[Samba] inconsistent behavior concerning security
Hi all,

I have a share for 2 groups of users in which I need this behavior:

Group A: can create/delete files
Group B: can only modify files

I solved this with a share that is rw for both groups. The FS directory permissions are 2770, groupA is the owner of the directory, and there is an ACL for groupB which is r-x. The default ACL for this directory is rwx for GroupB, so when something is created here, it receives rwx permissions.

Everything looks to work fine; I tested with .txt files on a W2K client and it's OK. BUT: it doesn't work with MS Office files (xls, doc, ppt, etc.)!

Example:

    drwxrws---  2 CENCOSUD+Administrator CENCOSUD+Inventario_Easy_CL 4096 Apr 7 16:57 .

    # file: .
    # owner: CENCOSUD+Administrator
    # group: CENCOSUD+Inventario_Easy_CL
    user::rwx
    group::rwx
    group:CENCOSUD+Inventario_Easy_CL_RX:r-x
    mask::rwx
    other::---
    default:user::rwx
    default:group::rwx
    default:group:CENCOSUD+Adm_FileSystem_CL:rwx
    default:group:CENCOSUD+Inventario_Easy_CL_RX:rwx
    default:mask::rwx
    default:other::---

    -rw-rwx---  1 root CENCOSUD+Inventario_Easy_CL 11776 Apr 7 16:54 test.xls
    -rw-rwx---  1 root CENCOSUD+Inventario_Easy_CL 0 Apr 7 16:57 test.txt

    [EMAIL PROTECTED] Inventario_Easy_CL]# getfacl test*
    # file: test.txt
    # owner: root
    # group: CENCOSUD+Inventario_Easy_CL
    user::rw-
    group::rw-
    group:CENCOSUD+Inventario_Easy_CL_RX:rwx
    mask::rwx
    other::---

    # file: test.xls
    # owner: root
    # group: CENCOSUD+Inventario_Easy_CL
    user::rw-
    group::rwx
    group:CENCOSUD+Inventario_Easy_CL_RX:rwx
    mask::rwx
    other::---

And this is the log of an open operation on an xls file:

    [2004/04/07 16:54:55, 2] smbd/open.c:open_file(246)
      cl opened file Inventario_Easy_CL/test.xls read=Yes write=No (numopen=2)
    [2004/04/07 16:54:55, 2] smbd/close.c:close_normal_file(230)
      cencosud+cl closed file Inventario_Easy_CL/test.xls (numopen=1)
    [2004/04/07 16:54:55, 2] smbd/open.c:open_file(246)
      cl opened file Inventario_Easy_CL/test.xls read=Yes write=No (numopen=2)
    [2004/04/07 16:54:56, 2] smbd/close.c:close_normal_file(230)
      cencosud+cl closed file Inventario_Easy_CL/test.xls (numopen=1)
    [2004/04/07 16:54:56, 2] smbd/open.c:open_file(246)
      cl opened file Inventario_Easy_CL/test.xls read=Yes write=No (numopen=2)
    [2004/04/07 16:54:56, 2] smbd/close.c:close_normal_file(230)
      cencosud+cl closed file Inventario_Easy_CL/test.xls (numopen=1)
    [2004/04/07 16:54:56, 2] smbd/open.c:open_file(246)
      cl opened file Inventario_Easy_CL/test.xls read=Yes write=Yes (numopen=2)
    [2004/04/07 16:54:57, 2] smbd/open.c:open_file(246)
      cl opened file Inventario_Easy_CL/test.xls read=Yes write=No (numopen=3)
    [2004/04/07 16:54:57, 2] smbd/close.c:close_normal_file(230)
      cencosud+cl closed file Inventario_Easy_CL/test.xls (numopen=2)

Has anyone had a similar experience? Any advice? Workarounds?

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
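
The permission design described in the message above, run through the POSIX ACL access-check algorithm. This is an added example, not part of the original post; the ACL text is abridged from the post's getfacl listings, the owning group is read as Group A and the `_RX` group as Group B, and the function names and `someuser` are hypothetical.

```python
# Added example: evaluate POSIX ACL access from getfacl text.
# ACL text is abridged from the post's listings; function names are hypothetical.
DIR_ACL = """# owner: CENCOSUD+Administrator
# group: CENCOSUD+Inventario_Easy_CL
user::rwx
group::rwx
group:CENCOSUD+Inventario_Easy_CL_RX:r-x
mask::rwx
other::---
default:group:CENCOSUD+Inventario_Easy_CL_RX:rwx
"""
FILE_ACL = """# owner: root
# group: CENCOSUD+Inventario_Easy_CL
user::rw-
group::rwx
group:CENCOSUD+Inventario_Easy_CL_RX:rwx
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Return owner, owning group and access entries; default: entries are skipped."""
    acl = {"owner": None, "group": None, "entries": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            tag, name, perms = line.split()[0].split(":")
            acl["entries"].append((tag, name, set(perms) - {"-"}))
    return acl

def allowed(acl, user, groups, want):
    """POSIX.1e check: owner, named user, group class (masked), then other."""
    want, e = set(want), acl["entries"]
    mask = next((p for t, n, p in e if t == "mask"), set("rwx"))
    if user == acl["owner"]:
        return want <= next(p for t, n, p in e if t == "user" and not n)
    for t, n, p in e:
        if t == "user" and n == user:
            return want <= (p & mask)
    # The owning-group entry has an empty name; substitute the file's group.
    matched = [p for t, n, p in e if t == "group" and (n or acl["group"]) in groups]
    if matched:  # one matching entry must grant every requested bit
        return any(want <= (p & mask) for p in matched)
    return want <= next(p for t, n, p in e if t == "other")

GROUP_B = {"CENCOSUD+Inventario_Easy_CL_RX"}
d, f = parse_getfacl(DIR_ACL), parse_getfacl(FILE_ACL)
print("Group B modify file:", allowed(f, "someuser", GROUP_B, "rw"))
print("Group B create/delete in dir:", allowed(d, "someuser", GROUP_B, "wx"))
```

Creating, deleting and renaming entries are governed by write and search permission on the directory, not on the file, which is why the two checks give different answers for Group B. The check does not model root's override of permission bits.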
[Samba] Re: access controls on shares
Yep, I'm talking about ACLs on files and directories. I'm using the ext3 file system with ACLs and quotas, and it works really fine.

BuSab [EMAIL PROTECTED] 12/12/03 06:04am

> On Thu, 11 Dec 2003 15:03:35 -0300, Leandro Ariel Gomez Chavarria [EMAIL PROTECTED] wrote:
>
> > I solve this using the option admin users in shares, like this:
> >
> >     [Finances]
> >     path = /Groups/Finances
> >     valid users = @DOMAIN+Finances
> >     admin users = @DOMAIN+Domain Admins
> >
> > Everyone who belongs to the Finances group can access the share but can't modify ACLs from Windows, while everyone who belongs to the Domain Admins group can modify ACLs without problem. If you look in smbstatus, the connection is made by root.
>
> It doesn't work for me. Are you talking about share ACLs or ACLs on files and directories?
>
> --
> busab
Re: [Samba] access controls on shares
I solve this using the option admin users in shares, like this:

    [Finances]
    path = /Groups/Finances
    valid users = @DOMAIN+Finances
    admin users = @DOMAIN+Domain Admins

Everyone who belongs to the Finances group can access the share but can't modify ACLs from Windows, while everyone who belongs to the Domain Admins group can modify ACLs without problem. If you look in smbstatus, the connection is made by root.

Gerald (Jerry) Carter [EMAIL PROTECTED] 12/11/03 02:28pm

> BuSab wrote:
>
> | hello,
> |
> | I'm trying to set up a Samba server with access controls on shares,
> | like described in chapter 13 section 4 of the Samba HOWTO collection,
> | but I didn't succeed.
> |
> | I don't know if I need to set security = DOMAIN, to join the domain
> | and/or to use winbind.
> |
> | My server is a simple domain member (the PDC is an NT4 server). I've
> | tried Samba 3.0.0 and 2.2.3a on a Debian stable box.
> |
> | I've tried various configurations. On some, I got an error (access
> | denied) on the Windows box while setting the ACL on the share; on
> | others, I got an access denied when trying to access the share even
> | with correct ACLs.
> |
> | Can anybody post a Samba smb.conf ready for ACLs on shares or explain
> | to me a way to configure it?
>
> You must create a local Samba account for root. Only root (uid == 0) can set share ACLs. We're working on extending this to use group membership (e.g. Domain Admins) but haven't finished it yet.
>
> cheers, jerry
> --
> Hewlett-Packard -- http://www.hp.com
> SAMBA Team -- http://www.samba.org
> GnuPG Key -- http://www.plainjoe.org/gpg_public.asc
> "If we're adding to the noise, turn off this song" --Switchfoot (2003)
[Samba] too many users?
Hi all,

In my production environment I'm running Samba 2.2.8a-0 using security = domain on a RH9 box, and I have started to find error messages like these in the log files:

    [2003/12/10 11:47:11, 0] smbd/service.c:make_connection(599)
      spmatscl11 (10.5.108.10) Can't change directory to /home/CENCOSUD/Chile/Users/cestay (Permission denied)
    [2003/12/10 11:47:11, 1] smbd/password.c:add_session_user(367)
      Too many session users??
    [2003/12/10 11:47:11, 0] smbd/service.c:make_connection(599)
      spmatscl11 (10.5.108.10) Can't change directory to /home/CENCOSUD/Chile/Users/cestay (Permission denied)
    [2003/12/10 11:47:11, 1] smbd/password.c:add_session_user(367)
      Too many session users??

Directory permissions are OK (the entire path) and authentication works fine; the users are actually mapping another resource.

I now have 850 sessions. I think that CAN'T be TOO many, can it? I'm planning to have close to 4000 users in the next months!

I never asked myself about these limits (sessions/connections, open files, number of shares; I have many and I'm planning to make more). Does someone know what these limits are?

regards,
Leandro.-

PS: I'll be upgrading to Samba 3 in the next weeks, because of the idmap = ldap feature.
Re: samba + winbindd with NT-DC problem... i'm stuck.
I think your problem is this:

    passwd: files winbind
    group: files winbind
    shadow: files winbind nis

The correct modification for nsswitch is:

    passwd: files winbind
    group: files winbind
    shadow: files nis

DON'T put winbind in the shadow line!

Then try getent passwd or getent group and you should see all users in /etc/passwd and, after them, the domain users.

Let me know if it works.

good luck,
leandro.-

leopardb [EMAIL PROTECTED] 11/21/03 07:30am

> Björn Andersen wrote:
>
> > Hello Group,
> >
> > I'm really stuck here. I am trying to get Samba to authenticate its users nicely against an NT-DC, which will later be upgraded to W2K or W2K3.
> >
> > My system: Suse 8.1, samba-2.2.5-80, samba-client-2.2.5-80
> >
> > My test config for smb:
> >
> >     [global]
> >     winbind separator = +
> >     winbind cache time = 0
> >     template shell = /bin/bash
> >     template homedir = /home/%D/%U
> >     winbind uid = 1-2
> >     winbind gid = 1-2
> >     workgroup = FOERDE
> >     security = domain
> >     encrypt passwords = Yes
> >     password server = SMSERVER SERVER01
> >
> >     [daten]
> >     path = /srv/samba/daten
> >     writeable = no
> >     write list = root FOERDE+300
> >     valid users = root 300 FOERDE+300 @FOERDE+218
> >
> > winbindd runs as a daemon; wbinfo -u and wbinfo -g give the right domain users and groups, as do getent group and getent passwd.
> >
> > Strangely, even
> >
> >     # wbinfo -a foerde+300%password
> >
> > works, with an output of:
> >
> >     plaintext password authentication succeeded
> >     error code was NT_STATUS_OK (0x0)
> >     challenge/response password authentication succeeded
> >     error code was NT_STATUS_OK (0x0)
> >
> > I inserted in /etc/nsswitch.conf
> >
> >     passwd: files winbind
> >     group: files winbind
> >     shadow: files winbind nis
> >
> > to activate winbind. I have not changed anything in PAM because I only need Domain Users to access Win-Shares, not to log in or anything else.
> >
> > But with
> >
> >     web1-50:~ # smbclient //web3-77/daten -U 300 -W foerde
> >
> > I only get this output:
> >
> >     added interface ip=150.10.30.50 bcast=150.10.30.255 nmask=255.255.255.0
> >     added interface ip=10.1.110.20 bcast=10.1.110.255 nmask=255.255.255.0
> >     Password: *
> >     Domain=[FOERDE] OS=[Unix] Server=[Samba 2.2.5]
> >     tree connect failed: NT_STATUS_WRONG_PASSWORD
> >
> > Logfiles:
> >
> >     messages: nothing
> >     log.winbind: nothing
> >     log.smbd: nothing
> >     log.nmbd: nothing
> >
> > With a wrong PW I get log entries "Error was NT_STATUS_WRONG_PASSWORD", which seems right. But nothing with the right PW. Sadly, no logon either.
> >
> > My test user is 300; as you can see, I tried some different syntax for the user in smb.conf as well as in smbclient. No good.
> >
> > What am I doing wrong? Especially because wbinfo -a works, I thought I was quite close. But I haven't made any progress for days now. What did I forget?
> >
> > Please help.
> >
> > Björn Andersen
>
> I've exactly the same problem. Did you receive any answer?