samba - Feb 2004 - Samba3/ADS: share permissions vs ACLs

Hello,

I'm struggling with permissions management in samba 3.0.2, ads member mode,
on SuSE 9. I have
essentially two questions:

1) What is the precendence of the various permissions (Filesystem, share, ACL,
smb.conf, user vs.
group in each) that Samba observes, and how do they effect each other?

2) Should I be able to set share-level permissions on a samba share from a Win2k
machine by
working in the "Share Permissions" tab of MMC?


More info:

I am currently able (after much struggle) to successfully save filesystem ACLs
from MMC on a Win2k
machine, logged in as the domain Administrator. I can do it from the
"Security" tab in the share
propterties. However, I cannot make any changes to the "Share
Permissions" tab, which simply lists
"Everybody" with full control. After much reading and googling, I
remain unsure if this is normal
or not. And I honestly don't know which is the preferred method, share perms
vs ACLs.

Of the filesystem ACL's I can set, only user entries seem to be observed.
Group entries are not
taking effect for members of those groups. Winbind appears properly configured,
at least, getent
passwd works.

An example:

Domain user "bob" is a member of "Corp Admins", among many
other groups. "groups bob" returns them
all. Trying to connect or list as 'bob' generates a log message: chdir
(/home/share1) failed

/home/share1/ is owned by administrator.root, perms rwxrwx---+

Add group "Corp Admins" with full perms to the "security"
tab of MMC.
   - bob cannot connect or list files.

Create "write list", "admin users", & "valid
users" in smb.conf, and add MYDOMAIN\@"Corp Admins"
to each.
   - bob cannot connect or list files.

Change ownership of /home/share1 to administrator."Corp Admins"
   - bob cannot connect or list files.

Finally, remove all prior changes, then add 'bob' with all rights for
"this folder, subfolders and
files", to the Security tab of MMC.
   - bob CAN connect, list, delete files.


Installation details:

SuSE 9.0
Samba 3.0.2 installed from rpms at ftp.sernet.de/pub/samba/suse9/
ADS mode, existing Win2k domain
wbinfo -u/-g, getent passwd all work**.
I'll post my smb.conf if it would help. It's pretty plain.


Thanks in advance for any pointers thrown my way!

-- Seb


(**) that is, until winbind dies, which is each night. It's still running,
but not serving names,
until restarted again. I'm still investigating that one.


__________________________________
Do you Yahoo!?
Yahoo! Finance: Get your refund fast by filing online.
http://taxes.yahoo.com/filing.html