Dear All

I've been working at building a file server to provide file sharing for a
Windows 2003 Active Directory Domain.

Our requirements are for the Windows Server Administrator to be able to create
all the users' home folders in the Samba share and apply restrictive
permissions. I.e. user joe, //samba/joe$ or //samba/share/joe (Dfs), with
permissions for only the user "joe" and "domain admins".

So basically, is what I am trying to do possible? Can I configure Samba so that
an MCSE can create a folder on a Samba share (Dfs) and assign that user rights
to the folder via the "Permissions" tab of the folder properties dialog? I.e.
can it be set up so clickety-clickers can manage the permissions and create new
folders within a Dfs share?

So far, I have:

- mit-krb5 1.4 successfully compiled and configured, and has been successfully
  authenticated to the realm with kinit.

- samba 3.0.14a successfully compiled with ADS, IDMAP, ACL, LDAP, Winbind,
  MS-Dfs and Krb5 support. (smb.conf/output of smbd -b is attached)

  ** I'm experiencing odd behaviour from the ACL support, where when I use the
  Windows "Permissions" tab on a share or folder within a share, the changes I
  make are lost on clicking the Apply button. Like Windows is not allowed to
  write ACLs back to the Linux box. **

- kernel, filesystem (mounted acl,user_attr) and library support for POSIX ACLs.
  smbd -b | grep ACL returns the two flags confirming Samba ACL support.
  Confirmed that the setfacl and getfacl commands work. Output from the mount
  command:
  /dev/md0 / reiserfs defaults,acl,user_xattr 1 1

- nsswitch.conf configured:
  passwd: compat winbind
  shadow: compat
  group: compat winbind

- a public share for testing which is root:users 755. I couldn't browse to it as
  Administrator from the Windows 2003 Server if it was 750. Must I use the
  username map functionality at all?

- tried to configure a Dfs share, but I think it may not be the same sort of
  thing I used to use in Windows 2000. In Windows 2000 I used a root Dfs share
  in order to share one directory, e.g. \\server\users$, and in that directory
  each user's home directory existed with their specific permissions.

- wbinfo -t returns: "checking the trust secret via RPC calls succeeded"
- wbinfo -u returns: "Error looking up domain users"

  ** I'm assuming this is where the error is? Is it that winbind cannot list
  the users, therefore when a Windows user connects, Samba thinks that user
  does not exist and boots it for lack of permission? **

- wbinfo -g returns the AD groups:
  BUILTIN/system operators
  BUILTIN/replicators
  BUILTIN/guests
  BUILTIN/power users
  BUILTIN/print operators
  BUILTIN/administrators
  BUILTIN/account operators
  BUILTIN/backup operators
  BUILTIN/users
  domain computers
  domain controllers
  schema admins
  enterprise admins
  domain admins
  domain users
  domain guests
  group policy creator owners
  dnsupdateproxy
  call_centre
  finance

Ciao
Warwick Chapman
Marketing and Operations
Thusa Business Support cc

Cellular: +27 83 7797 094
Telephone: +27 31 563 1180
Facsimile: +27 31 563 1182
Website: http://www.thusa.co.za

-- There are 10 types of people in this world. Those who understand binary, and
those who don't.
----------------------------------------------------------------
Sent with Thusa Internet Gateway Services http://www.thusa.co.za
-------------- next part --------------
[global]
    realm = 000.LOVELIFE.ORG.ZA
    netbios name = BOX
    workgroup = LOVELIFE
    security = ADS
    encrypt passwords = yes
    idmap uid = 15000-20000
    idmap gid = 15000-20000
    winbind nested groups = yes
    winbind use default domain = yes
    winbind separator = /
    winbind enum users = yes
    winbind enum groups = yes
    # host msdfs = yes
    nt acl support = yes
    # username map = /etc/samba/smbusers
    map acl inherit = yes
    hosts allow = 10.0. 127.
    log file = /var/log/samba.%m
    max log size = 50
    log level = 10

[public]
    comment = Public Share
    path = /usr/local/data
    read only = no

#[dfs]
#    comment = Dfs share
#    path = /usr/local/dfs
#    msdfs root = yes
On 6/28/05, Warwick Bruce Chapman <warwick@thusa.co.za> wrote:
> Dear All
>
> I've been working at building a file server to provide file sharing for a
> Windows 2003 Active Directory Domain.
>
> Our requirements are for the Windows Server Administrator to be able to create
> all the users' home folders in the Samba share and apply restrictive
> permissions. Ie. User joe, //samba/joe$ or //samba/share/joe (Dfs), with
> permissions for only the user "joe" and "domain admins".

They don't need to create anything for home dirs. Just use the 'root preexec'
directive to call a script which creates the home dir on demand if needed.

[homes]
    comment = %U's Home Directory
    path = /home/%D/%U
    read only = No
    browseable = No
    root preexec = /etc/samba/scripts/mk_sambadir %D %U %G

Samba knows which user is connecting (%U), their primary group (%G) and domain
(%D). The actual share is created dynamically. In AD, set their profile to
\\server\%username%

mk_sambadir is a shell script, run as root *before* the user is actually granted
access to the share (as it may not even exist yet). At my main site, it just
checks for existence of the domain directory (/home/DOMAIN), and then the user's
home directory (/home/DOMAIN/USER). If any of these don't exist, they are
created. Permissions are then set. It all just takes a few lines of code for a
simple setup.

Hope this helps.

-- 
Noah Dain
noahdain@gmail.com
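One way to write the mk_sambadir script the reply describes, as an added example that is not Noah's script and not part of the original thread. It assumes the [homes] share above (path = /home/%D/%U, called as mk_sambadir %D %U %G) and that winbind resolves the user and group names smbd passes in; because root preexec runs as root, it checks each name before building any path under the home base.

```shell
#!/bin/sh
# Hypothetical /etc/samba/scripts/mk_sambadir for:
#   root preexec = /etc/samba/scripts/mk_sambadir %D %U %G
# Runs as root before the [homes] connection is granted, so every argument is
# validated before it is used in a path. Constructed example, not the poster's script.

HOME_BASE="${HOME_BASE:-/home}"   # base matching "path = /home/%D/%U"

# Accept only plain names: a leading alphanumeric, then letters, digits, space, . _ -
# This rejects "", ".", ".." and anything containing "/", so %D and %U cannot
# escape $HOME_BASE. Group names such as "domain users" (with a space) pass.
valid_name() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9 ._-]*$'
}

# mk_sambadir BASE DOMAIN USER GROUP
# Creates BASE/DOMAIN (root-owned, traversable by all so users can reach their
# own directory) and BASE/DOMAIN/USER (0700, owned by USER:GROUP). Idempotent.
mk_sambadir() {
    base=$1 domain=$2 user=$3 group=$4
    valid_name "$domain" || { echo "mk_sambadir: bad domain '$domain'" >&2; return 1; }
    valid_name "$user"   || { echo "mk_sambadir: bad user '$user'" >&2; return 1; }
    valid_name "$group"  || { echo "mk_sambadir: bad group '$group'" >&2; return 1; }

    domdir="$base/$domain"
    userdir="$domdir/$user"

    if [ ! -d "$domdir" ]; then
        mkdir -p "$domdir" || return 1
        chmod 0755 "$domdir"
    fi
    if [ ! -d "$userdir" ]; then
        # Create closed first, then hand over: never world-readable, even briefly.
        (umask 077 && mkdir "$userdir") || return 1
        chown "$user:$group" "$userdir" || return 1
        chmod 0700 "$userdir"
    fi
    return 0
}

# When invoked by smbd: mk_sambadir %D %U %G
if [ "$#" -eq 3 ]; then
    mk_sambadir "$HOME_BASE" "$1" "$2" "$3"
fi
```

If the name check or chown fails the share connect is refused rather than served from a wrongly owned directory, which is the safe failure for a root-run hook.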