spu@corman.be
2005-Jan-24 16:35 UTC
RE [Samba] More help on ACL problemplease...anyone...anyone...Bueller?
Extract of smb.conf:

valid users (S)

    This is a list of users that should be allowed to login to this service. Names starting with '@', '+' and '&' are interpreted using the same rules as described in the invalid users parameter.

    If this is empty (the default) then any user can login. If a username is in both this list and the invalid users list then access is denied for that user.

    The current servicename is substituted for %S. This is useful in the [homes] section.

    Default: valid users = # No valid users list (anyone can login)

    Example: valid users = greg, @pcusers

"Travis Bullock" <tbullock@avmax.ca>
To: <spu@corman.be>
24/01/2005 17:28
cc:
Subject: RE: RE [Samba] More help on ACL problemplease...anyone...anyone...Bueller?

I modified your setting

Sure:

    [Planning]
        comment = Avmax Domain Shares
        browseable = yes
        writable = yes
        read only = no
        # valid users = AVMAX+Planning
        create mode = 0664
        directory mode = 0775
        path = /usr/avamx_shares/Planning

There she is. Do I have to include all groups in 'valid users'? If so, what would the separator be?

-----Original Message-----
From: samba-bounces+tbullock=avmax.ca@lists.samba.org [mailto:samba-bounces+tbullock=avmax.ca@lists.samba.org] On Behalf Of spu@corman.be
Sent: Monday, January 24, 2005 9:03 AM
To: Samba (E-mail)
Subject: RE [Samba] More help on ACL problemplease...anyone...anyone...Bueller?

Hi,

I think it is not an ACL problem; it's an smb.conf share configuration problem. Could you send the part of your smb.conf that concerns this share?

-----------------------------------
Stéphane PURNELLE stephane.purnelle@corman.be
Service Informatique Corman S.A. Tel : 00 32 087/342467

"Travis Bullock" <tbullock@avmax.ca>
Sent by: samba-bounces+stephane.purnelle=corman.be@lists.samba.org
To: "Samba (E-mail)" <samba@lists.samba.org>
24/01/2005 16:59
cc:
Subject: [Samba] More help on ACL problem please...anyone...anyone...Bueller?

Hello,

I am running Fedora Core 2.

Kernel: linux-2.6.5-1.358

Kernel supports ACL:

    [root@atlas configs]# grep FS_SECURITY kernel-2.6.5-i686-smp.config
    CONFIG_EXT2_FS_SECURITY=y
    CONFIG_EXT3_FS_SECURITY=y
    CONFIG_XFS_SECURITY=y
    CONFIG_DEVPTS_FS_SECURITY=y
    [root@atlas configs]# grep XATTR kernel-2.6.5-i686-smp.config
    CONFIG_EXT2_FS_XATTR=y
    CONFIG_EXT3_FS_XATTR=y
    CONFIG_DEVPTS_FS_XATTR=y

I have extended attributes set in /etc/fstab as follows:

    /dev/Goliath/root / ext3 acl,user_xattr 1 1

I have a directory called Planning with ACL permissions assigned via the setfacl command:

    drwxrwx---+ 2 root AVMAX+Planning 4096 Jan 14 09:55 Planning

which looks like this with getfacl:

    [root@atlas avamx_shares]# getfacl Planning/
    # file: Planning
    # owner: root
    # group: AVMAX+Planning
    user::rwx
    group::rwx
    group:AVMAX+Domain Users:r--
    mask::rwx
    other::---

Problem: If I add my user to the AVMAX+Planning group on my NT DOMAIN PDC there is no problem. I can browse to the Planning directory via My Network Places. However, if I remove my account from the AVMAX+Planning group and browse to the Planning directory, it prompts me for a password. Because my account is by default a member of the AVMAX+Domain Users and I have configured (I think) the Planning directory ACL to allow read access to the AVMAX+Domain Users group.....I should be able to browse this directory without being prompted for a username and password....

QUESTION: What did I do wrong or not do at all to make the applied ACL function correctly and allow all users in the AVMAX+Domain Users group read access to the Planning samba share?

Cheers,
Travis

-----------------------------------
Stéphane PURNELLE stephane.purnelle@corman.be
Service Informatique Corman S.A. Tel : 00 32 087/342467
Travis Bullock
2005-Jan-24 20:13 UTC
[Samba] RE: More help on ACLproblemplease...Problem solved.....thanks to all.....
Dude,

Thanks for your help. I made the modifications to the "valid users=" line in the smb.conf but was still not able to browse to the directory without being a member of the primary group AVMAX+Planning. However, there was also a problem with the way I set up the ACL, which I have now discovered and corrected. The details are as follows:

Along with having to list all allowed groups in the "valid users=" line in the smb.conf file for the share, I also had to modify each share's ACL permissions as well. Originally I had given "AVMAX+Domain Users" a :r permission in that directory's ACL. I also needed to put in a :x permission to allow browsing to work on that folder. So I fixed the problem by doing:

    setfacl -m group:"AVMAX+Domain Users":rx Planning

This allows me to now browse to the directory problem free without being a member of the primary domain group AVMAX+Planning. I am also able to leave the "valid users=" parameter out of the smb.conf share detail and let winbind and the ACLs work on the security of the directory.

So anyway, thanks to those who replied to my request for assistance.

Cheers,
Travis
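Added example, not part of the original thread: a small check for the misconfiguration resolved above, where a directory ACL entry grants r (list names) without x (search), so the group cannot enter the directory. The function name acl_read_without_search and the ACL_* variables are hypothetical; the sample input is reconstructed from the getfacl output quoted in the thread.

```shell
#!/bin/sh
# Added example; acl_read_without_search and the ACL_* variables are
# hypothetical names, not part of Samba or the acl tools.

# Reads `getfacl <directory>` output on stdin and prints every access entry
# whose effective permissions include r (list names) but not x (search).
acl_read_without_search() {
    awk -F: '
        BEGIN { n = 0 }
        /^#/ || NF < 3 || $1 == "default" { next }   # headers, blanks, default ACL
        $1 == "mask" { mask = substr($3, 1, 3); next }
        { tag[n] = $1; who[n] = $2; perm[n] = substr($3, 1, 3); n++ }
        END {
            for (i = 0; i < n; i++) {
                r = (index(perm[i], "r") > 0)
                x = (index(perm[i], "x") > 0)
                # The mask caps the owning group, named groups and named users.
                capped = (tag[i] == "group" || (tag[i] == "user" && who[i] != ""))
                if (capped && mask != "") {
                    r = (r && index(mask, "r") > 0)
                    x = (x && index(mask, "x") > 0)
                }
                if (r && !x) print tag[i] ":" who[i]
            }
        }'
}

# Constructed sample: the getfacl output quoted in the thread (before the fix).
ACL_BEFORE='# file: Planning
# owner: root
# group: AVMAX+Planning
user::rwx
group::rwx
group:AVMAX+Domain Users:r--
mask::rwx
other::---'

# Constructed sample: the same ACL after the setfacl -m ...:rx command.
ACL_AFTER=$(printf '%s\n' "$ACL_BEFORE" | sed 's/Domain Users:r--/Domain Users:r-x/')

echo "before: $(printf '%s\n' "$ACL_BEFORE" | acl_read_without_search)"
echo "after:  $(printf '%s\n' "$ACL_AFTER" | acl_read_without_search)"
# On a live system: getfacl Planning | acl_read_without_search
```

The check also applies the mask entry, so an entry that shows r-x but is capped by a mask without x is reported as well.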