Alex,
Hi...
The way I got around this was to create a share and use the "force user" and
"force group" options on the share. This makes everyone that can login to
the share have owner access to all files. This should solve your problems
and allow everyone to change RW options on the files.
I used nobody as the owner and group! Just for security reasons, I don't
like using root for this.
Thanks,
James Kosin
Original Message
---------------------------
From: "Alex Kramarov" <alex@incredimail.com>
To: <samba@lists.samba.org>
Date: Mon, 6 Jan 2003 19:10:48 +0200
Subject: [Samba] replacing a w2k machine with samba 2.2.7a
Hi.
First, I would like to thank samba developers for producing such a good product.
Second, I have a few questions/remarks:
I have recently replaced a w2k file server running in w2k domain (native mode)
with samba 2.2.7a on RH 7.3 with the latest kernel, no acl, configured winbind,
and ran into the problem described here:
http://lists.samba.org/pipermail/samba-technical/2001-October/032017.html
It would be helpful if this info made its way into the winbind.html at the
doc directory of the samba distribution - I wasted an hour tracking it down,
and other people may just give up on it before finding the solution.
After configuring everything, my samba server is running for 2 weeks already,
without any major problems. I have a few minor problems though:
Generally, this server holds a few shares for several different groups in my
organization. Each share is writable for members of that group, and readable for
the rest. This is accomplished by the following setup (a snippet from my
smb.conf regarding the "_creative" share):
[global]
workgroup = MyOrg
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /mnt/usersdata/_users/%U
security = domain
encrypt passwords = yes
dos filemode = yes
# security mask = 0000
[_Creative]
comment = Creative division
path = /mnt/gendata/_creative
read only = no
create mode = 664
directory mode = 775
force security mode = 664
force group = +MyOrg+Creative
write list = @MyOrg+Creative
all files written to the share are mode 664, and directories are 775.
There is a problem though, when an owner of the file sets the file read only,
no one except him can remove the read only attribute, since the file becomes 444.
I tried dos filemode - it is not much help. Is there a solution for this?
The problem is escalated by people copying many read only files into the share
(like pictures from a cd), and other users can't remove the read only
attribute.
Trying to solve the problem, I have tried to set "security mask =
0000" - but this was completely not helpful, setting files read only still
worked. Another problem was uncovered with this line - for some reason, people
working in m$ work (yacccs) were not able to save their documents while working
on the samba share - for some reason during the save operation the file got the
000 permission, and of course nothing else could be done with the file until I
fixed the problem by chmod 664 of the file.
NT has the option to grant write control to a share, and full control. I would
really like to make these shares only write accessible, and all attribute
changes would not be propagated to the files themselves - I don't mind that a
person will not be able to set a file read only. All I want is for all my files
to have the permission I set in createmode, whatever the user tries to do to
it.
I have read the entire smb.conf documentation, and didn't find anything that
could help me. Am I missing something? Am I looking at it from the wrong
direction?
Right now the only solution I have is a cron job run daily that runs find on all
shared directories and changes permissions of all files to the default, and of
course, this is not much of a solution...
An additional question I have is as follows: I want to provide a group of my users
with a home directory, but not all of them - some users are administrative users
only, and they don't need home dirs. I have started with something like this:
[homes]
comment = Home Directories
path = /mnt/usersdata/_users/%S
browseable = no
writable = yes
valid users = MyOrg+alex MyOrg+alon MyOrg+ariela
create mode = 0644
directory mode = 0755
and these users get their directories fine, but these users who are not in valid
users (and I don't want to provide them with home directories) still see a
share of a home directory on that server (of course they can't connect to
it, since it doesn't exist on the HD). What better way to do this?
Thank you.
Alex.
------------------------------------------
End of Original Message
----
James Kosin <jkosin@intcomgrp.com>
International Communications Group, Inc.
200 Enterprise Drive
Newport News, VA 23603-1300
-- United States of America --
Voice: +1 (757) 947-1030 x122
Fax: +1 (757) 947-1035
----
"Walking on water and developing software to specification
are easy as long as both are frozen" - Edward V. Berard.
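
Added example (not part of either message, and not taken from either poster's smb.conf): the "force user" / "force group" approach from the reply, applied to the [_Creative] share from the original message. It assumes the existing tree under the share path has been re-owned to nobody:nobody, and it switches the share to "read only = yes" with the existing write list, because once every operation runs as nobody the Unix group permissions no longer separate Creative members from everyone else.

```ini
[_Creative]
comment = Creative division
path = /mnt/gendata/_creative

# All file operations from any connected client run as this Unix account,
# so every file is owned by it and any writer can clear the read-only bit.
# (Replaces "force group = +MyOrg+Creative" from the original share.)
force user = nobody
force group = nobody

# Assumption of this example: with one shared owner, filesystem permissions
# cannot keep non-members read-only any more, so enforce it at share level.
# A connecting user named in "write list" gets write access regardless of
# the "read only" setting; everyone else stays read-only.
read only = yes
write list = @MyOrg+Creative

# Modes for newly created files and directories, as in the original share.
create mode = 664
directory mode = 775
```

On-disk ownership no longer records which user created or changed a file, so per-user attribution has to come from Samba's own logs.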