Re: [Samba] Samba + acl,user_xattr
At first, has your file system already enabled xattr? For example, are following commands successfull? # touch test.txt # setfattr -n user.test -v test test.txt # setfattr -n security.test -v test2 test.txt # getfattr -d test.txt # getfattr -n security.test -d test.txt And your Samba (smbd) is xattr-ready? For example the following commands show HAVE_*XATTR line? # smbd -b | grep SETXATTR HAVE_FSETXATTR HAVE_LSETXATTR HAVE_SETXATTR --- TAKAHASHI Motonobumo...@samba.gr.jp All commands successfull. #mount /dev/sda4 on /mnt/public type ext3 (rw,nosuid,nodev,acl,user_xattr) #cd /mnt/public #getfattr -d hello.txt # file: hello.txt user.test=test #getfattr -n security.test -d hello.txt # file: hello.txt security.test=test2 #smbd -b|grep SETXATTR HAVE_FSETXATTR HAVE_LSETXATTR HAVE_SETXATTR SAMBA ready, but don't change xattr. Very strange with my system. Also, I joined TT 8414 where is strange with file access rights. https://bugzilla.samba.org/show_bug.cgi?id=8414 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba + acl,user_xattr
From: Dmitry Mordovin d.mordo...@dwide.com Date: Fri, 16 Dec 2011 10:39:44 +0400 Now, when I try to Apply hidden attribute, popup message - Error change file attributes. Access Denied. At first, has your file system already enabled xattr? For example, are following commands successfull? # touch test.txt # setfattr -n user.test -v test test.txt # setfattr -n security.test -v test2 test.txt # getfattr -d test.txt # getfattr -n security.test -d test.txt And your Samba (smbd) is xattr-ready? For example the following commands show HAVE_*XATTR line? # smbd -b | grep SETXATTR HAVE_FSETXATTR HAVE_LSETXATTR HAVE_SETXATTR --- TAKAHASHI Motonobu mo...@samba.gr.jp -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba + acl,user_xattr
Added to global section vfs objects = acl_xattr No changes. Still dont store DOS attr. You only need acl_xattr is you want to store Windows ACLs, not DOS attrs. Have you tried using setfattr on that filesystem ? Does it work ? Jeremy. Hello Jeremy! You are right! I don't want to store Windows ACLs, need only DOS attrs (hidden file attr). What Is enough to add to my smb.conf? 'store dos attributes (S) or 'map hidden (S)' or together or else? #cat /opt/samba/smb.conf [global] pid directory = /opt/samba/run lock directory = /opt/samba/cache private dir = /opt/samba/cache log file = /opt/samba/smbd.log log level = 10 workgroup = TEST security = share show add printer wizard = no max log size = 10240 bind interfaces only = true interfaces = eth1 [homes] browseable = no printable = no [public] path = /mnt/public comment = read only = no guest ok = yes follow symlinks = no writable = yes -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba + acl,user_xattr
On Thu, Dec 15, 2011 at 12:17:21PM +0400, Dmitry Mordovin wrote: Added to global section vfs objects = acl_xattr No changes. Still dont store DOS attr. You only need acl_xattr is you want to store Windows ACLs, not DOS attrs. Have you tried using setfattr on that filesystem ? Does it work ? Jeremy. Hello Jeremy! You are right! I don't want to store Windows ACLs, need only DOS attrs (hidden file attr). What Is enough to add to my smb.conf? 'store dos attributes (S) or 'map hidden (S)' or together or else? I use: store dos attributes = yes map readonly = no map system = no map hidden = no map archive = no Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba + acl,user_xattr
Hello Jeremy! You are right! I don't want to store Windows ACLs, need only DOS attrs (hidden file attr). What Is enough to add to my smb.conf? 'store dos attributes (S) or 'map hidden (S)' or together or else? I use: store dos attributes = yes map readonly = no map system = no map hidden = no map archive = no Jeremy. Added to smb.conf Now, when I try to Apply hidden attribute, popup message - Error change file attributes. Access Denied. I suspect this due to Bug 8414 (https://bugzilla.samba.org/show_bug.cgi?id=8414) for me. Thank you. PS: With hacked version of smbd this error happens too. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba + acl,user_xattr
On Fri, Dec 09, 2011 at 04:36:51PM +0400, Dmitry Mordovin wrote: On 12/09/2011 04:26 PM, Jonathan Buzzard wrote: On Fri, 2011-12-09 at 16:05 +0400, Dmitry Mordovin wrote: [SNIP] Samba config: [global] workgroup = HOME security = share max log size = 1024 store dos attributes = yes map archive = no map read only = no map hidden = no map system = no create mode = 777 directory mode = 777 [homes] browseable = no printable = no store dos attributes = yes [public] path = /mnt/public comment = read only = no guest ok = yes follow symlinks = no store dos attributes = yes writable = yes map archive = no map read only = no map hidden = no map system = no create mode = 777 directory mode = 777 I see no vfs objects = acl_xattr in your Samba config. Without that it won't work as there is nothing telling Samba where to store the ACL information. JAB. Added to global section vfs objects = acl_xattr No changes. Still dont store DOS attr. You only need acl_xattr is you want to store Windows ACLs, not DOS attrs. Have you tried using setfattr on that filesystem ? Does it work ? Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Samba + acl,user_xattr
