I'm having trouble with files being marked read-only in Windows because the Solaris file owner does not have write permissions on the file; group-write is allowed:

    -r--rw---- 1 user group 32 Feb 13 14:19 testfile.txt

I thought that setting "store dos attributes = yes" for this share would allow the "read only" setting to be stored in extended attributes, but it doesn't seem to be working - does Solaris 10 support extended attributes as needed by Samba?

I'm using Samba 3.0.24 on Solaris 10, configuration for the share below:

    [TEST]
    comment = server vartmp
    path = /var/tmp
    browseable = yes
    public = yes
    guest ok = yes
    writable = yes
    force create mode = 0664
    force directory mode = 0775
    map hidden = no
    map system = no
    map archive = no
    ea support = yes
    store dos attributes = yes

Thanks in advance

--
James

Neuwald, Björn
2007-Feb-15 08:06 UTC
[Samba] Solaris 10 + Samba 3.0.24 = AD-Member Win2003Server
Hi!

I have problems with my Samba 3.0.24 on my Solaris 10 machine. I hope you can help me. I googled a lot and asked many people, but nobody could help me.

So... I have:

    Solaris 10 with Samba 3.0.24
    Kerberos installed
    OpenLDAP installed
    OpenSSL installed

I configured and compiled Samba 3.0.24 with these options:

    ./configure --prefix=/usr/local/samba --with-winbind --with-ads --with-ldap --with-krb5=/usr/local --with-acl-support

Now I want Samba to be a member of the ADS domain. I made a keytab file with the following command on the Windows 2003 domain controller:

    C:\>ktpass -princ host/FQDN@XXX.XXXX.DE -mapuser XXX\user1 -pass ***** -out c:\user1.keytab

After this I configured SWAT, and SWAT was working well. Then I registered the keytab file with the following commands:

    #/usr/local/sbin/ktutil
    #ktutil: rkt /usr/local/krb5/usr1.keytab
    #ktutil: wkt /usr/local/krb5/krb5.keytab

I copied "libnss_winbind.so" and set the symbolic links:

    #cp .../samba-3.0.24/source/nsswitch/libnss_winbind.so /usr/lib
    #ln -s libnss_winbind.so libnss_winbind.so.1
    #ln -s libnss_winbind.so nss_winbind.so.1
    #ln -s libnss_winbind.so nss_winbind.so.2

After this I configured Kerberos and edited "krb5.conf" like this:

    # krb5.conf template
    # In order to complete this configuration file
    # you will need to replace the __<name>__ placeholders
    # with appropriate values for your network.
    #
    [libdefaults]
    ticket_lifetime = 24000
    default_realm = XXX.XXXX.DE
    default_tgs_enctypes = des-cbc-crc des-cbc-md5
    default_tkt_enctypes = des-cbc-crc des-cbc-md5

    [realms]
    NTBV.BZ-FREIBURG.DE = {
    kdc = server1.xx.xxxx.de
    kdc = server2.xx.xxxx.de
    admin_server = server1.xx.xxxx.de
    default_domain = xx.xxxx.de
    }

    [domain_realm]
    .mn.freinet.de = XXX.XXXX.DE
    mn.freinet.de = XXX.XXXX.DE

    [logging]
    default = FILE:/var/krb5/kdc.log
    kdc = FILE:/var/krb5/kdc.log
    kdc_rotate = {
    # How often to rotate kdc.log. Logs will get rotated no more
    # often than the period, and less often if the KDC is not used
    # frequently.
    period = 1d
    # how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
    versions = 10
    }

    [appdefaults]
    kinit = {
    renewable = true
    forwardable= true
    }

Now I edited "/etc/nscd.conf" and added the following:

    ...
    # logfile /var/adm/nscd.log
    enable-cache hosts no
    enable-cache passwd no
    enable-cache group no
    ...

I edited "/etc/nsswitch.conf" too:

    ....
    passwd: files winbind
    group: files winbind
    ....

Via SWAT, I configured Samba like this:

    # Samba config file created using SWAT
    # from 172.16.124.6 (172.16.124.6)
    # Date: 2006/09/11 15:14:18

    [global]
    workgroup = XX
    realm = XX.XXXX.DE
    netbios name = test1
    server string = SambaTest
    interfaces = 192.168.20.19
    bind interfaces only = Yes
    security = ADS
    password server = server1.xx.xxx.de
    log file = /user/local/samba/log/log.%m
    ldap ssl = No
    idmap uid = 5000-100000000
    idmap gid = 5000-100000000
    template homedir = /usr/local/samba/%D/%U
    template shell = /bin/bash
    winbind enum users = Yes
    winbind enum groups = Yes
    force create mode = 0775
    force directory mode = 06775

    [medianet]
    comment = TestShare
    path = /shared
    valid users = @XX\group1,@XX\group4
    read only = No

Then I registered the server in the Active Directory:

    #kinit domainadmin
    Password for domainadmin@XX.XXXX.DE:
    #
    #./net ads join
    Using short domain name - XX
    Joined 'test1' to realm 'XX.XXXXX.DE'
    #

Then I tested the following:

    #/usr/local/samba/bin/wbinfo -u
    XX\user1
    XX\user2
    XX\user3
    XX\user4

    # /usr/local/samba/bin/wbinfo -g
    XX\group1
    XX\group2
    XX\group3
    XX\group4
    XX\group5

    #/usr/local/samba/bin/net ads info
    LDAP server: 192.168.20.1
    LDAP server name: server1.XX.XXXX.de
    Realm: XX.XXXX.DE
    Bind Path: dc=XX,dc=XXXX,dc=DE
    LDAP port: 389
    Server time: Tue, 12 Sep 2006 14:10:57 MEST
    KDC server: 192.168.20.1
    Server time offset: 0

    # id "XX\user1"
    uid=5000(XX\user1) gid=5000(XX\group4)

    # ./wbinfo -r "XX\user1"
    group3
    group4

I created a test share, as in the Samba config.
Valid User/group for the share was the group1 ("@XX\group1") and group4 ("@XX\group2"), as configured in smb.conf. The user user1, who has the primary group group4 "XX\group4" and is also a member of group3 "XX\group3", must enter this share and should be allowed to enter it. OK, this works.

But when I want to enter a folder in this share which I created in Solaris (for example "/shared/testfolder") and added the ACL:

    #setfacl -m g:"XX\group3":rwx /shared/testfolder

then a window appears on my Windows machine saying that I do not have permission to enter it. But user1 has the primary group group4 and the secondary group group3. The share has rights in Samba (valid users) for group4 and group1. The folder in the share has permissions set via ACL (rwx) for group3, and user1 is a member of group3.

So, I think nested groups or secondary groups are completely ignored.

I hope you can help me.

Best Regards,
Björn

__________________________________________________________________________________
MediaNet GmbH
Network and Application Service
Lörracher Straße 5a, D-79115 Freiburg
Phone 0761/496-1400 - e-mail: info@medianet.freinet.de
Managing director: Meinhard Fleig - Commercial register Freiburg HRB 4869
Bank details: Sparkasse Freiburg - BLZ 680 501 01 - Account 211 085 7
__________________________________________________________________________________

Schaefer Jr, Thomas R.
2007-Feb-15 14:35 UTC
[Samba] Solaris 10 and "store dos attributes"
The user wouldn't be able to write to the file at a command prompt either.

    schaefer@tomcat:~ -bash$ cat /etc/release
    Solaris 10 3/05 s10_74L2a X86
    Copyright 2005 Sun Microsystems, Inc. All Rights Reserved.
    Use is subject to license terms.
    Assembled 22 January 2005
    schaefer@tomcat:~ -bash$ id
    uid=241(schaefer) gid=203(stuff)
    schaefer@tomcat:~ -bash$ touch a_file.txt
    schaefer@tomcat:~ -bash$ ls -ld a_file.txt
    -rw-r--r-- 1 schaefer stuff 0 Feb 15 08:04 a_file.txt
    schaefer@tomcat:~ -bash$ echo blah >> a_file.txt
    schaefer@tomcat:~ -bash$ chmod u-w,g+w a_file.txt
    schaefer@tomcat:~ -bash$ ls -ld a_file.txt
    -r--rw-r-- 1 schaefer stuff 5 Feb 15 08:04 a_file.txt
    schaefer@tomcat:~ -bash$ echo blah >> a_file.txt
    -bash: a_file.txt: Permission denied

-----Original Message-----
From: samba-bounces+tom=umsl.edu@lists.samba.org [mailto:samba-bounces+tom=umsl.edu@lists.samba.org] On Behalf Of James
Sent: Wednesday, February 14, 2007 1:58 PM
To: samba@lists.samba.org
Subject: [Samba] Solaris 10 and "store dos attributes"

I'm having trouble with files being marked read-only in Windows because the Solaris file owner does not have write permissions on the file; group-write is allowed:

    -r--rw---- 1 user group 32 Feb 13 14:19 testfile.txt

I thought that setting "store dos attributes = yes" for this share would allow the "read only" setting to be stored in extended attributes, but it doesn't seem to be working - does Solaris 10 support extended attributes as needed by Samba?

I'm using Samba 3.0.24 on Solaris 10, configuration for the share below:

    [TEST]
    comment = server vartmp
    path = /var/tmp
    browseable = yes
    public = yes
    guest ok = yes
    writable = yes
    force create mode = 0664
    force directory mode = 0775
    map hidden = no
    map system = no
    map archive = no
    ea support = yes
    store dos attributes = yes

Thanks in advance

--
James
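
Added example, not part of any post in this thread: a small Python model of the classic UNIX permission check (no ACLs, non-root process) that explains the "Permission denied" in the shell session above, together with the default read-only mapping that smb.conf(5) documents for "map read only = yes". The function names are hypothetical; uid 241 and gid 203 come from the session above, and uid 500 is a constructed second user.

```python
import stat

def parse_ls_mode(perm):
    """Convert an 'ls -l' permission string such as '-r--rw----' to mode bits."""
    if len(perm) != 10:
        raise ValueError("expected 10 characters, e.g. '-rw-r--r--'")
    mode = 0
    for i, ch in enumerate(perm[1:]):
        if ch == "rwx"[i % 3]:
            mode |= 0o400 >> i          # i=0 is owner read, i=8 is other execute
        elif ch != "-":
            raise ValueError("unsupported permission character: %r" % ch)
    return mode

def posix_write_allowed(mode, file_uid, file_gid, uid, gids):
    """Exactly one permission class applies: owner, else group, else other.
    The owner is never given the group bits, even as a member of the group."""
    if uid == file_uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def dos_read_only(mode):
    """Default mapping ('map read only = yes'): the DOS read-only attribute
    is the inverse of the owner write bit, whoever the client user is."""
    return not (mode & stat.S_IWUSR)

def explain(perm, file_uid, file_gid, uid, gids):
    """Summarise UNIX write access and the mapped DOS read-only attribute."""
    mode = parse_ls_mode(perm)
    return {
        "unix_write": posix_write_allowed(mode, file_uid, file_gid, uid, gids),
        "dos_read_only": dos_read_only(mode),
    }

if __name__ == "__main__":
    # Owner (uid 241, in gid 203) of a file with mode r--rw-r--: denied.
    print(explain("-r--rw-r--", 241, 203, 241, {203}))
    # Constructed second user (uid 500) in the same group: write allowed,
    # yet the file is still reported as read-only under the default mapping.
    print(explain("-r--rw-r--", 241, 203, 500, {203}))
```

The second case is the situation described in the original question: a group member can write at the UNIX level while the file still appears read-only to Windows clients.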