-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Is there a way in samba 2.2.2-pre (SAMBA_2_2 latest CVS) to grant a user
privileges as another user instead of just remapping the user to another
user? I set the "username map = /etc/samba/user.map" configuration option
and added:

root = "DOMAIN+@Domain Admins"

to the user.map file but whenever I create a file it is owned by root
instead of my username...is there any way around this? I would like to
grant Domain Admins privileged access to the samba shares but still be able
to make new files and folders as their own account.

I am using Red Hat 7.1 with kernel 2.4.9 with the ACL patch version 0.7.16.
I am using winbindd to enumerate users and groups from the PDC which is
running NT4 SP6a with all current security patches. My workstation I am
doing my testing from is Windows 2000 SP2 also with all current security
patches.

Please send any responses directly to my e-mail as I am not currently
subscribed to the list.

Thank you

<begin smb.conf>
[global]
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/profiles/%U
winbind uid = 10000-20000
winbind gid = 10000-20000
workgroup = DOMAIN
server string = Network Storage
security = DOMAIN
encrypt passwords = Yes
password server = *
domain logons = no
local master = no
domain master = no
preferred master = no
log file = /var/log/samba/%m.log
max log size = 0
name resolve order = wins lmhosts bcast
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
dns proxy = No
wins server = 10.1.1.5
remote announce = 10.1.1.255
remote browse sync = 10.1.1.2
hosts allow = 10.1.1. 127.
printing = lprng
add user script = /usr/sbin/useradd -g domain -d /home/samba -s /dev/null -c %u %u
delete user script = /usr/sbin/userdel %u
username map = /etc/samba/users.map
[public]
comment = Public Stuff
path = /home/samba
writeable = Yes
guest ok = No
createmode = 740
directory mode = 740
[public2]
comment = Test share
path = /usr/local/src
writeable = Yes
guest ok = No
[profiles]
comment = User Profiles
path = /home/profiles
create mask =0600
directory mask = 0700
; restrict acl with mask = yes
force directory mode = 0700
force create mode = 0600
restrict acl with mask = yes
map hidden = yes
map system = yes
writeable = Yes
guest ok = No
[archives]
comment = Archives
path = /home/archives
writeable = Yes
guest ok = No
[forms]
comment = Forms
path = /home/forms
writeable = Yes
guest ok = No
[Test]
comment = Test
path = /tmp
writeable = Yes
guest ok = No
<end smb.conf>
.????---------------------------------------------------------????.
-If everyone throws in their two cents worth, -
-but its a penny for your thoughts...who keeps the profit?-
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1
iQA/AwUBO8xCBcbgHXR4hb1iEQJtEgCgj2Nov00+Frg9CT9O4Tgb/Qzn9WUAoNGw
5sF/t9QJzoh21giTOLqLQv2G
=PLvD
-----END PGP SIGNATURE-----

> Is there a way in samba 2.2.2-pre (SAMBA_2_2 latest CVS) to grant a user
> privileges as another user instead of just remapping the user to another
> user? I set the "username map = /etc/samba/user.map" configuration option
> and added:
>
> root = "DOMAIN+@Domain Admins"
>
> to the user.map file but whenever I create a file it is owned by root
> instead of my username...is there any way around this? I would like to
> grant Domain Admins privileged access to the samba shares but still be able
> to make new files and folders as their own account.

This is going to be hard. The user name map maps the userid given from the
client to the userid used by samba on the server. And this is one userid per
smbd. This means: if you map your domain admins to root, their smbd runs as
root and files are created as root.

What kind of privileges do you want to give them? Access to certain
files / shares? Then you should be fine with putting all admins into a
group (or mapping a domain group to a unix group (?)) and giving this group
file access privileges on the samba server. If the standard unix rights
scheme doesn't fit your needs, ACLs are your friend.

If it's for shares you can use "valid users = @group" in smb.conf

Christian
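
The identity replacement described in the reply above, as an added example that is not part of the thread and is not Samba code: a small Python audit that parses a username map using the rules documented in smb.conf(5) (`#`/`;` comments, `!` to stop, `*` wildcard, `@group`), resolves which Unix account a client ends up as, and flags lines that map to root. The `ntadmins` group, the `DOMAIN+alice`, `DOMAIN+bob` and `DOMAIN+lruiz` names, and the `DEMO_GROUPS` dict standing in for the system group database are constructed.

```python
import shlex
# Constructed sample map; only the first "root" line is taken from the post.
SAMPLE_MAP = '''\
# unix name = client name(s)
root = "DOMAIN+@Domain Admins"
!root = @ntadmins
levi = DOMAIN+lruiz
'''
DEMO_GROUPS = {"ntadmins": ["DOMAIN+alice", "DOMAIN+bob"]}  # constructed members
PRIVILEGED = {"root"}  # assumption: accounts treated as privileged on this host

def parse_username_map(text):
    """Parse 'username map' lines into (unix, clients, stop) tuples."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":      # blank lines and comments
            continue
        stop = line.startswith("!")          # '!': stop here if this line matched
        unix, sep, clients = line.lstrip("!").partition("=")
        if sep:
            entries.append((unix.strip(), shlex.split(clients), stop))
    return entries

def _matches(name, client, groups):
    if client == "*":                        # wildcard matches any client name
        return True
    if client.startswith("@"):               # @group: members of a Unix group
        return name.lower() in {m.lower() for m in groups.get(client[1:], ())}
    return name.lower() == client.lower()    # case-insensitive: an assumption

def resolve(entries, client_name, groups=None):
    """Return the Unix account the session, and every file it creates, uses."""
    name = client_name
    for unix, clients, stop in entries:
        if any(_matches(name, c, groups or {}) for c in clients):
            name = unix                      # the client identity is replaced
            if stop:
                break
    return name

def audit(entries):
    """List entries that replace client identities with a privileged account."""
    return [(unix, clients) for unix, clients, _ in entries if unix in PRIVILEGED]

if __name__ == "__main__":
    parsed = parse_username_map(SAMPLE_MAP)
    for who in ("DOMAIN+alice", "DOMAIN+bob", "DOMAIN+lruiz"):
        print(who, "->", resolve(parsed, who, DEMO_GROUPS))
    print("maps to privileged account:", audit(parsed))
```

Both constructed admins resolve to `root`, so file ownership on the server no longer distinguishes them, which is the effect the original poster observed.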

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well, I tried adding "Domain Admins" to the /home/profiles dir and no effect.
I tried adding Domain Admins into the ACL for the share through Windows 2000
and it just said "Access Denied" and gave me this error in the log:

getgrname_from_group(): could not get domain sid for domain
[2001/10/16 10:27:30, 0] nsswitch/winbindd_user.c:winbindd_getpwnam_from_user(122)

I can't think of anything else to try. Also, what is the deal with that
error?

-----Original Message-----
From: Christian Barth [mailto:barth@cck.uni-kl.de]
Sent: Tuesday, October 16, 2001 10:07 AM
To: 'samba@lists.samba.org'; Levi Ruiz
Subject: Re: username map behavior

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBO8yLZ8bgHXR4hb1iEQKZ/wCeLE1KOuNDjhnh7fySppw5rAn4BeMAmwdC
7ivvuxCyIgSvlzCx4HCBXIQr
=kMHi
-----END PGP SIGNATURE-----