I am fascinated!!!!!!

68 days from my last post, and 1142 more posts.... STILL no reply with even hint of solution.... In total 117 days and 1915 messages.... Nice score.... respectable.....

And what I want?? This:

- need share level of security
- need forcing of user who access that share
- need forcing of file/directory create mask

Goal: Allowing network (windows and linux) users (as well as local user) to access defined share via samba (and local user also via file manager), without any user/password prompt, and with granting 755 permissions on all files/directories under that share and with ownership of local user/group.

Of course, shared directory exists, it has permissions set up accordingly, and local user also exists, and have those permissions.

All these rules are matched with following smb.conf (real entries are replaced with foo/bar) and it is working on 3.0.25b and 3.0.28a versions of samba on mandriva 2008.0 and 2008.1.

Again, same ruleset IS NOT working on samba 3.2.3 on Mandriva 2009.0. (samba-server-3.2.3-3mdv2009.0)

[global]
    workgroup = FOO
    server string = FOO Server
    security = share
    hosts allow = 192.168.125. 127.0.
    log file = /var/log/samba/%m.log
    max log size = 50
    local master = no
    os level = 33
    dns proxy = no

# ==================== Share Definitions ==================
[Share]
    path = /home/foobar/Documents/Share/
    public = yes
    force user = foobar
    force group = foobar
    create mask = 0755
    force create mode = 0755
    directory mask = 0755
    force directory mode = 0755
    writable = yes
    printable = no

In short, I want to use this config file above, and it just has to work as explained.

Please, can someone finally help me resolve this?

DraxNS

Try changing "force group = foobar" to "force group = DOMAIN\foobar".

The way Samba handles groups was changed (it was in the release notes around 3.0.28) and if you use read list and write list in smb.conf, users are now specified using DOMAIN\username and groups using +DOMAIN\groupname instead of the old @groupname. This way, you can specify permissions for multiple NT domains.

Example from my smb.conf:

[resources]
    comment = Open Share for Distribution
    path = /share/resources
    browseable = yes
    writeable = yes
    read list = +"BGS\Domain Admins" +BGS\staff +BGS\visitors +"BGS\Domain Users"
    write list = +"BGS\Domain Admins" +"BGS\staff"
    create mask = 440
    directory mask = 770

I believe that you now also have to be a member of a group for force group = to work so everyone who creates a file in the share will have to be in group DOMAIN\foobar.

It may be that something's changed in v 3.2 (MS keeps moving the target) so check the release notes again if it doesn't work.

Good Luck,

Jools

On Wed, 2009-02-11 at 21:22 +0000, Dragan Lukic wrote:
> email message attachment
>
> -------- Forwarded Message --------
> Subject:
> Date: Thu, 12 Feb 2009 08:29:22 -0000

Can anyone help me?

I cannot imagine why is my question so hard....

Looks like I will have to make at least one post to this thread each day until I finally get a reply/solution.

123 days with no solution, well my patience is getting thin...

Please help me get this working in new samba....

> - need share level of security
> - need forcing of user who access that share
> - need forcing of file/directory create mask
>
> Goal: Allowing network (windows and linux) users (as well as local user) to
> access defined share via samba (and local user also via file manager),
> without any user/password prompt, and with granting 755 permissions
> on all files/directories under that share and with ownership of local
> user/group.
>
> Of course, shared directory exists, it has permissions set up accordingly,
> and local user also exists, and have those permissions.
>
> All these rules are matched with following smb.conf (real entries are
> replaced with foo/bar) and it is working on 3.0.25b and 3.0.28a versions of
> samba on mandriva 2008.0 and 2008.1.
>
> Again, same ruleset IS NOT working on samba 3.2.3 on Mandriva 2009.0.
> (samba-server-3.2.3-3mdv2009.0)
>
> [global]
>     workgroup = FOO
>     server string = FOO Server
>     security = share
>     hosts allow = 192.168.125. 127.0.
>     log file = /var/log/samba/%m.log
>     max log size = 50
>     local master = no
>     os level = 33
>     dns proxy = no
>
> # ==================== Share Definitions ==================
> [Share]
>     path = /home/foobar/Documents/Share/
>     public = yes
>     force user = foobar
>     force group = foobar
>     create mask = 0755
>     force create mode = 0755
>     directory mask = 0755
>     force directory mode = 0755
>     writable = yes
>     printable = no
>
> In short, I want to use this config file above, and it just has to work as
> explained.
>
> Please, can someone finally help me resolve this?
>
> DraxNS

On Mon, Feb 16, 2009 at 01:31:51PM +0100, Dragan Lukic wrote:
> I cannot imagine why is my question so hard....
>
> Looks like I will have to make at least one post to this
> thread each day until I finally get a reply/solution.
>
> 123 days with no solution, well my patience is getting thin...

If nobody helps you voluntarily, you might want to look for paid support under http://www.samba.org/samba/support/.

Volker

Hello Dale,

I must say, your answer pushed me into more testing, and although it was not exactly answer that is visible in my solution, testing around your proposal finally got me where I wanted to be.

Now to describe my steps:

-1. Change mod for shared directory and all its existing contents to 755 via file manager (Dolphin)
-2. Changed permissions on shared directory and assigned GID also via file manager
-3. Started smb service

smb.conf that does it all is below:

#======================= Global Settings ====================================
[global]
    workgroup = FOO
    server string = FOO
    security = share
    hosts allow = 192.168.125. 127.0.0.
    log file = /etc/samba/log/%m.log
    local master = yes

#============================ Share Definitions =============================
[Share]
    path = /home/foobar/Documents/Share
    create mask = 0777
    force create mode = 0777
    directory mask = 0777
    force directory mode = 0777
    public = yes
    writable = yes

Now to elaborate :-)

First step is self explanatory, directory on file system must have sufficient permissions.

Second step is just for fixing group ownership for pasted files, and now all files are owned by nobody:localgroup although all are rwxrwxrwx

And third step (you will notice a bit modified conf) was to load that conf file.

Now, while testing all that comes to mind, I can relay this "debugging" info:

- Assigning UID along with (or later on) GID on shared directory via file manager does not work as GID, so ownership in that case is not localuser:localgroup but nobody:localgroup, thus preventing local user of changing pasted/shared files locally. fixed with 0777 permissions for create mode&mask.
- No files can be changed via samba, i.e. can't open .odt file via samba at all, or even if possible, no changes can be saved, even if save as dialog is used and pointed to the same file on share. 0777 permissions for create mode&mask helped with all but any files that are opened with OOO
- There was ALWAYS error on first paste to shared dir via samba, while overwrite of existing file worked fine. That was resolved with 0777 permissions for create mode&mask.
- if inherit owner = yes is omitted, there is no error, but I get back to nobody:localgroup ownership, and again files can't be changed, also resolved with 0777 permissions for create mode&mask.
- since I have played at home, both remote and local user are the same, so I get good results, but I am still not sure will that inherit owner option work as I see now, or it will create file with remoteuser:localgroup permissions
- any usage of force user&group instructions will bring following error message:

    An error occurred while loading smb://hostname/Share:
    The file or folder smb://hostname/Share does not exist

So, while it is against all decent Linux usage, granting 0777 permissions through smb.conf produces result that I needed. In this way I can get behind forcing/inheriting owner and group, and local user can change files from local filesystem. Now also txt files can be edited via samba, but not files that are opened by OpenOffice, so I guess that issue is within OOO.

So much hassle just to apply "normal" Linux usage and permissions. It is still not so elegant solution, as smb.conf that I started with was, but if it is working, I am happy :-).

P.S. I guess that 0666 for create mode&mask instead 0777 would also work, but that number just look odd ;-)

Once again, many thanks to you all.

If sometimes later on becomes possible to enforce user and group (that is true to produce "does not exist" error), as it was on older versions, I would be more than happy to use it again. Giving 777 permissions just does not feel right.

On Wednesday, 18. February 2009. 17:25:43 you wrote:
> Dragan,
>
> I have reread your original post, and it sounds as if you have
> everything working except for user/group ownership of files created by
> Samba.
> The following steps have worked for me with security = user. I do not
> know if they will work for security = share.
>
> chmod 2755 /home/foobar/Documents/Share (and to any existing
> subdirectories, if any)
>
> In [Share], change the following
> directory mask = 2755
> force directory mode = 2755
>
> add to [Share]
> inherit owner = Yes
>
> Also, in [global], the current syntax is
> security = share
> not
> Server security = share
>
> See if this might work for you.
>
> Dale
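
An added example, not part of any message in this thread and not Samba code: a small Python audit of the share definition from the final message. It applies the smb.conf rule that the requested mode is ANDed with create mask / directory mask and then ORed with the force mode, and reports when a guest-writable share ends up creating world-writable files. The function names and the requested modes 0666/0777 are assumptions made for illustration.

```python
import configparser

# Constructed input: the share definition from the final message above.
FINAL_CONF = """
[global]
security = share
[Share]
path = /home/foobar/Documents/Share
create mask = 0777
force create mode = 0777
directory mask = 0777
force directory mode = 0777
public = yes
writable = yes
"""

# smb.conf defaults for the four mode parameters (octal strings).
DEFAULTS = {"create mask": "0744", "force create mode": "0000",
            "directory mask": "0755", "force directory mode": "0000"}

def effective(requested, mask, force):
    """Samba ANDs the requested mode with the mask, then ORs in the force mode."""
    return (requested & mask) | force

def is_yes(section, *names):
    return any(section.get(n, "no").strip().lower() in ("yes", "true", "1") for n in names)

def audit(conf_text):
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(conf_text)
    report = {}
    for name in cp.sections():
        if name.lower() == "global":
            continue
        s = cp[name]
        m = {k: int(s.get(k, d), 8) for k, d in DEFAULTS.items()}
        # Assumption: 0666 (file) and 0777 (directory) requested before masking.
        fmode = effective(0o666, m["create mask"], m["force create mode"])
        dmode = effective(0o777, m["directory mask"], m["force directory mode"])
        report[name] = {
            "file_mode": oct(fmode), "dir_mode": oct(dmode),
            "guest_write": is_yes(s, "guest ok", "public") and is_yes(s, "writable", "writeable"),
            "world_writable": bool((fmode | dmode) & 0o002),
            "forced_owner": s.get("force user"),
        }
    return report

if __name__ == "__main__":
    print(audit(FINAL_CONF))
```

Run against the first message's definition (0755 masks with force user = foobar), the same function reports 0o755, no world-writable bit and a forced owner of foobar.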