Hello All! Can't make Samba use acl and extended user attributes to save DOS file attributes. Please, help me configure properly. My steps on Windows XP: 1 - Open share 2 - Open property of file 1122/22.bmp 3 - Check file attribute: hidden 4 - Click Apply 5 - Click Close 6 - Open property again 7 - Attribute Hidden not checked. Samba dont save attributes!!! getfattr -d /mnt/public/1122/22.bmp Show no any attributes for 22.bmp file *Environment* Server configuration: OS: Ubuntu 10.04.3 LTS 2.6.32-36-generic Samba: 3.6.1 Share: /mnt/public Mount: /dev/sda3 on /mnt/public type ext3 (rw,acl,user_xattr) Unix file permissions: ls -la /mnt/public/ total 18 drwxrwxrwx 2 nobody nogroup 1024 2011-12-09 14:45 1122 drwx-- 2 root root12288 2011-12-09 14:43 lost+found ls -la /mnt/public/1122 total 218 -rwxrwxrwx 1 nobody nogroup 220074 2011-12-09 14:45 22.bmp Samba config: [global] workgroup = HOME security = share max log size = 1024 store dos attributes = yes map archive = no map read only = no map hidden = no map system = no create mode = 777 directory mode = 777 [homes] browseable = no printable = no store dos attributes = yes [public] path = /mnt/public comment = read only = no guest ok = yes follow symlinks = no store dos attributes = yes writable = yes map archive = no map read only = no map hidden = no map system = no create mode = 777 directory mode = 777 Samba configure params: --prefix=/usr/local/samba ... checking whether to support ACLs... auto configure: checking whether ACL support is available: checking for acl_get_file in -lacl... yes checking for getxattr in -lattr... yes checking for POSIX ACL support... yes configure: Using posix ACLs checking for acl_get_perm_np... no ... -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba + acl,user_xattr
On Fri, 2011-12-09 at 16:05 +0400, Dmitry Mordovin wrote: [SNIP] Samba config: [global] workgroup = HOME security = share max log size = 1024 store dos attributes = yes map archive = no map read only = no map hidden = no map system = no create mode = 777 directory mode = 777 [homes] browseable = no printable = no store dos attributes = yes [public] path = /mnt/public comment = read only = no guest ok = yes follow symlinks = no store dos attributes = yes writable = yes map archive = no map read only = no map hidden = no map system = no create mode = 777 directory mode = 777 I see no vfs objects = acl_xattr in your Samba config. Without that it won't work as there is nothing telling Samba where to store the ACL information. JAB. -- Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk Fife, United Kingdom. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba + acl,user_xattr
On 12/09/2011 04:26 PM, Jonathan Buzzard wrote: On Fri, 2011-12-09 at 16:05 +0400, Dmitry Mordovin wrote: [SNIP] Samba config: [global] workgroup = HOME security = share max log size = 1024 store dos attributes = yes map archive = no map read only = no map hidden = no map system = no create mode = 777 directory mode = 777 [homes] browseable = no printable = no store dos attributes = yes [public] path = /mnt/public comment = read only = no guest ok = yes follow symlinks = no store dos attributes = yes writable = yes map archive = no map read only = no map hidden = no map system = no create mode = 777 directory mode = 777 I see no vfs objects = acl_xattr in your Samba config. Without that it won't work as there is nothing telling Samba where to store the ACL information. JAB. Added to global section vfs objects = acl_xattr No changes. Still dont store DOS attr. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba + ACL + Linux Client
From: Oliver Guerino oguer...@gmail.com Date: Wed, 1 Jun 2011 13:29:44 -0300 What happened is the following: My network has windows and linux clients, the permissions described above operates normally with the windows client, but when I try to connect with the linux client does not operates. As far as I examined to connect from self-compiled Samba 3.5.6 and mount.cifs to ext3 filesystem on lenny, the same problem occurred. And from Windows, no problems occurred. It seems that mount.cifs (and your mount.smb perhaps) can not recognize ACLs set on files on the mounted-filesystems... --- TAKAHASHI Motonobu mo...@samba.gr.jp -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Samba + ACL + Linux Client
