On Wed, Aug 27, 2008 at 10:28 AM, Roger Searle <[EMAIL PROTECTED]> wrote:
> Hi, subject line is what I originally thought was going on. I have a hardy
> machine sharing a couple of folders via samba. Various users assigned to
> various groups, ownership and permissions set up and working well, for
> example:
>
> [EMAIL PROTECTED]:~/documents$ ls -l | grep pay
> drwxrwx--- 6 roger management 4096 2008-08-20 11:31 payroll
>
> and as expected roger and members of the management group have read/write
> access to the payroll folder, and others get "permission denied". Good.
> Except, I have found that from 2 XP workstations, 2 different users (1 per
> workstation) are able to connect to the entire share appearing to disregard
> this, the logged on username is NOT roger, nor is the user in the management
> group, yet has full access to that particular folder. Bit of a worry,
> definitely not what I was expecting...
Are they in the coordinators group?

valid users = roger, @coordinators, @management

> smbstatus shows that the user is connecting with uid 1000, which is the user
> roger - so it's not root after all. The username on the second workstation
> is a different one, yet also makes the connection as uid 1000.
> Can anyone shed any light on what is going on here?
> The following additional information may or may not be relevant. In feisty
> days, webmin would work to configure the shares. That is no longer the
> case, and I found that there are lines that were present in the global
> section of smb.conf that will prevent any connection to the share are the 2
> that are commented out below.

There are three commented out below.

All smb.conf lines are documented in smb.conf(5). It is available online too, eg:
http://us1.samba.org/samba/docs/man/manpages-3/smb.conf.5.html

However you need a lot of background knowledge to work out what a definition like:

"passdb backend (G) ... tdbsam - The TDB based password storage backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb in the private dir directory..."

Unless you know what a TDB based storage backend is (and I don't), then you aren't any further ahead.

One thing I can say, smb passwd file = /usr/bin/smbpasswd is well and truly screwed up. smb passwd file should point to the database, not to the binary that creates the database.

Anyway, back to the problem in hand. After checking the coordinators group, consider this scenario, bearing in mind that I don't fully understand windows in that its results in this area seem to be inconsistent (and may vary between versions, including between xp home and pro).

If roger goes and sits at another user's (let's call him ben) xp machine which is logged in as ben, and wants to access the [data] share on \\hardy, he might go to "my network drives" and add the share, intending it to only be a temporary measure while he needs to test something.
As part of this he authorises himself on \\hardy\data as roger/roger's password. This will work, and so it should. But how long does this authorisation stick around? Can ben go back later and still access \\hardy\data ? In some cases these "network places" seem to stick around a while.

Sorry I am not really answering the question, merely raising a possibility.

> I would be interested in any feedback on what
> these lines are or do, or if anyone can see anything else that is not needed
> or may be contributing to the above situation. I'm no longer using webmin,
> instead editing smb.conf, however the current file is derived from a webmin
> one and therefore may be broken.
>
> ; smb passwd file = /usr/bin/smbpasswd
> ; obey pam restrictions = yes
> ; passdb backend = tdbsam
>
> ("locate smbpasswd" shows there is a /etc/samba/smbpasswd file)
>
> smb.conf passes testparm, which ends giving the following dump of the
> service definitions:
>
> [global]
>         map to guest = Bad User
>         pam password change = Yes
>         passwd program = /usr/bin/passwd %u
>         passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>         unix password sync = Yes
>         syslog = 0
>         log file = /var/log/samba/log.%m
>         max log size = 1000
>         dns proxy = No
>         wins support = Yes
>         panic action = /usr/share/samba/panic-action %d
>         invalid users = root, members
>
> [printers]
>         comment = All Printers
>         path = /var/spool/samba
>         create mask = 0700
>         printable = Yes
>         browseable = No
>
> [print$]
>         comment = Printer Drivers
>         path = /var/lib/samba/printers
>
> [data]
>         path = /home/roger/documents/
>         valid users = roger, @coordinators, @management
>         write list = roger, @coordinators, @management
>         read only = No
>         create mask = 0777
>         directory mask = 0777
>
> [backup]
>         path = /home/roger/backup
>         valid users = roger, @roger
>         write list = roger, @roger
>
>
> Cheers,
> Roger
>
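An added example, not from this thread and not Samba's own code: a small Python script that applies the `invalid users`, `valid users`, `write list`, `read list` and `read only` rules from the quoted [data] and [backup] definitions to a constructed set of UNIX group memberships, so you can see which accounts the server should admit to each share and at what level. The group membership is invented; the handling of `@name`, `+name` and `&name` entries and the precedence (invalid users first, then valid users, write list over read list over the read only default) follow my reading of smb.conf(5). It shows that an account such as ben, in neither group, is denied on [data] outright, so a connection showing up in smbstatus as uid 1000 must have been authenticated as roger, whatever name the Windows desktop was logged in as.

```python
"""Audit which accounts can reach which Samba shares.

Added example for the thread above; not code from the thread or from Samba.
The share definitions are copied from the quoted testparm dump (only the
access-control keys); the UNIX group membership is constructed.
"""
import re

# Share definitions from the quoted smb.conf, access-control keys only.
SMB_CONF = """
[global]
    map to guest = Bad User
    invalid users = root, members

[data]
    path = /home/roger/documents/
    valid users = roger, @coordinators, @management
    write list = roger, @coordinators, @management
    read only = No

[backup]
    path = /home/roger/backup
    valid users = roger, @roger
    write list = roger, @roger
"""

# Constructed UNIX group membership (assumption: what `getent group` would
# show on the server). 'ben' is deliberately in neither privileged group.
UNIX_GROUPS = {
    "management": {"roger", "alice"},
    "coordinators": {"carol"},
    "roger": {"roger"},
    "users": {"roger", "alice", "carol", "ben"},
}


def parse_smb_conf(text):
    """Minimal parser for the '[section]' / 'key = value' layout testparm prints."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # blank or commented-out line
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).lower()
            sections[current] = {}
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def split_list(value):
    """smb.conf lists are comma and/or whitespace separated."""
    return [x for x in re.split(r"[,\s]+", value) if x]


def user_matches(user, entry, groups):
    """List-entry syntax per smb.conf(5): '@name' tries a NIS netgroup then a
    UNIX group, '+name' is a UNIX group only, '&name' a netgroup only, and a
    bare word is a username. No NIS here, so '@' and '+' both mean UNIX group
    and '&' never matches (assumption for this example)."""
    if entry.startswith("&"):
        return False
    if entry[0] in "@+":
        return user in groups.get(entry[1:], set())
    return user == entry


def in_list(user, section, key, groups):
    return any(user_matches(user, e, groups) for e in split_list(section.get(key, "")))


def yes(value):
    return value.lower() in ("yes", "true", "1")


def access_for(user, share, conf, groups):
    """Return 'denied', 'read' or 'write' for user on the named share."""
    g, s = conf["global"], conf[share]
    # invalid users (global or per-share) wins over everything else
    if in_list(user, g, "invalid users", groups) or in_list(user, s, "invalid users", groups):
        return "denied"
    # an explicit valid users list is a whitelist; absent means anyone
    if "valid users" in s and not in_list(user, s, "valid users", groups):
        return "denied"
    # write list beats read list, which beats the 'read only' setting
    # (Samba's default for 'read only' is yes)
    if in_list(user, s, "write list", groups):
        return "write"
    if in_list(user, s, "read list", groups):
        return "read"
    return "read" if yes(s.get("read only", "yes")) else "write"


def audit(conf, groups):
    """Effective access level of every known account on every file share."""
    shares = [n for n in conf if n not in ("global", "printers", "print$")]
    users = sorted(set().union(*groups.values()) | {"root", "members"})
    return {sh: {u: access_for(u, sh, conf, groups) for u in users} for sh in shares}


if __name__ == "__main__":
    for share, rows in audit(parse_smb_conf(SMB_CONF), UNIX_GROUPS).items():
        print(f"[{share}]")
        for user, level in rows.items():
            print(f"  {user:<8} {level}")
```

Run it as-is and compare the table against what smbstatus reports: any session on [data] whose Username is roger but whose Machine is a workstation roger does not sit at points to stored credentials on that workstation rather than a hole in the share definition.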
