[Samba] Samba Folder Permissions

2012-01-03 Thread Stefan Horning

Hello list members,
my name is Stefan, this is my first post to this mailing list, so please 
bear with me. ;)
I am working as a network administrator of a small office network. We 
use a Debian server as Samba PDC and file server.
The Domain runs pretty well with all the Windows 7 Clients. I have just 
one thing that bugs me.
In the groupshare we set up, users can only access folders that are 
world readable, for some reason. As a temporary fix I put all users into 
the Domain Admin group, so they can at least use the groupshare.


But first of all you probably want to know the details. The Samba 
Version is 3.5.6


This is my smb.conf:
---
[global]
   netbios name = SCM-SRV-01
   server string = Domain Server (%h)
   workgroup = SCM
   interfaces = eth1 eth2 eth3
   bind interfaces only = yes
   security = user
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .

   local master = yes
   preferred master = yes
   os level = 200
   domain master = yes
   domain logons = yes
   logon path = \\%L\%U\profile
   logon drive = h:
   logon script = login.bat
   profile acls = yes
   hide files = /desktop.ini/ntuser.ini/NTUSER.*/Thumbs.db/AppData/profile.V2/

   hide dot files = yes
   wins support = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   socket options = TCP_NODELAY

#=== Share Definitions ===

[homes]
   comment = Home Directories
   browseable = no
   valid users = %S
   writeable = yes
   create mode = 0600
   directory mode = 0700

[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   guest ok = yes
   writeable = no
   share modes = no

[groups]
   writable = yes
   path = /home/groups
   force group = users
   comment = All group folders
   create mode = 660
   directory mode = 770
---

Output of net groupmap list:

Domain Users (S-1-5-21-2431676908-1022338963-3230702413-513) - users
Domain Guests (S-1-5-21-2431676908-1022338963-3230702413-514) - guests
Domain Admins (S-1-5-21-2431676908-1022338963-3230702413-512) - domainadmin
---

Like I said, everything works well, except the permissions in the share 
[groups].


All Linux (and therefore domain) users are in the primary group users. 
All the employees are in the group 'mitarbeiter'.


So if I set /home/groups to
drwxr-x-- 11 root users 4096  2. Jan 13:08 groups/
the share is not accessible, even though all users are in the group 
users and should therefore be able to read that folder.
If I put users into the domainadmin group, group permissions work as 
expected. All employees can access subfolders of groups which are 
readable to mitarbeiter (but not others they have no permissions for) 
and can also read the content of /home/groups. So the mapping of Unix 
groups from Windows 7 works without problems.


Folder permission in Samba can only be realized if I make folders world 
readable, which is not what I want for all folders.


After extensive internet research I could not figure out what I am doing 
wrong. I also had similar Samba setups where Unix group permissions 
were always correctly used in Samba.


I suspect it is a problem with domain groups and their mapping. I 
also tried to create some Samba domain groups and map them to the local 
Unix groups, which didn't make a difference either.


So I hope anybody on this list knows what the problem is. I am happy to 
give more information as needed!



Thanks,
Stefan Horning


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
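
A server-side check for the situation described in this post, as an added example that is not part of the original thread: for a Unix account it reports which permission class (owner, group or other) applies on each component of the share path and where access first fails. It evaluates mode bits only (no ACLs, no root override); the uid/gid values and the sample tree are constructed, and the function names are hypothetical.

```python
import os
import pwd
import stat
from types import SimpleNamespace

def perm_class(mode, owner_uid, owner_gid, uid, gids):
    """Pick the single class the kernel applies; return (class, read, traverse)."""
    if uid == owner_uid:
        cls, shift = "owner", 6
    elif owner_gid in gids:
        cls, shift = "group", 3
    else:
        cls, shift = "other", 0
    bits = (mode >> shift) & 0o7
    return cls, bool(bits & 4), bool(bits & 1)

def unix_identity(username):
    """uid and group list as NSS resolves them (the data `id username` shows)."""
    pw = pwd.getpwnam(username)
    return pw.pw_uid, set(os.getgrouplist(username, pw.pw_gid))

def walk(path, uid, gids, stat_fn=os.stat):
    """Evaluate every component from / down to path."""
    results, current = [], os.sep
    parts = [p for p in os.path.abspath(path).split(os.sep) if p]
    for part in [""] + parts:
        current = os.path.join(current, part)
        st = stat_fn(current)
        mode = stat.S_IMODE(st.st_mode)
        results.append((current,) + perm_class(mode, st.st_uid, st.st_gid, uid, gids))
    return results

def first_block(results):
    """First component lacking traverse (x), or a final one lacking read (r)."""
    for i, (path, cls, can_read, can_traverse) in enumerate(results):
        if not can_traverse or (i == len(results) - 1 and not can_read):
            return path, cls
    return None

# Constructed sample mirroring the post: /home/groups is root:users, mode 0750.
USERS_GID, MITARBEITER_GID, SAMPLE_UID = 100, 1001, 2001  # assumed ids
SAMPLE_TREE = {
    "/": SimpleNamespace(st_mode=0o40755, st_uid=0, st_gid=0),
    "/home": SimpleNamespace(st_mode=0o40755, st_uid=0, st_gid=0),
    "/home/groups": SimpleNamespace(st_mode=0o40750, st_uid=0, st_gid=USERS_GID),
}
if __name__ == "__main__":
    for gids in ({USERS_GID, MITARBEITER_GID}, {MITARBEITER_GID}):
        hit = first_block(walk("/home/groups", SAMPLE_UID, gids, SAMPLE_TREE.__getitem__))
        print(sorted(gids), "->", hit or "access allowed by mode bits")
```

On the server, pass the result of `unix_identity("someuser")` instead of the constructed uid and gids. A result in class "other" for an account that should match the directory's group means the group list the system resolves for that account does not contain that group.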


Re: [Samba] Samba Folder Permissions

2012-01-03 Thread Stefan Horning

Hi Aaron,
thanks for your reply. I already have the /home partition mounted with 
ACLs enabled. However, I don't use ACL permissions for the described 
folders. If I set permissions with setfacl, I would just give the 
same permissions as with the Unix rights. I only need one group to have 
rwx access, nothing more. In other Samba setups I used, that was never a 
problem, but those were not domain setups...


Stefan


On 03.01.2012 17:31, Aaron E. wrote:

Check your extended ACL permissions and verify that they are enabled for
your kernel..