Hello, I'm Oliver and I need help for a experiment. I have a sharing with Samba version 3.2.5, my distribution Linux is Debian(Lenny) and the acl version is 2.2.47. Below my configurations files: #/etc/fstab /dev/sda3 /shared reiserfs defaults,acl 0 1 #smb.conf [data] comment = files path = /shared inherit acls = yes inherit permissions = yes map acl inherit = Yes # users and groups user1 and user2 into group1 user3 and user4 into group2 #permission directory files and acl's drwxr-x---+ 4 root root 96 Mai 27 11:48 group1 getfacl group1/ # file: group1/ # owner: root # group: root user::rwx group::r-x group:group1:r-x mask::r-x other::--- default:user::rwx default:group::rwx default:other::--- drwxrwx---+ 4 root root 96 Mai 27 11:48 group2 getfacl group2/ # file: group2/ # owner: root # group: root user::rwx group::r-x group:group1:r-x group:group2:rwx mask::rwx other::--- The kernel version: 2.6.26 What happened is the following: My network has windows and linux clients, the permissions described above operates normally with the windows client, but when I try to connect with the linux client does not operates. The mount command in the machine client linux: mount -t smbfs -o acl,rw,username=user1,passwd=pass //172.25.0.193/data/mnt/files/ When I try to access the folder group1 with the user1 display the message: Permission denied cd /mnt/files/group1 Permission denied. Some suggestion? Thanks Oliver -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Samba + ACL + Linux Client
Hello, I'm Oliver and I need help for a experiment. I have a sharing with Samba version 3.2.5, my distribution Linux is Debian(Lenny) and the acl version is 2.2.47. Below my configurations files: #/etc/fstab /dev/sda3 /shared reiserfs defaults,acl 0 1 #smb.conf [data] comment = files path = /shared inherit acls = yes inherit permissions = yes map acl inherit = Yes # users and groups user1 and user2 into group1 user3 and user4 into group2 #permission directory files and acl's drwxr-x---+ 4 root root 96 Mai 27 11:48 group1 getfacl group1/ # file: group1/ # owner: root # group: root user::rwx group::r-x group:group1:r-x mask::r-x other::--- default:user::rwx default:group::rwx default:other::--- drwxrwx---+ 4 root root 96 Mai 27 11:48 group2 getfacl group2/ # file: group2/ # owner: root # group: root user::rwx group::r-x group:group1:r-x group:group2:rwx mask::rwx other::--- The kernel version: 2.6.26 What happened is the following: My network has windows and linux clients, the permissions described above operates normally with the windows client, but when I try to connect with the linux client does not operates. The mount command in the machine client linux: mount -t smbfs -o acl,rw,username=user1,passwd=pass //172.25.0.193/data/mnt/files/ When I try to access the folder group1 with the user1 display the message: Permission denied cd /mnt/files/group1 Permission denied. Some suggestion? Thanks Oliver -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] samba acl restore error
Dear Jeremy and samba team , This is suresh from EMC.I am having samba 3.4.8 on my NAS with posix acls support. When a backup software backs up files and folders, it typically backs up the security settings on the files/folders too. Then during restore, the software will try to restore the files/folders along with their security settings. The restore is now broken because security settings cannot be restored any more. I have enabled samba loglevel 10 . I see the problem is coming here. -- 2011/01/26 10:41:04, 10] smbd/open.c:2896(create_file_unixpath) create_file_unixpath: access_mask = 0x11e019f file_attributes = 0x80, share_access = 0x3, create_disposition = 0x1 create_options = 0x4004 oplock_request = 0x0 ea_list = 0x(nil), sd = 0x(nil), fname = Share2/file2.txt -- SEC_FLAG_SYSTEM_SECURITY is 0x0100 /* We need to support SeSecurityPrivilege for this. */ if (access_mask SEC_FLAG_SYSTEM_SECURITY) { status = NT_STATUS_PRIVILEGE_NOT_HELD; goto fail; } and I see the restore is working fine when I Restore all information except security for files and directories create_file_unixpath: access_mask = 0x11 file_attributes = 0x0, share_access = 0x7, create_disposition = 0x1 create_options = 0x4001 oplock_request = 0x0 ea_list = 0x(nil), sd = 0x(nil), fname = . [2011/01/26 10:41:04, 5] smbd/open.c:2391(open_directory) --- the if (access_mask SEC_FLAG_SYSTEM_SECURITY) condition is not passing here and error is not coming. Jeremy, what for we are checking this condition on SeSecurityPrivilege ( Manage auditing and security log ) in samba code ?. How tp restore files with ACL's. ? I am anticipating your reply. Thanks Suresh -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] samba acl restore error
On Thu, Jan 27, 2011 at 04:26:10AM -0500, suresh.kanduk...@emc.com wrote: Dear Jeremy and samba team , This is suresh from EMC.I am having samba 3.4.8 on my NAS with posix acls support. When a backup software backs up files and folders, it typically backs up the security settings on the files/folders too. Then during restore, the software will try to restore the files/folders along with their security settings. The restore is now broken because security settings cannot be restored any more. I have enabled samba loglevel 10 . I see the problem is coming here. -- 2011/01/26 10:41:04, 10] smbd/open.c:2896(create_file_unixpath) create_file_unixpath: access_mask = 0x11e019f file_attributes = 0x80, share_access = 0x3, create_disposition = 0x1 create_options = 0x4004 oplock_request = 0x0 ea_list = 0x(nil), sd = 0x(nil), fname = Share2/file2.txt -- SEC_FLAG_SYSTEM_SECURITY is 0x0100 /* We need to support SeSecurityPrivilege for this. */ if (access_mask SEC_FLAG_SYSTEM_SECURITY) { status = NT_STATUS_PRIVILEGE_NOT_HELD; goto fail; } and I see the restore is working fine when I Restore all information except security for files and directories The SEC_FLAG_SYSTEM_SECURITY flag is for setting the audit ACE entries in an ACL - it isn't used for normal restoring of ACL ACE entries. We return this error here as it's required by MS-Office (Excel) which expects to get this error when changing ACLs on files (don't ask :-). This is fixed in 3.5.7 and above by adding it as a privilege that can be selected for a user who is doing restores. Ping me off-list if you need a back port of this code. Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] samba acl support
