Re: [Samba] Samba + acl,user_xattr

2011-12-19 Thread Dmitry Mordovin



> At first, has your file system already enabled xattr?
> For example, are following commands successful?
>
>   # touch test.txt
>   # setfattr -n user.test -v test test.txt
>   # setfattr -n security.test -v test2 test.txt
>   # getfattr -d test.txt
>   # getfattr -n security.test -d test.txt
>
> And your Samba (smbd) is xattr-ready?
> For example the following commands show HAVE_*XATTR line?
>
> # smbd -b | grep SETXATTR
> HAVE_FSETXATTR
> HAVE_LSETXATTR
> HAVE_SETXATTR
>
> ---
> TAKAHASHI Motonobu mo...@samba.gr.jp

All commands successful.

#mount
/dev/sda4 on /mnt/public type ext3 (rw,nosuid,nodev,acl,user_xattr)

#cd /mnt/public


#getfattr -d hello.txt
# file: hello.txt
user.test=test

#getfattr -n security.test -d hello.txt
# file: hello.txt
security.test=test2


#smbd -b|grep SETXATTR
   HAVE_FSETXATTR
   HAVE_LSETXATTR
   HAVE_SETXATTR

SAMBA ready, but don't change xattr. Very strange with my system.
Also, I joined TT 8414 where is strange with file access rights.

https://bugzilla.samba.org/show_bug.cgi?id=8414

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba + acl,user_xattr

2011-12-18 Thread TAKAHASHI Motonobu
From: Dmitry Mordovin d.mordo...@dwide.com
Date: Fri, 16 Dec 2011 10:39:44 +0400

 Now, when I try to Apply hidden attribute, popup message - Error change 
 file attributes. Access Denied.

At first, has your file system already enabled xattr?
For example, are following commands successful?

 # touch test.txt
 # setfattr -n user.test -v test test.txt
 # setfattr -n security.test -v test2 test.txt
 # getfattr -d test.txt
 # getfattr -n security.test -d test.txt

And your Samba (smbd) is xattr-ready?
For example the following commands show HAVE_*XATTR line?

# smbd -b | grep SETXATTR
   HAVE_FSETXATTR
   HAVE_LSETXATTR
   HAVE_SETXATTR

---
TAKAHASHI Motonobu mo...@samba.gr.jp


Re: [Samba] Samba + acl,user_xattr

2011-12-15 Thread Dmitry Mordovin



>> Added to global section
>>
>> vfs objects = acl_xattr
>>
>> No changes. Still dont store DOS attr.
>
> You only need acl_xattr if you want to store Windows ACLs, not DOS attrs.
>
> Have you tried using setfattr on that filesystem ? Does it work ?
>
> Jeremy.


Hello Jeremy!

You are right!

I don't want to store Windows ACLs, need only DOS attrs (hidden file attr).

What Is enough to add to my smb.conf?
'store dos attributes (S)  or 'map hidden (S)' or together or else?

#cat /opt/samba/smb.conf
[global]
pid directory = /opt/samba/run
lock directory = /opt/samba/cache
private dir = /opt/samba/cache
log file = /opt/samba/smbd.log
log level = 10
workgroup = TEST
security = share
show add printer wizard = no
max log size = 10240
bind interfaces only = true
interfaces = eth1

[homes]
browseable = no
printable = no

[public]
path = /mnt/public
comment = 
read only = no
guest ok = yes
follow symlinks = no
writable = yes



Re: [Samba] Samba + acl,user_xattr

2011-12-15 Thread Jeremy Allison
On Thu, Dec 15, 2011 at 12:17:21PM +0400, Dmitry Mordovin wrote:
 
 Added to global section
 
 vfs objects = acl_xattr
 
 
 No changes. Still dont store DOS attr.
 You only need acl_xattr if you want to store Windows ACLs, not DOS attrs.
 
 Have you tried using setfattr on that filesystem ? Does it work ?
 
 Jeremy.
 
 Hello Jeremy!
 
 You are right!
 
 I don't want to store Windows ACLs, need only DOS attrs (hidden file attr).
 
 What Is enough to add to my smb.conf?
 'store dos attributes (S)  or 'map hidden (S)' or together or else?

I use:

   store dos attributes = yes
   map readonly = no
   map system = no
   map hidden = no
   map archive = no

Jeremy.
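
What the settings listed above ask smbd to do with each DOS attribute, compared with a share that leaves them at their defaults. This is an added example, not Samba code and not from any poster; the two configs are trimmed from those posted in this thread, the defaults and mode-bit mappings are the ones documented in the Samba 3.x smb.conf(5) manual page, and `map readonly = permissions` is not modelled.

```python
# Samba 3.x defaults for the parameters involved (names with whitespace removed,
# because smbd ignores case and whitespace when matching parameter names).
DEFAULTS = {
    "storedosattributes": "no",
    "maparchive": "yes",
    "maphidden": "no",
    "mapsystem": "no",
    "mapreadonly": "yes",
}
# UNIX mode bit each "map ..." option uses to represent the DOS attribute.
MODE_BIT = {
    "archive": "owner execute bit",
    "system": "group execute bit",
    "hidden": "other execute bit",
    "readonly": "owner write bit (cleared)",
}
YES = {"yes", "true", "on", "1"}
XATTR = "xattr user.DOSATTRIB"

# Trimmed from the smb.conf posted with "cat /opt/samba/smb.conf".
CONF_DEFAULTS = """
[global]
workgroup = TEST
security = share

[public]
path = /mnt/public
read only = no
guest ok = yes
"""

# Trimmed from the first config in the thread; note the "map read only" spelling.
CONF_XATTR = """
[global]
workgroup = HOME
store dos attributes = yes
map archive = no
map read only = no
map hidden = no
map system = no

[public]
path = /mnt/public
read only = no
guest ok = yes
"""


def parse_smb_conf(text):
    """Return {section: {normalised parameter name: lower-cased value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current["".join(key.lower().split())] = value.strip().lower()
    return sections


def dos_attribute_plan(text):
    """For every share, say where each DOS attribute would be kept."""
    sections = parse_smb_conf(text)
    global_params = sections.get("global", {})
    plan = {}
    for name, params in sections.items():
        if name == "global":
            continue
        # Share settings override [global], which overrides built-in defaults.
        eff = {**DEFAULTS, **global_params, **params}
        use_xattr = eff["storedosattributes"] in YES
        share = {}
        for attr, bit in MODE_BIT.items():
            mapped = eff["map" + attr] in YES
            if use_xattr and mapped:
                share[attr] = XATTR + ", fallback " + bit
            elif use_xattr:
                share[attr] = XATTR
            elif mapped:
                share[attr] = bit
            else:
                share[attr] = "not stored"
        plan[name] = share
    return plan


if __name__ == "__main__":
    for label, conf in (("defaults", CONF_DEFAULTS), ("xattr", CONF_XATTR)):
        print(label, dos_attribute_plan(conf))
```

The result describes what the configuration requests; it does not confirm that the filesystem accepts the xattr write, which the setfattr/getfattr checks elsewhere in the thread cover.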


Re: [Samba] Samba + acl,user_xattr

2011-12-15 Thread Dmitry Mordovin



>> Hello Jeremy!
>>
>> You are right!
>>
>> I don't want to store Windows ACLs, need only DOS attrs (hidden file attr).
>>
>> What Is enough to add to my smb.conf?
>> 'store dos attributes (S)  or 'map hidden (S)' or together or else?
>
> I use:
>
> store dos attributes = yes
> map readonly = no
> map system = no
> map hidden = no
> map archive = no
>
> Jeremy.


Added to smb.conf

Now, when I try to Apply hidden attribute, popup message - Error change 
file attributes. Access Denied.


I suspect this due to Bug 8414 
(https://bugzilla.samba.org/show_bug.cgi?id=8414) for me.


Thank you.

PS: With hacked version of smbd this error happens too.



Re: [Samba] Samba + acl,user_xattr

2011-12-14 Thread Jeremy Allison
On Fri, Dec 09, 2011 at 04:36:51PM +0400, Dmitry Mordovin wrote:
 On 12/09/2011 04:26 PM, Jonathan Buzzard wrote:
 On Fri, 2011-12-09 at 16:05 +0400, Dmitry Mordovin wrote:
 
 [SNIP]
 
 Samba config:
 
 [global]
 workgroup = HOME
 security = share
 max log size = 1024
 store dos attributes = yes
 map archive = no
 map read only = no
 map hidden = no
 map system = no
 create mode = 777
 directory mode = 777
 
 [homes]
 browseable = no
 printable = no
 store dos attributes = yes
 
 [public]
 path = /mnt/public
 comment = 
 read only = no
 guest ok = yes
 follow symlinks = no
 store dos attributes = yes
 writable = yes
 map archive = no
 map read only = no
 map hidden = no
 map system = no
 create mode = 777
 directory mode = 777
 I see no vfs objects = acl_xattr in your Samba config. Without that it
 won't work as there is nothing telling Samba where to store the ACL
 information.
 
 JAB.
 
 
 Added to global section
 
 vfs objects = acl_xattr
 
 
 No changes. Still dont store DOS attr.

You only need acl_xattr if you want to store Windows ACLs, not DOS attrs.

Have you tried using setfattr on that filesystem ? Does it work ?

Jeremy.


[Samba] Samba + acl,user_xattr

2011-12-09 Thread Dmitry Mordovin

Hello All!

Can't make Samba use acl and extended user attributes to save DOS file 
attributes.


Please, help me configure properly.

My steps on Windows XP:
1 - Open share
2 - Open property of file 1122/22.bmp
3 - Check file attribute: hidden
4 - Click Apply
5 - Click Close

6 - Open property again
7 - Attribute Hidden not checked.

Samba dont save attributes!!!

getfattr -d /mnt/public/1122/22.bmp
Show no any attributes for 22.bmp file

*Environment*

Server configuration:

OS: Ubuntu 10.04.3 LTS 2.6.32-36-generic
Samba: 3.6.1
Share: /mnt/public
Mount: /dev/sda3 on /mnt/public type ext3 (rw,acl,user_xattr)

Unix file permissions:

ls -la /mnt/public/
total 18
drwxrwxrwx 2 nobody nogroup  1024 2011-12-09 14:45 1122
drwx------ 2 root   root    12288 2011-12-09 14:43 lost+found

ls -la /mnt/public/1122
total 218
-rwxrwxrwx 1 nobody nogroup 220074 2011-12-09 14:45 22.bmp

Samba config:

[global]
workgroup = HOME
security = share
max log size = 1024
store dos attributes = yes
map archive = no
map read only = no
map hidden = no
map system = no
create mode = 777
directory mode = 777

[homes]
browseable = no
printable = no
store dos attributes = yes

[public]
path = /mnt/public
comment = 
read only = no
guest ok = yes
follow symlinks = no
store dos attributes = yes
writable = yes
map archive = no
map read only = no
map hidden = no
map system = no
create mode = 777
directory mode = 777



Samba configure params: --prefix=/usr/local/samba
...
checking whether to support ACLs... auto
configure: checking whether ACL support is available:
checking for acl_get_file in -lacl... yes
checking for getxattr in -lattr... yes
checking for POSIX ACL support... yes
configure: Using posix ACLs
checking for acl_get_perm_np... no
...



Re: [Samba] Samba + acl,user_xattr

2011-12-09 Thread Jonathan Buzzard
On Fri, 2011-12-09 at 16:05 +0400, Dmitry Mordovin wrote:

[SNIP]

 Samba config:
 
 [global]
 workgroup = HOME
 security = share
 max log size = 1024
 store dos attributes = yes
 map archive = no
 map read only = no
 map hidden = no
 map system = no
 create mode = 777
 directory mode = 777
 
 [homes]
 browseable = no
 printable = no
 store dos attributes = yes
 
 [public]
 path = /mnt/public
 comment = 
 read only = no
 guest ok = yes
 follow symlinks = no
 store dos attributes = yes
 writable = yes
 map archive = no
 map read only = no
 map hidden = no
 map system = no
 create mode = 777
 directory mode = 777

I see no vfs objects = acl_xattr in your Samba config. Without that it
won't work as there is nothing telling Samba where to store the ACL
information.

JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.




Re: [Samba] Samba + acl,user_xattr

2011-12-09 Thread Dmitry Mordovin

On 12/09/2011 04:26 PM, Jonathan Buzzard wrote:

> On Fri, 2011-12-09 at 16:05 +0400, Dmitry Mordovin wrote:
>
> [SNIP]
>
>> Samba config:
>>
>> [global]
>> workgroup = HOME
>> security = share
>> max log size = 1024
>> store dos attributes = yes
>> map archive = no
>> map read only = no
>> map hidden = no
>> map system = no
>> create mode = 777
>> directory mode = 777
>>
>> [homes]
>> browseable = no
>> printable = no
>> store dos attributes = yes
>>
>> [public]
>> path = /mnt/public
>> comment =
>> read only = no
>> guest ok = yes
>> follow symlinks = no
>> store dos attributes = yes
>> writable = yes
>> map archive = no
>> map read only = no
>> map hidden = no
>> map system = no
>> create mode = 777
>> directory mode = 777
>
> I see no vfs objects = acl_xattr in your Samba config. Without that it
> won't work as there is nothing telling Samba where to store the ACL
> information.
>
> JAB.



Added to global section

vfs objects = acl_xattr


No changes. Still dont store DOS attr.



Re: [Samba] Samba + ACL + Linux Client

2011-06-05 Thread TAKAHASHI Motonobu
From: Oliver Guerino oguer...@gmail.com
Date: Wed, 1 Jun 2011 13:29:44 -0300

 What happened is the following:
 My network has windows and linux clients, the permissions described above
 operates normally with the windows client, but when I try to connect
 with the linux client does not operates.

As far as I examined to connect from self-compiled Samba 3.5.6 and
mount.cifs to ext3 filesystem on lenny, the same problem occurred. And
from Windows, no problems occurred.

It seems that mount.cifs (and your mount.smb perhaps) can not
recognize ACLs set on files on the mounted-filesystems...

---
TAKAHASHI Motonobu mo...@samba.gr.jp



[Samba] Samba + ACL + Linux Client

2011-06-03 Thread Oliver Guerino
Hello,

I'm Oliver and I need help for a experiment.
I have a sharing with Samba version 3.2.5, my distribution Linux is
Debian(Lenny) and the acl version is 2.2.47.
Below my configurations files:

#/etc/fstab
/dev/sda3   /shared   reiserfs defaults,acl 0   1

#smb.conf
[data]
 comment = files
 path = /shared
 inherit acls = yes
 inherit permissions = yes
 map acl inherit = Yes

# users and groups
user1 and user2 into group1
user3 and user4 into  group2

#permission directory files and acl's
drwxr-x---+ 4 root root 96 Mai 27 11:48 group1

getfacl group1/
# file: group1/
# owner: root
# group: root
user::rwx
group::r-x
group:group1:r-x
mask::r-x
other::---
default:user::rwx
default:group::rwx
default:other::---

drwxrwx---+ 4 root root 96 Mai 27 11:48 group2

getfacl group2/
# file: group2/
# owner: root
# group: root
user::rwx
group::r-x
group:group1:r-x
group:group2:rwx
mask::rwx
other::---

The kernel version: 2.6.26

What happened is the following:
My network has windows and linux clients, the permissions described above
operates normally with the windows client, but when I try to connect
with the linux client does not operates.

The mount command in the machine client linux:
 mount  -t smbfs  -o acl,rw,username=user1,passwd=pass //172.25.0.193/data /mnt/files/

When I try to access the folder group1 with the user1 display the message:
Permission denied
cd /mnt/files/group1 Permission denied.

Some suggestion?

Thanks
Oliver


[Samba] samba acl restore error

2011-01-27 Thread suresh.kandukuru
Dear Jeremy and samba team ,

 This is suresh from EMC.I am  having samba 3.4.8 on my NAS  with posix acls 
support.



 When a backup software backs up files and folders, it typically backs up the 
security settings on the files/folders
too. Then during restore, the software will try to restore the files/folders
along with their security settings. The restore is now broken because security
settings cannot be restored any more.

I have enabled samba loglevel 10 . I  see the problem is coming here.
--
2011/01/26 10:41:04, 10] smbd/open.c:2896(create_file_unixpath)
  create_file_unixpath: access_mask = 0x11e019f file_attributes = 0x80, 
share_access = 0x3, create_disposition = 0x1 create_options = 0x4004 
oplock_request = 0x0 ea_list = 0x(nil), sd = 0x(nil), fname = Share2/file2.txt
--
SEC_FLAG_SYSTEM_SECURITY is 0x0100

/* We need to support SeSecurityPrivilege for this. */
if (access_mask & SEC_FLAG_SYSTEM_SECURITY) {
        status = NT_STATUS_PRIVILEGE_NOT_HELD;
        goto fail;
}


and I see the restore is working fine when I Restore all information except 
security for files and directories


  create_file_unixpath: access_mask = 0x11 file_attributes = 0x0, 
share_access = 0x7, create_disposition = 0x1 create_options = 0x4001 
oplock_request = 0x0 ea_list = 0x(nil), sd = 0x(nil), fname = .
[2011/01/26 10:41:04,  5] smbd/open.c:2391(open_directory)
---


the if (access_mask & SEC_FLAG_SYSTEM_SECURITY)  condition is not passing here 
and error is not coming.

Jeremy, what for we are checking this condition   on SeSecurityPrivilege ( 
Manage auditing and security log ) in samba code ?.

How to restore files with ACL's. ?



I am anticipating your reply.

Thanks
Suresh


Re: [Samba] samba acl restore error

2011-01-27 Thread Jeremy Allison
On Thu, Jan 27, 2011 at 04:26:10AM -0500, suresh.kanduk...@emc.com wrote:
 Dear Jeremy and samba team ,
 
  This is suresh from EMC.I am  having samba 3.4.8 on my NAS  with posix acls 
 support.
 
  
 
  When a backup software backs up files and folders, it typically backs up the 
 security settings on the files/folders
 
 too. Then during restore, the software will try to restore the files/folders
 
 along with their security settings. The restore is now broken because security
 
 settings cannot be restored any more.
 
  
 
 I have enabled samba loglevel 10 . I  see the problem is coming here.
 
 --
 
 2011/01/26 10:41:04, 10] smbd/open.c:2896(create_file_unixpath)
 
   create_file_unixpath: access_mask = 0x11e019f file_attributes = 0x80,
 share_access = 0x3, create_disposition = 0x1 create_options = 0x4004
 oplock_request = 0x0 ea_list = 0x(nil), sd = 0x(nil), fname = Share2/file2.txt
 
 --
 
 SEC_FLAG_SYSTEM_SECURITY is 0x0100
 
 /* We need to support SeSecurityPrivilege for this. */
 if (access_mask & SEC_FLAG_SYSTEM_SECURITY) {
         status = NT_STATUS_PRIVILEGE_NOT_HELD;
         goto fail;
 }
 
  
 
 and I see the restore is working fine when I Restore all information except 
 security for files and directories

The SEC_FLAG_SYSTEM_SECURITY flag is for setting the audit ACE entries
in an ACL - it isn't used for normal restoring of ACL ACE entries.

We return this error here as it's required by MS-Office (Excel) which
expects to get this error when changing ACLs on files (don't ask :-).

This is fixed in 3.5.7 and above by adding it as a privilege that
can be selected for a user who is doing restores.

Ping me off-list if you need a back port of this code.

Jeremy.
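
The access masks in the two quoted log entries can be decoded bit by bit to see which create request reaches the privilege check. This is an added example, not Samba code and not from either poster; the flag names and values are the standard NT access-mask bits from MS-DTYP and MS-SMB2, where ACCESS_SYSTEM_SECURITY (Samba's SEC_FLAG_SYSTEM_SECURITY) is 0x01000000, and the log text is copied from the post.

```python
import re

# NT access-mask bits as defined in MS-DTYP / MS-SMB2 (Windows SDK names).
ACCESS_BITS = {
    0x00000001: "FILE_READ_DATA",
    0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA",
    0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",
    0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYSTEM_SECURITY",
    0x02000000: "MAXIMUM_ALLOWED",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}
ACCESS_SYSTEM_SECURITY = 0x01000000

# The two create_file_unixpath entries from the post, wrapped as in the mail.
SAMPLE_LOG = """\
2011/01/26 10:41:04, 10] smbd/open.c:2896(create_file_unixpath)
  create_file_unixpath: access_mask = 0x11e019f file_attributes = 0x80,
share_access = 0x3, create_disposition = 0x1 create_options = 0x4004
oplock_request = 0x0 ea_list = 0x(nil), sd = 0x(nil), fname = Share2/file2.txt
  create_file_unixpath: access_mask = 0x11 file_attributes = 0x0,
share_access = 0x7, create_disposition = 0x1 create_options = 0x4001
oplock_request = 0x0 ea_list = 0x(nil), sd = 0x(nil), fname = .
"""

# One debug entry can span several lines, so match across newlines.
CREATE_RE = re.compile(
    r"create_file_unixpath:\s*access_mask\s*=\s*(0x[0-9a-fA-F]+)"
    r".*?fname\s*=\s*(\S+)",
    re.S,
)


def decode_access_mask(mask):
    """Return (names of the set bits in ascending order, unrecognised bits)."""
    names, unknown = [], mask
    for bit in sorted(ACCESS_BITS):
        if mask & bit:
            names.append(ACCESS_BITS[bit])
            unknown &= ~bit
    return names, unknown


def audit_create_requests(log_text):
    """Decode every create request found in smbd debug output."""
    records = []
    for match in CREATE_RE.finditer(log_text):
        mask = int(match.group(1), 16)
        rights, unknown = decode_access_mask(mask)
        records.append({
            "fname": match.group(2),
            "access_mask": mask,
            "rights": rights,
            "unknown_bits": unknown,
            # This is the bit the quoted smbd check tests before failing
            # the open with NT_STATUS_PRIVILEGE_NOT_HELD.
            "needs_security_privilege": bool(mask & ACCESS_SYSTEM_SECURITY),
        })
    return records


if __name__ == "__main__":
    for rec in audit_create_requests(SAMPLE_LOG):
        flag = "SACL access requested" if rec["needs_security_privilege"] else "ok"
        print(f'{rec["fname"]}: 0x{rec["access_mask"]:08x} {flag}')
        print("   " + " | ".join(rec["rights"]))
```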


Re: [Samba] samba acl support

2011-01-08 Thread Nico Kadel-Garcia
On Thu, Jan 6, 2011 at 11:40 PM, Jeremy Allison j...@samba.org wrote:
 On Thu, Jan 06, 2011 at 10:58:27PM -0500, suresh.kanduk...@emc.com wrote:
 Hi jeremey , This is Suresh from EMC . what is minimum version of samba 
 which got ACL ( posix) support?. it looks to me samba 3.0.32 also got that 
 ACL support.

 Can you please confirm on this?.

 Oh yes, we've had POSIX ACL support for a *long*
 time. I can't remember exactly what the earliest
 version was (probably a 2.2.x version).

 However we've been slowly getting better over
 the years in doing the ACL mapping, culminating
 with the extra Windows ACL layer stored in EA's
 we now have that provides a 100% Windows compatible
 protocol response to the client, but then is mapped
 onto POSIX ACLs for filesystems that can't store
 native (or NFSv4) ACLs.

 Jeremy.

Note that at least some of the more sophisticated ACL's, such as
NFSv4, are awkward to use. You can reference an old thread on it
at http://lists.samba.org/archive/samba/2010-April/155243.html.
-- 

Re: [Samba] samba acl support

2011-01-07 Thread Jeremy Allison
On Thu, Jan 06, 2011 at 11:52:46PM -0500, suresh.kanduk...@emc.com wrote:
 Thanks this helps.

Let me know if you really need the first version with ACL
support and I'll track it down.

Jeremy.


[Samba] samba acl support

2011-01-06 Thread suresh.kandukuru
Hi jeremey , This is Suresh from EMC . what is minimum version of samba which 
got ACL ( posix) support?. it looks to me samba 3.0.32 also got that ACL 
support.

Can you please confirm on this?.

Thanks
Suresh


Re: [Samba] samba acl support

2011-01-06 Thread Jeremy Allison
On Thu, Jan 06, 2011 at 10:58:27PM -0500, suresh.kanduk...@emc.com wrote:
 Hi jeremey , This is Suresh from EMC . what is minimum version of samba which 
 got ACL ( posix) support?. it looks to me samba 3.0.32 also got that ACL 
 support.
 
 Can you please confirm on this?.

Oh yes, we've had POSIX ACL support for a *long*
time. I can't remember exactly what the earliest
version was (probably a 2.2.x version).

However we've been slowly getting better over
the years in doing the ACL mapping, culminating
with the extra Windows ACL layer stored in EA's
we now have that provides a 100% Windows compatible
protocol response to the client, but then is mapped
onto POSIX ACLs for filesystems that can't store
native (or NFSv4) ACLs.

Jeremy.


Re: [Samba] samba acl support

2011-01-06 Thread suresh.kandukuru
Thanks this helps.


-Suresh

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Jeremy Allison
Sent: Friday, January 07, 2011 10:10 AM
To: Kandukuru, Suresh
Cc: samba@lists.samba.org; j...@samba.org
Subject: Re: [Samba] samba acl support

On Thu, Jan 06, 2011 at 10:58:27PM -0500, suresh.kanduk...@emc.com wrote:
 Hi jeremey , This is Suresh from EMC . what is minimum version of samba which 
 got ACL ( posix) support?. it looks to me samba 3.0.32 also got that ACL 
 support.
 
 Can you please confirm on this?.

Oh yes, we've had POSIX ACL support for a *long*
time. I can't remember exactly what the earliest
version was (probably a 2.2.x version).

However we've been slowly getting better over
the years in doing the ACL mapping, culminating
with the extra Windows ACL layer stored in EA's
we now have that provides a 100% Windows compatible
protocol response to the client, but then is mapped
onto POSIX ACLs for filesystems that can't store
native (or NFSv4) ACLs.

Jeremy.


Re: [Samba] samba acl - able to change permissions that contradict user security setting

2010-09-09 Thread suresh.kandukuru
Thanks Smith. This explains in detail.

-Suresh

-Original Message-
From: Chris Smith [mailto:smb...@chrissmith.org] 
Sent: Thursday, September 09, 2010 8:19 AM
To: Kandukuru, Suresh
Cc: samba@lists.samba.org
Subject: Re: [Samba] samba acl - able to change permissions that contradict 
user security setting

On Wed, Sep 8, 2010 at 10:04 PM,  suresh.kanduk...@emc.com wrote:
 it looks like code is not designed like this.

 if you don't mind , Can you please explain this ,

 --
 - although you would be asking
 it to restrict the admin's rights, which wouldn't be proper behavior.
 Plus it then wouldn't work like a Windows box, which is a primary
 goal.
 

File level security and share level security are separate - you can
limit what a user can do with either one, or both. Consider one box -
with no remote file sharing, a system (file level security) is needed
to prevent unauthorized access to files and directories for local
users. Consider a box that has no idea of file level security, say pre
Windows NT such as Windows 95 for instance, files are shared via the
network but with an OS that has no concept of file level security
something is needed to prevent unauthorized access - share level
security. AFAIK, the systems are not integrated, work separately and
provide some backward compatibility.

As the admin has full share level RW access to the share, he/she can
surely make changes to the file level security (that is, if it's
allowed by the current file level security) but he's not changing
share level security through this, only file level; so locally the
non-admin user could (presumably) login locally and access those
files, but still be blocked remotely by the share level permissions.
It's the way Windows works (and why Samba does also), plus I'm sure
other network sharing systems, NFS, etc. have similar attributes.

Think of it like trying to gain access to an office in a building. I
can keep you from gaining entry in two ways; one is that I prevent you
from entering the building (share level), or two, I prevent you from
entering the particular office by locking its door (file level). If I
prevent you from entering the building it doesn't matter whether or
not I lock the office door - you cannot get there. If I lock the
office door it doesn't matter if I allow you to enter the building -
either way you are effectively locked out. And just because you are
prevented, in the one case, from entering the building, there is
nothing, nor should there be, to prevent me (the admin) from unlocking
the office door, which would give you access if, and only if, you had
egress into the building - my access is not affected (I can still
unlock the office door), only yours (you still have no access unless I
allow you into the building as well).



Re: [Samba] samba acl - able to change permissions that contradict user security setting

2010-09-09 Thread suresh.kandukuru
Allison,
  My Question was ,
1) we have a share test and user admin has RW access and user1 has R only 
access. from the windows PC , I have connected test share with user admin. 
and created subfolder test_subfolder
2) and on that sub folder admin user has given RW access to user user1 . Why 
samba is not preventing this, since user1 has R only access on that share  
test.??

Smith explained  this in last mail.

Thanks for asking

Suresh

-Original Message-
From: Jeremy Allison [mailto:j...@samba.org] 
Sent: Thursday, September 09, 2010 9:13 AM
To: Kandukuru, Suresh
Cc: smb...@chrissmith.org; samba@lists.samba.org
Subject: Re: [Samba] samba acl - able to change permissions that contradict 
user security setting

On Wed, Sep 08, 2010 at 11:14:40AM -0400, suresh.kanduk...@emc.com wrote:
 Thanks smith for the quick reply. what I want to know is ,can not samba 
 source code  prevent the changing setting rw access to test_subfolder user1 
 , since he has only read only access on  the share test.

The processing of security on shares and security
in the underlying file system are completely separate.

A user who is only granted read access on a share
should not be able to change permissions on a directory
inside the share, as this is a write operation on an
underlying directory.

An admin user should be able to change such permissions
at will, as they have full root access to the exported
share.

Can you explain a little more clearly what you are trying
to do (sorry, but I've been a little distracted by other
things at the moment) so I can understand if you are describing
a bug or not ?

Thanks,

Jeremy.



Re: [Samba] samba acl - able to change permissions that contradict user security setting

2010-09-08 Thread suresh.kandukuru
Did not get the response . bumping it. friends , Please help me on the below 
issue.

Thanks
Suresh

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of suresh.kanduk...@emc.com
Sent: Wednesday, September 08, 2010 11:13 AM
To: samba@lists.samba.org
Subject: [Samba] samba acl - able to change permissions that contradict user 
security setting

Dear friends, I am having following issue on my samba device . Please help me 
on this.

1) created share test given read and write access to the user admin and 
read only access to user user1.

2) from my windows PC logged into the samba share  test  with admin  user . 
created subfolder in that test_subfolder.

3) on that subfolder  , from the windows security tab I could add user user1 
and can give read and write access to  that.
How to prevent this ??. Actually on the share test user1 has read only access 
.How samba code is allowing to change permissions that contradict user security 
settings.

4) when I login to share test with user1 , I cannot write into subfolder 
test_subfolder

This is smb.conf for test share part ..
---
[test]
path= /mnt/samba/shares/SP0/test/
max connections= 50
max connections= 250
directory mode= 0777
create mode= 0777
follow symlinks= yes
wide links= no
nt acl support= yes
dos filemode= yes
writeable= no
valid users= admin user1
read list= user1
store dos attributes= yes
write list= admin
-


I am anticipating your reply.

Thanks
Suresh





Re: [Samba] samba acl - able to change permissions that contradict user security setting

2010-09-08 Thread Chris Smith
On Wed, Sep 8, 2010 at 1:43 AM,  suresh.kanduk...@emc.com wrote:
 1) created share test given read and write access to the user admin and 
 read only access to user user1.

 2) from my windows PC logged into the samba share  test  with admin  user 
 . created subfolder in that test_subfolder.

 3) on that subfolder  , from the windows security tab I could add user 
 user1 and can give read and write access to  that.
 How to prevent this ??. Actually on the share test user1 has read only 
 access .How samba code is allowing to change permissions that contradict user 
 security settings.

 4) when I login to share test with user1 , I cannot write into subfolder 
 test_subfolder

Seems perfectly normal. Share level security will take precedence over
file level security when connected via the share. I'm sure you would
find the same results working with an actual Windows share (always a
good thing to test before you post).

Re: [Samba] samba acl - able to change permissions that contradict user security setting

2010-09-08 Thread Chris Smith
On Wed, Sep 8, 2010 at 10:55 AM, Chris Smith smb...@chrissmith.org wrote:
 Share level security will take precedence over
 file level security when connected via the share.

Sorry about that: more accurate would be to state that the most
restrictive security permissions will be active. If share level
permissions allow RW access but the file level permissions only allow
for R access then that is all the user will receive (and vice versa).
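
The "most restrictive permissions apply" rule, worked through on the [test] share and test_subfolder from this thread. This is an added example, not Samba code and not from any poster; the share settings are copied from the posted smb.conf, while the getfacl-style ACL listings and the function names are constructed, and only plain user names are modelled (no @group entries in the lists, no group ACL entries).

```python
# Share-level settings of [test], copied from the smb.conf in this thread.
TEST_SHARE = {
    "writeable": "no",
    "valid users": "admin user1",
    "read list": "user1",
    "write list": "admin",
}

# Constructed ACL of test_subfolder right after admin created it ...
ACL_BEFORE = """\
# file: test_subfolder
# owner: admin
user::rwx
group::r-x
other::r-x
"""
# ... and after admin used the Windows security tab to give user1 read/write.
ACL_AFTER = """\
# file: test_subfolder
# owner: admin
user::rwx
user:user1:rwx
group::r-x
mask::rwx
other::r-x
"""

YES = {"yes", "true", "on", "1"}


def share_access(share, user):
    """Share-level decision smbd makes from the smb.conf lists."""
    valid = share.get("valid users", "").split()
    if valid and user not in valid:
        return set()                      # not allowed to connect at all
    writable = share.get("writeable", "no").lower() in YES
    if user in share.get("read list", "").split():
        writable = False                  # read list forces read-only
    if user in share.get("write list", "").split():
        writable = True                   # write list wins over read list
    return {"r", "w"} if writable else {"r"}


def file_access(getfacl_text, user):
    """File-level decision from a getfacl listing (owner, named user, other)."""
    owner, entries = None, {}
    for line in getfacl_text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":")
            entries[(tag, qualifier)] = {c for c in perms if c != "-"}
    if user == owner:
        return entries.get(("user", ""), set())
    if ("user", user) in entries:
        perms = entries[("user", user)]
        mask = entries.get(("mask", ""))
        return perms & mask if mask is not None else perms
    return entries.get(("other", ""), set())


def effective_access(share, getfacl_text, user):
    """Both layers must agree: the result is the intersection."""
    allowed = share_access(share, user) & file_access(getfacl_text, user)
    return "".join(sorted(allowed))


if __name__ == "__main__":
    for label, acl in (("before ACL change", ACL_BEFORE),
                       ("after ACL change", ACL_AFTER)):
        for user in ("admin", "user1"):
            print(label, user, effective_access(TEST_SHARE, acl, user) or "-")
```

Granting user1 `rwx` in the file ACL changes only the file-level layer; over this share user1 stays read-only until the share's own lists are changed.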


Re: [Samba] samba acl - able to change permissions that contradict user security setting

2010-09-08 Thread suresh.kandukuru
Thanks smith for the quick reply. what I want to know is ,can not samba source 
code  prevent the changing setting rw access to test_subfolder user1 , since 
he has only read only access on  the share test.


-Suresh

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Chris Smith
Sent: Wednesday, September 08, 2010 8:25 PM
To: Kandukuru, Suresh
Cc: samba@lists.samba.org
Subject: Re: [Samba] samba acl - able to change permissions that contradict 
user security setting

On Wed, Sep 8, 2010 at 1:43 AM,  suresh.kanduk...@emc.com wrote:
 1) created share test given read and write access to the user admin and 
 read only access to user user1.

 2) from my windows PC logged into the samba share  test  with admin  user 
 . created subfolder in that test_subfolder.

 3) on that subfolder  , from the windows security tab I could add user 
 user1 and can give read and write access to  that.
 How to prevent this ??. Actually on the share test user1 has read only 
 access .How samba code is allowing to change permissions that contradict user 
 security settings.

 4) when I login to share test with user1 , I cannot write into subfolder 
 test_subfolder

Seems perfectly normal. Share level security will take precedence over
file level security when connected via the share. I'm sure you would
find the same results working with an actual Windows share (always a
good thing to test before you post).

Re: [Samba] samba acl - able to change permissions that contradict user security setting

2010-09-08 Thread Chris Smith
On Wed, Sep 8, 2010 at 11:14 AM,  suresh.kanduk...@emc.com wrote:
 Thanks smith for the quick reply. what I want to know is ,can not samba 
 source code  prevent the changing setting rw access to test_subfolder user1 
 , since he has only read only access on  the share test.

I suppose you could patch it to do so - although you would be asking
it to restrict the admin's rights, which wouldn't be proper behavior.
Plus it then wouldn't work like a Windows box, which is a primary
goal.

Re: [Samba] samba acl - able to change permissions that contradict user security setting

2010-09-08 Thread suresh.kandukuru
Smith, thanks again for answering. I have gone through the Samba source code. I 
have assumed that when the Samba user admin gives read-write access to 
test_subfolder for the user user1 from the Windows security tab (user1 
has read-only access to share test), the Samba code in posix_acl.c looks at the read 
list of the share test (since user1 is in the read list) and denies assigning 
rw access to test_subfolder. It looks like the code is not designed like this.

If you don't mind, can you please explain this:

--
- although you would be asking
it to restrict the admin's rights, which wouldn't be proper behavior.
Plus it then wouldn't work like a Windows box, which is a primary
goal.



Thanks
Suresh

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Chris Smith
Sent: Wednesday, September 08, 2010 9:24 PM
To: Kandukuru, Suresh
Cc: samba@lists.samba.org
Subject: Re: [Samba] samba acl - able to change permissions that contradict 
user security setting

On Wed, Sep 8, 2010 at 11:14 AM,  suresh.kanduk...@emc.com wrote:
 Thanks smith for the quick reply. what I want to know is ,can not samba 
 source code  prevent the changing setting rw access to test_subfolder user1 
 , since he has only read only access on  the share test.

I suppose you could patch it to do so - although you would be asking
it to restrict the admin's rights, which wouldn't be proper behavior.
Plus it then wouldn't work like a Windows box, which is a primary
goal.


Re: [Samba] samba acl - able to change permissions that contradict user security setting

2010-09-08 Thread Chris Smith
On Wed, Sep 8, 2010 at 10:04 PM,  suresh.kanduk...@emc.com wrote:
 it looks like code is not designed like this.

 if you don't mind , Can you please explain this ,

 --
 - although you would be asking
 it to restrict the admin's rights, which wouldn't be proper behavior.
 Plus it then wouldn't work like a Windows box, which is a primary
 goal.
 

File level security and share level security are separate - you can
limit what a user can do with either one, or both. Consider one box -
with no remote file sharing, a system (file level security) is needed
to prevent unauthorized access to files and directories for local
users. Consider a box that has no idea of file level security, say pre
Windows NT such as Windows 95 for instance, files are shared via the
network but with an OS that has no concept of file level security
something is needed to prevent unauthorized access - share level
security. AFAIK, the systems are not integrated, work separately and
provide some backward compatibility.

As the admin has full share level RW access to the share, he/she can
surely make changes to the file level security (that is, if it's
allowed by the current file level security) but he's not changing
share level security through this, only file level; so locally the
non-admin user could (presumably) login locally and access those
files, but still be blocked remotely by the share level permissions.
It's the way Windows works (and why Samba does also), plus I'm sure
other network sharing systems, NFS, etc. have similar attributes.

Think of it like trying to gain access to an office in a building. I
can keep you from gaining entry in two ways; one is that I prevent you
from entering the building (share level), or two, I prevent you from
entering the particular office by locking its door (file level). If I
prevent you from entering the building it doesn't matter whether or
not I lock the office door - you cannot get there. If I lock the
office door it doesn't matter if I allow you to enter the building -
either way you are effectively locked out. And just because you are
prevented, in the one case, from entering the building, there is
nothing, nor should there be, to prevent me (the admin) from unlocking
the office door, which would give you access if, and only if, you had
egress into the building - my access is not affected (I can still
unlock the office door), only yours (you still have no access unless I
allow you into the building as well).
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
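
The "most restrictive wins" rule described in this thread, as an added example that is not part of the original posts and not Samba's own code: it parses the access parameters of the [test] share from the original post, combines them with file-level rights, and lists file-level grants the share will never honour. The ACL for test_subfolder is a constructed sample, and `@group` entries in the user lists are not expanded.

```python
# Added example (not Samba code): a simplified model of how share-level
# rights from smb.conf combine with file-level rights.

# Constructed sample: the access-related lines of the [test] share in the post.
SMB_CONF = """\
[test]
path = /mnt/samba/shares/SP0/test/
writeable = no
valid users = admin user1
read list = user1
write list = admin
"""

# Constructed sample: file-level rights on test_subfolder after the admin
# added user1 with read and write from the Windows security tab.
SUBFOLDER_ACL = {"admin": {"r", "w"}, "user1": {"r", "w"}}

# "writeable", "writable" and "write ok" are inverted synonyms of "read only".
INVERTED_READ_ONLY = {"writeable", "writable", "write ok"}


def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def parse_shares(text):
    """Parse smb.conf-style text into {share: {parameter: value}}."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())
            if key in INVERTED_READ_ONLY:
                # Store under the canonical name so the last setting wins.
                key, value = "read only", ("no" if _is_yes(value) else "yes")
            current[key] = value.strip()
    return shares


def _names(share, parameter):
    # Assumption of this sketch: plain user names without spaces, no @group.
    return set(share.get(parameter, "").replace(",", " ").split())


def share_rights(share, user):
    """Rights the share itself allows this user: a subset of {"r", "w"}."""
    valid = _names(share, "valid users")
    if valid and user not in valid:
        return frozenset()                  # cannot connect to the share at all
    if user in _names(share, "write list"):
        return frozenset("rw")              # write list wins over read list
    if user in _names(share, "read list"):
        return frozenset("r")
    read_only = _is_yes(share.get("read only", "yes"))  # default is read only
    return frozenset("r") if read_only else frozenset("rw")


def effective_rights(share, user, file_rights):
    """What the user gets over SMB: both layers have to allow it."""
    return share_rights(share, user) & frozenset(file_rights)


def shadowed_grants(share, acl):
    """File-level grants that the share-level settings will never honour."""
    report = {}
    for user, rights in acl.items():
        excess = frozenset(rights) - share_rights(share, user)
        if excess:
            report[user] = excess
    return report


if __name__ == "__main__":
    test = parse_shares(SMB_CONF)["test"]
    for user in ("admin", "user1"):
        print(user, sorted(effective_rights(test, user, SUBFOLDER_ACL[user])))
    print("shadowed:", shadowed_grants(test, SUBFOLDER_ACL))
```

The shadowed entry is what an audit would flag: it has no effect through this share, but it applies to any other path to the same files, such as a local login or a second share exporting the directory.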


Re: [Samba] samba acl - able to change permissions that contradict user security setting

2010-09-08 Thread Jeremy Allison
On Wed, Sep 08, 2010 at 11:14:40AM -0400, suresh.kanduk...@emc.com wrote:
 Thanks smith for the quick reply. what I want to know is ,can not samba 
 source code  prevent the changing setting rw access to test_subfolder user1 
 , since he has only read only access on  the share test.

The processing of security on shares and security
in the underlying file system are completely separate.

A user who is only granted read access on a share
should not be able to change permissions on a directory
inside the share, as this is a write operation on an
underlying directory.

An admin user should be able to change such permissions
at will, as they have full root access to the exported
share.

Can you explain a little more clearly what you are trying
to do (sorry, but I've been a little distracted by other
things at the moment) so I can understand if you are describing
a bug or not ?

Thanks,

Jeremy.


[Samba] samba acl - able to change permissions that contradict user security setting

2010-09-07 Thread suresh.kandukuru
Dear friends, I am having the following issue on my Samba device. Please help me 
with this.

1) Created share test, given read and write access to the user admin and 
read-only access to user user1.

2) From my Windows PC, logged into the Samba share test as the admin user. 
Created a subfolder test_subfolder in it.

3) On that subfolder, from the Windows security tab, I could add user user1 
and give read and write access to it.
How to prevent this? Actually, on the share test, user1 has read-only access. 
How is the Samba code allowing permission changes that contradict the user 
security settings?

4) When I log in to share test as user1, I cannot write into subfolder 
test_subfolder.

This is smb.conf for test share part ..
---
[test]
path= /mnt/samba/shares/SP0/test/
max connections= 50
max connections= 250
directory mode= 0777
create mode= 0777
follow symlinks= yes
wide links= no
nt acl support= yes
dos filemode= yes
writeable= no
valid users= admin user1
read list= user1
store dos attributes= yes
write list= admin
-


I am anticipating your reply.

Thanks
Suresh





[Samba] samba ACL problems in some of the Workgroup PC's

2010-09-05 Thread suresh.kandukuru
Dear friends,
  I am facing a problem while adding an ACL user to a subfolder's security 
permissions from some of the WORKGROUP PCs. While adding the ACL user, it 
asks for Samba login credentials (I did not notice this behavior on 
other PCs), and after entering them it displays user object not found. 
Although the user user2 exists in the backend, it gives this error.

This does not cause any problem on some of the workgroup PCs and some PCs which 
are in a domain.

I have enabled Samba log level 10. While the add-ACL-user task was going on, I 
did not find any comparable errors between the working PCs and the non-working PCs.

Can you please suggest why only some of the workgroup machines have this 
problem? I found this is not specific to any OS: one PC running 
Windows XP and another running Windows 7 exhibit this issue. The workgroup is the 
common WORKGROUP.

Please advise. I am anticipating your reply.

Thanks
Suresh




[Samba] Samba ACL sub folder permission changes

2010-08-18 Thread suresh.kandukuru
Dear Samba team,
Please help me with the issue below.

I have connected a Samba share from my device to my Windows XP
machine. That Samba share has ACL support enabled.

1) The shared folder name is user1, and the user name I logged into the
Samba share with is also user1.

2) I have created a text file and a subfolder in the Samba share from
my Windows PC.

3) I can change the write permission of the owner user1, the group
users, and Everyone from the security - advanced settings -

4) For the subfolder I cannot change the permissions for the owner
user1; I can change them for the group users and also for Everyone.

Whenever I try to disable the Write attributes and Write extended
attributes, it simply ignores the changes and again shows full
control in the advanced security window.


Please suggest how to handle this.
Here is my samba.conf

[Global]
server string= storage
Workgroup= WORKGROUP
security= user
domain master= yes
preferred master= yes
local master= yes
os level= 20
invalid users= bin daemon adm sync shutdown halt mail news uucp gopher
map to guest= Bad User
host msdfs= yes
null passwords= yes
strict allocate= no
encrypt passwords= yes
passdb backend= smbpasswd
printcap name= lpstat
printing= cups
printable= no
load printers= yes
max smbd processes= 500
max smbd processes= 2500
getwd cache= yes
display charset= UTF-8
log level= 10
syslog= 0
max log size= 50
use sendfile= yes

[Printers]
path= /mnt/soho_storage/samba/spool
printable= yes
only guest= yes
use client driver= yes
comment= All Printers

[Backups]
path= /mnt/soho_storage/samba/shares/SP0/Backups/
max connections= 50
max connections= 250
directory mode= 0777
create mode= 0777
follow symlinks= yes
wide links= no
nt acl support= no
dos filemode= no
writeable= yes
public= yes
store dos attributes= yes
write list= guest

[Documents]
path= /mnt/soho_storage/samba/shares/SP0/Documents/
max connections= 50
max connections= 250
directory mode= 0777
create mode= 0777
follow symlinks= yes
wide links= no
nt acl support= no
dos filemode= no
writeable= yes
public= yes
store dos attributes= yes
write list= guest

[Pictures]
path= /mnt/soho_storage/samba/shares/SP0/Pictures/
max connections= 50
max connections= 250
directory mode= 0777
create mode= 0777
follow symlinks= yes
wide links= no
nt acl support= no
dos filemode= no
writeable= yes
public= yes
store dos attributes= yes
write list= guest

[user1]
path= /mnt/soho_storage/samba/shares/SP0/user1/
max connections= 50
max connections= 250
directory mode= 0777
create mode= 0777
follow symlinks= yes
wide links= no
nt acl support= yes
dos filemode= yes
writeable= no
valid users= admin user1 user2
store dos attributes= yes
write list= admin user1 user2

[user2]
path= /mnt/soho_storage/samba/shares/SP0/user2/
max connections= 50
max connections= 250
directory mode= 0777
create mode= 0777
follow symlinks= yes
wide links= no
nt acl support= yes
dos filemode= yes
writeable= no
valid users= admin user1 user2
store dos attributes= yes
write list= admin user1 user2
--

Thanks in advance
Suresh




Re: [Samba] samba ACL open-for-delete problem

2009-09-28 Thread Shaochun Wang
All my fault. I forgot to execute make clean before compiling samba
with ACL support.


-- 
Shaochun Wang(王绍春) scw...@ios.ac.cn
PH.D Candidate
State Key Laboratory of Computer Science,
Institute of Software,
Chinese Academy of Sciences

[Samba] samba ACL open-for-delete problem

2009-09-27 Thread Shaochun Wang
Hi, all

It seems that samba-3.4.1 still has something wrong with ACLs for the
open-for-delete operation. I gave a group of users full access, which
means rwx permission, to a directory and made this the default ACL
for this directory. Then I found that I can do anything as a member of
that group except deleting files and this directory.

After skimming through the source code, I did not find any ACL check in
the function can_delete_file_in_directory() in the file file_access.c.

Am I right?

The following is my ACL setting:
-bash-4.0$ getfacl Downloads/
# file: Downloads/
# owner: tsmn
# group: bt
user::rwx
group::r-x
group:smb_g0:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:smb_g0:rwx
default:mask::rwx
default:other::r-x

-bash-4.0$ getfacl Downloads/aaa
# file: Downloads/aaa
# owner: tsmn
# group: bt
user::rw-
group::r-x  #effective:r--
group:smb_g0:rwx  #effective:rw-
mask::rw-
other::r--

I can't delete the file aaa when logging in as the Samba user smb_u0, whose
main group is smb_g0.

-- 
Shaochun Wang scw...@ios.ac.cn

Jabber: fung...@jabber.org


Re: [Samba] Samba ACL and Office 2007

2009-04-28 Thread David Vaz
Harry Jede wrote:
 On Monday, 27 April 2009 15:33, David Vaz wrote:
   
 I am using samba 3.3.2-1 in a debian squeze installation, using ext3
 with acl support.

 The problem I am experiencing is easy to replicate as I have tried it
 in different machines.

 In a given share, user A is the owner of the folder test, inside
 this folder there is a office file test.doc for example. User B
 has write privileges over file test.doc but not over test. When
 user B tries to save the office document (using office 2007) an
 error appears Access Denied. Contact your administrator.

 # file: test
 # owner: A
 # group: G
 user::rwx
 group::r-x
 other::---

 # file: test.doc
 # owner: A
 # group: G
 user::rwx
 user:B:rwx
 group::r-x
 mask::rwx
 other::---

 Notice that if the user copy the file to his desktop, modifies it and
 later overwrites the original there is no problem.
 
 That's normal with Office 2007. Thanks to M$.

 They create a NEW file, when the user saves the old one, delete the old 
 one, then rename the new file to the old name.

 So, your users are able to update files with office 2007, only when they 
 have write permissons on the directory.

 Search this list archive for a more detailed explanation.
   
Is there any workaround to this?

   
 This error is similar in some ways to this
 https://bugzilla.samba.org/show_bug.cgi?id=6160, but i suppose now
 the lock over the folder.
 

   



[Samba] Samba ACL and Office 2007

2009-04-27 Thread David Vaz
I am using samba 3.3.2-1 in a Debian squeeze installation, using ext3
with ACL support.

The problem I am experiencing is easy to replicate, as I have tried it on
different machines.

In a given share, user A is the owner of the folder test; inside
this folder there is an Office file, test.doc for example. User B has
write privileges over the file test.doc but not over test. When user B
tries to save the Office document (using Office 2007), the error
Access Denied. Contact your administrator. appears.

# file: test
# owner: A
# group: G
user::rwx
group::r-x
other::---

# file: test.doc
# owner: A
# group: G
user::rwx
user:B:rwx
group::r-x
mask::rwx
other::---

Notice that if the user copies the file to his desktop, modifies it and
later overwrites the original, there is no problem.

This error is similar in some ways to this
https://bugzilla.samba.org/show_bug.cgi?id=6160, but I suppose now the
lock over the folder.



Re: [Samba] Samba ACL and Office 2007

2009-04-27 Thread Harry Jede
On Monday, 27 April 2009 15:33, David Vaz wrote:
 I am using samba 3.3.2-1 in a debian squeze installation, using ext3
 with acl support.

 The problem I am experiencing is easy to replicate as I have tried it
 in different machines.

 In a given share, user A is the owner of the folder test, inside
 this folder there is a office file test.doc for example. User B
 has write privileges over file test.doc but not over test. When
 user B tries to save the office document (using office 2007) an
 error appears Access Denied. Contact your administrator.

 # file: test
 # owner: A
 # group: G
 user::rwx
 group::r-x
 other::---

 # file: test.doc
 # owner: A
 # group: G
 user::rwx
 user:B:rwx
 group::r-x
 mask::rwx
 other::---

 Notice that if the user copy the file to his desktop, modifies it and
 later overwrites the original there is no problem.
That's normal with Office 2007. Thanks to M$.

They create a NEW file when the user saves the old one, delete the old 
one, then rename the new file to the old name.

So, your users are able to update files with Office 2007 only when they 
have write permissions on the directory.

Search this list archive for a more detailed explanation.


 This error is similar in some ways to this
 https://bugzilla.samba.org/show_bug.cgi?id=6160, but i suppose now
 the lock over the folder.

-- 

Regards
Harry Jede
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
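
An added example (not from the posts and not Samba code) that evaluates the getfacl listings from this thread and from the open-for-delete thread above in the access-check order of acl(5): overwriting a file in place needs write on the file, while the save-by-rename sequence Harry Jede describes, like any delete, needs write and search on the directory. It assumes user B is a member of group G and ignores the sticky bit; the function names are made up for this sketch.

```python
# Added example (not Samba code): POSIX ACL evaluation in the order of acl(5).

# Listings copied from the posts (most default: entries of Downloads/ trimmed).
TEST_DIR = """\
# file: test
# owner: A
# group: G
user::rwx
group::r-x
other::---
"""
TEST_DOC = """\
# file: test.doc
# owner: A
# group: G
user::rwx
user:B:rwx
group::r-x
mask::rwx
other::---
"""
DOWNLOADS = """\
# file: Downloads/
# owner: tsmn
# group: bt
user::rwx
group::r-x
group:smb_g0:rwx
mask::rwx
other::r-x
default:group:smb_g0:rwx
"""
AAA = """\
# file: Downloads/aaa
# owner: tsmn
# group: bt
user::rw-
group::r-x  #effective:r--
group:smb_g0:rwx  #effective:rw-
mask::rw-
other::r--
"""


def parse_getfacl(text):
    """Turn one getfacl listing into a dict; default: entries are skipped."""
    acl = {"owner": None, "group": None, "user_obj": set(), "group_obj": set(),
           "other": set(), "mask": None, "users": {}, "groups": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        entry = line.split("#", 1)[0].strip()   # drops headers and #effective
        if not entry or entry.startswith("default:"):
            continue
        tag, qualifier, perms = entry.split(":")
        rights = set(perms) - {"-"}
        if tag == "user" and qualifier:
            acl["users"][qualifier] = rights
        elif tag == "group" and qualifier:
            acl["groups"][qualifier] = rights
        else:
            acl[{"user": "user_obj", "group": "group_obj"}.get(tag, tag)] = rights
    return acl


def allowed(acl, user, groups, want):
    """True if user (member of groups) holds every right in want, e.g. "wx"."""
    want = set(want)
    mask = acl["mask"] if acl["mask"] is not None else set("rwx")
    if user == acl["owner"]:
        return want <= acl["user_obj"]          # the owner entry is never masked
    if user in acl["users"]:
        return want <= (acl["users"][user] & mask)
    matched = [p & mask for name, p in acl["groups"].items() if name in groups]
    if acl["group"] in groups:
        matched.append(acl["group_obj"] & mask)
    if matched:                                 # one matching entry must suffice
        return any(want <= perms for perms in matched)
    return want <= acl["other"]


def can_overwrite_in_place(dir_acl, file_acl, user, groups):
    """Open the existing file for writing: search on dir, write on file."""
    return allowed(dir_acl, user, groups, "x") and allowed(file_acl, user, groups, "w")


def can_replace_or_delete(dir_acl, user, groups):
    """Create, rename or unlink an entry: write and search on the directory."""
    return allowed(dir_acl, user, groups, "wx")


if __name__ == "__main__":
    d, f = parse_getfacl(TEST_DIR), parse_getfacl(TEST_DOC)
    print("B overwrites test.doc in place:", can_overwrite_in_place(d, f, "B", {"G"}))
    print("B saves by create+rename:", can_replace_or_delete(d, "B", {"G"}))
```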


Re: [Samba] Samba+acl problem on OSX

2009-02-19 Thread Eero Volotinen


Is that the only option? We've noticed the same behavior of osx clients 
recently, but we also have linux clients connecting and I don't wish to 
degrade the experience by disabling unix extensions. 


What is the effect of disabling unix extensions? At least with it, ACLs work 
on OSX too.


--
Eero


Re: [Samba] Samba+acl problem on OSX

2009-02-18 Thread Christian McHugh
On Tuesday 17 February 2009 16:19:19 James Peach wrote:
 2009/2/17 Eero Volotinen eero.voloti...@iki.fi:
  I have problem using samba+acl (ext3+acl) on OSX client.
 
  Access rights works fine on Linux and Windows series, but OSX Leopard
  says access denied to every directory that is using acl.
 
  Is OSX cifs client too stripped that it cannot use acl or is this OSX
  bug? Is there any solution on OSX that can access samba+acl directories?

 The Mac OS X client looks at the posix mode bits to preflight access
 checks. you can disable this on the server side by setting unix
 extensions = no

Is that the only option? We've noticed the same behavior of osx clients 
recently, but we also have linux clients connecting and I don't wish to 
degrade the experience by disabling unix extensions. 


[Samba] Samba+acl problem on OSX

2009-02-17 Thread Eero Volotinen

I have a problem using samba+acl (ext3+acl) with an OSX client.

Access rights work fine on Linux and the Windows series, but OSX Leopard 
says access denied to every directory that is using ACLs.


Is the OSX CIFS client too stripped down to use ACLs, or is this an OSX 
bug? Is there any solution on OSX that can access samba+acl directories?


thanks,
--
Eero


Re: [Samba] Samba+acl problem on OSX

2009-02-17 Thread James Peach
2009/2/17 Eero Volotinen eero.voloti...@iki.fi:
 I have problem using samba+acl (ext3+acl) on OSX client.

 Access rights works fine on Linux and Windows series, but OSX Leopard says
 access denied to every directory that is using acl.

 Is OSX cifs client too stripped that it cannot use acl or is this OSX bug?
 Is there any solution on OSX that can access samba+acl directories?

The Mac OS X client looks at the posix mode bits to preflight access
checks. you can disable this on the server side by setting unix
extensions = no

-- 
James Peach | jor...@gmail.com


[Samba] samba + acl

2008-08-18 Thread bikrish
Hello

I am using Samba version 3.2.1 on CentOS 5.2 with LDAP. Everything is working 
fine, as I expected. I have shared a share, say NOA, on the Samba server. 
Now I log into Windows, access the share, and try to set rights on the share 
via right click, properties, security. I want to give a group called noag only 
read and write, but no delete permission, on the share NOA. I have a group that 
has full access to the share NOA. I right-click on it and use the security tab to 
give only read permission, and it works fine; but when I select all the options 
except delete and full control and click OK, it changes to full control, which 
is what I don't want. I have searched a lot but couldn't find a solution. Is 
there any solution for this, or is this not possible in Samba?

Thanks in advance

Bikrish


[Samba] Samba / ACL / File System Permissions Active Directory winbind

2008-07-30 Thread Keith Sudbury

Hi Guys,

I have a Windows 2003 SBS handling domain logins. I also have an Ubuntu 
machine being used as a file server; this is using winbind and is on the 
domain. I can chown dirs etc. with Active Directory users.

However, I have the following problem: I need to allow certain users to 
access some dirs and not others... for example,

folder1 would need to be accessed by user1, user2 and user3.

Now my understanding of this would be to add users 1, 2 and 3 to a group, 
say for example group1, then chown folder1 with that group?

chown -R ":DOMAIN\Domain Users" folder1

That's fine, but then when user 1, 2 or 3 accesses folder1 and writes to the 
folder, and their primary group is Domain Users for example, it will 
make it unreadable for other users?

I could force it to take permissions from the parent directory using 
the sticky bit? But what if a user creates a dir and then another dir; 
would it still take its permissions from its parent directory then?

It must be fairly common to want to give a bunch of users that are not in 
the same primary group access to one dir that no other users can access?

If anyone has any ideas / feedback at all on how they have done this, it 
would be great, as I'm melting my brain thinking of a way around this, if I'm 
honest...




Many Thanks
Keith

--
Keith Sudbury
Netzen Solution Ltd
Suite 5, Piccadilly House, London Rd, Bath, BA1 6PL, UK
Mobile: +44 (0)7921464106
Tel: +44 (0)1225 588 588
Fax: +44 (0)1225 580 061



Re: [Samba] Samba / ACL / File System Permissions Active Directory winbind

2008-07-30 Thread Jeremy Allison
On Wed, Jul 30, 2008 at 11:17:10PM +0100, Keith Sudbury wrote:
 Hi Guys,
 
 I have a windows 2003 SBS handling domain logins, I also have an Ubuntu 
 machine being used as a file server this is using winbind and is on the 
 domain I can chown dirs etc with Active Directory users.
 
 However I have the following problem, I need to allow certain users to 
 access some dirs and not others... for example.
 
 folder1 would need to be accessed by user1 user2 and user3
 
 Now my understanding of this would be to add users 1,2  3 to a group 
 say for example group1 then chown folder1 with that group?
 
 chown -R :DOMAIN\Domain Users folder1
 
 Thats fine but then when user 1,2 or 3 access folder1 and write to the 
 folder and there primary group is Domain Users for example it will 
 make it unreadable for other users?
 
 I could force it to take permissions from the parent directory using 
 sticky bit? but what if the users creates a dir and then another dir 
 would it still take its permissions from its parent directory then?

Use the setgid bit on the directory. This causes the group ownership
of the created directory to be inherited from the owning directory,
not the creating process (and also inherit the setgid bit).

Jeremy.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
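
A runnable check of the setgid behaviour described above, as an added example that is not part of the original posts: it builds folder1 with two nested directories and a file inside a temporary directory and reports the group and the setgid bit at each level. Linux semantics are assumed, and the nested directory and file names are made up for the demonstration.

```python
# Added example: observe how the setgid bit on a directory propagates group
# ownership (and the bit itself) to directories created below it on Linux.
import os
import stat
import tempfile


def pick_shared_gid():
    """A supplementary group of this process if it has one, else its own gid."""
    egid = os.getegid()
    for gid in os.getgroups():
        if gid != egid:
            return gid
    return egid


def build_tree(root, setgid):
    """Create folder1/level1/level2/report.txt and return the four paths."""
    shared = os.path.join(root, "folder1")
    os.mkdir(shared)
    try:
        # Give folder1 a group other than the creator's primary group when
        # possible, so that inheritance is visible in the result.
        os.chown(shared, -1, pick_shared_gid())
    except OSError:
        pass  # e.g. an unmapped gid in a container: keep the current group
    os.chmod(shared, 0o2770 if setgid else 0o770)

    level1 = os.path.join(shared, "level1")
    level2 = os.path.join(level1, "level2")
    os.mkdir(level1)          # a user creates a dir ...
    os.mkdir(level2)          # ... and then another dir inside it
    report = os.path.join(level2, "report.txt")
    with open(report, "w") as handle:
        handle.write("constructed sample file\n")
    return [shared, level1, level2, report]


def describe(path):
    info = os.stat(path)
    return {
        "name": os.path.basename(path),
        "gid": info.st_gid,
        "setgid": bool(info.st_mode & stat.S_ISGID),
    }


def demo(setgid=True):
    """Build the tree in a throwaway directory and describe each level."""
    with tempfile.TemporaryDirectory() as root:
        return [describe(path) for path in build_tree(root, setgid)]


if __name__ == "__main__":
    for label, flag in (("with setgid", True), ("without setgid", False)):
        print(label)
        for entry in demo(flag):
            print("  {name:12} gid={gid} setgid={setgid}".format(**entry))
```

The bit governs group ownership only; the permission bits of new entries still come from the creating process and, under Samba, from the share's mask settings.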


[Samba] Samba+ACL+w2k domain

2008-02-26 Thread Фролов Иван Александрович
I have set up Samba as a member of the w2k domain and have made a share with
ACL support. I distribute the rights through Windows ticks
successfully. But I cannot remove them - Windows says that You can
not remove the user because this object is inheriting permission from
his parent. After I remove inheritance on the share, the user still stays
in the ACL without any permissions.
Windows writes that these rights are as though inherited. I do not
know what I am doing wrong.

FreeBSD 6.2
Samba Version 3.0.28
heimdal 1.0.1

Samba config:
[global]
workgroup = MYDOMAIN
security = domain
server string = ws01 Samba Server
netbiosname = ws01

local master = no
domain master = no
preferred master = no
dns proxy = no

display charset = koi8-r
unix charset = koi8-r
dos charset = cp866

idmap uid = 1-2
idmap gid = 1-2
winbind cache time = 15
winbind enum users = Yes
winbind enum groups = Yes

hosts allow = 192.168.0. 192.168.1. 127.
bind interfaces only = Yes
interfaces = 192.168.0.125

log file = /var/log/samba/log.%m
max log size = 50

load printers = no

# Share Definitions
==
[store]
   comment = qwerty!

   path = /store
   read list = @MYDOMAIN\Domain Users
   write list = @MYDOMAIN\Domain Admins
   admin users = @MYDOMAIN\Domain Admins, [EMAIL PROTECTED]
   read only = No
   create mask = 700
   directory mask = 700
   inherit owner = yes
   inherit acls = yes
   inherit permissions = yes
   map acl inherit = yes
   locking = nophotoarch



Re: [Samba] Samba+ACL+w2k domain

2008-02-13 Thread nix_kot
Hi, nix.

 I have set up samba as a member of w2k the domain, has made Share with
 ACL support. I distribute the rights through Windows ticks
 sucsessfully. But I can not be remove them - windows says that You can
 not remove the user  because this object is inheriting permission from
 his parent After I remove inheritence on the share user still stays
 in the ACL withoue any permissions.
 Windows writes, that these rights are as though inherited. I do not
 know, that I do not so.

 FreeBSD 6.2
 Samba Version 3.0.28
 heimdal 1.0.1

 Samba config:
 [global]
 workgroup = MYDOMAIN
 security = domain
 server string = ws01 Samba Server
 netbiosname = ws01

 local master = no
 domain master = no
 preferred master = no
 dns proxy = no

 display charset = koi8-r
 unix charset = koi8-r
 dos charset = cp866

 idmap uid = 1-2
 idmap gid = 1-2
 winbind cache time = 15
 winbind enum users = Yes
 winbind enum groups = Yes

 hosts allow = 192.168.0. 192.168.1. 127.
 bind interfaces only = Yes
 interfaces = 192.168.0.125

 log file = /var/log/samba/log.%m
 max log size = 50

 load printers = no

 # Share Definitions
 ==
 [store]
comment = qwerty!

path = /store
read list = @MYDOMAIN\Domain Users
write list = @MYDOMAIN\Domain Admins
admin users = @MYDOMAIN\Domain Admins, [EMAIL PROTECTED]
read only = No
create mask = 700
directory mask = 700
inherit owner = yes
inherit acls = yes
inherit permissions = yes
map acl inherit = yes
locking = nophotoarch


Anybody help me please!

-- 
Best regards,
 nix_kot  mailto:[EMAIL PROTECTED]



[Samba] Samba+ACL+w2k domain

2008-02-07 Thread nix_kot
I have set up Samba as a member of the w2k domain and have made a share with
ACL support. I distribute the rights through Windows ticks
successfully. But I cannot remove them - Windows says that You can
not remove the user because this object is inheriting permission from
his parent. After I remove inheritance on the share, the user still stays
in the ACL without any permissions.
Windows writes that these rights are as though inherited. I do not
know what I am doing wrong.

FreeBSD 6.2
Samba Version 3.0.28
heimdal 1.0.1

Samba config:
[global]
workgroup = MYDOMAIN
security = domain
server string = ws01 Samba Server
netbiosname = ws01

local master = no
domain master = no
preferred master = no
dns proxy = no

display charset = koi8-r
unix charset = koi8-r
dos charset = cp866

idmap uid = 1-2
idmap gid = 1-2
winbind cache time = 15
winbind enum users = Yes
winbind enum groups = Yes

hosts allow = 192.168.0. 192.168.1. 127.
bind interfaces only = Yes
interfaces = 192.168.0.125

log file = /var/log/samba/log.%m
max log size = 50

load printers = no

# Share Definitions
==
[store]
   comment = qwerty!

   path = /store
   read list = @MYDOMAIN\Domain Users
   write list = @MYDOMAIN\Domain Admins
   admin users = @MYDOMAIN\Domain Admins, [EMAIL PROTECTED]
   read only = No
   create mask = 700
   directory mask = 700
   inherit owner = yes
   inherit acls = yes
   inherit permissions = yes
   map acl inherit = yes
   locking = nophotoarch



[Samba] samba acl + winxp, win2000 server

2007-09-27 Thread Vadim Vatlin

Hi there.

I need help.
I installed samba + nt acl.
I switched on ACLs on the filesystem and added users to /etc/passwd and 
to the Samba tdb database, using tdbedit.


When I logged in to the share, I created a test file, clicked the right 
mouse button, and chose properties-security.
And when I clicked the add button on Win 2000 Server, I saw all my 
Samba accounts.
But when I did it on WinXP I saw none of my Samba accounts, only 
local ones.


Have any idea??


p.s.
sorry for my english. I'm not native.



Re: [Samba] samba acl + winxp, win2000 server

2007-09-27 Thread Vadim Vatlin

Vadim Vatlin wrote:

Hi there.

I need help.
I installed Samba + NT ACL.
I switched on ACLs on the filesystem and added users to /etc/passwd
and to the Samba tdb database, using tdbedit.


When I logged in to the share, I created a test file, clicked the
right mouse button, and chose properties-security.
When I clicked the Add button on Win 2000 Server, I saw all my
Samba accounts.
But when I did it on WinXP, I saw nobody from my Samba accounts, only
locals.


Any ideas?


P.S.
Sorry for my English. I'm not a native speaker.

http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html#id375713

Am I right that this function doesn't work now?

But why does this work under 2000 Server?




Re: [Samba] Samba ACL bug?

2007-02-12 Thread H.Kitagawa
Hi, Jerry.
How are you?

Afterwards, I kept investigating.
This problem doesn't occur on the ext3 filesystem.
(This problem occurs on the vxfs filesystem.)

There are some questions.

Q1. Does Samba not correspond to VxFS?

Q2. Does the program that sets the ACL differ by filesystem?


- Original Message - 
From: Gerald (Jerry) Carter [EMAIL PROTECTED]
To: H.Kitagawa [EMAIL PROTECTED]
Cc: samba@lists.samba.org
Sent: Tuesday, January 30, 2007 2:05 PM
Subject: Re: [Samba] Samba ACL bug?


 
 Hiro,
 
  [EMAIL PROTECTED] pub]# getfacl testfolder
  # file: testfolder
  # owner: [EMAIL PROTECTED]
  # group: [EMAIL PROTECTED]
  user::rwx
  mask::rwx
  mask::rwx
  other::---
 
 Any idea why the mask is listed twice here?  What file system is
 this?
 
  default:user::rwx
  default:group::rwx
  default:group:[EMAIL PROTECTED]:rwx
  default:mask::rwx
  default:other::---
 
  Then, the member of the Domain Users group became inaccessible
  the folder.
 
 
 The default aces are not used to determine access to a folder.
 Only for files and subfolders created within the directory.
 So that shouldn't make any difference.  I would suggest
 looking at a level 10 debug log from smbd and seeing
 the root cause of the ACCESS_DENIED error.
 
 
 
 
 
 cheers, jerry
 =
 Samba--- http://www.samba.org
 Centeris ---  http://www.centeris.com
 What man is a man who does not make the world better?  --Balian
 

*
Hironori Kitagawa
E-Mail: [EMAIL PROTECTED]
*



Re: [Samba] Samba ACL bug?

2007-01-29 Thread Gerald (Jerry) Carter

Hiro,

 [EMAIL PROTECTED] pub]# getfacl testfolder
 # file: testfolder
 # owner: [EMAIL PROTECTED]
 # group: [EMAIL PROTECTED]
 user::rwx
 mask::rwx
 mask::rwx
 other::---

Any idea why the mask is listed twice here?  What file system is
this?

 default:user::rwx
 default:group::rwx
 default:group:[EMAIL PROTECTED]:rwx
 default:mask::rwx
 default:other::---

 Then, the member of the Domain Users group became inaccessible
 the folder.


The default aces are not used to determine access to a folder.
Only for files and subfolders created within the directory.
So that shouldn't make any difference.  I would suggest
looking at a level 10 debug log from smbd and seeing
the root cause of the ACCESS_DENIED error.





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


Re: [Samba] Samba ACL bug?

2007-01-29 Thread H.Kitagawa
Hi Jerry

- Original Message - 
From: Gerald (Jerry) Carter [EMAIL PROTECTED]
To: H.Kitagawa [EMAIL PROTECTED]
Cc: samba@lists.samba.org
Sent: Tuesday, January 30, 2007 2:05 PM
Subject: Re: [Samba] Samba ACL bug?



 Hiro,

  [EMAIL PROTECTED] pub]# getfacl testfolder
  # file: testfolder
  # owner: [EMAIL PROTECTED]
  # group: [EMAIL PROTECTED]
  user::rwx
  mask::rwx
  mask::rwx
  other::---

 Any idea why the mask is listed twice here?

I do not understand the reason why the mask is listed two times.

 What file system is this?

We are using vxfs(VERITAS).


  default:user::rwx
  default:group::rwx
  default:group:[EMAIL PROTECTED]:rwx
  default:mask::rwx
  default:other::---
 
  Then, the member of the Domain Users group became inaccessible
  the folder.
 

 The default aces are not used to determine access to a folder.
 Only for files and subfolders created within the directory.
 So that shouldn't make any difference.  I would suggest
 looking at a level 10 debug log from smbd and seeing
 the root cause of the ACCESS_DENIED error.


I gathered the log with level 10.


LOG1.
This is a log when accessing it from this server.

[EMAIL PROTECTED] pub]# smbclient '//sambaSV/SMBpublic' -U fjsv003
Password:
Domain=[KITA] OS=[Unix] Server=[Samba 3.0.21b-2]
smb: \ cd testfolder
smb: \testfolder\ ls
NT_STATUS_ACCESS_DENIED listing \testfolder\*


[2007/01/30 14:55:59, 5] smbd/uid.c:change_to_user(309)
  change_to_user uid=(10002,10002) gid=(0,1)
[2007/01/30 14:55:59, 3] smbd/trans2.c:call_trans2findfirst(1632)
  call_trans2findfirst: dirtype = 16, maxentries = 1366, close_after_first=0, close_if_end = 2 requires_resume_key = 4 level = 0x104, max_data_bytes = 16644
[2007/01/30 14:55:59, 5] smbd/filename.c:unix_convert(108)
  unix_convert called on file testfolder/*
[2007/01/30 14:55:59, 10] smbd/statcache.c:stat_cache_lookup(215)
  stat_cache_lookup: lookup failed for name [TESTFOLDER/*]
[2007/01/30 14:55:59, 10] smbd/statcache.c:stat_cache_lookup(248)
  stat_cache_lookup: lookup succeeded for name [TESTFOLDER] - [testfolder]
[2007/01/30 14:55:59, 5] smbd/filename.c:unix_convert(185)
  unix_convert begin: name = testfolder/*, dirpath = testfolder, start = *
[2007/01/30 14:55:59, 10] smbd/mangle_hash2.c:is_mangled(276)
  is_mangled * ?
[2007/01/30 14:55:59, 10] smbd/mangle_hash2.c:is_mangled_component(215)
  is_mangled_component * (len 1) ?
[2007/01/30 14:55:59, 10] smbd/mangle_hash2.c:is_mangled(276)
  is_mangled * ?
[2007/01/30 14:55:59, 10] smbd/mangle_hash2.c:is_mangled_component(215)
  is_mangled_component * (len 1) ?
[2007/01/30 14:55:59, 5] smbd/filename.c:unix_convert(335)
  New file *
[2007/01/30 14:55:59, 5] smbd/trans2.c:call_trans2findfirst(1688)
  dir=testfolder, mask = *
[2007/01/30 14:55:59, 5] smbd/dir.c:dptr_create(391)
  dptr_create dir=testfolder
[2007/01/30 14:55:59, 5] smbd/dir.c:OpenDir(1033)
  OpenDir: Can't open testfolder. Permission denied
[2007/01/30 14:55:59, 3] smbd/error.c:unix_error_packet(90)
  unix_error_packet: error string = Permission denied
[2007/01/30 14:55:59, 3] smbd/error.c:error_packet(146)
  error packet at smbd/trans2.c(1742) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED



LOG2.
This is a log when accessing it from the Windows client.

[2007/01/30 15:03:33, 3] smbd/process.c:switch_message(993)
  switch message SMBntcreateX (pid 6872) conn 0xa06d258
[2007/01/30 15:03:33, 4] smbd/uid.c:change_to_user(222)
  change_to_user: Skipping user change - already user
[2007/01/30 15:03:33, 10] smbd/nttrans.c:reply_ntcreate_and_X(506)
  reply_ntcreateX: flags = 0x16, access_mask = 0x20089 file_attributes = 0x80, share_access = 0x7, create_disposition = 0x1 create_options = 0x0 root_dir_fid = 0x0
[2007/01/30 15:03:33, 5] smbd/filename.c:unix_convert(108)
  unix_convert called on file testfolder
[2007/01/30 15:03:33, 10] smbd/statcache.c:stat_cache_lookup(248)
  stat_cache_lookup: lookup succeeded for name [TESTFOLDER] - [testfolder]
[2007/01/30 15:03:33, 2] smbd/dosmode.c:unix_mode(70)
  unix_mode(testfolder) inheriting from .
[2007/01/30 15:03:33, 2] smbd/dosmode.c:unix_mode(78)
  unix_mode(testfolder) inherit mode 40770
[2007/01/30 15:03:33, 3] smbd/dosmode.c:unix_mode(121)
  unix_mode(testfolder) returning 0760
[2007/01/30 15:03:33, 10] smbd/open.c:open_file_ntcreate(1110)
  open_file_ntcreate: fname=testfolder, dos_attrs=0x80 access_mask=0x20089 share_access=0x7 create_disposition = 0x1 create_options=0x0 unix mode=0760 oplock_request=3
[2007/01/30 15:03:33, 8] smbd/dosmode.c:dos_mode(300)
  dos_mode: testfolder
[2007/01/30 15:03:33, 8] smbd/dosmode.c:dos_mode_from_sbuf(167)
  dos_mode_from_sbuf returning d
[2007/01/30 15:03:33, 8] smbd/dosmode.c:dos_mode(334)
  dos_mode returning d
[2007/01/30 15:03:33, 10] smbd/open.c:open_file_ntcreate(1278)
  open_file_ntcreate: fname=testfolder, after mapping access_mask=0x20089
[2007/01/30 15:03:33, 5] smbd/files.c:file_new(128)
  allocated file structure 537, fnum = 4633 (2 used

[Samba] Samba ACL bug?

2007-01-25 Thread H.Kitagawa

Hello,
My name is Hiro.

I'm using samba 3.0.21b-2(acl) and RHEL4.1(kernel 2.6.9-11.ELsmp) + AD Server

Following problem:
When the attribute of the group of the folder was set to full control twice,
the members of the group became unable to access it.

I want to know whether this problem is a BUG or SPEC.

One example

[smb.conf]
 security = ADS
 acl check permissions = no
 acl group control = no
 acl map full control = yes
 inherit acls = yes

[User]
 [EMAIL PROTECTED] [uid=1([EMAIL PROTECTED]) gid=1([EMAIL PROTECTED] 
users) groups=1([EMAIL PROTECTED] users)]
 [EMAIL PROTECTED] [uid=10002([EMAIL PROTECTED]) gid=1([EMAIL PROTECTED] 
users) groups=1([EMAIL PROTECTED] users)]

STEP1. The folder was made using Windows Explorer.

ACL state is as follows. 
[EMAIL PROTECTED] pub]# getfacl testfolder
# file: testfolder
# owner: [EMAIL PROTECTED]
# group: [EMAIL PROTECTED]
user::rwx
group::rwx
other::---

STEP2. The folder attribute is changed from the security tab.

Domain Users(KITA\Domain Users)
  →full control checked and execute.

[EMAIL PROTECTED] pub]# getfacl testfolder
# file: testfolder
# owner: [EMAIL PROTECTED]
# group: [EMAIL PROTECTED]
user::rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:other::---

At this point, the member of the Domain Users group can access the 
testfolder. 

STEP3. The folder attribute is changed again.

Domain Users(KITA\Domain Users)
  →full control checked and execute.

[EMAIL PROTECTED] pub]# getfacl testfolder
# file: testfolder
# owner: [EMAIL PROTECTED]
# group: [EMAIL PROTECTED]
user::rwx
mask::rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:[EMAIL PROTECTED]:rwx
default:mask::rwx
default:other::---

Then, the members of the Domain Users group became unable to access the folder.

[EMAIL PROTECTED] pub]# smbclient '//sambaSV/SMBpublic' -U fjsv003
Password:
Domain=[KITA] OS=[Unix] Server=[Samba 3.0.21b-2]
smb: \ cd testfolder
smb: \testfolder\ ls
NT_STATUS_ACCESS_DENIED listing \testfolder\*

32768 blocks of size 131072. 30551 blocks available
smb: \testfolder\ cd ..

***
Hironori KITAGAWA

Japan
***

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
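
As an added illustration (not code from the original posts or from Samba), the sketch below parses Linux `getfacl` text like the STEP2 and STEP3 listings above, checks the access entries against the acl(5) validity rules, and runs the acl(5) access check, which never consults `default:` entries. The names `alice`, `bob` and `domusers` are constructed stand-ins for the redacted identities; the fall-through to `other::---` it shows for STEP3 is consistent with the reported denial but is not a confirmed diagnosis.

```python
"""Validate and evaluate a POSIX.1e access ACL taken from Linux getfacl text.
Added example: alice, bob and domusers are constructed stand-in names."""
from collections import Counter

# Constructed copies of the STEP2 and STEP3 listings.
STEP2 = """\
# file: testfolder
# owner: alice
# group: domusers
user::rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:other::---
"""
STEP3 = """\
# file: testfolder
# owner: alice
# group: domusers
user::rwx
mask::rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:domusers:rwx
default:mask::rwx
default:other::---
"""


def parse_getfacl(text):
    """Split getfacl output into owner, group, access and default entries."""
    acl = {"owner": None, "group": None, "access": [], "default": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):                      # "# owner: alice" style header
            key, _, value = line[1:].partition(":")
            if key.strip() in ("owner", "group"):
                acl[key.strip()] = value.strip()
            continue
        line = line.split("#", 1)[0].strip()          # drop "#effective:" notes
        if not line:
            continue
        fields = line.split(":")
        scope = "access"
        if fields[0] == "default":
            scope, fields = "default", fields[1:]
        if len(fields) != 3:
            raise ValueError(f"unparseable ACL entry: {raw!r}")
        tag, qualifier, perms = fields
        acl[scope].append((tag, qualifier, frozenset(perms) - {"-"}))
    return acl


def validate(entries):
    """Return the acl(5) validity rules that this entry list breaks."""
    counts = Counter((tag, qualifier) for tag, qualifier, _ in entries)
    problems = []
    for tag in ("user", "group", "other"):
        if counts[(tag, "")] != 1:
            problems.append(f"need exactly one {tag}:: entry, found {counts[(tag, '')]}")
    named = [k for k in counts if k[0] in ("user", "group") and k[1]]
    masks = counts[("mask", "")]
    if masks > 1 or (named and masks != 1):
        problems.append(f"need {'exactly' if named else 'at most'} one mask:: entry, found {masks}")
    problems += [f"duplicate {t}:{q} entry" for t, q in named if counts[(t, q)] > 1]
    return problems


def check_access(acl, uid, gids, want):
    """acl(5) access check. Only access entries are read, never default: ones."""
    by = {}
    for tag, qualifier, perms in acl["access"]:
        by.setdefault((tag, qualifier), perms)        # first duplicate wins (a choice of this sketch)
    want = set(want)
    mask = by.get(("mask", ""))
    def masked(perms):
        return perms if mask is None else perms & mask
    if uid == acl["owner"]:
        return want <= by.get(("user", ""), frozenset())
    if ("user", uid) in by:
        return want <= masked(by[("user", uid)])
    hits = [by[("group", g)] for g in gids if ("group", g) in by]
    if acl["group"] in gids and ("group", "") in by:
        hits.append(by[("group", "")])
    if hits:                                          # some group entry matched
        return any(want <= masked(p) for p in hits)
    return want <= by.get(("other", ""), frozenset())


if __name__ == "__main__":
    for name, text in (("STEP2", STEP2), ("STEP3", STEP3)):
        acl = parse_getfacl(text)
        print(name, validate(acl["access"]) or "valid", check_access(acl, "bob", {"domusers"}, "rx"))
```

The parser expects the three-field Linux entry format shown in this thread; the two-field Solaris form (`mask:rwx`) is rejected with a `ValueError`.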


[Samba] samba ACL questions

2006-09-27 Thread Graham, David
Greetings, 

 

I seem to have Samba+AD+ACL's working on a RH ES4 server; however, I'm
looking for clarification in regard to how the ACL's differ between
windows and samba... or if they differ?

 

With Windows ACLs, I can give a user permission to traverse a directory,
but not read its contents. Then I can give said user more permissions to
a subfolder's contents.  Meaning: I don't want a user to see what is in
\\files1\IS but I want to give them permissions
to the contents of \\files1\IS\meetingminutes. I can't seem to get this to work
with Samba.

 

I suppose one could always create another share, but it's really not the
ideal solution when this has to be done in many scenarios.

 

I am running RH ES4, and from my searching for the answer to this, I
recall reading that the Linux POSIX specifications aren't as robust as
NTFS's, would this be correct to assume this is why samba doesn't seem
to be able to use the traverse security permission?

 

 

Any insight is appreciated.

-dg



Re: [Samba] samba ACL questions

2006-09-27 Thread Aaron Kincer

David,

I think you'll find this document helpful. I do not know for certain if the
permissions are the same on Linux, but it _should_ be.

http://docs.hp.com/en/B8725-90101/ch03s04.html

On 9/27/06, Graham, David [EMAIL PROTECTED] wrote:


Greetings,



I seem to have Samba+AD+ACL's working on a RH ES4 server; however, I'm
looking for clarification in regard to how the ACL's differ between
windows and samba... or if they differ?



With Windows ACLs, I can give a user permission to traverse a directory,
but not read its contents. Then I can give said user more permissions to
a subfolder's contents.  Meaning: I don't want a user to see what is in
\\files1\IS but I want to give them permissions
to the contents of \\files1\IS\meetingminutes. I can't seem to get this to work
with Samba.



I suppose one could always create another share, but it's really not the
ideal solution when this has to be done in many scenarios.



I am running RH ES4, and from my searching for the answer to this, I
recall reading that the Linux POSIX specifications aren't as robust as
NTFS's, would this be correct to assume this is why samba doesn't seem
to be able to use the traverse security permission?





Any insight is appreciated.

-dg



[Samba] Samba + (ACL=off)

2006-07-04 Thread TSZ

Hello,

Could you tell me whether I am right in this case: I am not able to add
users/groups other than the Unix ones (owner, owner's group and others) to
folders/files localized on the Samba server, despite doing that as root from
an XP client station. I also work without nt acl support = off. Is this
normal? I am asking because, when I try to change folder rights and I
click the Add button, I receive an error: ...my domain.. couldn't be found.
This happens only with folders/files on the Samba server; there is no
problem with folders on XP client stations.


--
Regards,
Filip Zeniawski



[Samba] Samba + (ACL=off)

2006-07-03 Thread TSZ

Hello,

Sorry if you have received this message already, but I have a problem with
my email service.


Could you tell me whether I am right in this case: I am not able to add
users/groups other than the Unix ones (owner, owner's group and others) to
folders/files localized on the Samba server, despite doing that as root from
an XP client station. I also work without nt acl support = off. Is this
normal? I am asking because, when I try to change folder rights and I
click the Add button, I receive an error: ...my domain.. couldn't be found.
This happens only with folders/files on the Samba server; there is no
problem with folders on XP client stations.


--
Regards,
Filip Zeniawski


[Samba] Samba ACL and Krb5.

2005-09-16 Thread Meli Marco
Hi,
I have FC3 with samba-3.0.10-1.fc3, samba-common and samba-client joined to
Windows 2003 AD with the following libraries installed:
ldd /usr/sbin/winbindd 
libcrypt.so.1 => /lib/libcrypt.so.1 (0xf6e14000)
libresolv.so.2 => /lib/libresolv.so.2 (0xf6e0)
libnsl.so.1 => /lib/libnsl.so.1 (0xf6de9000)
libdl.so.2 => /lib/libdl.so.2 (0xf6de5000)
libpopt.so.0 => /usr/lib/libpopt.so.0 (0xf6dde000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0xf6dca000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xf6d65000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0xf6d44000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0xf6d4)
libldap-2.2.so.7 => /usr/lib/libldap-2.2.so.7 (0xf6d0f000)
liblber-2.2.so.7 => /usr/lib/liblber-2.2.so.7 (0xf6d03000)
libc.so.6 => /lib/tls/libc.so.6 (0xf6bdc000)
/lib/ld-linux.so.2 (0xf6e4f000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xf6bc8000)
libssl.so.4 => /lib/libssl.so.4 (0xf6b93000)
libcrypto.so.4 => /lib/libcrypto.so.4 (0xf6aab000)
libz.so.1 => /usr/lib/libz.so.1 (0xf6a9b000)

Kerberos 1.3.4-7 was already installed with the distribution and the related
file /etc/krb5.conf is configured as follows:
[libdefaults]
 default_realm = SINTER.GKN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 SINTER.GKN.COM = {
  kdc = krb5srv.sinter.gkn.com:88
  admin_server = krb5srv.sinter.domain.com:749
  default_domain = sinter.gkn.com
 }

[domain_realm]
 .sinter.gkn.com = SINTER.GKN.COM
 sinter.gkn.com = SINTER.GKN.COM

I have set /etc/nsswitch: 
passwd: files winbind
shadow: files winbind
group:  files winbind

I have configured /etc/samba/smb.conf:
[global]
netbios name = MYNAME
os level = 16
wins server = xxx.xxx.xxx.xxx
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
unix charset = LOCALE
workgroup = GKNSMI
realm = SINTER.GKN.COM
security = ADS
password server = krb5srv.sinter.gkn.com
encrypt passwords = yes
allow trusted domains = Yes
winbind use default domain = Yes
winbind separator = /
winbind enum users = Yes
winbind enum groups = Yes
idmap uid = 1-10
idmap gid = 1-10
hide unreadable = Yes
template shell = /bin/false
use sendfile = Yes
printer admin = 
admin users = 
log file = /var/log/samba/log.%m
log level = 1 auth:10 sam:10
max log size = 50
nt acl support = Yes
map acl inherit = Yes
[data]
comment = DATA repository
path = /data
read only = No
create mask = 0775
security mask = 0777
force security mode = 0
directory mask = 0775
directory security mask = 0777
force directory security mode = 0
dos filetimes = yes
 
In the data repository I have one folder named /user.
In it I have put every user's folder, named after the username.
Using ACLs I have set complete control for each user only, so they can
enter the /user folder and see only their personal folder. Unix permissions
similar to the ACL permissions are set as below:

Unix permissions:
drwxr-x---+ 3 mabritta root 27 Sep 15 15:54 mabritta.

ACL permissions:
# file: mabritta
# owner: mabritta
# group: root
user::rwx
group::r-x
other::---
default:user::rwx
default:user:mabritta:rwx
default:group::r-x
default:mask::rwx
default:other::---

So I expected that it would work as I thought; instead, if I log in with this username
(mabritta) and reach the user repository, I can't see any folder. I have
also tried with the smbclient tool and it seems to work fine, also if I connect with
a Win9x workstation, and in the previous situation when I was connected to
an NT4 PDC it worked fine.
Previously I had installed Samba on RH9 with krb5-1.2.27, while the Samba
documentation recommended krb5-1.3.1, so I decided to jump to FC3, but
the problem, in my opinion related to Kerberos, persists.

Thanks.
Marco.



Re: [Samba] Samba ACL and '+' on a 'ls - l'

2005-07-28 Thread Arnold . O . Andrews
 Dear Guys,

 I have noticed that one of our domain users folder in
 /var/lib/samba/profiles has a '+' on the end  of their username folder
 and all the files in their profile too.

 I know this is to do with ACL's and I know Samba can translate Windows
 ACL's to filesystem acls, but where can I find out where/how they are
 getting created and remove them.

 They should be no different than anyone else.

 Although, all the users are set up as Admins on their own computer, but
 no one else seems to be picking up or have a '+' sign on a 'ls -l'


I can only speak for what the commands to handle ACL's are for Solaris:
getfacl (to see what the current settings on a file or directory are), and
setfacl (to set ACL settings).

If those aren't the same commands used on your Samba server's OS to handle
ACL settings, try using apropos acl to see a list of man pages regarding
acl's.

Anyway, I recently found myself wanting to remove ACL settings acquired
from granting permissions through windows myself.  I found that I had to
use setfacl to replace the ACL entries and reset them to standard type
entries in order to lose the + sign (signifying that there are additional
ACL entries on a file).

Setting the permissions on a file or directory with chmod alone is not
enough to clear the ACLs.

Example:  I have a file that has ACL's set:

% ls -l acl_test
-rw-r--r--+  1 user1usergroup 0 Jul 28 08:31 acl_test

% getfacl acl_test

# file: acl_test
# owner: user1
# group: DGROUP
user::rw-
user:user2:rwx#effective:rwx
group::r--  #effective:r--
mask:rwx
other:r--

(In the example above, the ACL's shown grant user2 full access to the
file, even though user2 is not the owner.)

Clearing the permissions from the file does not (completely) remove the ACL
setting.

% chmod 000 acl_test
% ls -l acl_test
----------+  1 user1usergroup 0 Jul 28 08:31 acl_test

To get rid of the + sign altogether, use setfacl with the -s option to
reset the permission:

% setfacl -s u::rw-,g::r--,o:r-- acl_test
% ls -l acl_test
-rw-r--r--   1 user1usergroup 0 Jul 28 08:31 acl_test


As you can see, the ACL's have been replaced by default entries (as if
chmod was the only thing that ever touched it).

Hope that helps.

Regards,

Arnold Andrews
Sr. Systems Administrator
Seagate Technology












[Samba] Samba ACL and '+' on a 'ls - l'

2005-07-27 Thread Paul Henry
Dear Guys,

I have noticed that one of our domain users folder in
/var/lib/samba/profiles has a '+' on the end  of their username folder
and all the files in their profile too.

I know this is to do with ACL's and I know Samba can translate Windows
ACL's to filesystem acls, but where can I find out where/how they are
getting created and remove them.

They should be no different than anyone else.

Although, all the users are set up as Admins on their own computer, but
no one else seems to be picking up or have a '+' sign on a 'ls -l'

Thanks,

Paul


[Samba] Samba + ACL, rights are disappearing ?

2005-06-16 Thread brennion
Hi,

I'm running  Samba 3.0.14a on Debian Sarge,
The Samba server is member of a windows2000 Domain, named NT1

The problem I have is that, when setting up the rights on a directory and
checking the option to change the rights on the subdirectories and files,
after a while the rights are no longer there, and I have to set them again...

Hope somebody can help me...

[global]

unix charset = LOCALE
workgroup = NT1
realm = NT1.LOCAL
server string = Linux Datei Server

security = ADS
#winbind use default domain = yes
#username map = /etc/samba/smbusers

acl compatibility = win2k
nt acl support = Yes

#Log
log level = 1
syslog = 0

ldap ssl = no
idmap uid = 1-2
idmap gid = 1-2
template primary group = Benutzer
template shell = /bin/bash
winbind separator = +
#password server = nt5 bdc
encrypt passwords = true

printcap name = CUPS
printing = cups

[User]
path=/home/samba/users/%U
create mask = 0755
browseable=yes
writeable=yes
   # valid users = @Domnen-Benutzer
admin users = NT1+Administrator



Re: [Samba] Samba + ACL, rights are disappearing ?

2005-06-16 Thread Holger Wesser
Maybe this helps:

http://lists.samba.org/archive/samba/2005-May/105227.html

Greets,
Holger

On Thursday, 16 June 2005 16:10, [EMAIL PROTECTED] wrote:
 Hi,

 I'm running  Samba 3.0.14a on Debian Sarge,
 The Samba server is member of a windows2000 Domain, named NT1

 Problem that I have is that, when setting up the rights on a directory, and
 checking the option to change the rights on the subdirectories and files,
 after a while the rights are no more here, and I have to set them new...

 Hope somebody can help me...

 [global]

 unix charset = LOCALE
 workgroup = NT1
 realm = NT1.LOCAL
 server string = Linux Datei Server

 security = ADS
 #winbind use default domain = yes
 #username map = /etc/samba/smbusers

 acl compatibility = win2k
 nt acl support = Yes

 #Log
 log level = 1
 syslog = 0

 ldap ssl = no
 idmap uid = 1-2
 idmap gid = 1-2
 template primary group = Benutzer
 template shell = /bin/bash
 winbind separator = +
 #password server = nt5 bdc
 encrypt passwords = true

 printcap name = CUPS
 printing = cups

 [User]
 path=/home/samba/users/%U
 create mask = 0755
 browseable=yes
 writeable=yes
# valid users = @Domnen-Benutzer
 admin users = NT1+Administrator


Re: [Samba] Samba + ACL cosmetic improvement?

2004-07-15 Thread Tom Dickson
Hmmm. Silly SNAP systems do what I want (squash everyone if it is
---). Anyone know what modifications they make to Samba?
I'm using GuardianOS 3.0.099, and it seems to have some extended ACLs
that I don't recognize.
user::rwxdpo
user:admin:rwxdpo
group::--
group:admin:rwxdpo
mask::rwxdpo
other::r-x---
default:user::rwxdpo
default:user:admin:rwxdpo
default:group::--
default:group:admin:rwxdpo
default:mask::rwxdpo
default:other::r-x---
rruegner wrote:
| Hi,
| you got the same problem, many win admins have,
| removing group everyone happens everywhere( in this group is everyone g
| )in big windows hosting active dir companies, this makes their helpdesks
| crazy *g.
| Also deny permissions functions are simply a hoax by ms
| I know windows book writers which have no real answer and say simply
| don't use it, maybe you are able to make cosmetic debugging with samba
| about that but you will see another kind of problem will come up *g
| So I wouldn't invest too much time in debugging a feature which is simply
| rubbish from the creators of win and makes trouble in purely win networks
| too
| Best Regards
|
|
| Tom Dickson wrote:
|
| My users are complaining that to remove Everyone permissions from a
| folder's ACL they have to Deny all permissions. This causes a Windows
| warning to appear: You have denied everyone access to New Folder. No
| one will be able to access New Folder and only the owner will be able to
| change the permissions. Do you wish to continue?
|
| This is confusing, because world permissions of --- will NOT prevent
| other groups assigned either as the default group or in the POSIX ACL
|
| from working.
|
|
|
| What I'd like to see is the following improvements. If the Everyone
| group is removed by the Windows security editor, Samba sets world
| permissions to ---. If the Everyone group is added, then Samba
| modifies world permissions accordingly. And if the world or default
| group permissions are ---, Samba does not display them in the Windows
| ACL dialog.
|
| Are there any objections why this wouldn't work? I'm tired of explaining
| that the deny button really isn't denying everybody, and why the Domain
| Users group cannot be removed, etc.
|
| (using 2.4.26 bestbits XFS+ACL, Samba 3.0.2a)
|
| -Tom
| .


Re: [Samba] Samba + ACL cosmetic improvement?

2004-07-13 Thread rruegner
Hi,
you got the same problem, many win admins have,
removing group everyone happens everywhere( in this group is everyone g 
)in big windows hosting active dir companies, this makes their helpdesks 
crazy *g.
Also deny permissions functions are simply a hoax by ms
I know windows book writers which have no real answer and say simply
don't use it, maybe you are able to make cosmetic debugging with samba
about that but you will see another kind of problem will come up *g
So I wouldn't invest too much time in debugging a feature which is simply 
rubbish from the creators of win and makes trouble in purely win networks too
Best Regards

Tom Dickson wrote:
My users are complaining that to remove Everyone permissions from a
folder's ACL they have to Deny all permissions. This causes a Windows
warning to appear: You have denied everyone access to New Folder. No
one will be able to access New Folder and only the owner will be able to
change the permissions. Do you wish to continue?
This is confusing, because world permissions of --- will NOT prevent
other groups assigned either as the default group or in the POSIX ACL
from working.

What I'd like to see is the following improvements. If the Everyone
group is removed by the Windows security editor, Samba sets world
permissions to ---. If the Everyone group is added, then Samba
modifies world permissions accordingly. And if the world or default
group permissions are ---, Samba does not display them in the Windows
~   ACL dialog.
Are there any objections why this wouldn't work? I'm tired of explaining
that the deny button really isn't denying everybody, and why the Domain
Users group cannot be removed, etc.
(using 2.4.26 bestbits XFS+ACL, Samba 3.0.2a)
-Tom


[Samba] Samba + ACL cosmetic improvement?

2004-07-12 Thread Tom Dickson
My users are complaining that to remove Everyone permissions from a
folder's ACL they have to Deny all permissions. This causes a Windows
warning to appear: You have denied everyone access to New Folder. No
one will be able to access New Folder and only the owner will be able to
change the permissions. Do you wish to continue?
This is confusing, because world permissions of --- will NOT prevent
other groups assigned either as the default group or in the POSIX ACL
from working.
What I'd like to see is the following improvements. If the Everyone
group is removed by the Windows security editor, Samba sets world
permissions to ---. If the Everyone group is added, then Samba
modifies world permissions accordingly. And if the world or default
group permissions are ---, Samba does not display them in the Windows
~   ACL dialog.
Are there any objections why this wouldn't work? I'm tired of explaining
that the deny button really isn't denying everybody, and why the Domain
Users group cannot be removed, etc.
(using 2.4.26 bestbits XFS+ACL, Samba 3.0.2a)
-Tom


[Samba] Samba + ACL

2004-07-05 Thread Marco Gavaldo
Could you explain how I should use the NT Server Manager Tool? (I don't know
it)

Thanks.



[Samba] Samba + ACL

2004-07-02 Thread Marco Gavaldo
I wish to realize a file-server with SAMBA integrated in my network domain
(Windows NT4 PDC).
To manage the user access for each share in the Samba file-server, I would
use Active Control Lists.

Anyone can tell me
- what type and version of Linux is best for my purpose ?
- what Samba version is best to use ?

Thanks. Marco



Re: [Samba] Samba + ACL

2004-07-02 Thread Matthias Spork
Marco Gavaldo wrote:
I wish to realize a file-server with SAMBA integrated in my network domain
(Windows NT4 PDC).
To manage the user access for each share in the Samba file-server, I would
use Active Control Lists.
 

ACCESS Control Lists
Anyone can tell me
- what type and version of Linux is best for my purpose ?
- what Samba version is best to use ?
 

Samba supports the standard POSIX Linux  ACL's.
You have to use Samba 304, because it is the productivity release.
matze


RE: [Samba] Samba + ACL

2004-07-02 Thread Mark Lidstone
Hi Marco,

Here's what I've learned over the past few days setting something
similar up:

1) The 2.6 series kernel supports ACLs on ext3, xfs and other
filing systems.  2.4 can support them if you install the bestbits
patches.
2) Samba 3 seems to work pretty well with ACLs, but that's the
only version I've used.

If you're interested, my setup is Samba 3.0.4 on Fedora Core 2 using yum
to update the kernel and it works fine.

I hope this helps,

Mark Lidstone
IT and Network Support Administrator

BMT SeaTech Ltd
Grove House, Meridians Cross, 7 Ocean Way
Ocean Village, Southampton.  SO14 3TJ. UK
Tel: +44 (0)23 8063 5122 
Fax: +44 (0)23 8063 5144

E-Mail:  mailto:[EMAIL PROTECTED]
Website: www.bmtseatech.co.uk

  

-Original Message-
From: Marco Gavaldo [mailto:[EMAIL PROTECTED] 
Sent: 02 July 2004 10:11
To: [EMAIL PROTECTED]
Subject: [Samba] Samba + ACL


I wish to realize a file-server with SAMBA integrated in my network
domain (Windows NT4 PDC). To manage the user access for each share in
the Samba file-server, I would use Active Control Lists.

Anyone can tell me
- what type and version of Linux is best for my purpose ?
- what Samba version is best to use ?

Thanks. Marco



RE: [Samba] Samba + ACL

2004-07-02 Thread Simon Oliver
 If you're interested, my setup is Samba 3.0.4 on Fedora Core 
 2 using yum to update the kernel and it works fine.

yum?




RE: [Samba] Samba + ACL - Heading OT

2004-07-02 Thread Mark Lidstone
Automated update system supplied with Fedora.  Kinda like the RHN, but
free and more up to date version-wise, but without the package checking
done by Redhat.

If you're running Fedora and it's installed, typing "yum update <package
name>" will update a package to the latest version on your downloads
site (it defaults to download.fedora.redhat.com), "yum install <package
name>" installs a package you haven't currently got installed, "yum
remove <package name>" removes it and "yum update" will attempt to
update all the packages on your machine.

The last time I looked a couple of days ago, the latest version that
Redhat were giving of Samba was 3.0.3, but that might have changed now.

I know it's a lazy way of doing things, but it saves me a lot of time.

I'm a little worried that this is going a bit OT for the list, so if
anyone wants any more information, just email me directly.

Finally a quick google search finds you plenty of information on it.

I hope this helps,

Mark Lidstone
IT and Network Support Administrator

BMT SeaTech Ltd
Grove House, Meridians Cross, 7 Ocean Way
Ocean Village, Southampton.  SO14 3TJ. UK
Tel: +44 (0)23 8063 5122 
Fax: +44 (0)23 8063 5144

E-Mail:  mailto:[EMAIL PROTECTED]
Website: www.bmtseatech.co.uk

  

-Original Message-
From: Simon Oliver [mailto:[EMAIL PROTECTED] 
Sent: 02 July 2004 14:09
To: Mark Lidstone
Cc: [EMAIL PROTECTED]
Subject: RE: [Samba] Samba + ACL


 If you're interested, my setup is Samba 3.0.4 on Fedora Core
 2 using yum to update the kernel and it works fine.

yum?




Re: [Samba] Samba + ACL - OT

2004-07-02 Thread Paul Gienger

Malte Woelky wrote:
Hallo,
Friday, July 2, 2004, 3:09:26 PM, you wrote:
 

If you're interested, my setup is Samba 3.0.4 on Fedora Core 
2 using yum to update the kernel and it works fine.
 

SO yum?
Yellowdog Update Manager - Fedora update tool
 

Actually, that's  'Yellow dog Updater, Modified', and not distro 
specific.  From the home page at http://linux.duke.edu/projects/yum/ :

Yum is an automatic updater and package installer/remover for rpm 
systems. It automatically computes dependencies and figures out what 
things should occur to install packages. It makes it easier to maintain 
groups of machines without having to manually update each one using rpm.

--
Paul Gienger                     Office: 701-281-1884
Applied Engineering Inc.         Cell:   701-306-6254
Information Systems Consultant   Fax:    701-281-1322
URL: www.ae-solutions.com        mailto:[EMAIL PROTECTED]


Re: [Samba] Samba + ACL backup solution

2004-06-15 Thread Stephen Kuhn
On Tue, 2004-06-15 at 21:42, Hamish wrote:
 Hello all
 I am looking for a good backup solution for samba shares, I do not mean 
 to start a jihad between rival backup religions, but I would appreciate 
 any suggestions.
 I have tried star and love it, unfortunately there does not seem to be a 
 gui or any frontend that can be used with it (it needs to be available 
 to a couple of GUI-only (read as windows admin) people).
 Thanks again,
 Hamish

Er, Hamish - what about using Webmin - which can be accessed from any
machine, any browser, any OS on the network...eh?

stephen kuhn - proprietor
==
illawarra computer services
a kuhn media australia company
http://kma.0catch.com
mobile: 0410.728.389
--
21:46:59 up 2 days, 2:10, 4 users, load average: 0.27, 0.20, 0.13
--
  * This message was composed on a 100% Microsoft free computer *
  We expressly refuse to utilise Microsoft DRM encoded documents
--
This email is virus-free because we don't use Microsoft products

It is the business of the future to be dangerous. -- Hawkwind



Re: [Samba] Samba + ACL backup solution

2004-06-15 Thread Hamish
I did not know that webmin had a module to backup files as well as ACLs
(all I could find was a dump module), could you give me a url to get the
module from pls?

Stephen Kuhn wrote:
On Tue, 2004-06-15 at 21:42, Hamish wrote:
 

Hello all
I am looking for a good backup solution for samba shares, I do not mean 
to start a jihad between rival backup religions, but I would appreciate 
any suggestions.
I have tried star and love it, unfortunately there does not seem to be a 
gui or any frontend that can be used with it (it needs to be available 
to a couple of GUI-only (read as windows admin) people).
Thanks again,
Hamish
   

Er, Hamish - what about using Webmin - which can be accessed from any
machine, any browser, any OS on the network...eh?
stephen kuhn - proprietor
==
illawarra computer services
a kuhn media australia company
http://kma.0catch.com
mobile: 0410.728.389
--
21:46:59 up 2 days, 2:10, 4 users, load average: 0.27, 0.20, 0.13
--
 * This message was composed on a 100% Microsoft free computer *
 We expressly refuse to utilise Microsoft DRM encoded documents
--
This email is virus-free because we don't use Microsoft products
It is the business of the future to be dangerous. -- Hawkwind
 



[Samba] Samba + ACL

2003-08-28 Thread Luciano Andre Baramarchi
hi,

I'm using samba with acl on AIX and FreeBSD systems. But, when I copy or
move files from a Windows 2000 Share to the Samba Share I lose the
privileges of those files/folders. Is there a solution for it?

Thanks,

mAnEh ...

Ps.: Sorry, but I don't speak English  :) ...



[Samba] Samba + acl + Domain Admins

2003-07-17 Thread Vladimir Nikolic
Hi!

I am running samba-2.2.7a with winbind and acl. I've setup share with 
default owner 'administrator' and group owner 'Domain Admins' and let 
access to others through acl. Trouble is, when some user from 'Domain 
Admins' group changes some file, he also changes user and group owner to 
'his_username' and 'Domain Users'. I've checked smb.conf and there is:

domain admin group =
admin users =
which means that no one has rights to change file ownerships.
What is wrong then?
Thanks



[Samba] Samba ACL support

2003-07-15 Thread Christos E. Chrisostomidis
Dear All,

I am running samba 2.2.7-5  on a RH 8.0 box with 2.4.20-18 kernel and
I am trying to migrate a Win2K Server to Samba.
The samba RPM has --with-acl-support activated.
I manually add all the net users into the samba box using the command

useradd -s /bin/false -d /dev/null -m username

and then I transfer them into samba. Having specified:

workgroup = our_workgroup
netbios name = Server Name
security = user
encrypt passwords = yes
nt acl support = yes
etc.
[share_name_1]
path = ..
valid users = 
etc.

in the smb.conf and creating the appropriate top level shares with the
corresponding users
everything works very well. Users can have where they supposed to.
The old Win2K server has a very different structure looking something
like:


However, I cannot change share permissions from a Win2K client (or WinXP
client).





Re: [Samba] Samba ACL

2002-12-11 Thread Kip Cartwright
Waider,
Would you mind commenting further on what you had to do to get RedHat 8.0
support ACLs.

Thanks
K.C.





Re: [Samba] Samba ACL

2002-12-11 Thread Ronan Waide
On December 11, [EMAIL PROTECTED] said:
 Waider,
 Would you mind commenting further on what you had to do to get RedHat 8.0
 support ACLs.
 
 Thanks
 K.C.

Sure:
* Download kernel SRPM
* Modify patches[1]
* Spend several hours rebuilding kernel packages

[1] is obviously the tricky bit. I'm testing out the modified patches
at the moment, plus I've offered them to the bestbits guy but not yet
received a reply. I'll stick 'em on my website tomorrow at some point
and post the URL here for interested parties.

Note, I've done this for Red Hat 7.3 but since the kernel versions are
the same (2.4.18-18) I think the patches will apply easily enough to
the Red Hat 8.0 SRPM.

Cheers,
Waider.
-- 
[EMAIL PROTECTED] / Yes, it /is/ very personal of me.

Life sucks. Get a helmet.
 - Denis Leary, as quoted by Susan Witterick on It never rains, it POURS.



Re: [Samba] Samba ACL

2002-12-08 Thread Ronan Waide
On December 7, [EMAIL PROTECTED] said:
 No, the option/s/ are all enabled in the kernel. What's missing, I
 think, is all the rest of the support: libacl, libattr, patched
 fileutils, etc. I'm currently rebuilding various bits and pieces to
 see if I can make it work without too much grief.

Okay, clarifying my clarification. The ACL defs are in the main
configuration section, but none of the patches in the rest of the
kernel tree appear to be present. Drat.

Cheers,
Waider.
-- 
[EMAIL PROTECTED] / Yes, it /is/ very personal of me.
That's something tas mentioned in passing once or twice...DSP, so
 what is it? If it's anything to do with the glorious Limerick era
 then David's probably better off out of it. - Dalton Moloney 29/03/1996



Re: [Samba] Samba ACL

2002-12-07 Thread Ronan Waide
On December 3, [EMAIL PROTECTED] said:
 
 So it looks like the option is turned on in the kernel config, but the 
 patch is not actually in the kernel.

No, the option/s/ are all enabled in the kernel. What's missing, I
think, is all the rest of the support: libacl, libattr, patched
fileutils, etc. I'm currently rebuilding various bits and pieces to
see if I can make it work without too much grief.

Cheers,
Waider.
-- 
[EMAIL PROTECTED] / Yes, it /is/ very personal of me.

Turtles. Big, green turtles. - Orla



Re: [Samba] Samba ACL

2002-12-04 Thread Klein, Stefan
On Tue, 3 Dec 2002 19:14:01 +
Ronan Waide [EMAIL PROTECTED] wrote:

 On December 3, [EMAIL PROTECTED] said:
  acls can work with ext2/ext3 but you have to apply the patches from
  bestbits.
  
  xfs is a better choice and has the acl stuff built in.
 
 Actually, RedHat's recent precompiled kernels appear to have acls
 enabled by default.

I installed RedHat 8.0 and acl on ext2/3 didn't work, with the precompiled
Kernel from SGI and xfs acl work fine.

-- 
regards,
Stefan Klein



Re: [Samba] Samba ACL

2002-12-04 Thread Ronan Waide
On December 4, [EMAIL PROTECTED] said:
 
  Actually, RedHat's recent precompiled kernels appear to have acls
  enabled by default.
 
 I installed RedHat 8.0 and acl on ext2/3 didn't work, with the precompiled
 Kernel from SGI and xfs acl work fine.

Yup, this is why I said appear to have rather than have.

Cheers,
Waider.
-- 
[EMAIL PROTECTED] / Yes, it /is/ very personal of me.

AjD feels frustrated in his attempts to establish the delinitations of
  horror in puppy-burying.



[Samba] Samba ACL

2002-12-03 Thread Saulius Gurklys
Hello,
 short and maybe stupid question - can samba work with ACL when
fs is ext2 (ext3)? (I think no, but not sure) If NO what file system I need
to make use of ACLs?

Thanks,
--
Saulius




Re: [Samba] Samba ACL

2002-12-03 Thread Ronan Waide
On December 3, [EMAIL PROTECTED] said:
 acls can work with ext2/ext3 but you have to apply the patches from
 bestbits.
 
 xfs is a better choice and has the acl stuff built in.

Actually, RedHat's recent precompiled kernels appear to have acls
enabled by default.

Cheers,
Waider.
-- 
[EMAIL PROTECTED] / Yes, it /is/ very personal of me.
The majority were fairly uncategorizable freaks, but you could tell that even
 the most normal-looking people there were still the weirdest people at their
 day job. - Jamie Zawinski



Re: [Samba] Samba ACL

2002-12-03 Thread James S. Martin
I'm not so sure about this... but looking at the changelog for Red Hat's
2.4.18-18.7.x kernel says (for RH 7.2) :


grep -B 2 -i acl kernel-2.4.spec

* Mon Aug 12 2002 Arjan van de Ven [EMAIL PROTECTED]
- ACLs removed for now because of stability and correctness problem


If you grep the config file the kernel was built with you get:

grep -i acl kernel-2.4.18-i686-smp.config
CONFIG_FS_POSIX_ACL=y
CONFIG_EXT3_FS_POSIX_ACL=y

 grep -i xatt kernel-2.4.18-i686-smp.config
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_XATTR_SHARING=y
CONFIG_EXT3_FS_XATTR_USER=y

But if you boot with that kernel and try to mount a partition with 
acl,user_xattr options you get:

mount: wrong fs type, bad option, bad superblock on /dev/ida/c0d0p7,
   or too many mounted file systems

So it looks like the option is turned on in the kernel config, but the 
patch is not actually in the kernel.


James

Ronan Waide wrote:
On December 3, [EMAIL PROTECTED] said:


acls can work with ext2/ext3 but you have to apply the patches from
bestbits.

xfs is a better choice and has the acl stuff built in.



Actually, RedHat's recent precompiled kernels appear to have acls
enabled by default.

Cheers,
Waider.





[Samba] Samba ACL and EA problems

2002-11-06 Thread mshaw
Hello,


I'm currently experiencing a problem concerning Samba 2.2.3a which is 
running on RedHat 7.3 kernel 2.4.18 configured with ACLS.
While trying to upgrade the kernel to support LFS 2GB files, a reboot was performed 
after the successful recompilation and installation of new filesystem tools.  The 
system halted at mounting the /samba partition reporting errors on the filesystem.
The problem is e2fsck was run on ext3 partition while upgrading ACLs/EAs, and now it 
seems the inodes holding the ext_attr info inodes were cleared and have now screwed up 
the base dirs on the samba partition.
When typing 'ls' under the Samba dir the following error messages appear:

ls: .Bad Address
ls: homes: Bad Address
etc.

The problem is not letting us rm, rmdir, mv, etc.. these dirs as well as 
/homes/username dirs.

Our current work around for creating new users is to create an alternate /home dir 
which is /samba/home instead of /samba/homes.
Other than that, the users have not reported any problems.

If anybody has any ideas or input it would be greatly appreciated.
We are stuck in a bit of a pickle.  We don't know exactly how this occurred and if it 
will get any worse.

If this is unclear, please let me know.

Regards,

Matthew Shaw
Network Administrator
MarkIV Industries/IVHS Division
Phone: 905.624.7910
Fax: 905.625.6197
E-mail: 
[EMAIL PROTECTED]


[Samba] Samba ACL strange problem

2002-05-21 Thread Trong Ho

HI all,
I have installed samba 2.2.3a-6 on Linux RedHat 7.3. I have recompiled the kernel
to support ACL.
I know that samba = 2.2 supports ACL too
but it seems there is something wrong here when I got this mess.
It looks like samba does not support ACL
Is there anyone who could help me get out of this problem?
Thank You
Trong Ho
PS: attach file is my smb.conf
[root@file /]# getfacl /home/current/common
getfacl: Removing leading '/' from absolute path names
# file: home/current/common
# owner: hung
# group: users
user::rwx
user:hung:rw-
user:tin:rw-
group::---
mask::rw-
other::---

[root@file /]# smbcacls file://file/current common -U tin%tin
REVISION:1
OWNER:FILE\hung
GROUP:FILE\users
ACL:Everyone:ALLOWED/0/O
ACL:FILE\hung:ALLOWED/0/FULL
ACL:FILE\users:ALLOWED/0/RW
ACL:FILE\hung:ALLOWED/11/FULL
ACL:FILE\users:ALLOWED/11/R
ACL:Everyone:ALLOWED/11/R




