samba - Dec 2003 - access controls on shares

hello,

I'm trying to set up a samba serveur with access controls on shares,
like described in chapter 13 section 4 of the samba howto collection,
but I didn't succeed. 

I don't know if I need to set "security = DOMAIN", to join the
domain
and/or to use winbind.

My server is a simple domain member (the PDC is a NT4 server). I've
tried samba 3.0.0 and 2.2.3a on a debian stable box.

I've tried various configurations, on somes, got an error ("access
denied") on the windows box while setting the ACL on the share, on
others, got an "access denied" trying to access to the share even with
correct ACLs.

Can anybody post a samba smb.conf ready for ACL on shares or explain me
a way to configure it?

-- 
 busab
(sorry for my bad english)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

BuSab wrote:
| hello,
|
| I'm trying to set up a samba serveur with access controls on shares,
| like described in chapter 13 section 4 of the samba howto collection,
| but I didn't succeed.
|
| I don't know if I need to set "security = DOMAIN", to join the
domain
| and/or to use winbind.
|
| My server is a simple domain member (the PDC is a NT4 server). I've
| tried samba 3.0.0 and 2.2.3a on a debian stable box.
|
| I've tried various configurations, on somes, got an error ("access
| denied") on the windows box while setting the ACL on the share, on
| others, got an "access denied" trying to access to the share even
with
| correct ACLs.
|
| Can anybody post a samba smb.conf ready for ACL on shares or explain me
| a way to configure it?

you must create a local Samba account for root.  Only root
(uid == 0) can set share acls.  We're working on extending this
to use group membership (e.g. Domain Admins) but havne't
finished it yet.




- --
cheers, jerry
~ ----------------------------------------------------------------------
~ Hewlett-Packard            ------------------------- http://www.hp.com
~ SAMBA Team                 ---------------------- http://www.samba.org
~ GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
~ "If we're adding to the noise, turn off this song" --Switchfoot
(2003)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/2KlRIR7qMdg1EfYRAq3nAKDLfNhhEgctcQqtRqqUMjAk9UsKTQCfcyKG
HfhyXaoSCaf/QuU11B7kX6k=+JY0
-----END PGP SIGNATURE-----

I solve this using the option admin users in shares, like that:

[Finances]
	path = /Groups/Finances
	valid users = @"DOMAIN+Finances"
	admin users = @"DOMAIN+Domain Admins"

Everyone who belongs to the Finances group can access the share, but
can't modify acls from windows, but, everyone who belongs to the Domain
Admins group can modify acls without problem, if you look in the
smbstatus the connection is made by root.
>>> "Gerald (Jerry) Carter" <jerry@samba.org> 12/11/03
02:28pm >>>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

BuSab wrote:
| hello,
|
| I'm trying to set up a samba serveur with access controls on shares,
| like described in chapter 13 section 4 of the samba howto
collection,
| but I didn't succeed.
|
| I don't know if I need to set "security = DOMAIN", to join the
domain
| and/or to use winbind.
|
| My server is a simple domain member (the PDC is a NT4 server). I've
| tried samba 3.0.0 and 2.2.3a on a debian stable box.
|
| I've tried various configurations, on somes, got an error ("access
| denied") on the windows box while setting the ACL on the share, on
| others, got an "access denied" trying to access to the share even
with
| correct ACLs.
|
| Can anybody post a samba smb.conf ready for ACL on shares or explain
me
| a way to configure it?

you must create a local Samba account for root.  Only root
(uid == 0) can set share acls.  We're working on extending this
to use group membership (e.g. Domain Admins) but havne't
finished it yet.




- --
cheers, jerry
~
----------------------------------------------------------------------
~ Hewlett-Packard            -------------------------
http://www.hp.com 
~ SAMBA Team                 ----------------------
http://www.samba.org 
~ GnuPG Key                  ----
http://www.plainjoe.org/gpg_public.asc 
~ "If we're adding to the noise, turn off this song" --Switchfoot
(2003)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org 

iD8DBQE/2KlRIR7qMdg1EfYRAq3nAKDLfNhhEgctcQqtRqqUMjAk9UsKTQCfcyKG
HfhyXaoSCaf/QuU11B7kX6k=+JY0
-----END PGP SIGNATURE-----

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

yeap, I'm talking about ACLs on files and directories, I'm using ext3
file system with acls and quotas, and works really fine.
>>> BuSab <busabPasDePubMerci@nerim.net> 12/12/03 06:04am
>>>
le Thu, 11 Dec 2003 15:03:35 -0300, "Leandro Ariel Gomez Chavarria"
<lgomez@cencosud.com.ar> wrote :
> I solve this using the option admin users in shares, like that:
> 
> [Finances]
> 	path = /Groups/Finances
> 	valid users = @"DOMAIN+Finances"
> 	admin users = @"DOMAIN+Domain Admins"
> 
> Everyone who belongs to the Finances group can access the share, but
> can't modify acls from windows, but, everyone who belongs to the
> Domain Admins group can modify acls without problem, if you look in
> the smbstatus the connection is made by root.
It don't work for me. Are you talking about share ACLs or ACLs on
files
and directories?

-- 
 busab
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba