search for: allow_group

Am 19.06.24 um 12:36 schrieb Rowland Penny via samba: >> ALLOW_GROUPS="domain\ admins" > ^^^^^^^^^^^^^^^^ > Where are you getting this from ? :-) > If I run this in a terminal: > > ALLOW_GROUPS="domain\ admins" ; echo "$ALLOW_GROUPS" > > I get this: > > domain\ admins >...

...x+ 1 root root 208 Jun 19 11:00 .. > -rw------- 1 root root 187 Jun 19 11:00 info.xml > drwxrwx--- 1 nobody domain users 478 Apr 15 08:01 snapshot > > so a member should be allowed to traverse > > in snapper > > ALLOW_USERS="user1 sgw" > ALLOW_GROUPS="domain\ admins" ^^^^^^^^^^^^^^^^ Where are you getting this from ? If I run this in a terminal: ALLOW_GROUPS="domain\ admins" ; echo "$ALLOW_GROUPS" I get this: domain\ admins Note that the '\' has become part of the group n...

...ml starting to set up the pieces, I have snapshots in btrfs with snapper itself but so far nothing visible on the windows explorer side. As always I rtfm all over ;-) I assume I have to do some extra magic to allow the winbind users/groups in ... in the related snapper-config I already have: ALLOW_GROUPS="domain\ admins" SYNC_ACL="yes" Maybe we miss the correct setup for Windows ACLs, I have to wait for their admin to check that also thanks for any real world examples or so greetings, Stefan

...t root 32 Jun 19 11:00 . drwxr-x--x+ 1 root root 208 Jun 19 11:00 .. -rw------- 1 root root 187 Jun 19 11:00 info.xml drwxrwx--- 1 nobody domain users 478 Apr 15 08:01 snapshot so a member should be allowed to traverse in snapper ALLOW_USERS="user1 sgw" ALLOW_GROUPS="domain\ admins" SYNC_ACL="yes" but this seems not to be applied to the snapshots, right? I currently don't see on which layer I should act at first. Does "previous versions" in Windows access as the actual AD user or as somebody else?

Am 19.06.24 um 12:46 schrieb Stefan G. Weichinger via samba: > Am 19.06.24 um 12:36 schrieb Rowland Penny via samba: > >>> ALLOW_GROUPS="domain\ admins" >> ??????????????? ^^^^^^^^^^^^^^^^ >> ??????????????? Where are you getting this from ? > > :-) > >> If I run this in a terminal: >> >> ALLOW_GROUPS="domain\ admins" ; echo "$ALLOW_GROUPS" >> >> I...

...using SASL + saslauthd + PAM for that case. /etc/sasl2/libvirt.conf: mech_list: PLAIN pwcheck_method: saslauthd /etc/sasl2/qemu.conf: mech_list: PLAIN pwcheck_method: saslauthd /etc/pam.d/libvirt: auth requisite pam_listfile.so item=group sense=allow file=/etc/libvirt/allow_group auth required pam_tally2.so onerr=succeed auth required pam_nologin.so auth required pam_unix.so try_first_pass likeauth nullok account requisite pam_listfile.so item=group sense=allow file=/etc/libvirt/allow_group accoun...

...for (i = 0; i < access.num_allow_users; i++) + if (match_user(pw->pw_name, hostname, ipaddr, + access.allow_users[i])) + break; + /* i < access.num_allow_users iff we break for loop */ + if ( i >= access.num_allow_users) + return 0; + } + + if (access.num_allow_groups > 0 || access.num_deny_groups > 0) { + /* load up the user's group list */ + if (ga_init(pw->pw_name, pw->pw_gid) == 0) + return 0; + + /* return false if the user is in a denied group */ + if (access.num_deny_groups > 0) + if (ga_match(access.deny_groups, +...

...s.allow_users[i])) - break; - /* i < options.num_allow_users iff we break for loop */ - if (i >= options.num_allow_users) { - log("User %.100s not allowed because not listed in AllowUsers", + goto success; + + if (options.num_deny_groups == 0 && + options.num_allow_groups == 0) { + log("User %.100s not allowed because not in AllowUsers", pw->pw_name); return 0; } @@ -136,20 +137,28 @@ return 0; } /* - * Return false if AllowGroups isn't empty and one of user's groups - * isn't listed there + * Return false...

...raversal for any users wishing to access > snapshots via the Windows Explorer previous versions dialog. By > default, traversal is forbidden for all non-root users. Additionally, > users must be granted permission to list snapshots managed by > snapper, via snapper's ALLOW_USERS or ALLOW_GROUPS options. Snapper > can grant these users and groups .snapshots traversal access > automatically via the SYNC_ACL option." > > how do I allow traversal? By setting the 'x' on 'rwx'. 'r' = read 'w' = write 'x' = enter or traverse on a direct...