On Thu, Jan 6, 2011 at 11:40 PM, Jeremy Allison j...@samba.org wrote: On Thu, Jan 06, 2011 at 10:58:27PM -0500, suresh.kanduk...@emc.com wrote: Hi jeremey , This is Suresh from EMC . what is minimum version of samba which got ACL ( posix) support?. it looks to me samba 3.0.32 also got that ACL support. Can you please confirm on this?. Oh yes, we've had POSIX ACL support for a *long* time. I can't remember exactly what the earliest version was (probably a 2.2.x version). However we've been slowly getting better over the years in doing the ACL mapping, culminating with the extra Windows ACL layer stored in EA's we now have that provides a 100% Windows compatible protocol response to the client, but then is mapped onto POSIX ACLs for filesystems that can't store native (or NFSv4) ACLs. Jeremy. Note that at least some of the more sophisticated ACL's, such as NFSv4, are. awkward to use. You can reference an old thread on it at http://lists.samba.org/archive/samba/2010-April/155243.html.. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] samba acl support
On Thu, Jan 06, 2011 at 11:52:46PM -0500, suresh.kanduk...@emc.com wrote: Thanks this helps. Let me know if you really need the first version with ACL support and I'll track it down. Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] samba acl support
Hi jeremey , This is Suresh from EMC . what is minimum version of samba which got ACL ( posix) support?. it looks to me samba 3.0.32 also got that ACL support. Can you please confirm on this?. Thanks Suresh -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] samba acl support
On Thu, Jan 06, 2011 at 10:58:27PM -0500, suresh.kanduk...@emc.com wrote: Hi jeremey , This is Suresh from EMC . what is minimum version of samba which got ACL ( posix) support?. it looks to me samba 3.0.32 also got that ACL support. Can you please confirm on this?. Oh yes, we've had POSIX ACL support for a *long* time. I can't remember exactly what the earliest version was (probably a 2.2.x version). However we've been slowly getting better over the years in doing the ACL mapping, culminating with the extra Windows ACL layer stored in EA's we now have that provides a 100% Windows compatible protocol response to the client, but then is mapped onto POSIX ACLs for filesystems that can't store native (or NFSv4) ACLs. Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] samba acl support
Thanks this helps. -Suresh -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Jeremy Allison Sent: Friday, January 07, 2011 10:10 AM To: Kandukuru, Suresh Cc: samba@lists.samba.org; j...@samba.org Subject: Re: [Samba] samba acl support On Thu, Jan 06, 2011 at 10:58:27PM -0500, suresh.kanduk...@emc.com wrote: Hi jeremey , This is Suresh from EMC . what is minimum version of samba which got ACL ( posix) support?. it looks to me samba 3.0.32 also got that ACL support. Can you please confirm on this?. Oh yes, we've had POSIX ACL support for a *long* time. I can't remember exactly what the earliest version was (probably a 2.2.x version). However we've been slowly getting better over the years in doing the ACL mapping, culminating with the extra Windows ACL layer stored in EA's we now have that provides a 100% Windows compatible protocol response to the client, but then is mapped onto POSIX ACLs for filesystems that can't store native (or NFSv4) ACLs. Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] samba acl - able to change permissions that contradict user security setting
Thanks Smith. This explains in detail. -Suresh -Original Message- From: Chris Smith [mailto:smb...@chrissmith.org] Sent: Thursday, September 09, 2010 8:19 AM To: Kandukuru, Suresh Cc: samba@lists.samba.org Subject: Re: [Samba] samba acl - able to change permissions that contradict user security setting On Wed, Sep 8, 2010 at 10:04 PM, suresh.kanduk...