Dude,

Thanks for your help. I made the modifications to the "valid users=" line in the smb.conf but was still not able to browse to the directory without being a member of the primary group AVMAX+Planning. However there was also a problem with the way I set up the ACL which I have now discovered and corrected. The details are as follows:

Along with having to list all allowed groups in the "valid users=" line in the smb.conf file for the share, I also had to modify each share's ACL permissions as well. Originally I had given "AVMAX+Domain Users" a :r permission in that directory's ACL. I also needed to put in a :x permission to allow browsing to work on that folder. So I fixed the problem by doing:

    setfacl -m group:"AVMAX+Domain Users":rx Planning

This allows me to now browse to the directory problem free without being a member of the primary domain group AVMAX+Planning. I am also able to leave the "valid users=" parameter out of the smb.conf share detail and let winbind and the ACLs work on the security of the directory.

So anyway thanks to those who replied to my request for assistance.

Cheers,
Travis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
Sent: Monday, January 24, 2005 9:33 AM
To: [EMAIL PROTECTED]
Subject: RE: RE [Samba] More help on ACLproblemplease...anyone...anyone...Bueller?

Extract of smb.conf :

valid users (S)

    This is a list of users that should be allowed to login to this service. Names starting with '@', '+' and '&' are interpreted using the same rules as described in the invalid users parameter.

    If this is empty (the default) then any user can login. If a username is in both this list and the invalid users list then access is denied for that user.

    The current servicename is substituted for %S. This is useful in the [homes] section.

    Default: valid users = # No valid users list (anyone can login)

    Example: valid users = greg, @pcusers

"Travis Bullock" <[EMAIL PROTECTED] a>
To: <[EMAIL PROTECTED]>
24/01/2005 17:28
cc:
Subject: RE: RE [Samba] More help on ACL problemplease...anyone...anyone...Bueller?

I modified your setting

Sure:

    [Planning]
    comment = Avmax Domain Shares
    browseable = yes
    writable = yes
    read only = no
    # valid users = AVMAX+Planning
    create mode = 0664
    directory mode = 0775
    path = /usr/avamx_shares/Planning

There she is. Do I have to include all groups in 'valid users'? If so what would the separator be?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
Sent: Monday, January 24, 2005 9:03 AM
To: Samba (E-mail)
Subject: RE [Samba] More help on ACL problemplease...anyone...anyone...Bueller?

Hi,

I think it is not an ACL problem, it's an smb.conf share configuration problem. Could you send the part of your smb.conf that is about this share?

-----------------------------------
Stéphane PURNELLE [EMAIL PROTECTED]
Service Informatique Corman S.A.
Tel : 00 32 087/342467

"Travis Bullock" <[EMAIL PROTECTED] a>
Sent by: samba-bounces+stephane.purnelle=co[EMAIL PROTECTED]ba.org
24/01/2005 16:59
To: "Samba (E-mail)" <[email protected]>
cc:
Subject: [Samba] More help on ACL problem please...anyone...anyone...Bueller?

Hello,

I am running Fedora Core 2.

Kernel: linux-2.6.5-1.358

Kernel supports ACL:

    [EMAIL PROTECTED] configs]# grep FS_SECURITY kernel-2.6.5-i686-smp.config
    CONFIG_EXT2_FS_SECURITY=y
    CONFIG_EXT3_FS_SECURITY=y
    CONFIG_XFS_SECURITY=y
    CONFIG_DEVPTS_FS_SECURITY=y
    [EMAIL PROTECTED] configs]# grep XATTR kernel-2.6.5-i686-smp.config
    CONFIG_EXT2_FS_XATTR=y
    CONFIG_EXT3_FS_XATTR=y
    CONFIG_DEVPTS_FS_XATTR=y

Have extended attributes set in /etc/fstab is as follows:

    /dev/Goliath/root / ext3 acl,user_xattr 1 1

I have a directory called Planning with ACL permissions assigned via the setfacl command:

    drwxrwx---+ 2 root AVMAX+Planning 4096 Jan 14 09:55 Planning

which looks like this with getfacl:

    [EMAIL PROTECTED] avamx_shares]# getfacl Planning/
    # file: Planning
    # owner: root
    # group: AVMAX+Planning
    user::rwx
    group::rwx
    group:AVMAX+Domain Users:r--
    mask::rwx
    other::---

Problem: If I add my user to the AVMAX+Planning group on my NT DOMAIN PDC there is no problem. I can browse to the Planning directory via My Network Places. However if I remove my account from the AVMAX+Planning group and browse to the Planning directory it prompts me for a password. Because my account is by default a member of the AVMAX+Domain Users and I have configured (I think) the Planning directory ACL to allow read access to the AVMAX+Domain Users group... I should be able to browse this directory without being prompted for a username and password...

QUESTION: What did I do wrong or not do at all to make the applied ACL function correctly and allow all users in the AVMAX+Domain Users group read access to the Planning samba share?

Cheers,
Travis

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba

-----------------------------------
Stéphane PURNELLE [EMAIL PROTECTED]
Service Informatique Corman S.A.
Tel : 00 32 087/342467
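
Added example, not part of the mailing-list thread: this Python sketch parses the getfacl output quoted above and applies the POSIX ACL access check for a non-root user, showing why the r-- entry for AVMAX+Domain Users did not allow entering the directory and why rx does. The account name "travis" and the function names are assumptions made for the illustration.

```python
# getfacl text as posted in the thread (ACL before the fix).
ACL_BEFORE = """\
# file: Planning
# owner: root
# group: AVMAX+Planning
user::rwx
group::rwx
group:AVMAX+Domain Users:r--
mask::rwx
other::---
"""
# ACL after: setfacl -m group:"AVMAX+Domain Users":rx Planning
ACL_AFTER = ACL_BEFORE.replace("Domain Users:r--", "Domain Users:r-x")

def parse_getfacl(text):
    """Return (owner, owning_group, [(tag, qualifier, perms), ...])."""
    meta, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            key, _, val = line[1:].partition(":")
            meta[key.strip()] = val.strip()
        elif line:
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, set(perms) - {"-"}))
    return meta["owner"], meta["group"], entries

def check_access(acl_text, user, groups, want):
    """POSIX ACL check for a non-root user; want is e.g. "r", "x" or "rx"."""
    owner, owning_group, entries = parse_getfacl(acl_text)
    want = set(want)
    mask = next((p for t, _, p in entries if t == "mask"), set("rwx"))
    if user == owner:                  # owner entry is not limited by the mask
        return want <= next(p for t, q, p in entries if t == "user" and not q)
    for t, q, p in entries:            # named user entries are masked
        if t == "user" and q == user:
            return want <= (p & mask)
    matched = [p & mask for t, q, p in entries if t == "group"
               and (q in groups or (not q and owning_group in groups))]
    if matched:                        # a single matching group entry must grant it all
        return any(want <= p for p in matched)
    return want <= next(p for t, _, p in entries if t == "other")

if __name__ == "__main__":
    member = {"AVMAX+Domain Users"}    # constructed group membership
    for label, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        print(label, "read:", check_access(acl, "travis", member, "r"),
              "enter:", check_access(acl, "travis", member, "x"))
```

Note that once any group entry matches, a denial is final: the check never falls through to the other:: entry.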
