Noel Kelly
2002-Mar-19 22:15 UTC
[Samba] Quick question on adding Winbind/NIS groups to a Samba ACL
Bill-

Key point is that you need to be the owner to manage ACLs through the Windows GUI. Try and create a new file so you are the owner of it and then manipulate the ACLs. Or chown an existing file so you are the owner. You cannot use the 'take ownership' NT route.

Check out the 'force user = root' setting - we use it for creating admin-only shares. Root can do anything of course.

Hope this helps a bit,
Noel

-----Original Message-----
From: Bill Town [mailto:bill@kontiki.com]
Sent: 19 March 2002 22:18
To: samba@lists.samba.org
Subject: [Samba] Quick question on adding Winbind/NIS groups to a Samba ACL

Hi all-

First a little background and infrastructure:
After a long arduous road I got my Samba file server to authenticate with Winbind and/or NIS (synced with AD) in a Native Mode Active Directory. I can log on to the Linux server locally and also gain access to a file share via a Windows box with accounts in either. Samba is running on a Linux 7.2 server with Kernel 2.14.18 with the ACL patches (using http://acl.bestbits.at/). I built Samba with the --with-acl-support and --with-nis (--with-winbind is a default option). The Samba configuration file is below as well as the pam.d/login and pam.d/system-auth files. The server is a member of the domain and [wbinfo -t] reports [security is good]. [Getent passwd] and [getent group] enumerate the users and groups correctly.

Now the question:
I can modify permissions through a Windows 2000 Security Interface if the group already has some sort of permissions assigned on the file/directory. I cannot add groups to an ACL through the Windows 2000 interface but must resort to adding them via setfacl on the Linux box. Any ideas? I cannot add groups because it only wants DOMAIN\GROUP and the current permissions show up as FILE-SERVER\GROUP. The Winbind groups do not show up at all in the Windows security interface but do in the getfacl on the Linux box. Thanks in advance for your help.

Cheers,
-Bill

smb.conf:
---------------------------------------------------------
# Samba config file
# Date: 2002/03/19

# Global parameters
[global]
   workgroup = ZODIAC
   netbios name = fs1-test
   server string = Test File Server
   security = DOMAIN
   encrypt passwords = Yes
   password server = *
   preferred master = False
   local master = No
   domain master = False
   wins server = 172.16.1.12 172.16.2.12
   large readwrite = yes
   winbind uid = 20000-29999
   winbind gid = 2000-2999
#  winbind separator = +
   winbind enum users = yes
   winbind enum groups = yes
   template shell = /bin/bash

[test]
   comment = Test File Share
   path = /export/test
   read only = No
   inherit permissions = yes
---------------------------------------------------------

pam.d/login:
---------------------------------------------------------
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       sufficient   /lib/security/pam_winbind.so use_first_pass
auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok
#auth      sufficient   /lib/security/pam_unix.so use_first_pass

#account   sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth

password   required     /lib/security/pam_stack.so service=system-auth

session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so
---------------------------------------------------------

pam.d/system-auth:
---------------------------------------------------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       sufficient   /lib/security/pam_winbind.so use_first_pass
auth       required     /lib/security/pam_deny.so

account    required     /lib/security/pam_unix.so

password   required     /lib/security/pam_cracklib.so retry=3 type=
password   sufficient   /lib/security/pam_unix.so nullok use_authtok md5 shadow nis
password   sufficient   /lib/security/pam_winbind.so use_authtok
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    required     /lib/security/pam_winbind.so
---------------------------------------------------------

----
Bill Town
Kontiki, Inc.
Voice: 650.625.3065
Fax: 650.623.0142

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
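
The reply above suggests 'force user = root' for admin-only shares; every connection to such a share then acts on files as root, so the share definition should also limit who may connect. As an added example (not from the thread or from the Samba project), this script lists the shares in an smb.conf that set 'force user = root' without a 'valid users' line. The share names and the @sysadmins group in the sample are constructed, and 'valid users' is only one of several ways a share can be restricted.

```shell
# Added example: report smb.conf sections that set "force user = root"
# but carry no "valid users" restriction.
audit_force_root() {
    # $1: path to an smb.conf-style file
    awk '
        function report() {
            if (share != "" && root && !restricted) print share
        }
        /^[ \t]*[#;]/ { next }                 # skip comment lines
        /^[ \t]*\[/ {                          # start of a [section]
            report()
            share = $0
            sub(/^[ \t]*\[/, "", share); sub(/\].*$/, "", share)
            root = 0; restricted = 0
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1))
            val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key)             # normalise case and spacing
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "forceuser" && val == "root") root = 1
            if (key == "validusers" && val != "") restricted = 1
        }
        END { report() }
    ' "$1"
}

# Constructed sample configuration (not the poster's smb.conf).
sample_conf() {
    cat <<'EOF'
[global]
   workgroup = ZODIAC
[admin-open]
   path = /export/admin
   force user = root
[admin-locked]
   path = /export/admin2
   force user = root
   valid users = @sysadmins
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp" && audit_force_root "$tmp"
rm -f "$tmp"
```
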
JC Nou
2002-Mar-19 22:27 UTC
[Samba] Quick question on adding Winbind/NIS groups to a Samba ACL
G'Day,

Will this only work with the 2.14.18 Kernel (with the ACL patches) only? We are using the 2.4.9-13SGI_XFS_1.0.2 kernel and want to deliver a similar service.

TIA
JC

----- Original Message -----
From: "Noel Kelly" <nkelly@tarsus.co.uk>
To: "'Bill Town'" <bill@kontiki.com>; <samba@lists.samba.org>
Sent: Wednesday, March 20, 2002 3:44 PM
Subject: RE: [Samba] Quick question on adding Winbind/NIS groups to a Samba ACL

> Bill-
>
> Key point is that you need to be the owner to manage ACLs through the
> Windows GUI. Try and create a new file so you are the owner of it and then
> manipulate the ACLs. Or chown an existing file so you are the owner. You
> cannot use the 'take ownership' NT route.
>
> Check out the 'force user = root' setting - we use it for creating
> admin-only shares. Root can do anything of course.
>
> Hope this helps a bit,
> Noel
>
> -----Original Message-----
> From: Bill Town [mailto:bill@kontiki.com]
> Sent: 19 March 2002 22:18
> To: samba@lists.samba.org
> Subject: [Samba] Quick question on adding Winbind/NIS groups to a Samba
> ACL
>
> Hi all-
>
> First a little background and infrastructure:
> After a long arduous road I got my Samba file server to authenticate
> with Winbind and/or NIS (synced with AD) in a Native Mode Active
> Directory. I can logon to the Linux server locally and also gain access
> to a file share via a windows box with accounts in either. Samba is
> running on a Linux 7.2 server with Kernel 2.14.18 with the ACL patches
> (using http://acl.bestbits.at/). I built Samba with the
> --with-acl-support and --with-nis (--with-winbind is a default option).
> The Samba configuration file is below as well as the pam.d/login and
> pam.d/system-auth files. The server is a member of the domain and
> [wbinfo -t] reports [security is good]. [Getent passwd] and [getent
> group] enumerate the users and groups correctly.