@emc.com wrote: it looks like code is not designed like this. if you don't mind , Can you please explain this , -- - although you would be asking it to restrict the admin's rights, which wouldn't be proper behavior. Plus it then wouldn't work like a Windows box, which is a primary goal. File level security and share level security are separate - you can limit what a user can do with either one, or both. Consider one box - with no remote file sharing, a system (file level security) is needed to prevent unauthorized access to files and directories for local users. Consider a box that has no idea of file level security, say pre Windows NT such as Windows 95 for instance, files are shared via the network but with an OS that has no concept of file level security something is needed to prevent unauthorized access - share level security. AFAIK, the systems are not integrated, work separately and provide some backward compatibility. As the admin has full share level RW access to the share, he/she can surely make changes to the file level security (that is, if it's allowed by the current file level security) but he's not changing share level security through this, only file level; so locally the non-admin user could (presumably) login locally and access those files, but still be blocked remotely by the share level permissions. It's the way Windows works (and why Samba does also), plus I'm sure other network sharing systems, NFS, etc. have similar attributes. Think of it like trying to gain access to an office in a building. I can keep you from gaining entry in two ways; one is that I prevent you from entering the building (share level), or two, I prevent you from entering the particular office by locking its door (file level). If I prevent you from entering the building it doesn't matter whether or not I lock the office door - you cannot get there. If I lock the office door it doesn't matter if I allow you to enter the building - either way you are effectively locked out. And just because you are prevented, in the one case, from entering the building, there is nothing, nor should there be, to prevent me (the admin) from unlocking the office door, which would give you access if, and only if, you had egress into the building - my access is not affected (I can still unlock the office door), only yours (you still have no access unless I allow you into the building as well). -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] samba acl - able to change permissions that contradict user security setting
Allison, My Question was , 1) we have a share test and user admin has RW access and user1 has R only access. from the windows PC , I have connected test share with user admin. and created subfolder test_subfolder 2) and on that sub folder admin user has given RW access to user user1 . Why samba is not preventing this, since user1 has R only access on that share test.?? Smith explained this in last mail. Thanks for asking Suresh -Original Message- From: Jeremy Allison [mailto:j...@samba.org] Sent: Thursday, September 09, 2010 9:13 AM To: Kandukuru, Suresh Cc: smb...@chrissmith.org; samba@lists.samba.org Subject: Re: [Samba] samba acl - able to change permissions that contradict user security setting On Wed, Sep 08, 2010 at 11:14:40AM -0400, suresh.kanduk...@emc.com wrote: Thanks smith for the quick reply. what I want to know is ,can not samba source code prevent the changing setting rw access to test_subfolder user1 , since he has only read only access on the share test. The processing of security on shares and security in the underlying file system are completely separate. A user who is only granted read access on a share should not be able to change permissions on a directory inside the share, as this is a write operation on an underlying directory. An admin user should be able to change such permissions at will, as they have full root access to the exported share. Can you explain a little more clearly what you are trying to do (sorry, but I've been a little distracted by other things at the moment) so I can understand if you are describing a bug or not ? Thanks, Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] samba acl - able to change permissions that contradict user security setting
Did not get the response . bumping it. friends , Please help me on the below issue. Thanks Suresh -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of suresh.kanduk...@emc.com Sent: Wednesday, September 08, 2010 11:13 AM To: samba@lists.samba.org Subject: [Samba] samba acl - able to change permissions that contradict user security setting Dear friends, I am having following issue on my samba device . Please help me on this. 1) created share test given read and write access to the user admin and read only access to user user1. 2) from my windows PC logged into the samba share test with admin user . created subfolder in that test_subfolder. 3) on that subfolder , from the windows security tab I could add user user1 and can give read and write access to that. How to prevent this ??. Actually on the share test user1 has read only access .How samba code is allowing to change permissions that contradict user security settings. 4) when I login to share test with user1 , I cannot write into subfolder test_subfolder This is smb.conf for test share part .. --- [test] path= /mnt/samba/shares/SP0/test/ max connections= 50 max connections= 250 directory mode= 0777 create mode= 0777 follow symlinks= yes wide links= no nt acl support= yes dos filemode= yes writeable= no valid users= admin user1 read list= user1 store dos attributes= yes write list= admin - I am anticipating your reply. Thanks Suresh -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] samba acl - able to change permissions that contradict user security setting