...options.num_deny_groups, hostname, ipaddr)) { +#endif /* GROUP_MATCH_HOST_AND_IP */ ga_free(); logit("User %.100s from %.100s not allowed " "because a group is listed in DenyGroups", @@ -223,8 +228,13 @@ * isn't listed there */ if (options.num_allow_groups > 0) +#ifndef GROUP_MATCH_HOST_AND_IP if (!ga_match(options.allow_groups, options.num_allow_groups)) { +#else /* GROUP_MATCH_HOST_AND_IP */ + if (!ga_match_host_and_ip(options.allow_groups, + options.num_allow_groups, hostname, ipaddr)) { +#endif /* GROUP_MATCH_HOST_AND_IP *...

..., linenum); + options->chroot_users[options->num_chroot_users++] = + xstrdup(arg); + } + break; + case sAllowGroups: while ((arg = strdelim(&cp)) && *arg != '\0') { if (options->num_allow_groups >= MAX_ALLOW_GROUPS) --- openssh-3.4p1.vanilla/servconf.h Thu Jun 20 21:09:47 2002 +++ openssh-3.4p1/servconf.h Wed Jul 3 11:23:26 2002 @@ -20,6 +20,7 @@ #define MAX_ALLOW_USERS 256 /* Max # users on allow list. */ #define MAX_DENY_USERS 256 /* Max # users on deny list. */ +#define MAX_C...

...options->allow_users[options->num_allow_users++] = xstrdup(arg); } + debug3("Found %d AllowUsers", options->num_allow_users); break; case sDenyUsers: @@ -795,6 +796,7 @@ options->allow_groups[options->num_allow_groups++] = xstrdup(arg); } + debug3("Found %d AllowGroups", options->num_allow_groups); break; case sDenyGroups: -- James Dennis Harvard Law School "Not everything th...

...sers > 0) { *************** *** 85,97 **** if (match_pattern(pw->pw_name, options.allow_users[i])) break; /* i < options.num_allow_users iff we break for loop */ ! if (i >= options.num_allow_users) return 0; } if (options.num_deny_groups > 0 || options.num_allow_groups > 0) { /* Get the user's group access list (primary and supplementary) */ ! if (ga_init(pw->pw_name, pw->pw_gid) == 0) return 0; /* Return false if one of user's groups is listed in DenyGroups */ if (options.num_deny_groups > 0) --- 94,112 ---- if (ma...

...gain, there may be a better solution. Craig ------------------------------------------------------------ --- openssh-1.2pre13/servconf.c.orig Fri Nov 19 23:30:33 1999 +++ openssh-1.2pre13/servconf.c Fri Nov 19 23:36:56 1999 @@ -62,6 +62,7 @@ options->num_deny_users = 0; options->num_allow_groups = 0; options->num_deny_groups = 0; + options->max_connections = -1; } void fill_default_server_options(ServerOptions *options) @@ -161,7 +162,7 @@ sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,...

Am 17.06.24 um 16:06 schrieb Rowland Penny via samba: >> The user is member of "domain admins", isn't that enough? > > No, because they would be classed as 'others'. > >> >> Or does "SYNC_ACL" not yet work OK, because we miss the steps in >> >> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs >>

...s_ipaddr) { + allowed = 1; + } + } + + if (allowed == 0) { + logit("User %.100s not allowed because not listed in AllowUsers, AllowUsersFixedname or AllowUsersIpaddr", + pw->pw_name); + return 0; + } + if (options.num_deny_groups > 0 || options.num_allow_groups > 0) { /* Get the user's group access list (primary and supplementary) */ if (ga_init(pw->pw_name, pw->pw_gid) == 0) { logit("User %.100s not allowed because not in any group", pw->pw_name); return 0; } diff -r -U 8 openssh-3.9p1.orig/match.c op...

Could people please test -current? We will be making a release fairly soon. -d -- | By convention there is color, \\ Damien Miller <djm at mindrot.org> | By convention sweetness, By convention bitterness, \\ www.mindrot.org | But in reality there are atoms and space - Democritus (c. 400 BCE)

Could everyone please test the latest snapshots as we will be making a new release soon. If you have any patches you would like us to consider, please resend them to the list ASAP. -d -- | Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer

OpenSSH 3.0 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. This release contains many portability bug-fixes (listed in the ChangeLog) as well as several new features (listed below). We would like to thank the

Hello, I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1 concerning the AFS token forwarding. That means that the new versions are not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this problem already existed in Openssh 2.9.9p1, but I have never used this version (I only looked at the