Last year I worked with Samba connected as a domain member to an NT4 PDC.
I set rights and permissions on folders with ACL settings, in a structure
like the one below:
/data ---> samba share
    /user ---> same as "home" dir
        /marco ---> user's personal folder
        /john
        /jim
        /...
The "Everyone" group is always present in the Windows security tab; it is
mapped onto the (o)thers/world Unix account on /data.
Also "Domain Users" have read/list on the /data and /user folders.
But on each personal folder (marco, john, ...) I removed any "Everyone" and
"Domain Users" rights and permissions, leaving "Full control" only to the
owner of the folder.
When I browsed the data share logged in as John I saw only john's personal
folder and its content, and this is the behaviour I expected when I'm in the
user folder.
This behaviour also worked with group folders.
This year we have replaced the NT4 PDC with Windows Server 2003, working not
in native mode.
I have left the same rights and permissions on the folders but the ACL
behaviour has changed.
In the case above, now if I log in with John's account and try to list the
shares I cannot view John's personal folder or any others.
I have investigated and I discovered a point in TOSHARG that tells about
leaving rights and permissions on the "Everyone" group, because all users
belong to this group, and even if John has "Full control" but the
"Everyone" group doesn't have any permissions (= deny), John can't look at
his folder either.
Note that I have also tried to connect to ADS with the "net ads join ..."
command. On an ADS test server I tried to connect via the NT4-style "net rpc
..." join command and everything seems to work as I expected, like in NT4
style.
So what do you suggest?
Probably I have to connect with net ads join only when my ADS works in
"native mode", or could there be some parameters that I can change on my
Windows 2003 server?
Probably a parameter that regards the authentication mode or whatever?
Below I have attached my smb.conf:
[global]
netbios name = MILLX01
os level = 16
wins server = xxx.xxx.xxx.xxx
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
workgroup = GKNSMI
realm = SINTER.GKN.COM
security = ADS
password server = milad01.sinter.gkn.com
encrypt passwords = yes
allow trusted domains = Yes
winbind use default domain = Yes
winbind separator = /
winbind enum users = Yes
winbind enum groups = yes
idmap uid = 10000-100000
idmap gid = 10000-100000
hide unreadable = Yes
template homedir = /data/user/%U
template shell = /bin/false
use sendfile = No
printer admin = xxx
admin users = xxx
log file = /var/log/samba/log.%m
log level = 1 auth:5 sam:5
max log size = 50
printing = cups
printcap name = cups
load printers = Yes
map acl inherit = Yes
nt acl support = Yes
client schannel = No
[data]
comment = %D Share
path = /data
read only = No
create mask = 0775
security mask = 0777
force security mode = 0
directory mask = 0775
directory security mask = 0777
force directory security mode = 0
dos filetimes = Yes
valid users = xxx
It's very important for me.
Thanks.
Marco.
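An added model, not code from this thread, of the POSIX.1e ACL evaluation order that Samba's POSIX ACL backend stores NT ACLs in (owner, named user, owning/named groups under the mask, then "other", the Unix side of "Everyone"), run over the /data/user layout described above so you can see which entry decides access for a given uid, and what happens when the requesting uid does not match the owner entry and falls through to "other", which these personal folders grant nothing; all uids, gids and names are constructed.

```python
"""POSIX.1e ACL evaluation model (owner -> named user -> groups -> other)
with a 'hide unreadable = Yes' listing filter. Constructed example data."""

R, W, X = 4, 2, 1

class Acl:
    def __init__(self, owner, owner_perms, group, group_perms, other_perms,
                 users=None, groups=None, mask=7):
        self.owner, self.owner_perms = owner, owner_perms
        self.group, self.group_perms = group, group_perms
        self.other_perms = other_perms   # "other" == Windows "Everyone"
        self.users = users or {}         # uid -> perms (named user entries)
        self.groups = groups or {}       # gid -> perms (named group entries)
        self.mask = mask                 # mask caps every non-owner/other entry

def check(acl, uid, gids, want):
    """Return (granted, deciding_entry) for the requested bits, POSIX.1e order."""
    if uid == acl.owner:
        return (acl.owner_perms & want) == want, "owner"
    if uid in acl.users:
        return (acl.users[uid] & acl.mask & want) == want, "user:%d" % uid
    matches = [acl.group_perms] if acl.group in gids else []
    matches += [p for g, p in acl.groups.items() if g in gids]
    if matches:
        # Granted if any matching group entry (after the mask) carries the bits.
        return any((p & acl.mask & want) == want for p in matches), "group"
    return (acl.other_perms & want) == want, "other"

def visible(children, uid, gids):
    """Directory listing under 'hide unreadable = Yes': only readable entries."""
    return [n for n, acl in children.items() if check(acl, uid, gids, R)[0]]

# Constructed winbind-style ids from a 10000-100000 idmap range.
DOMAIN_USERS = 10000
MARCO, JOHN, JIM = 10001, 10002, 10003

def personal(owner_uid):
    # Owner has "Full control"; Domain Users and Everyone carry no bits.
    return Acl(owner_uid, R | W | X, DOMAIN_USERS, 0, 0)

USER_DIR = {"marco": personal(MARCO), "john": personal(JOHN), "jim": personal(JIM)}

def john_view():
    return visible(USER_DIR, JOHN, {DOMAIN_USERS})

def remapped_view():
    # Same person, but his uid no longer equals the owner stored on disk
    # (hypothetical, e.g. after the idmap changed): decision lands on "other".
    return visible(USER_DIR, 20002, {DOMAIN_USERS})
```

Comparing the uid that `wbinfo -i john` reports with the owner that `stat` shows on /data/user/john tells you whether the mapping winbind hands out after the re-join still matches the owner entry on disk.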
-----Original Message-----
From: Jeremy Allison [mailto:jra@samba.org]
Sent: Monday 24 October 2005 22.05
To: Meli Marco
Cc: 'samba@lists.samba.org'
Subject: Re: [Samba] Everyone group.
On Mon, Oct 24, 2005 at 04:12:39PM +0200, Meli Marco wrote:
> Hi all,
> I have a problem setting ACLs on a share like the one below:
> /data
>     /user
>         /user_1
>         /user_2
>         /user_ ...
>
> Particularly, if I want to give complete control to a user on his
> personal folder but remove any permission from the Everyone group, this
> user (who belongs to Everyone) also cannot list or access his folder.
> When I was connected to the NT4 server I didn't have this kind of problem.
> I have also checked connecting via security = domain to W2K3 and it
> works fine like before, maybe because my AD server works in mixed
> mode and in this way it works in NT4 style.
> But how can I have this behaviour with security = ads? Is it probably
> some parameter on my ADS W2k3?
> Also, why does it work as I expected with security = domain and not
> with security = ads?
> How can I work around this?
This post is a little confusing to me. Can you explain *exactly* what you're
trying to do please?
Jeremy.