Meli Marco
2005-Oct-20 09:31 UTC
[Samba] Chapter 10 "Active Directory, Kerberos, and Security".
Hi all, Referred to Samba-3 by Example I don't have clear one point on Chapter 10 "Active Directory, Kerberos, and Security": How to set Windows 200x ACLs in 10.3.4.2 section you wrote at point 2: "Be very carefully. Many problems have been created by people who decided that Everyone should be rejected but one particular group should have full control. This is a catch-22 situation because members of that particular group also belong to the group Everyone, which therefore overrules any permissions set for the permitted group". So, about this matter I have some questions: I want to set ACL on my share as you said above not for a particular group but for a defined user. I have tried to set "Full Control" for this user to his personal folder and get off any permissions to "Everyone" group. The result is that the user cannot list his personal folder. Since it's clear what I should expect from my settings I would like to I ask you how can I set these ACLs to allow the user to list his folder, avoiding to others users to see them (Everyone). Also, why setting this rights on to samba box connected to an W3K ADS server in Chicago, ACL works as I expected, while when my samba box is replicated on my W3K ADS in Italy the behavior of ACL changes: In the first case each user can see personal's folder even if ACLs are "wrong" setted by me as I described above, while after replication the user login again to the same share and can't list his personal folder any more. I thougth the cause was probably due to some differences on both servers but they belong to the same realm and share the same policy, except that AD Chicago server is a normal pc while AD Italy server is a power edge 2500 with array controller (samba box with Suse9.2 is in Italy). Note: I've a mixed pc on my network but this problem persist only with W2K and XP workstation not with Win9X. Any help will be appreciated. I don't want to set a section share in smb.conf, for a particular user , I have only declared [data] share. Below my smb.conf file: [global] netbios name = MILLX01 os level = 16 wins server = xxx socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE workgroup = GKNSMI realm = SINTER.GKN.COM security = ADS password server = xxx.sinter.gkn.com encrypt passwords = yes allow trusted domains = Yes winbind use default domain = Yes winbind separator = / winbind enum users = Yes winbind enum groups = yes idmap uid = 10000-100000 idmap gid = 10000-100000 hide unreadable = Yes template homedir = /data/user/%U template shell = /bin/false use sendfile = No printer admin = xxx admin users = xxx log file = /var/log/samba/log.%m log level = 1 auth:5 sam:5 max log size = 50 printing = cups printcap name = cups load printers = Yes map acl inherit = Yes nt acl support = Yes client schannel = No [data] comment = %D Share path = /data read only = No create mask = 0775 security mask = 0777 force security mode = 0 directory mask = 0775 directory security mask = 0777 force directory security mode = 0 dos filetimes = Yes valid users = xxx Thanks a lot. Marco.