = CORPROOT > security = domain > > and users authenticated to CORPROOT domain can connect shares > w/o problems, [homes] for example. > Now I would like to create a share and restrict access to it just > to a dozen of users or so. > > I tried > > valid users = +docs > force user = usodocs > > where docs is a group in /etc/group and it didn't work. > Looks like Samba is trying to look up the group docs on the domain > controller in the CORPROOT domain. > > So, I tried this > > valid users = CORPROOT\user > force user = usodocs > > it works. > According to man page > valid users = +docs > should work. > I must be missing something, but what? > > Is there any better/nicer way to achieve what I'm looking for? > That is, to give a group of users full control over content of > a share. > I have several Linux Samba servers where I use POSIX ACLs to control > read/write rights on the OS level and it works fine. > > I tried the same on the Solaris10 box with ZFS and its ACLs and it > didn't work as expected (posted about it few weeks ago, no answers though) > > I would be very thankful for any help. > > BTW, anyone any idea how to attract attention to a post on this list? > Virtual beer as attachment? ;-) > My success rate is by now close to nothing. > > Thanks for your time. > > Regards, > Chris >Further to my earlier response, you need to ensure that the group has access to the share since Samba permissions cannot override Linux permissions. You may want to set the Linux permissions to 777 while testing. Leave off the force user and just try the "valid users". Also, since you are using the + group prefix, this is strictly the Linux group that you are granting permission to.