I'm sorry, perhaps you don't understand my poor English - I'm French... - but does someone know how to force ACLs to be applied, particularly in the case described below? Or is there a way to execute a script at directory creation (a kind of trigger)?

Thank you,

Sylvain DAVID.

[EMAIL PROTECTED] a écrit :
Hi all,

I use Debian Sarge and Samba 3.0.22 with ACLs. The server is a PDC. I have about 70 client workstations running Windows XP SP1 and SP2.

Everything works pretty well, except directory copies, which lose the ACLs in one particular case: when a client copies a local directory to a Samba share, the default ACLs aren't applied. But this problem occurs only when the owner of the client's local directory is DOMAIN\USER. If the owner of the client's local directory is LOCALPC\USER, the default ACLs are applied during the copy. In fact, I wonder whether this is the normal behavior of Samba: if the owner is the domain user, perhaps Samba tries to copy the ACLs along with the files? But that's not what I want Samba to do. I would like only the default ACLs to be applied. And what makes me think it's a bug is that this behavior does not happen on a file copy: a local file owned by DOMAIN\USER and copied to a Samba share gets the default ACLs of the directory into which it is copied.

So, I think I have 3 solutions :
- Create all the groups and all the users on all the workstations, and then set the local security correctly on every workstation directory tree. But this is impossible because I'm alone in managing all the workstations, and new users are created and old ones deleted every month.
- make a script watching the ACLs on the server. But this is dirty...
- Hope there's a solution in the configuration or a patch. I tried "security mask" and "directory security mode" to prevent users from modifying ACLs; it works, but only on POSIX, and the default ACLs are still lost. "inherit permissions" is not the solution either.

In fact, the ideal solution would be a way to make Samba totally ignore the local security and apply the server's security. But how?

Here's my smb.conf :

# -----------------------------------------------------------------------------
# Global parameters
# -----------------------------------------------------------------------------
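[global]
# Identity, character sets and domain-controller role of this server.
dos charset = 850
unix charset = ISO8859-1
workgroup = elb-lyon
netbios name = server02
server string = server02.elb-lyon
os level = 65
domain logons = Yes
domain master = Yes
local master = Yes
preferred master = Yes
wins support = Yes

# Account database and password synchronisation with the UNIX accounts.
obey pam restrictions = Yes
passdb backend = tdbsam, guest
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
# NOTE(review): passwd chat debug writes the password-change dialogue,
# including the plaintext passwords, to the smbd log at debug level 100.
# It is meant for debugging the chat script and should be switched off afterwards.
passwd chat debug = Yes
pam password change = Yes
unix password sync = Yes

# Logging: one log file per client machine name (%m).
syslog = 0
log level = 2
# log level max = 10
log file = /var/log/samba/log.%m
max log size = 25600
dns proxy = No
panic action = /usr/share/samba/panic-action %d
# NOTE(review): "root2" does not block root; the share sections list root in
# "valid users", so root logons over SMB are permitted - confirm this is intended.
invalid users = root2

# Default per-user Samba settings (logon drive, home, roaming profile, script).
logon drive = P:
logon home = \\server02\%U
logon path = \\server02\profiles\%U
logon script = %U.cmd

# Automatic POSIX account management.
# smbd runs these scripts as root; keep them as fixed absolute paths and
# review any change to them as carefully as a sudoers change.
# The two useradd lines were fused onto one line in the posted file; they are
# separate parameters and each needs its own line.
add machine script = /usr/sbin/useradd -g sambamachines -c Machine -d /dev/null -s /bin/false '%u'
add user script = /usr/sbin/useradd -g sambausers -c Utilisateur -d /dev/null -s /bin/false '%u'
add group script = /usr/sbin/groupadd '%g'
add user to group script = /usr/bin/gpasswd -a '%u' '%g'
delete user script = /usr/sbin/userdel -r '%u'
delete group script = /usr/sbin/groupdel '%g'
delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
set primary group script = /usr/sbin/usermod -g '%g' '%u'

# Names hidden from and inaccessible to clients on every share.
veto files = /lost+found/ .recycle/ aquota.user/ aquota.group/

guest account = guest

# Only clients in 192.168.0.x and on the loopback network may connect.
hosts allow = 192.168.0. 127.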

# -----------------------------------------------------------------------------
# Required for the domain
# -----------------------------------------------------------------------------
[homes]
# Per-user home share; %u in the path is the connecting user's name.
comment = Home Directories
path = /mnt/SAN01/vd3_home2/home2/%u
browseable = No
# %S is the share name, which for [homes] is the user name, so only the
# owner of a home directory may connect to it. No guest access.
valid users = %S
guest ok = No
writable = Yes
# Permission bits of new files and directories are limited to the owner.
create mask = 0700
directory mask = 0700

[netlogon]
# Logon-script share used by domain logons; read-only through this share.
comment = Partage NetLogon
path = /mnt/SAN01/vd3_home2/netlogon
browseable = No
read only = Yes
# Authenticated members of the listed groups and root only; no guest access.
valid users = @sambausers @sambaguests root
guest ok = No

[profiles]
# Roaming-profile share (target of "logon path" in [global]).
comment = Profils utilisateurs
path = /mnt/SAN01/vd3_home2/profiles
browseable = No
valid users = @sambausers @sambaguests root
guest ok = No
writable = Yes
# New files are limited to owner-only permission bits.
# NOTE(review): no "directory mask" is set here, so new directories use
# Samba's default mask - confirm profile directories are not readable by
# other users.
create mode = 0700

# -----------------------------------------------------------------------------
# Printers
# -----------------------------------------------------------------------------
[printers]
# Print-spool share for all printers.
comment = All printers
# NOTE(review): spool files are written to /tmp, a directory shared with every
# local process; a dedicated spool directory with restricted permissions is
# the usual choice - review.
path = /tmp
printable = Yes
browseable = No
valid users = @sambausers
guest ok = No
create mask = 0700

[print$]
# Printer-driver download share.
# NOTE(review): no "valid users", "write list" or "read only" is set in this
# section, so access relies on Samba defaults and the global "hosts allow" -
# confirm who is able to upload drivers.
path = /var/lib/samba/printers
comment = Printer Drivers

# -----------------------------------------------------------------------------
# Shares :)
# -----------------------------------------------------------------------------
[vd1_echange]
# Internal exchange area, writable by standard users, guests group and admins.
comment = Zone d'echange interne et FTP Pantin.
path = /mnt/SAN01/vd1_echange
browseable = yes
# Entries a user cannot read are not listed.
hide unreadable = Yes
valid users = root @sambaadmins @sambaguests @User_Standard
guest ok = No
writable = Yes
# No permission bits for "other" on new files and directories.
create mask = 0770
directory mask = 0770
# Default ACLs on the parent directory are honoured for new files and
# subdirectories.
# NOTE(review): the post reports that directories copied from a client owned by
# a domain user do not end up with these default ACLs. "nt acl support = no" on
# a share stops Samba from mapping and accepting NT ACLs from Windows clients;
# it may be worth trying on a test share - not verified against this setup.
inherit acls = yes
# directory security mask = 0000
# force directory security mode = 0777

[vd2_gestion]
# Administration / accounting share, restricted to the Gestion_Level* groups
# and the admins; finer access control inside the tree is left to the ACLs.
comment = Administration, compta, gestion.
path = /mnt/SAN01/vd2_gestion
browseable = Yes
hide unreadable = Yes
# NOTE(review): root is allowed to connect over SMB here - confirm it is needed.
valid users = root @sambaadmins @Gestion_Level0, @Gestion_Level1, @Gestion_Level2, @Gestion_Level3
guest ok = No
writable = Yes
# No permission bits for "other"; default ACLs of the parent are inherited.
create mask = 0770
directory mask = 0770
inherit acls = yes

[vd3_home2]
# Admin-only view of the whole vd3_home2 volume.
# NOTE(review): this path is the parent directory of the [homes], [netlogon]
# and [profiles] paths, so anyone admitted here can write to every user's home,
# profile and the logon scripts, subject to filesystem permissions. Keep
# membership of @sambaadmins tight.
comment = Dossiers privés
path = /mnt/SAN01/vd3_home2
browseable = Yes
hide unreadable = Yes
valid users = root @sambaadmins
guest ok = No
writable = Yes
create mask = 0770
directory mask = 0770
inherit acls = yes
# Client-side caching (offline files) is turned off for this share.
csc policy = disable

[vd4_archive]
# Archive share for the design, development, graphics and software groups.
comment = Archives Design, Develop, Graphisme, Logiciels
path = /mnt/SAN01/vd4_archive
browseable = Yes
# Entries a user cannot read are not listed.
hide unreadable = Yes
valid users = root @sambaadmins @User_Standard, @Archive_Develop, @Archive_Design, @Archive_Graphisme, @Archive_Logiciels
guest ok = No
# NOTE(review): the share is writable for every group in "valid users"; if the
# archive is meant to be read-mostly, that has to be enforced by the ACLs.
writable = Yes
create mask = 0770
directory mask = 0770
inherit acls = yes

[vd5_projet]
# Project share; one group per project, separation between projects is left
# to the ACLs inside the tree.
comment = Les Projets
path = /mnt/SAN01/vd5_projet
browseable = Yes
hide unreadable = Yes
valid users = root @sambaadmins @Projet_one @Projet_two @Projet_three @Projet_four
guest ok = No
writable = Yes
# No permission bits for "other"; default ACLs of the parent are inherited.
create mask = 0770
directory mask = 0770
inherit acls = yes

[vd6_backup]
# Backup share, reserved for root and the admins group.
comment = Backups [reservé admin]
path = /mnt/SAN01/vd6_backup
# NOTE(review): the share is browseable although only admins may connect;
# "browseable = No" would keep it out of the share list - optional hardening.
browseable = Yes
hide unreadable = Yes
valid users = root @sambaadmins
guest ok = No
writable = Yes
create mask = 0770
directory mask = 0770
inherit acls = yes

[vd7_video]
# Video-editing share for the User_MontageVideo group and the admins.
comment = Montages Videos
path = /mnt/SAN01/vd7_video
browseable = Yes
# Entries a user cannot read are not listed.
hide unreadable = Yes
valid users = root @sambaadmins @User_MontageVideo
guest ok = No
writable = Yes
# No permission bits for "other"; default ACLs of the parent are inherited.
create mask = 0770
directory mask = 0770
inherit acls = yes

