John H Terpstra wrote:
What are the ownership and permissions settings on the /home directory?
"drwxr-xr-x" root/root
OK, this means that no one (except root) can create or delete a directory in
the /home directory.
----
Right...only 'root' is expected to be able to add new directories
under 'home' right now ...
Are you seriously allowing users to write to each other's home
directories?
read only = No
---
Intent was for it to remain under user control -- that's why I use
the create mask of 0750 (next)....
But this way group members can access each others home directories. Hmmm.
I'm sure I would not like that!
----
Can't users use file permissions to deny read access to any/all if
they want? It's just that home dirs aren't administratively protected...
but users are free to lock them up further... It isn't designed for
a hostile environment, but a 'sharing' & 'cooperative' environment. It's
not exposed to the outside world...:-)
Why these two parameters? What are you trying to achieve with them?
create mask = 0750
inherit acls = Yes
ACLs are POSIX things. You can see them using the getfacl utility. They can
be set using the setfacl utility. And, they can be set through Windows
client applications.
----
Ok....yikes -- I thought this was some type of Win-ACL emulation
feature -- where one could create an ACL list at a top level and have it
apply to created files/dirs underneath it.
Since this is only affecting the POSIX ACLs, it seems that's not
what I want...(so deleting the inherit acls)....
Keep your configuration as simple as possible. Follow the examples in
Samba3-ByExample. Chapters 3 or 4 should be as much as you need at your
site.
---
Well, I do have that book -- but I sometimes experiment with
trying out the more complex features .... Is the online version
kept up-to-date with evolving samba? That's a fun "feature" of samba,
is that it evolves faster than paper can usually keep up! :-)
The homes share is really a service that makes a user's home directory
available from the Windows environment. Under OpenSUSE/SUSE Linux you could
set the path like this:
[homes]
...
path = /home/%U/Documents
...
This way the user is kept away from the dot files (.*) and his Windows files
are in a safe "container" - so to speak.
------
I don't mind the "mixing"...
I also use CYGWIN, on Windows. I set my home dir to
"\home\<user>" (I renamed "Documents and Settings" to "Home").
"Documents" is still a subdir under the user's "Home" dir on
the Windows machine: "\home\<user>\Documents\".
Why do you want POSIX ACLs in your Linux file system? How are you going to
back them up? POSIX ACLs are not the same as UGO (user, group, other)
permissions - they are a superset that sits over the top of UGO permissions.
Avoid them if you can.
----
I don't use them yet -- no progs create them -- but it is my intent
to support/allow them. My backup does dump them -- I use "xfsdump/xfsrestore",
which saves extended file attributes.
If everyone used XFS as their backing store for samba volumes, they'd
get auto-save of ACLs for free.
permissions on /Share = 755, u=law, g=wheel; below /Share any dirs I don't
want guest to have access to are mode 750 (or 700)...
[backups]
comment = Host backup-dirs
path = /backups/%m
Again, add the domain specifier (@BLISS\admin). What is the purpose of
the "%m" parameter here? It makes no sense.
write list = @admin, @%m
----
Oh poo...yeah... meant to (never got around to it) creating
groups for each machine name that accessed the Share to include userids
that were not admins (like 'backup'); but never got around to creating a
user 'backup' to do backups with -- just use an admin signin....
For the remaining shares, the same questions as above apply. It is best
to keep your configuration simple, then add complexity only as it is
proven to be necessary.
---
Well....that's how it started out -- it's just grown warts over
time...:-)
The setup works under the old samba 3.0.23...just haven't kept up with the
times so well on this server...
Please show us the output of executing on both servers:
net groupmap list
----
Null (no output)
So with Samba-3.0.26 you have Windows groups. This means that:
valid users = @"BLISS\law"
----
Actually "law" isn't a group...it's a uid that I added
on top of the group specifications because the group specifications were
not working when I switched to the newer samba.
But similar point...all the groups -- and they are groups
in the unix sense: trusted, trusted_local_net_users, admin, users
They are all groups in /etc/group -- I also tried adding them to
"/etc/samba/smbgroup"... but that didn't seem to work.
will not allow anyone to access the share because there is no law group under
Windows.
----
Was suspecting that. Doesn't samba use the /etc/samba/smbgroup file
anymore?
So here is how you can solve that:
#root> groupadd law
#root> net groupmap add unixgroup=law ntgroup=law type=domain
---
What happens (or happened) to my smbgroup file entries? It had
"Domain Admins" (=wheel,=admin,=operator, =uid#10)
"Domain Users" (=users,=uid#200)
trusted, sshd, "trusted_local_net_users", and "localnet"
I thought the intent was for groups that were not "identical" to the
unix groups, to be listed in "/etc/samba/smbgroup"?
Then you will have a group called "law" both for Windows clients and in the
Linux OS.
---
By default, I take it that unix-groups are no longer accessible as
NT groups unless explicitly mapped with the "net groupmap..." you mention
above?
Also, what is the output of "net getdomainsid"?
SID for domain BLISS....
That's a good output!
---
Great...one thing was correct...maybe two...:-)
You should also learn how to set the "log level", collect log file per client
machine, etc. so that you can diagnose why connection attempts are failing.
Here's a snippet:
log level = 3
max log size = 0
log file = /var/log/samba/%L-%m.log
---
I had it set at one point -- I eliminated it when things seemed to
work correctly and I wanted to try speeding I/O.
I used to have "/var/log/samba/log.%m", and max log = 2048.
Any reason to have max log = 0? Doesn't that mean grow w/o limit, where 2048
means keep the last 2Meg?
Cheers,
John T.
---
Better than "Jeers,"...
Cheerio!, :-)
Linda W.
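
Added example (not part of the original thread and not Samba's own code): a short Python check that expands the %U, %m and %L variables in the share settings quoted above for one session, then lists any @group entry in "valid users" or "write list" that names no Unix group. The smb.conf fragment, the session values, the group list and the function names are constructed for illustration.

```python
import configparser

# Constructed smb.conf fragment built from the settings quoted in the thread.
SMB_CONF = """
[global]
log file = /var/log/samba/%L-%m.log

[homes]
path = /home/%U/Documents

[backups]
path = /backups/%m
write list = @admin, @%m
"""

# Constructed session: %U = session user, %m = client NetBIOS name, %L = server NetBIOS name.
SESSION = {"%U": "law", "%m": "ws1", "%L": "fileserver"}

# Constructed stand-in for the group names found in /etc/group.
UNIX_GROUPS = {"admin", "users", "wheel", "trusted"}

def resolve(conf_text, session):
    """Parse the fragment and expand the session variables in every value."""
    # interpolation=None keeps '%' literal so Samba-style variables survive parsing.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    resolved = {}
    for share in cp.sections():
        resolved[share] = {}
        for key, value in cp[share].items():
            for var, repl in session.items():
                value = value.replace(var, repl)
            resolved[share][key] = value
    return resolved

def missing_groups(resolved, groups):
    """List (share, group) pairs where an @group entry names no Unix group."""
    missing = []
    for share, params in resolved.items():
        for key in ("valid users", "write list"):
            for entry in params.get(key, "").split(","):
                name = entry.strip().replace('"', "")
                group = name[1:].split("\\")[-1]  # drop a DOMAIN\ prefix if present
                if name.startswith("@") and group not in groups:
                    missing.append((share, group))
    return missing

if __name__ == "__main__":
    conf = resolve(SMB_CONF, SESSION)
    print(conf["backups"]["path"], missing_groups(conf, UNIX_GROUPS))
```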