stephane.purnelle@corman.be
2003-Dec-04 10:53 UTC
Ref.: Re: [Samba] SAMBA Groups and Permissions
I confirm what Malte Müller says.
If you want to set multiple group access, you must use ACLs.
The valid user parameter in smb.conf forces the right of the directory, but the
unix right is only for group user.
-----------------------------------
Stéphane PURNELLE stephane.purnelle@corman.be
Service Informatique Corman S.A. Tel : 00 32 087/342467
mamue@lb-bbs1.emd.ni.schule.de
Sent by: samba-bounces+stephane.purnelle=corman.be@lists.samba.org
To: "Michael Gasch" <gasch@eva.mpg.de>
cc: samba@lists.samba.org
Subject: Re: [Samba] SAMBA Groups and Permissions
04/12/2003 11:41
I am not sure if I got you right. You do not tell us the access rights of
the directory concerned.
If your primary unix group is user and your dir. has:
drwx---rwx root user board
they forbid your access. Then you are not allowed to access, because group
rights match first, and if you weren't user but world, then you would be
allowed. This has nothing to do with samba.
You might want to change the group to nogroup and work with acls (if ext3,
XFS and alike). Or if you have plenty of CPU-cycles to waste you might
work with "valid users" in smb.conf.
But I'm not a security or filesystem-expert and may be completely wrong.
Kind regards,
Malte Müller
> hi
>
> i have a user
>
> ~# id test_user
> uid=500,gid=500 (users),groups (users,kids)
>
> as you can see, this user is in primary group "users" and also member of
> group "kids"
>
> if he tries to access /home/board via smb (Samba 3.0 + openldap) from a
> windows client (XP), he fails, because his
>
> sambaPrimaryGroupSID maps to -> "users"
>
> and /home/board is not accessible for group "users" - just for "kids"
> if i add
>
> valid users = @kids
>
> to /home/board - share, access is granted
>
> isn't it possible in samba, that the user "test_user" gets an attribute
> like
>
> sambaSecondaryGroup in ldap ????
>
> so that samba knows: "this user is in group users AND kids, so i have to
> try connections to share /home/board as group users AND kids" ???
>
> if i login locally to the samba PDC with a console as "test_user",
> access to /home/board is granted, 'cause i'm member of "kids"
>
> so there's no permission problem
>
> please help me !!!
>
> greez
stephane.purnelle@corman.be
2003-Dec-04 11:27 UTC
Ref.: Re: [Samba] SAMBA Groups and Permissions
Is Samba compiled with the ACL support option?
./configure --with-acl-support
-----------------------------------
Stéphane PURNELLE stephane.purnelle@corman.be
Service Informatique Corman S.A. Tel : 00 32 087/342467
Michael Gasch <gasch@eva.mpg.de>
Sent by: samba-bounces+stephane.purnelle=corman.be@lists.samba.org
To: samba@lists.samba.org
cc:
Subject: Re: [Samba] SAMBA Groups and Permissions
04/12/2003 12:21
hi,
sorry, if i was too imprecise...
of course i'm working with acl's - otherwise i could hardly define those
fine granulated rules
this is what getfacl on /home/board gives:
~# getfacl /home/board
# file: home/board
# owner: root
# group: root
user::rwx
group::r-x
group:kids:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:kids:r-x
default:mask::r-x
default:other::---
for some reasons, i don't want to work with the "valid users" parameter,
especially while working with scripts
so this solution doesn't meet my expectations (as i already mentioned)
the problem is on the samba-side
on unix-side the user "test_user" has access on /home/board, cause he's
in group "kids", too
but samba just recognised group "users" for "test_user" because
sambaPrimaryGroupSID maps to -> "users"
so samba establishes a connection as user "testuser" / group "users",
which fails because of my restrictive acl :/
so: is "valid users" my only chance?
no way of adding more GroupSIDs for samba-users in LDAP, that samba
recognises, that user "test_user" is in more than one group ?
i mean: unix-side sees this...
~# id test_user
uid=596(test_user) gid=500(users) groups=500(users),522(kids)
thx for your help!!!
greez
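The group matching discussed in this thread, as an added example that is not part of any poster's message: a Python sketch of the POSIX ACL access check from acl(5), run over the getfacl output quoted above and over a constructed ACL equivalent to the "drwx---rwx root user" directory. Group names stand in for gids, and parse() and allowed() are hypothetical helper names; the result depends only on which groups the accessing process actually holds.

```python
# Added example: the POSIX ACL access check described in acl(5).
# Group names stand in for gids; parse() and allowed() are hypothetical helpers.
GETFACL = """\
# file: home/board
# owner: root
# group: root
user::rwx
group::r-x
group:kids:r-x
mask::r-x
other::---
"""
# Constructed ACL equivalent to the "drwx---rwx root user" directory in the thread.
MODE_ONLY = "# owner: root\n# group: user\nuser::rwx\ngroup::---\nother::rwx\n"

def parse(text):
    """Turn getfacl output into owner, owning group and access entries."""
    acl = {"owner": None, "group": None, "entries": []}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            tag, qualifier, perms = line.split(":")
            acl["entries"].append((tag, qualifier, set(perms) - {"-"}))
    return acl

def allowed(acl, user, groups, want):
    """Return True if a process running as user with these groups gets `want`."""
    want = set(want)
    find = lambda tag, q="": [p for t, n, p in acl["entries"] if (t, n) == (tag, q)]
    mask = (find("mask") or [set("rwx")])[0]
    if user == acl["owner"]:
        return want <= find("user")[0]
    if find("user", user):
        return want <= (find("user", user)[0] & mask)
    hits = [p & mask for t, n, p in acl["entries"]
            if t == "group" and (n or acl["group"]) in groups]
    if hits:  # a group entry matched, so "other" is never consulted
        return any(want <= p for p in hits)
    return want <= find("other")[0]

if __name__ == "__main__":
    board, mode = parse(GETFACL), parse(MODE_ONLY)
    print(allowed(board, "test_user", {"users", "kids"}, "rx"))  # supplementary group held
    print(allowed(board, "test_user", {"users"}, "rx"))          # primary group only
    print(allowed(mode, "someone", {"user"}, "r"))               # group entry blocks
    print(allowed(mode, "someone", {"nogroup"}, "r"))            # falls through to other
```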