On Wed, Sep 8, 2010 at 1:43 AM, suresh.kanduk...@emc.com wrote: 1) created share test given read and write access to the user admin and read only access to user user1. 2) from my windows PC logged into the samba share test with admin user . created subfolder in that test_subfolder. 3) on that subfolder , from the windows security tab I could add user user1 and can give read and write access to that. How to prevent this ??. Actually on the share test user1 has read only access .How samba code is allowing to change permissions that contradict user security settings. 4) when I login to share test with user1 , I cannot write into subfolder test_subfolder Seems perfectly normal. Share level security will take precedence over file level security when connected via the share. I'm sure you would find the same results working with an actual Windows share (always a good thing to test before you post). -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] samba acl - able to change permissions that contradict user security setting
On Wed, Sep 8, 2010 at 10:55 AM, Chris Smith smb...@chrissmith.org wrote: Share level security will take precedence over file level security when connected via the share. Sorry about that: more accurate would be to state that the most restrictive security permissions will be active. If share level permissions allow RW access but the file level permissions only allow for R access then that is all the user will receive (and vice versa). -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] samba acl - able to change permissions that contradict user security setting
Thanks smith for the quick reply. what I want to know is ,can not samba source code prevent the changing setting rw access to test_subfolder user1 , since he has only read only access on the share test. -Suresh -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Chris Smith Sent: Wednesday, September 08, 2010 8:25 PM To: Kandukuru, Suresh Cc: samba@lists.samba.org Subject: Re: [Samba] samba acl - able to change permissions that contradict user security setting On Wed, Sep 8, 2010 at 1:43 AM, suresh.kanduk...@emc.com wrote: 1) created share test given read and write access to the user admin and read only access to user user1. 2) from my windows PC logged into the samba share test with admin user . created subfolder in that test_subfolder. 3) on that subfolder , from the windows security tab I could add user user1 and can give read and write access to that. How to prevent this ??. Actually on the share test user1 has read only access .How samba code is allowing to change permissions that contradict user security settings. 4) when I login to share test with user1 , I cannot write into subfolder test_subfolder Seems perfectly normal. Share level security will take precedence over file level security when connected via the share. I'm sure you would find the same results working with an actual Windows share (always a good thing to test before you post). -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] samba acl - able to change permissions that contradict user security setting
On Wed, Sep 8, 2010 at 11:14 AM, suresh.kanduk...@emc.com wrote: Thanks smith for the quick reply. what I want to know is ,can not samba source code prevent the changing setting rw access to test_subfolder user1 , since he has only read only access on the share test. I suppose you could patch it to do so - although you would be asking it to restrict the admin's rights, which wouldn't be proper behavior. Plus it then wouldn't work like a Windows box, which is a primary goal. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] samba acl - able to change permissions that contradict user security setting
Smith, Thanks again for answering. I have gone through samba source code , I have assumed that when the samba user admin gives read write access to test_subfolder for the user user1 from the windows security tab ( user1 has read only access to share test) samba code posix_acl.c look at the read list of the share test ( since the user1 in read list ) and denies assigning rw access to test_subfolder. it looks like code is not designed like this. if you don't mind , Can you please explain this , -- - although you would be asking it to restrict the admin's rights, which wouldn't be proper behavior. Plus it then wouldn't work like a Windows box, which is a primary goal. Thanks Suresh -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Chris Smith Sent: Wednesday, September 08, 2010 9:24 PM To: Kandukuru, Suresh Cc: samba@lists.samba.org Subject: Re: [Samba] samba acl - able to change permissions that contradict user security setting On Wed, Sep 8, 2010 at 11:14 AM, suresh.kanduk...@emc.com wrote: Thanks smith for the quick reply. what I want to know is ,can not samba source code prevent the changing setting rw access to test_subfolder user1 , since he has only read only access on the share test. I suppose you could patch it to do so - although you would be asking it to restrict the admin's rights, which wouldn't be proper behavior. Plus it then wouldn't work like a Windows box, which is a primary goal. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] samba acl - able to change permissions that contradict user security setting
