Hello,

I have noticed some ACL issues with files and directories. I use Samba
server 3.0.33 on CentOS 4.8 joined to a Windows 2003 domain. Everything
works fine; all users are authenticated to the domain controller. My aim is
to give FULL ACCESS (open/read/write/rename/delete..) to directory
"testdir" to two users, john and mark, without using groups because I
have no permissions on the domain controller (only add server to domain).
Permissions of "testdir":

getfacl testdir
# file: testdir
# owner: techadmin
# group: root
user::rwx
user:john:rwx
user:mark:rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:john:rwx
default:user:mark:rwx
default:mask::rwx
default:other::---

The problem is that users john and mark have rwx permissions and are
able to create and modify files, but _not_ delete or rename files
under "testdir". Only the owner of the directory "testdir", user techadmin,
is able to delete/rename files under the directory. As far as I know, only
the owner of the parent directory can delete or rename file(s). The
question is: how is it possible to allow both users to delete/modify files
under the "testdir" directory without using (domain) groups?

The filesystem ext3 is mounted with ACL options, SELinux is enabled, audit.log
has no deny entries, and the configuration of Samba is the following:

[global]
workgroup = ad
server string = Intranet
netbios name = IS
follow symlinks = yes
inherit permissions = no
realm = AD.DOMAIN.ORG
server signing = auto
security = ads
password server = 10.20.30.40
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
domain master = no
preferred master = no
dns proxy = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = no

[tech]
comment = Technical department
path = /var/opt/intranet/tech
public = yes
writable = yes
create mask = 0664
directory mask = 0775
browseable = yes

Thanks,
Krigler Pavol
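An added check, not part of the thread, that reads getfacl output such as the listing above and reports the permissions a named user effectively gets once the ACL mask is applied, for both the access ACL and the default ACL that new files inherit; a second ACL with a restrictive mask is a constructed sample showing how the mask can silently clip a named entry. It assumes POSIX sh and awk.

```shell
# Added example (not from the thread): effective ACL permissions for a named user.
# Assumes POSIX sh and awk; both ACL texts are constructed samples.
# Sample 1: the access and default ACL of "testdir" as posted.
TESTDIR_ACL='# file: testdir
# owner: techadmin
# group: root
user::rwx
user:john:rwx
user:mark:rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:john:rwx
default:user:mark:rwx
default:mask::rwx
default:other::---'
# Sample 2 (constructed): same named entry, but a mask that clips john to r-x.
CLIPPED_ACL='user::rwx
user:john:rwx           #effective:r-x
mask::r-x
other::---'
# acl_perms USER ACLTEXT [default]
# Prints USER's effective triple (named entry ANDed with the mask) from the
# access ACL, or from the default ACL when the third argument is "default".
acl_perms() {
  printf '%s\n' "$2" | awk -F: -v u="$1" -v scope="${3:-access}" '
    { sub(/[[:space:]]*#.*$/, "") }            # drop header lines and #effective notes
    NF == 0 { next }
    { off = ($1 == "default") ? 1 : 0 }       # default entries carry an extra field
    (scope == "default" && off == 0) || (scope != "default" && off == 1) { next }
    $(1+off) == "user" && $(2+off) == u { entry = $(3+off) }
    $(1+off) == "mask"                  { mask  = $(3+off) }
    END {
      if (entry == "") { print "none"; exit }
      if (mask == "")  { print entry; exit }  # no mask: entry applies as written
      out = ""
      for (i = 1; i <= 3; i++) {
        c = substr(entry, i, 1)
        out = out ((c != "-" && c == substr(mask, i, 1)) ? c : "-")
      }
      print out
    }'
}
echo "john on testdir:          $(acl_perms john "$TESTDIR_ACL")"
echo "mark default (new files): $(acl_perms mark "$TESTDIR_ACL" default)"
echo "john with clipped mask:   $(acl_perms john "$CLIPPED_ACL")"
```

With the listing from the post, both users come out as rwx on the access and default ACL, so the mask is not what blocks the delete/rename here.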
On Wed, May 19, 2010 at 04:41:01PM +0200, Krigler Pavol wrote:
> Hello,
>
> I have noticed some ACL issues with files and directories. I use Samba
> server 3.0.33 on CentOS 4.8 joined to a Windows 2003 domain. Everything
> works fine; all users are authenticated to the domain controller. My aim is
> to give FULL ACCESS (open/read/write/rename/delete..) to directory
> "testdir" to two users, john and mark, without using groups because I
> have no permissions on the domain controller (only add server to domain).
> Permissions of "testdir":
>
> getfacl testdir
> # file: testdir
> # owner: techadmin
> # group: root
> user::rwx
> user:john:rwx
> user:mark:rwx
> group::rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:john:rwx
> default:user:mark:rwx
> default:mask::rwx
> default:other::---
>
> The problem is that users john and mark have rwx permissions and are
> able to create and modify files, but _not_ delete or rename files
> under "testdir". Only the owner of the directory "testdir", user techadmin,
> is able to delete/rename files under the directory. As far as I know, only
> the owner of the parent directory can delete or rename file(s). The
> question is: how is it possible to allow both users to delete/modify files
> under the "testdir" directory without using (domain) groups?
> The filesystem ext3 is mounted with ACL options, SELinux is enabled, audit.log
> has no deny entries, and the configuration of Samba is the following:

I think you also want "dos filemode = yes"
and also possibly "acl group control = yes".

Jeremy
On 05/19/2010 06:06 PM, Jeremy Allison wrote:
> On Wed, May 19, 2010 at 04:41:01PM +0200, Krigler Pavol wrote:
>> Hello,
>>
>> I have noticed some ACL issues with files and directories. I use Samba
>> server 3.0.33 on CentOS 4.8 joined to a Windows 2003 domain. Everything
>> works fine; all users are authenticated to the domain controller. My aim is
>> to give FULL ACCESS (open/read/write/rename/delete..) to directory
>> "testdir" to two users, john and mark, without using groups because I
>> have no permissions on the domain controller (only add server to domain).
>> Permissions of "testdir":
>>
>> getfacl testdir
>> # file: testdir
>> # owner: techadmin
>> # group: root
>> user::rwx
>> user:john:rwx
>> user:mark:rwx
>> group::rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:john:rwx
>> default:user:mark:rwx
>> default:mask::rwx
>> default:other::---
>>
>> The problem is that users john and mark have rwx permissions and are
>> able to create and modify files, but _not_ delete or rename files
>> under "testdir". Only the owner of the directory "testdir", user techadmin,
>> is able to delete/rename files under the directory. As far as I know, only
>> the owner of the parent directory can delete or rename file(s). The
>> question is: how is it possible to allow both users to delete/modify files
>> under the "testdir" directory without using (domain) groups?
>> The filesystem ext3 is mounted with ACL options, SELinux is enabled, audit.log
>> has no deny entries, and the configuration of Samba is the following:
>
> I think you also want "dos filemode = yes"
> and also possibly "acl group control = yes".
>
> Jeremy

Thank you Jeremy, these options are also good for me but did not help me.
I hope there is some solution for me on how to "bypass" the standard Unix
behaviour that only the owner of the directory is able to delete/rename
files under this directory, without using groups.

Thanks,
Pavol