[Samba] inconsistence behavior concerning security

2004-04-07 Thread Leandro Ariel Gomez Chavarria

Hi all, I have a share for 2 groups of users in which I need this behavior:

Group A: can create/delete files
Group B: can only modify files

I solve this with a share that is rw for both groups; the FS directory permissions are 2770, groupA is the owner of the directory, and there is an ACL for groupB which is r-x.

Then the default ACL for this directory is rwx for GroupB, so when something is created here, it receives rwx permissions.

Everything looks to work fine, I tested with .txt files in a w2k and it's ok.

BUT!: it doesn't work with MS Office files! (xls, doc, ppt, etc)

Example:

drwxrws---2 CENCOSUD+Administrator CENCOSUD+Inventario_Easy_CL 4096 Apr  7 16:57 .
# file: .
# owner: CENCOSUD+Administrator
# group: CENCOSUD+Inventario_Easy_CL
user::rwx
group::rwx
group:CENCOSUD+Inventario_Easy_CL_RX:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:CENCOSUD+Adm_FileSystem_CL:rwx
default:group:CENCOSUD+Inventario_Easy_CL_RX:rwx
default:mask::rwx
default:other::---

-rw-rwx---1 root CENCOSUD+Inventario_Easy_CL11776 Apr  7 16:54 test.xls
-rw-rwx---1 root CENCOSUD+Inventario_Easy_CL0 Apr  7 16:57 test.txt

[EMAIL PROTECTED] Inventario_Easy_CL]# getfacl test*
# file: test.txt
# owner: root
# group: CENCOSUD+Inventario_Easy_CL
user::rw-
group::rw-
group:CENCOSUD+Inventario_Easy_CL_RX:rwx
mask::rwx
other::---

# file: test.xls
# owner: root
# group: CENCOSUD+Inventario_Easy_CL
user::rw-
group::rwx
group:CENCOSUD+Inventario_Easy_CL_RX:rwx
mask::rwx
other::---

And this is the log of an operation of open with a xls file:

[2004/04/07 16:54:55, 2] smbd/open.c:open_file(246)
  cl opened file Inventario_Easy_CL/test.xls read=Yes write=No (numopen=2)
[2004/04/07 16:54:55, 2] smbd/close.c:close_normal_file(230)
  cencosud+cl closed file Inventario_Easy_CL/test.xls (numopen=1) 
[2004/04/07 16:54:55, 2] smbd/open.c:open_file(246)
  cl opened file Inventario_Easy_CL/test.xls read=Yes write=No (numopen=2)
[2004/04/07 16:54:56, 2] smbd/close.c:close_normal_file(230)
  cencosud+cl closed file Inventario_Easy_CL/test.xls (numopen=1) 
[2004/04/07 16:54:56, 2] smbd/open.c:open_file(246)
  cl opened file Inventario_Easy_CL/test.xls read=Yes write=No (numopen=2)
[2004/04/07 16:54:56, 2] smbd/close.c:close_normal_file(230)
  cencosud+cl closed file Inventario_Easy_CL/test.xls (numopen=1) 
[2004/04/07 16:54:56, 2] smbd/open.c:open_file(246)
  cl opened file Inventario_Easy_CL/test.xls read=Yes write=Yes (numopen=2)
[2004/04/07 16:54:57, 2] smbd/open.c:open_file(246)
  cl opened file Inventario_Easy_CL/test.xls read=Yes write=No (numopen=3)
[2004/04/07 16:54:57, 2] smbd/close.c:close_normal_file(230)
  cencosud+cl closed file Inventario_Easy_CL/test.xls (numopen=2)


Has someone had a similar experience?

Any advice? Workarounds?




--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
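An added example, not part of the original post: the two ACL listings above evaluated the way POSIX ACLs are checked, separating the file right (modify in place) from the directory right (create, delete, rename). The split matters for any client that saves by writing a new file and renaming it over the old one. The function names are hypothetical, and the caller is assumed to be neither the file owner nor a named user.

```python
# ACL listings copied from the post: the shared directory and test.xls.
DIR_ACL = """\
# group: CENCOSUD+Inventario_Easy_CL
user::rwx
group::rwx
group:CENCOSUD+Inventario_Easy_CL_RX:r-x
mask::rwx
other::---
default:group:CENCOSUD+Inventario_Easy_CL_RX:rwx
"""
FILE_ACL = """\
# group: CENCOSUD+Inventario_Easy_CL
user::rw-
group::rwx
group:CENCOSUD+Inventario_Easy_CL_RX:rwx
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Return (owning_group, access entries); default: entries are skipped."""
    owning_group, entries = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# group:"):
            owning_group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            tag, qualifier, perms = line.split(":")[:3]
            entries[(tag, qualifier)] = set(perms[:3]) - {"-"}
    return owning_group, entries

def allowed(text, member_of, want):
    """POSIX group-class check for a caller who is not the file owner."""
    owning_group, entries = parse_getfacl(text)
    mask = entries.get(("mask", ""), set("rwx"))
    matched = [perms & mask for (tag, q), perms in entries.items()
               if tag == "group" and (q or owning_group) in member_of]
    if not matched:  # no group entry applies: other:: decides
        return set(want) <= entries.get(("other", ""), set())
    # one matching entry must carry every requested bit
    return any(set(want) <= perms for perms in matched)

def rights(member_of):
    """Hypothetical helper: what a member of these groups can do."""
    return {"modify_in_place": allowed(FILE_ACL, member_of, "w"),
            "create_delete_rename": allowed(DIR_ACL, member_of, "wx")}

if __name__ == "__main__":
    print(rights({"CENCOSUD+Inventario_Easy_CL_RX"}))
    print(rights({"CENCOSUD+Inventario_Easy_CL"}))
```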


[Samba] Re: access controls on shares

2003-12-12 Thread Leandro Ariel Gomez Chavarria

yeap, I'm talking about ACLs on files and directories, I'm using ext3
file system with acls and quotas, and works really fine.

 BuSab [EMAIL PROTECTED] 12/12/03 06:04am 
On Thu, 11 Dec 2003 15:03:35 -0300, Leandro Ariel Gomez Chavarria [EMAIL PROTECTED] wrote:

 I solve this using the option admin users in shares, like that:
 
 [Finances]
   path = /Groups/Finances
   valid users = @DOMAIN+Finances
   admin users = @DOMAIN+Domain Admins
 
 Everyone who belongs to the Finances group can access the share, but
 can't modify acls from windows, but, everyone who belongs to the
 Domain Admins group can modify acls without problem, if you look in
 the smbstatus the connection is made by root.

It doesn't work for me. Are you talking about share ACLs or ACLs on files and directories?

-- 
 busab


Re: [Samba] access controls on shares

2003-12-11 Thread Leandro Ariel Gomez Chavarria
I solve this using the option admin users in shares, like that:

[Finances]
path = /Groups/Finances
valid users = @DOMAIN+Finances
admin users = @DOMAIN+Domain Admins

Everyone who belongs to the Finances group can access the share, but
can't modify acls from windows, but, everyone who belongs to the Domain
Admins group can modify acls without problem, if you look in the
smbstatus the connection is made by root.

 Gerald (Jerry) Carter [EMAIL PROTECTED] 12/11/03 02:28pm 

BuSab wrote:
| hello,
|
| I'm trying to set up a samba server with access controls on shares,
| like described in chapter 13 section 4 of the samba howto collection,
| but I didn't succeed.
|
| I don't know if I need to set security = DOMAIN, to join the domain
| and/or to use winbind.
|
| My server is a simple domain member (the PDC is a NT4 server). I've
| tried samba 3.0.0 and 2.2.3a on a debian stable box.
|
| I've tried various configurations, on some, got an error (access
| denied) on the windows box while setting the ACL on the share, on
| others, got an access denied trying to access to the share even with
| correct ACLs.
|
| Can anybody post a samba smb.conf ready for ACL on shares or explain me
| a way to configure it?

you must create a local Samba account for root.  Only root
(uid == 0) can set share acls.  We're working on extending this
to use group membership (e.g. Domain Admins) but haven't
finished it yet.




--
cheers, jerry
Hewlett-Packard - http://www.hp.com
SAMBA Team - http://www.samba.org
GnuPG Key - http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song" --Switchfoot (2003)


[Samba] too many users?

2003-12-10 Thread Leandro Ariel Gomez Chavarria

Hi all, I'm running in my production environment Samba 2.2.8a-0 using security = domain in a RH9 box and I start to find error messages in log files like that:

[2003/12/10 11:47:11, 0] smbd/service.c:make_connection(599)
  spmatscl11 (10.5.108.10) Can't change directory to /home/CENCOSUD/Chile/Users/cestay (Permission denied)
[2003/12/10 11:47:11, 1] smbd/password.c:add_session_user(367)
  Too many session users?? 
[2003/12/10 11:47:11, 0] smbd/service.c:make_connection(599)
  spmatscl11 (10.5.108.10) Can't change directory to /home/CENCOSUD/Chile/Users/cestay (Permission denied)
[2003/12/10 11:47:11, 1] smbd/password.c:add_session_user(367)
  Too many session users?? 

directory permissions are OK (the entire path) and authentication works fine, actually users are mapping another resource. I have now 850 sessions, I think that CAN'T be TOO many, isn't? I'm planning to have close to 4000 users !!! in the next months.

I never asked myself about these limits (sessions/connections, open files, quantity of shares - I have many and I'm planning to make more -), does someone know which these limits are?

regards, Leandro.-

PD: I'll be upgrading to Samba 3 in the next weeks, because of the idmap = ldap feature.


Re: samba + winbindd with NT-DC problem... i'm stuck.

2003-11-21 Thread Leandro Ariel Gomez Chavarria

I think your problem is this:
  passwd: files winbind
  group:  files winbind
  shadow: files winbind nis

the correct modification for nsswitch is 
 passwd: files winbind
 group:  files winbind
 shadow: files nis

DON'T put winbind in shadow line!

then try with getent passwd or getent group and you should see all
users in /etc/passwd and after them domain users.

let me know if it works 

good luck, leandro.-

 leopardb [EMAIL PROTECTED] 11/21/03 07:30am 
Björn Andersen wrote:

Hello Group,

I'm really stuck here.  I try to get a samba to authenticate its users nicely
against an NT-DC, which will later be upgraded to W2K or W2K3

My system : Suse 8.1, samba-2.2.5-80, samba-client-2.2.5-80

My test-config for smb:
[global]
winbind separator = +
winbind cache time = 0
template shell = /bin/bash
template homedir = /home/%D/%U
winbind uid = 1-2
winbind gid = 1-2
workgroup = FOERDE
security = domain
encrypt passwords = Yes
password server = SMSERVER SERVER01
[daten]
path = /srv/samba/daten
writeable = no
write list = root FOERDE+300
valid users = root 300 FOERDE+300 @FOERDE+218

winbindd runs as daemon, wbinfo -u and wbinfo -g gives the right
domain users and groups, as well as getent group and getent passwd.
strangely even ...
  # wbinfo -a foerde+300%password
works with an output of...
  plaintext password authentication succeeded
  error code was NT_STATUS_OK (0x0)
  challenge/response password authentication succeeded
  error code was NT_STATUS_OK (0x0)

I inserted in /etc/nsswitch.conf
  passwd: files winbind
  group:  files winbind
  shadow: files winbind nis
to activate winbind. I have not changed anything in PAM because I only need
Domain Users to access Win-Shares, not to login or anything else.
But with ... :
  web1-50:~ # smbclient //web3-77/daten -U 300 -W foerde
i only get this output... :
  added interface ip=150.10.30.50 bcast=150.10.30.255 nmask=255.255.255.0
  added interface ip=10.1.110.20 bcast=10.1.110.255 nmask=255.255.255.0
  Password: *
  Domain=[FOERDE] OS=[Unix] Server=[Samba 2.2.5]
  tree connect failed: NT_STATUS_WRONG_PASSWORD

Logfiles :
messages: nothing
log.winbind : nothing
log.smbd : nothing
log.nmbd : nothing

With a wrong PW I get log entries "Error was NT_STATUS_WRONG_PASSWORD",
which seems right. But nothing with right PW. Sadly no logon as well.
My Testuser is 300, as you can see I tried some different syntax for user
in smb.conf as well as in smbclient. No good.

What am I doing wrong ? Especially because wbinfo -a works, I thought I
was quite close.
But I didn't make any progress for days now..
What did I forget ?

Please Help..

Björn Andersen




  

I've exactly the same problem. Did you receive any answer ?
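An added example, not part of the original thread: a small check for the nsswitch.conf change recommended in the reply above, which keeps winbind in the passwd and group lines and removes it from shadow. The function names and the third sample are constructed for illustration.

```python
import re

# The nsswitch.conf lines as quoted in the thread, before and after the fix.
AS_POSTED = """\
passwd: files winbind
group:  files winbind
shadow: files winbind nis
"""
AS_CORRECTED = """\
passwd: files winbind
group:  files winbind
shadow: files nis
"""
# Constructed sample with a comment and an action item, to exercise the parser.
WITH_ACTIONS = """\
# local accounts first
passwd: files [NOTFOUND=continue] winbind   # domain users
group:  files
shadow: files
"""

# Databases in which the reply keeps winbind; anywhere else it is flagged.
WINBIND_DATABASES = {"passwd", "group"}

def parse_nsswitch(text):
    """Map database -> ordered source list, ignoring comments and [actions]."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        databases[name.strip()] = re.sub(r"\[[^\]]*\]", " ", rest).split()
    return databases

def check_winbind(text):
    """Return a list of findings; an empty list means the layout matches."""
    databases = parse_nsswitch(text)
    findings = []
    for name, sources in databases.items():
        if "winbind" in sources and name not in WINBIND_DATABASES:
            findings.append(f"{name}: remove winbind")
    for name in sorted(WINBIND_DATABASES):
        if "winbind" not in databases.get(name, []):
            findings.append(f"{name}: winbind missing")
    return findings

if __name__ == "__main__":
    for label, text in (("posted", AS_POSTED), ("corrected", AS_CORRECTED)):
        print(label, check_winbind(text))
```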