On Wed, Sep 8, 2010 at 10:04 PM, suresh.kanduk...@emc.com wrote: it looks like code is not designed like this. if you don't mind , Can you please explain this , -- - although you would be asking it to restrict the admin's rights, which wouldn't be proper behavior. Plus it then wouldn't work like a Windows box, which is a primary goal. File level security and share level security are separate - you can limit what a user can do with either one, or both. Consider one box - with no remote file sharing, a system (file level security) is needed to prevent unauthorized access to files and directories for local users. Consider a box that has no idea of file level security, say pre Windows NT such as Windows 95 for instance, files are shared via the network but with an OS that has no concept of file level security something is needed to prevent unauthorized access - share level security. AFAIK, the systems are not integrated, work separately and provide some backward compatibility. As the admin has full share level RW access to the share, he/she can surely make changes to the file level security (that is, if it's allowed by the current file level security) but he's not changing share level security through this, only file level; so locally the non-admin user could (presumably) login locally and access those files, but still be blocked remotely by the share level permissions. It's the way Windows works (and why Samba does also), plus I'm sure other network sharing systems, NFS, etc. have similar attributes. Think of it like trying to gain access to an office in a building. I can keep you from gaining entry in two ways; one is that I prevent you from entering the building (share level), or two, I prevent you from entering the particular office by locking its door (file level). If I prevent you from entering the building it doesn't matter whether or not I lock the office door - you cannot get there. If I lock the office door it doesn't matter if I allow you to enter the building - either way you are effectively locked out. And just because you are prevented, in the one case, from entering the building, there is nothing, nor should there be, to prevent me (the admin) from unlocking the office door, which would give you access if, and only if, you had egress into the building - my access is not affected (I can still unlock the office door), only yours (you still have no access unless I allow you into the building as well). -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] samba acl - able to change permissions that contradict user security setting
On Wed, Sep 08, 2010 at 11:14:40AM -0400, suresh.kanduk...@emc.com wrote: Thanks smith for the quick reply. what I want to know is ,can not samba source code prevent the changing setting rw access to test_subfolder user1 , since he has only read only access on the share test. The processing of security on shares and security in the underlying file system are completely separate. A user who is only granted read access on a share should not be able to change permissions on a directory inside the share, as this is a write operation on an underlying directory. An admin user should be able to change such permissions at will, as they have full root access to the exported share. Can you explain a little more clearly what you are trying to do (sorry, but I've been a little distracted by other things at the moment) so I can understand if you are describing a bug or not ? Thanks, Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] samba acl - able to change permissions that contradict user security setting
Dear friends, I am having following issue on my samba device . Please help me on this. 1) created share test given read and write access to the user admin and read only access to user user1. 2) from my windows PC logged into the samba share test with admin user . created subfolder in that test_subfolder. 3) on that subfolder , from the windows security tab I could add user user1 and can give read and write access to that. How to prevent this ??. Actually on the share test user1 has read only access .How samba code is allowing to change permissions that contradict user security settings. 4) when I login to share test with user1 , I cannot write into subfolder test_subfolder This is smb.conf for test share part .. --- [test] path= /mnt/samba/shares/SP0/test/ max connections= 50 max connections= 250 directory mode= 0777 create mode= 0777 follow symlinks= yes wide links= no nt acl support= yes dos filemode= yes writeable= no valid users= admin user1 read list= user1 store dos attributes= yes write list= admin - I am anticipating your reply. Thanks Suresh -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] samba ACL problems in some of the Wokgroup PC's
