One work-around would be to create a hidden share that only Domain Admins can access. Then use "force user=root" on that share. Then you'll be able to change ACL's and not be root.

Josh

> -----Original Message-----
> From: Tanstaafl [mailto:tanstaafl_bh@netzero.net]
> Sent: Thursday, July 25, 2002 1:36 PM
> To: 'Samba List'
> Subject: Re: [Samba] Changing ACLs as administrator
>
> You must be logged in as root - or I think you can map the Domain Admin
> account *to* the root account, which accomplishes the same thing?
>
> Simon
>
> ----- Original Message -----
> From: "Rob Helmer" <robert@namodn.com>
> To: <samba@lists.samba.org>
> Sent: Thursday, July 25, 2002 2:35 PM
> Subject: [Samba] Changing ACLs as administrator
>
> > Hello,
> >
> > While the interesting discussion on POSIX ACLs vs. NT ACLs has
> > been going on, I've been trying ( unsuccessfully ) from a Windows
> > box logged in as DOMAIN\Administrator to change ACLs on a file
> > owned by a user.
> >
> > I just get "Access denied" every time I attempt it.
> >
> > I have tried setting in the smb.conf :
> >
> > --
> > domain admin group = DOMAIN+Domain Admins
> > --
> >
> > and
> >
> > --
> > domain admin group = DOMAIN+Administrator
> > --
> >
> > but I still don't seem to have this access.
> >
> > Is there something I am missing?
> >
> > Any pointers would be great :) I want to let designated domain admins
> > change ACLs, since NT ACL's "Take Ownership" doesn't seem to be possible
> > with the current POSIX ACL/Samba combination.
> >
> > Thanks,
> > Rob
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: http://lists.samba.org/mailman/listinfo/samba
Hi Josh,

I don't really understand what this would accomplish. If they have a hidden share, then they can only change ACLs for files on that share, correct?

Or am I missing something?

Thanks,
Rob

On Thu, Jul 25, 2002 at 01:41:02PM -0500, Samba wrote:
> One work-around would be to create a hidden share that only Domain Admins
> can access. Then use "force user=root" on that share. Then you'll be able to
> change ACL's and not be root.
>
> Josh
The idea is you create one hidden share that encompasses all your other shares. If your disk layout makes that undesirable, you'll have to create multiple hidden shares to use this method. (In my case, I put all the Samba shares under /export, so it was easy.)

If you map the Domain Admin group to root, any files you create while logged in as a Domain Admin will be owned by root. I didn't want that, so I used the hidden share method instead.

> -----Original Message-----
> From: Rob Helmer [mailto:robert@namodn.com]
> Sent: Thursday, July 25, 2002 3:47 PM
> To: samba@lists.samba.org
> Subject: Re: [Samba] Changing ACLs as administrator
>
> Hi Josh,
>
> I don't really understand what this would accomplish. If they
> have a hidden share, then they can only change ACLs for files on
> that share, correct?
>
> Or am I missing something?
>
> Thanks,
> Rob
Well, let's see, it took me about 20 seconds to google an answer - sounds like you need a little motivation - like, maybe, me not just spoon-feeding you the answer?

Simon

> From: <sspitzner@planalytics.com>
> Sent: Thursday, July 25, 2002 2:37 PM
>
> Ok. I will bite. How do I "map the Domain Admin
> account to the root account"?
| Message: 3
| Date: Thu, 25 Jul 2002 11:35:49 -0700
| From: Rob Helmer <robert@namodn.com>
| To: samba@lists.samba.org
| Organization: Namodn Artists - http://www.namodn.com
| Subject: [Samba] Changing ACLs as administrator
|
| Hello,
|
| While the interesting discussion on POSIX ACLs vs. NT ACLs has
| been going on, I've been trying ( unsuccessfully ) from a Windows
| box logged in as DOMAIN\Administrator to change ACLs on a file
| owned by a user.
|
| I just get "Access denied" every time I attempt it.
|
| I have tried setting in the smb.conf :
|
| --
| domain admin group = DOMAIN+Domain Admins

Well, firstly you probably need something like this

domain admin group = @"DOMAIN+Domain Admins"

But, you should read the man page on this option, since this actually affects which users are seen by the windows members of a samba controlled domain to have admin rights, only on the windows machines.

| --
|
| and
|
| --
| domain admin group = DOMAIN+Administrator
| --
|
| but I still don't seem to have this access.
|
| Is there something I am missing?
|
| Any pointers would be great :) I want to let designated domain admins
| change ACLs, since NT ACL's "Take Ownership" doesn't seem to be possible
| with the current POSIX ACL/Samba combination.

You're probably looking for something more like:

admin users = @"DOMAIN+Domain Admins"

this should be applied carefully, and on a share-by-share basis, and I am not sure if it will do what you want (allow you to change ownership), but it will let you delete anything!

no need for messy hidden shares (which is a security nightmare, unless it is protected somehow).

Buchan

--
|----------------Registered Linux User #182071-----------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
Hello,

I hope you don't mind that I am CC:'ing the list.

I used the "username map" directive to point to a username map file in smb.conf :

--
username map = /usr/local/samba/private/username.map
--

My /usr/local/samba/private/username.map looks like this :

--
root = @"DOMAIN+Domain Admins"
--

Seems to work for my purposes :)

My smbd/nmbd are currently on 2.2.2 ( winbind is 2.2.3a, because of the memory leak issue in previous versions ).

Thanks,
Rob

On Fri, Jul 26, 2002 at 02:19:34PM -0400, sspitzner@planalytics.com wrote:
> Could you please tell me how to map the root user? According to the
> documentation I have seen, the domain admin group directive is no longer
> valid in 2.2.5. Obviously, I have missed something.
>
> TIA
> Sam
>
> Rob Helmer <robert@namodn.com> on 07/26/2002 02:09:06 PM
>
> To: samba@lists.samba.org
> cc: (bcc: Samuel K Spitzner/Planalytics)
>
> Subject: Re: [Samba] Changing ACLs as administrator
>
> Hello Buchan
>
> Thank you very much for your reply.
>
> The "domain admin" setting in Samba doesn't seem to allow one to
> change ACLs or take ownership, but I experimented with the info
> in the email you sent and mapped the root user to @"DOMAIN+Domain Admins"
> and now all Domain Admins are able to take ownership and/or change ACLs
> from their Windows boxes.
>
> Thanks,
> Rob
>
> On Fri, Jul 26, 2002 at 05:28:35PM +0200, Buchan Milne wrote:
> > Well, firstly you probably need something like this
> >
> > domain admin group = @"DOMAIN+Domain Admins"
> >
> > But, you should read the man page on this option, since this actually
> > affects which users are seen by the windows members of a samba
> > controlled domain to have admin rights, only on the windows machines.
> >
> > You're probably looking for something more like:
> >
> > admin users = @"DOMAIN+Domain Admins"
> >
> > this should be applied carefully, and on a share-by-share basis, and I
> > am not sure if it will do what you want (allow you to change ownership),
> > but it will let you delete anything!
> >
> > no need for messy hidden shares (which is a security nightmare, unless it
> > is protected somehow).
> >
> > Buchan
But that means everything you do will be as root. All new files will belong to root and not those users.

Right ??

Josh

> -----Original Message-----
> From: Rob Helmer [mailto:robert@namodn.com]
> Sent: Friday, July 26, 2002 4:10 PM
> To: sspitzner@planalytics.com; samba@lists.samba.org
> Subject: Re: [Samba] Changing ACLs as administrator
>
> Hello,
>
> I hope you don't mind that I am CC:'ing the list.
>
> I used the "username map" directive to point to a username map file in
> smb.conf :
>
> --
> username map = /usr/local/samba/private/username.map
> --
>
> My /usr/local/samba/private/username.map looks like this :
>
> --
> root = @"DOMAIN+Domain Admins"
> --
>
> Seems to work for my purposes :)
>
> My smbd/nmbd are currently on 2.2.2 ( winbind is 2.2.3a, because
> of the memory leak issue in previous versions ).
>
> Thanks,
> Rob
Right, if you do it that way any file created by a Domain Admin will be owned by root. I didn't like that, so I went with the "create a hidden administrative share" solution. For most people it'd probably work fine, though.

> -----Original Message-----
> From: Konkol, Josh [mailto:JKonkol@guidemail.com]
> Sent: Monday, July 29, 2002 8:57 AM
> To: 'Rob Helmer'; sspitzner@planalytics.com; samba@lists.samba.org
> Subject: RE: [Samba] Changing ACLs as administrator
>
> But that means everything you do will be as root. All new files will belong
> to root and not those users.
>
> Right ??
>
> Josh
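An added example, not code from the thread or from the Samba project: a small audit that lists the root-equivalent access paths discussed in the messages above (a share with "force user = root", "admin users" set per share or globally, and a username map entry for root). The sample smb.conf, the map file contents and the share names are constructed for illustration; the map file text is passed in separately so the check runs offline.

```python
"""List every root-equivalent access path configured in an smb.conf."""

NO_VALUES = {"no", "false", "0"}

# Constructed sample input (not from the thread).
SAMPLE_CONF = """
[global]
   workgroup = DOMAIN
   username map = /usr/local/samba/private/username.map

[admin$]
   path = /export
   browseable = no
   valid users = @"DOMAIN+Domain Admins"
   force user = root

[scratch]
   path = /export/scratch
   force user = root

[projects]
   path = /export/projects
   admin users = @"DOMAIN+Domain Admins"
"""
SAMPLE_MAP = 'root = @"DOMAIN+Domain Admins"\n'


def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections


def root_mapped_names(map_text):
    """Client names that a username map file maps to the Unix user root."""
    names = []
    for raw in map_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix_user, clients = line.split("=", 1)
        if unix_user.strip().lstrip("!").strip() == "root":
            names.append(clients.strip())
    return names


def audit(conf_text, map_text=""):
    """Return (severity, section, message) for each root-equivalent path."""
    conf = parse_smb_conf(conf_text)
    glob = conf.get("global", {})
    findings = []
    if "admin users" in glob:
        findings.append(("high", "global",
                         f"admin users = {glob['admin users']} applies to every share"))
    if "username map" in glob:
        for names in root_mapped_names(map_text):
            findings.append(("review", "global",
                             f"{names} mapped to root: acts as root on every "
                             "share, new files are owned by root"))
    for name, params in conf.items():
        if name == "global":
            continue
        effective = {**glob, **params}          # shares inherit [global] values
        if params.get("force user", "").strip('"').lower() == "root":
            allowed = effective.get("valid users")
            browse = effective.get("browseable", effective.get("browsable", "yes"))
            hidden = name.endswith("$") or browse.lower() in NO_VALUES
            if not allowed:
                findings.append(("high", name,
                                 "force user = root with no valid users: every "
                                 "user who can connect acts as root"))
            else:
                note = "hidden" if hidden else "visible in browse lists"
                findings.append(("review", name,
                                 f"force user = root for {allowed} ({note})"))
        if "admin users" in params:
            findings.append(("review", name,
                             f"admin users = {params['admin users']}: root on "
                             "this share, can delete anything"))
    return findings


if __name__ == "__main__":
    for severity, section, message in audit(SAMPLE_CONF, SAMPLE_MAP):
        print(f"{severity:6} [{section}] {message}")
```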
Hello all.

Has somebody found a solution yet?
I can't figure it out.
I am beginning to wonder if it might be a bug in samba?
This is what I have now:

[netlogon]
    comment = Network Logon Service
    path = /home/netlogon
    read only = Yes
    guest ok = Yes
    write list = @"Administrators"
    force group = "+Administrators"
    inherit acls = Yes
    inherit permissions = Yes

[homes]
    path = /home/users/%U
    read only = No
    browseable = No
    inherit acls = Yes
    inherit permissions = Yes

[users]
    comment = Users share
    path = /home/users
    read only = No
    force group = "+Administrators"
    inherit acls = Yes
    inherit permissions = Yes

[profiles]
    comment = User profiles share
    path = /home/profiles
    read only = No
    force group = "+Administrators"
    inherit acls = Yes
    inherit permissions = Yes
    csc policy = disable
-----

All user directories and files in [users] and [profiles] are owned by the "user", their group has been set to Administrators and user and group permissions are set to rwx for directories and rw for files.

The world permissions have been set to none because I want only the "user" or the Administrator equiv to be able to access the directories in the [users] or the [profiles] share.

When I check the acls and permission from a logged-in windows XP client everything looks really good.
No errors.

So far so good......but then:

When a user creates a new file or directory, it should inherit its acl and permissions from the parent directory, this doesn't work, currently the owner and group get set to the user itself.

If an Administrator equiv creates a new file or directory, I would like it to be set to a default acl where the group should be at least "Administrators" and, if needed, I would like to change the owner later.
With the "force group" parameter set to "+Administrators" this works almost ok, the groups get set well but I get a "permission denied" when I try to change the owner of the directory.

In order to be able to succeed in changing the ownership:
I also have been playing with the "username map" file but when I add a line there like:
root = @"Administrators"
then the result is that the Administrator equiv is being logged in as root at login time, and still isn't able to change the ownership of a file or directory.

I also tried the "admin users = @"Administrators" in the service section but this doesn't work either.

So, I am out of options now.

I hope that some other list member can give me the right solution.
Or maybe one of the members of the samba team?

Thank you for any reply.

Eddie.
Eddie,

There is no bug here, you just need to change a couple of things. Remember ownership and permissions are two different things. "inherit acls" and "inherit permissions" only deal with the acl piece of the security puzzle. They do _NOT_ deal with ownership.

Here's what I've done to allow users to create new files, set the file owner to the user, set the group to the group of the parent folder, inherit ACL's from the parent folder.

My share in the smb.conf looks like this:

[OS_files]
    comment = /export/lvm/OS_files
    path = /export/lvm/OS_files
    browseable = yes
    writeable = yes
    inherit acls = yes
    inherit permissions = yes
    valid users = @"PRFMSTR2+Domain Users"

Here is what the OS_files permissions look like:

drwxrwsr--+ 17 PRFMSTR2+username PRFMSTR2+Domain Admins 4096 Jul 17 13:12 OS_files/

Notice the group sticky bit. This makes it so that files/folders under the OS_files folder belong to the Domain Admins group. You of course can set this to any group you want.

Please respond and let me know if this works for you.

Josh

> -----Original Message-----
> From: Eddie Lania [mailto:e.lania@elton.nl]
> Sent: Tuesday, July 30, 2002 8:20 AM
> To: samba@lists.samba.org
> Subject: [Samba] Changing ACLs as administrator
>
> Hello all.
>
> Has somebody found a solution yet?
> I can't figure it out.
> I am beginning to wonder if it might be a bug in samba?
> This is what I have now:
>
> [netlogon]
>     comment = Network Logon Service
>     path = /home/netlogon
>     read only = Yes
>     guest ok = Yes
>     write list = @"Administrators"
>     force group = "+Administrators"
>     inherit acls = Yes
>     inherit permissions = Yes
>
> [homes]
>     path = /home/users/%U
>     read only = No
>     browseable = No
>     inherit acls = Yes
>     inherit permissions = Yes
>
> [users]
>     comment = Users share
>     path = /home/users
>     read only = No
>     force group = "+Administrators"
>     inherit acls = Yes
>     inherit permissions = Yes
>
> [profiles]
>     comment = User profiles share
>     path = /home/profiles
>     read only = No
>     force group = "+Administrators"
>     inherit acls = Yes
>     inherit permissions = Yes
>     csc policy = disable
> -----
>
> All user directories and files in [users] and [profiles] are owned by the
> "user", their group has been set to Administrators and user and group
> permissions are set to rwx for directories and rw for files.
>
> The world permissions have been set to none because I want only the "user"
> or the Administrator equiv to be able to access the directories in the
> [users] or the [profiles] share.
>
> When I check the acls and permission from a logged-in windows XP client
> everything looks really good.
> No errors.
>
> So far so good......but then:
>
> When a user creates a new file or directory, it should inherit its acl and
> permissions from the parent directory, this doesn't work, currently the
> owner and group get set to the user itself.
>
> If an Administrator equiv creates a new file or directory, I would like it
> to be set to a default acl where the group should be at least
> "Administrators" and, if needed, I would like to change the owner later.
> With the "force group" parameter set to "+Administrators" this works almost
> ok, the groups get set well but I get a "permission denied" when I try to
> change the owner of the directory.
>
> In order to be able to succeed in changing the ownership:
> I also have been playing with the "username map" file but when I add a line
> there like:
> root = @"Administrators"
> then the result is that the Administrator equiv is being logged in as root
> at login time, and still isn't able to change the ownership of a file or
> directory.
>
> I also tried the "admin users = @"Administrators" in the service section but
> this doesn't work either.
>
> So, I am out of options now.
>
> I hope that some other list member can give me the right solution.
> Or maybe one of the members of the samba team?
>
> Thank you for any reply.
>
> Eddie.
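An added example, not part of the original posts: the "s" in the group triplet of the OS_files listing above is the directory's setgid bit, and this script shows on scratch directories what it changes (group of new entries follows the directory, owner stays the creating user). It assumes Linux semantics; the directory names and the alternate gid it picks are constructed for the demonstration.

```python
"""Show what a setgid directory does to the owner and group of new entries."""
import os
import stat
import tempfile


def other_gid():
    """A gid we can chgrp to that differs from our effective gid, or None."""
    if os.geteuid() == 0:
        return os.getegid() + 1          # constructed value; root may use any gid
    spare = [g for g in os.getgroups() if g != os.getegid()]
    return spare[0] if spare else None


def create_under(parent):
    """Create one file and one directory in parent and report what they got."""
    new_file = os.path.join(parent, "new.txt")
    new_dir = os.path.join(parent, "newdir")
    with open(new_file, "w"):
        pass
    os.mkdir(new_dir)
    st_p, st_f, st_d = os.stat(parent), os.stat(new_file), os.stat(new_dir)
    return {
        "parent_gid": st_p.st_gid,
        "file_uid": st_f.st_uid,          # ownership: always the creator
        "file_gid": st_f.st_gid,          # group: depends on the parent's setgid bit
        "dir_gid": st_d.st_gid,
        "dir_setgid": bool(st_d.st_mode & stat.S_ISGID),
    }


def demo():
    """Compare a plain directory with a setgid one (mode 2770)."""
    results = {}
    gid = other_gid()
    with tempfile.TemporaryDirectory() as top:
        for label, extra in (("plain", 0), ("setgid", stat.S_ISGID)):
            parent = os.path.join(top, label)
            os.mkdir(parent)
            if gid is not None:
                try:
                    os.chown(parent, -1, gid)   # like chgrp-ing the share root
                except OSError:
                    pass                        # gid not usable in this sandbox
            os.chmod(parent, 0o770 | extra)
            results[label] = create_under(parent)
    return results


if __name__ == "__main__":
    for label, info in demo().items():
        print(label, info)
```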
Eddie,

I am having the exact same problem. I cannot change ACL's either from the administrator login or the user login. If anyone can give a clue as to what is going on, I would appreciate it. I am running 2.2.5 with the acl code in the kernel and compiled with acl.

Thank you
Sam

"Eddie Lania" <e.lania@elton.nl> on 07/30/2002 09:19:39 AM

To: samba@lists.samba.org
cc: (bcc: Samuel K Spitzner/Planalytics)
Subject: [Samba] Changing ACLs as administrator

Hello all.

Has somebody found a solution yet?
I can't figure it out.
I am beginning to wonder if it might be a bug in samba?

This is what I have now:

[netlogon]
comment = Network Logon Service
path = /home/netlogon
read only = Yes
guest ok = Yes
write list = @"Administrators"
force group = "+Administrators"
inherit acls = Yes
inherit permissions = Yes

[homes]
path = /home/users/%U
read only = No
browseable = No
inherit acls = Yes
inherit permissions = Yes

[users]
comment = Users share
path = /home/users
read only = No
force group = "+Administrators"
inherit acls = Yes
inherit permissions = Yes

[profiles]
comment = User profiles share
path = /home/profiles
read only = No
force group = "+Administrators"
inherit acls = Yes
inherit permissions = Yes
csc policy = disable
-----

All user directories and files in [users] and [profiles] are owned by the "user", their group has been set to Administrators and user and group permissions are set to rwx for directories and rw for files.

The world permissions have been set to none because I want only the "user" or the Administrator equiv to be able to access the directories in the [users] or the [profiles] share.

When I check the acls and permission from a logged-in windows XP client everything looks really good.
No errors.

So far so good......but then:

When a user creates a new file or directory, it should inherit its acl and permissions from the parent directory, this doesn't work, currently the owner and group get set to the user itself.

If an Administrator equiv creates a new file or directory, I would like it to be set to a default acl where the group should be at least "Administrators" and, if needed, I would like to change the owner later.
With the "force group" parameter set to "+Administrators" this works almost ok, the groups get set well but I get a "permission denied" when I try to change the owner of the directory.

In order to be able to succeed in changing the ownership:
I also have been playing with the "username map" file but when I add a line there like:
root = @"Administrators"
then the result is that the Administrator equiv is being logged in as root at login time, and still isn't able to change the ownership of a file or directory.

I also tried the "admin users = @"Administrators" in the service section but this doesn't work either.

So, I am out of options now.

I hope that some other list member can give me the right solution.
Or maybe one of the members of the samba team?

Thank you for any reply.

Eddie.
I've replied to these questions several times in this list. People need to:

Search the list
Try suggestions from list
Give detailed scenarios of what their problem is

I have this working successfully.

Josh

> -----Original Message-----
> From: sspitzner@planalytics.com [mailto:sspitzner@planalytics.com]
> Sent: Tuesday, July 30, 2002 10:13 AM
> To: Eddie Lania
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Changing ACLs as administrator
>
> Eddie,
>
> I am having the exact same problem. I cannot change ACL's either from the
> administrator login or the user login. If anyone can give a clue as to what is
> going on, I would appreciate it. I am running 2.2.5 with the acl code in the
> kernel and compiled with acl.
>
> Thank you
> Sam
>
> "Eddie Lania" <e.lania@elton.nl> on 07/30/2002 09:19:39 AM
>
> To: samba@lists.samba.org
> cc: (bcc: Samuel K Spitzner/Planalytics)
> Subject: [Samba] Changing ACLs as administrator
>
> Hello all.
>
> Has somebody found a solution yet?
> I can't figure it out.
> I am beginning to wonder if it might be a bug in samba?
There are only two users who can change ACL's on a file, the owner and root. What I have done to get around this in the NT world is to create a hidden share that encompasses all of the other shares. Then use 'valid users=@"Domain Admins"' and 'force user=root'.

Josh

> -----Original Message-----
> From: sspitzner@planalytics.com [mailto:sspitzner@planalytics.com]
> Sent: Tuesday, July 30, 2002 10:47 AM
> To: Konkol, Josh
> Subject: RE: [Samba] Changing ACLs as administrator
>
> I am one of those you replied to. I am going to attempt to provide you with
> enough information so that you can help me.
>
> I am running samba 2.2.5 compiled with acl support. My kernel has acl support.
>
> I have tried every suggestion in the list.
>
> I am trying to go to my NT domain controller, pull up the share, and change the
> acl's on any of the files or directories. I am also trying to change any of the
> acl's for the spitzner share, on my own machine, running W2K, using permissions
> on the right click of the mouse. I cannot add users or change any of the acl or
> share permissions of the files or directories, not to mention the shares.
>
> I have tested with the username map as you can see in the smb.conf file
>
> If you are able to help I would appreciate it.
>
> Sam
>
> Here is my smb.conf.
>
> # Global parameters
> [global]
> workgroup = SWS
> netbios name = BLACKHOLE
> server string = Samba on Blackhole
> encrypt passwords = Yes
> obey pam restrictions = Yes
> password server = LOCUTUS
> security = domain
> log file = /var/log/samba/%m.log
> max log size = 50
> socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
> preferred master = No
> wins server = 172.29.33.29
> wins proxy = Yes
> winbind separator = +
> winbind uid = 10000-20000
> winbind gid = 10000-20000
> winbind cache time = 10
> winbind use default domain = Yes
> hosts allow = 172.
> # username map = /etc/samba/private/username.map
> printing = nt
> character set = ISO8859-15
> nt acl support = Yes
> nt smb support = Yes
> log level = 2
>
> [root]
> comment = root share
> path = /home/ntshares
> valid users = root
> read only = No
> force create mode = 0660
> guest ok = No
>
> [send]
> comment = send
> path = /home/send
> valid users = send fost graph
> read only = No
> force create mode = 0660
> guest ok = Yes
>
> [spitzner]
> comment = send
> path = /home/ntshares/uprivate/sspitzner
> # valid users = SWS+SSpitzner, root
> valid users = SWS+SSpitzner
> read only = No
> browseable = Yes
> inherit acls = Yes
> inherit permissions = Yes
> force create mode = 0660
>
> Here is my pam.d/samba file.
>
> #%PAM-1.0
> auth required pam_nologin.so
> auth required pam_stack.so service=system-auth
> auth sufficient pam_winbind.so
> account required pam_stack.so service=system-auth
> session required pam_stack.so service=system-auth
> password required pam_stack.so service=system-auth
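The hidden-share workaround in the reply above makes every connection to that share act as root, so the settings around it decide who gets that privilege. The following is an added example, not part of the original thread: a Python audit that flags shares with `force user = root` and reports whether `valid users`, guest access and browsing limit them. The sample configuration, its share names and the function names are constructed, and treating a share as hidden when its name ends in `$` or it sets `browseable = No` is this example's assumption.

```python
"""Audit smb.conf text for shares that force every connection to root."""

# Constructed sample configuration (not taken from the thread).
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    security = domain

; The workaround from the thread: hidden, admins only, forced to root.
[acladmin$]
    path = /home
    browseable = No
    valid users = @"Domain Admins"
    force user = root

; Same privilege, but nothing restricts who may connect.
[scratch]
    path = /home/scratch
    Force User = root
    public = Yes

[users]
    path = /home/users
    read only = No
    inherit acls = Yes
"""

TRUE_VALUES = {"yes", "true", "1"}
FALSE_VALUES = {"no", "false", "0"}
# Documented smb.conf synonyms, mapped to one canonical name.
SYNONYMS = {"browsable": "browseable", "public": "guestok"}


def norm(name):
    """Samba ignores case and whitespace in parameter names."""
    key = "".join(name.split()).lower()
    return SYNONYMS.get(key, key)


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with normalised names."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = (pending + raw).strip()
        pending = ""
        if line.endswith("\\"):  # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # only the first '=' separates
            current[norm(key)] = value.strip()
    return sections


def audit_root_shares(text):
    """Return {share: [findings]} for each share with force user = root."""
    sections = parse_smb_conf(text)
    defaults = sections.get("global", {})
    report = {}
    for name, params in sections.items():
        if name == "global":
            continue

        def get(key):
            # Share setting first, then the [global] default.
            return params.get(key, defaults.get(key, "")).lower()

        if get("forceuser") != "root":
            continue
        findings = []
        if not get("validusers"):
            findings.append("no 'valid users' list limits who connects as root")
        if get("guestok") in TRUE_VALUES:
            findings.append("guest access is enabled on a root-forced share")
        # Assumption: "hidden" means a trailing '$' or browseable = No.
        if not (name.endswith("$") or get("browseable") in FALSE_VALUES):
            findings.append("share is visible when browsing the server")
        report[name] = findings
    return report


if __name__ == "__main__":
    for share, findings in audit_root_shares(SAMPLE_SMB_CONF).items():
        print(f"[{share}] force user = root")
        for finding in findings or ["restricted and hidden as in the thread"]:
            print("   -", finding)
```

A share that comes back with an empty findings list still grants root over its whole path to everyone in `valid users`, so membership of that group is the control that remains to review.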
Hi Josh and list.

Thank you again for your help.

Putting a sticky bit for the group on the folder helped.
Now, I don't need a "force group" anymore in the service.

But I still have the problem that the ownership is set to the users uid when creating new files or folders.
Of course, this is good when the user that is creating a folder or file is the owner (user) itself.
But when he or she is not the owner (because he or she is an Administrator at that moment), the folders or files created by he/she are automatically set to him/her uid.

I tried to set a sticky bit for this problem to the owner of a folder (chmod u+s "folder") and after that created a subfolder in that folder and checked again to see if it had worked.
But it didn't and I also could not set the ownership of the folder to a different user after doing this (permission denied).

Then I tried it again but this time with "admin users = @"Administrator" in the service section and then the folder is being created with root uid, but like the previous attempts, I could not change the ownership on the folder from root to a different uid.

The only way to change ownership on a folder is to ssh to the linux machine and change it to a different user as the root user.

It seems that I am still partly stuck with this problem but anyway I thank you for helping me and learning me the chmod "sticky bit" option which I didn't know before.

Eddie.

----- Original Message -----
From: "Konkol, Josh" <JKonkol@guidemail.com>
To: "'Eddie Lania'" <e.lania@elton.nl>
Cc: <e.lania@home.nl>
Sent: Tuesday, July 30, 2002 4:47 PM
Subject: RE: [Samba] Changing ACLs as administrator

> Use the chgrp command to set the group of the directory, i.e.
>
> chgrp "DOMAINNAME+Domain Users" foldername
>
> Then use chmod to set the sticky bit.
>
> chmod g+s foldername
>
> HTH
>
> josh
>
> > -----Original Message-----
> > From: Eddie Lania [mailto:e.lania@elton.nl]
> > Sent: Tuesday, July 30, 2002 9:35 AM
> > To: Konkol, Josh
> > Subject: Re: [Samba] Changing ACLs as administrator
> >
> > Hi Josh,
> >
> > Thank you so very much for your response.
> >
> > I hope this isn't a dumb question but could you explain to me what you mean
> > with the "group sticky bit" ?
> > Because I want to try this as soon as I know how to put a "sticky bit" to
> > the group.
> > I will copy this mail to my home address and will be trying your solution
> > later on this evening.
> > If you're going to respond fast, would you then kindly be willing to send
> > this to my home e-mail address?
> >
> > e.lania@home.nl
> >
> > Thank you once more!
> >
> > Eddie.
> >
> > ----- Original Message -----
> > From: "Konkol, Josh" <JKonkol@guidemail.com>
> > To: "'Eddie Lania'" <e.lania@elton.nl>; <samba@lists.samba.org>
> > Sent: Tuesday, July 30, 2002 4:06 PM
> > Subject: RE: [Samba] Changing ACLs as administrator
> >
> > > Eddie,
> > >
> > > There is no bug here, you just need to change a couple of things. Remember
> > > ownership and permissions are two different things. "inherit acls" and
> > > "inherit permissions" only deal with the acl piece of the security puzzle.
> > > They do _NOT_ deal with ownership.
> > >
> > > Here's what I've done to allow users to create new files, set the file owner
> > > to the user, set the group to the group of the parent folder, inherit ACL's
> > > from the parent folder.
> > >
> > > My share in the smb.conf looks like this:
> > >
> > > [OS_files]
> > > comment = /export/lvm/OS_files
> > > path = /export/lvm/OS_files
> > > browseable = yes
> > > writeable = yes
> > > inherit acls = yes
> > > inherit permissions = yes
> > > valid users = @"PRFMSTR2+Domain Users"
> > >
> > > Here is what the OS_files permissions look like:
> > >
> > > drwxrwsr--+ 17 PRFMSTR2+username PRFMSTR2+Domain Admins 4096 Jul 17 13:12 OS_files/
> > >
> > > Notice the group sticky bit. This makes it so that files/folders under the
> > > OS_files folder belong to the Domain Admins group. You of course can set
> > > this to any group you want.
> > >
> > > Please respond and let me know if this works for you.
> > >
> > > Josh
> > >
> > > > -----Original Message-----
> > > > From: Eddie Lania [mailto:e.lania@elton.nl]
> > > > Sent: Tuesday, July 30, 2002 8:20 AM
> > > > To: samba@lists.samba.org
> > > > Subject: [Samba] Changing ACLs as administrator
> > > >
> > > > Hello all.
> > > >
> > > > Has somebody found a solution yet?
> > > > I can't figure it out.
> > > > I am beginning to wonder if it might be a bug in samba?
I added my comments below.

> -----Original Message-----
> From: Eddie Lania [mailto:e.lania@home.nl]
> Sent: Tuesday, July 30, 2002 2:07 PM
> To: Konkol, Josh
> Cc: Samba list
> Subject: Re: [Samba] Changing ACLs as administrator
>
> Hi Josh and list.
>
> Thank you again for your help.
>
> Putting a sticky bit for the group on the folder helped.
> Now, I don't need a "force group" anymore in the service.
>
> But I still have the problem that the ownership is set to the users uid when
> creating new files or folders.
> Of course, this is good when the user that is creating a folder or file is
> the owner (user) itself.
> But when he or she is not the owner (because he or she is an Administrator
> at that moment), the folders or files created by he/she are automatically
> set to him/her uid.

I don't understand why this is an issue. When would you want someone to create a file and not own it?

> I tried to set a sticky bit for this problem to the owner of a folder (chmod
> u+s "folder") and after that created a subfolder in that folder and checked
> again to see if it had worked.

The sticky bit for users is for binary files so that any user that runs that binary executes it as that owning user.

> But it didn't and I also could not set the ownership of the folder to a
> different user after doing this (permission denied).

Only two people can change ACL's. The owner and root.

> Then I tried it again but this time with "admin users = @"Administrator" in
> the service section and then the folder is being created with root uid, but
> like the previous attempts, I could not change the ownership on the folder
> from root to a different uid.

admin users has no effect on acl's.

> The only way to change ownership on a folder is to ssh to the linux machine
> and change it to a different user as the root user.
>
> It seems that I am still partly stuck with this problem but anyway I thank
> you for helping me and learning me the chmod "sticky bit" option which I
> didn't know before.
>
> Eddie.

Due to the limitation of who can and can't modify ACL's I use a hidden share for ACL administration. Search the archives here, I've posted my solution at least 3 times.

Good Luck,
Josh

> ----- Original Message -----
> From: "Konkol, Josh" <JKonkol@guidemail.com>
> To: "'Eddie Lania'" <e.lania@elton.nl>
> Cc: <e.lania@home.nl>
> Sent: Tuesday, July 30, 2002 4:47 PM
> Subject: RE: [Samba] Changing ACLs as administrator
>
> > Use the chgrp command to set the group of the directory, i.e.
> >
> > chgrp "DOMAINNAME+Domain Users" foldername
> >
> > Then use chmod to set the sticky bit.
> >
> > chmod g+s foldername
> >
> > HTH
> >
> > josh
> >
> > > -----Original Message-----
> > > From: Eddie Lania [mailto:e.lania@elton.nl]
> > > Sent: Tuesday, July 30, 2002 9:35 AM
> > > To: Konkol, Josh
> > > Subject: Re: [Samba] Changing ACLs as administrator
> > >
> > > Hi Josh,
> > >
> > > Thank you so very much for your response.
> > >
> > > I hope this isn't a dumb question but could you explain to me what you mean
> > > with the "group sticky bit" ?
> > > Because I want to try this as soon as I know how to put a "sticky bit" to
> > > the group.
> > > I will copy this mail to my home address and will be trying your solution
> > > later on this evening.
> > > If you're going to respond fast, would you then kindly be willing to send
> > > this to my home e-mail address?
> > >
> > > e.lania@home.nl
> > >
> > > Thank you once more!
> > >
> > > Eddie.
> I tried that and when I am the owner of a directory, I can NOT set the
> ownership to some other user if I want to.

I think you're running into a collision between what Linux can do, and what NT can do. Under Linux, only root can change the ownership of a file, but can change it to any user. Under Windows, anyone can change ownership of a file (if they have Take Ownership rights) BUT they can only change it to themselves.

For that reason, I can't see any way to make this work the way you want it to. I've always just ssh'd in and used chown.