----Original Message----- From: Mahoney, Tom [mailto:tom.mahoney@riaco.com] Sent: 18 March 2002 21:38 To: 'Noel Kelly' Subject: RE: [Samba] acl's and samba Thank you Thank you Thank you! I don't want to try and make seperate admin shares for each user share but removing the additional share directives from the user shares and creating one top level admin share worked. I set the admin share un browseable so users aren't gripping why they can't see it and then just typed the path in after verifying that the normal shares worked properly again and it worked. I was able to add the acl and remove it. I'm curious though whether seperate admin shares would work and for that matter why the first share with the non working config stated that my password was wrong. Oh well. Now assuming that Wayne wasn't referring to my ACL problems I need to now look at the unix side of tying samba, ftp, ssh, etc.. to the domain via pam. Thank you again as well as Andrew and Wayne. Thanks for all your help. I'll try not to bug you guys too much and get the rest going my self if I can. You guy's are life savers. We were going to have to go to 2k for this if I couldn't get this working. Again THANK YOU!!! =) -----Original Message----- From: Noel Kelly [mailto:nkelly@tarsus.co.uk] Sent: Monday, March 18, 2002 2:14 PM To: 'Mahoney, Tom'; Noel Kelly Cc: Samba generic mail list (E-mail) Subject: RE: [Samba] acl's and samba I did actually mean two shares but that it just the way we work. You can still of course administrate from any workstation - simply do a 'net use * \\samba\adminsharename' - only takes a few seconds. I deliberately carve up the network shares so that the users have their environ and the admins have theirs (usually a top level share at the root of all the user's shares.) The '@' should be used for all group references. To make sure that your Samba setup is functioning, change the winbind separator to be '+'. This will make things a lot clearer. One you can see authentication is working you can then play with the separator character. Logging onto the samba shares from a windows machine, you should be able to use 'standard' M$ - domainname\tom in any username prompts. You only need to do domain+username when working in Linux. This should only be necessary you are not logged onto the domain however - the currently logged on user's details should be sent before authenication boxes appear. If you really want to push it though then I would avoid gui stuff and go straight for : net use * \\sambaserver\sharename /user:domainname\username and enter the correct password. Noel -----Original Message----- From: Mahoney, Tom [mailto:tom.mahoney@riaco.com] Sent: 18 March 2002 21:05 To: 'Noel Kelly' Cc: Samba generic mail list (E-mail) Subject: RE: [Samba] acl's and samba So create two share definetions for each logical share? One for admin use and the other for users? The problem is that I setup this box to replace a 2k machine serving files. Some shares are used really only by users and others only by admins and some by both. I simply need for my self and the rest of my IT team to be able to go in at our leasure and add additional users to directories as they need access from any 2k machine which we are logged in from anywhere on our network. I tried adding the commas to all shares and samba doesn't seem to care on way or the other. Also aren't you only supposed to add @ to the beginning of unix or domain groups? I'm adding domain user accounts. Also when your connecting to samba from 2k and are prompted for your login info. Do you login as domain\user or domain/user? I have / used as the seperator on samba but don't know if it's 2k that interprets the username typped at the 2k prompt or if it's samba which interprets it. Do you also by any chance have an idea of why my first share says invalid passwords while all others prompt for login info and then say invalid user? Please let me know if you would like me to include my smb.conf as I would be more than happy to. I only have to edit out networks for security. Thanks for your help so far. =) -----Original Message----- From: Noel Kelly [mailto:nkelly@tarsus.co.uk] Sent: Monday, March 18, 2002 1:50 PM To: 'Mahoney, Tom' Cc: Samba generic mail list (E-mail) Subject: RE: [Samba] acl's and samba Tom, It might be a small thing, but I think your 'valid users =' list needs to be comma delimited - not spaces. eg: valid users = @uk+it,@uk+developers Also, the ability to act as root on a share is pretty dangerous. I only use it as an administrative thing to alter permissions even on files/directories created by the users (and therefore owned by them). Perhaps your users need to alter permissions themselves but otherwise I would create a normal share for your users and a special, 'force user =' share for the admins only. Noel -----Original Message----- From: Mahoney, Tom [mailto:tom.mahoney@riaco.com] Sent: 18 March 2002 18:47 To: 'Noel Kelly' Cc: Samba generic mail list (E-mail) Subject: RE: [Samba] acl's and samba Hmm I tried what you suggested and I'm sure it should work if not for this problem. I added the following options to each of my shares: force user = root valid users = domain/users to add seperated by space read only = No inherit permissions = Yes create mask = 777 directory mask = 777 nt acl support = Yes veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ delte veto files = Yes directory mask is in global and was removed from the shares when I passed the alterations through testparm to clean it up. It also has the same mask set as before I passed it through testparm. Now my problem is this. The first share defined after homes give me this error from 2k: \\server\share is not accesible. The specified network password is not correct. All other shares prompt for a user I enter my domain user as domain/user and then my password and get the error: \\server\share is not accesible. The specified username is invalid. My homes share works without a hitch. I also don't have a /etc/pam.d/samba configured to use winbindd which might be my whole problem. I'm not clear on how to properly configure /etc/pam.d/samba with pam_winbind.so with redhat7.2. I did try altering /etc/pam.d/samba to point to system-auth-winbind which I created and added the auth and account pam_winbind.so lines to and then restarted samba but this didn't change anything at all. system-auth-winbind was created by copying the system system-auth and adding the auth and account lines. The share following the homes share also did not contain any funky characters either which is the only explenation I could come up with for it behaving differently than all the other shares. Very odd. ?=/ If you or anyone would like I can include the full contents of my smb.conf file minus network ips etc.. for security for you to examine. Thanks for everyone's help so far. =) -----Original Message----- From: Noel Kelly [mailto:nkelly@tarsus.co.uk] Sent: Saturday, March 16, 2002 12:32 PM To: 'Mahoney, Tom'; Samba generic mail list (E-mail) Subject: RE: [Samba] acl's and samba I think the nut of your problem is that it is only the owner of the file/directory who can alter the ACLs on it. It does not matter if you are the member of a group with full rights - only the owner can change ACLs. Root can of course do whatever he wants to anything. I got round this by creating a special administrator share which has the 'force user = root' entry. This causes all operations on the this share to be done as root. Obviously very dangerous but effective. Limit the access to this special share using 'valid users =' Noel [AdminShared] force user = root valid users = uk+nkelly path = /raid/shared/ public = no read only = No inherit permissions = yes create mask = 777 directory security mask = 777 nt acl support = yes # Veto the Apple specific files that a NetAtalk server creates. veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ delete veto files = yes -----Original Message----- From: Mahoney, Tom [mailto:tom.mahoney@riaco.com] Sent: 15 March 2002 23:31 To: Samba generic mail list (E-mail) Subject: [Samba] acl's and samba I asked a long winded question before about ACL's on linux with bestbits patches and how everying in samba was essentially working but I couldn't change modify or add acls' from a 2k workstation also on the domain. Well I have a two part question. Should I ((HAVE)) to add a map to /etc/samba/smbusers like: user domain/user ? My impression from reading the docs and peoples posts is that winbindd should figure this out ALL ON IT'S OWN. Is that not the case? In which case I'm SUPPOSED to add the map but it's either not mentioned or vaguely implied? Second. With my homedir accessible ( only because I did add the map, and yes I know that if I add the map and it works most people would just give me a blank stare on this over my question above, but I want someone to please confirm this for me. ) I can go to my home share and set and remove acl's but on my file shares on the samba box I can't. Ok, confirmed that kernel and samba support acls' and fileutils/e2fsprogs do too. Can set acls' from cli and view them with ls or getfacl and see them through samba. Samba just can't change them. (except for home share) Now seeing that it works with my home share I have to think that samba is perfectly ready and willing to set them but it must be I assume a unix permission problem. Now currently ALL files and directories under the file shares have permissions set like so: chown -R root /home/samba/<all file share dirs> chgrp -R domain/Domain Admins /home/samba/<all file share dirs> chmod -R ugo+rwx /home/samba/<all file share firs>