Dear friends, I am facing the problem while adding the ACL user into subfolder security permissions from some of the WORKGROUPS PCs . While adding the ACL user itself it is asking for samba login credentials ( I did not notice this behavior in other PC's ) and after entering it, it is displaying user object not found. Though user2 user exists in backend. it is giving this error. This is not giving any problem in some of the workgroup PC's and PC's which are some in domain. I have enabled samba log level 10 , while adding acl user task is going on , I did not find any comparable errors between workable PC's and non workable PC's. Can you please suggest why only some of Workgroup machines are giving this problem?.I found this is not specific to any OS . one pc which is having windows XP another having windows 7 exhibiting this issue. workgroup is common WORKGROUP. Please suggest me . I am anticipating your reply. Thanks Suresh -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Samba ACL sub folder permission changes
Dear samba team, Please help me on the below issue. I have connected a samba share from my device to my windows XP machine . that samba share has ACL support enabled . 1) The shared folder names is user1 and the user name I logged into samba share is also user1. 2) I have created a text file , and sub folder in the samba share from my windows PC. 3) I can change write permission of the owner user1 and the group users , and Everyone from the security - advanced settings - 4) for the sub folder I cannot change the permissions for the owner user1 , I can change for the group users and Everyone also. whenever I tried to disable the Write attributes and Write extended attributes , it is simply ignoring the changes and again showing full control in advance security windows. Please suggest how to handle this?. here is my samba.conf -[Global] server string= storage Workgroup= WORKGROUP security= user domain master= yes preferred master= yes local master= yes os level= 20 invalid users= bin daemon adm sync shutdown halt mail news uucp gopher map to guest= Bad User host msdfs= yes null passwords= yes strict allocate= no encrypt passwords= yes passdb backend= smbpasswd printcap name= lpstat printing= cups printable= no load printers= yes max smbd processes= 500 max smbd processes= 2500 getwd cache= yes display charset= UTF-8 log level= 10 syslog= 0 max log size= 50 use sendfile= yes [Printers] path= /mnt/soho_storage/samba/spool printable= yes only guest= yes use client driver= yes comment= All Printers [Backups] path= /mnt/soho_storage/samba/shares/SP0/Backups/ max connections= 50 max connections= 250 directory mode= 0777 create mode= 0777 follow symlinks= yes wide links= no nt acl support= no dos filemode= no writeable= yes public= yes store dos attributes= yes write list= guest [Documents] path= /mnt/soho_storage/samba/shares/SP0/Documents/ max connections= 50 max connections= 250 directory mode= 0777 create mode= 0777 follow symlinks= yes wide links= no nt acl support= no dos filemode= no writeable= yes public= yes store dos attributes= yes write list= guest [Pictures] path= /mnt/soho_storage/samba/shares/SP0/Pictures/ max connections= 50 max connections= 250 directory mode= 0777 create mode= 0777 follow symlinks= yes wide links= no nt acl support= no dos filemode= no writeable= yes public= yes store dos attributes= yes write list= guest [user1] path= /mnt/soho_storage/samba/shares/SP0/user1/ max connections= 50 max connections= 250 directory mode= 0777 create mode= 0777 follow symlinks= yes wide links= no nt acl support= yes dos filemode= yes writeable= no valid users= admin user1 user2 store dos attributes= yes write list= admin user1 user2 [user2] path= /mnt/soho_storage/samba/shares/SP0/user2/ max connections= 50 max connections= 250 directory mode= 0777 create mode= 0777 follow symlinks= yes wide links= no nt acl support= yes dos filemode= yes writeable= no valid users= admin user1 user2 store dos attributes= yes write list= admin user1 user2 -- Thanks in advance Suresh -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] samba ACL open-for-delete problem
All my fault. I forget to execute make clean before compiling samba with ACL support. -- Shaochun Wang(王绍春) scw...@ios.ac.cn PH.D Candidate State Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] samba ACL open-for-delete problem
Hi, all It seems that samba-3.4.1 still has something wrong with ACL for open-for-delete operation. I give a group of users full access, which means rwx permission, to a directory and make this as the default ACL for this directory. Then I found that I can do anthing as a member of that group but deleting files and this directory. After skiming through its source code, I did not find any ACL check at function can_delete_file_in_directory() in file file_access.c. Am I right? The following is my ACL setting: -bash-4.0$ getfacl Downloads/ # file: Downloads/ # owner: tsmn # group: bt user::rwx group::r-x group:smb_g0:rwx mask::rwx other::r-x default:user::rwx default:group::r-x default:group:smb_g0:rwx default:mask::rwx default:other::r-x -bash-4.0$ getfacl Downloads/aaa # file: Downloads/aaa # owner: tsmn # group: bt user::rw- group::r-x #effective:r-- group:smb_g0:rwx#effective:rw- mask::rw- other::r-- I can't delete file aaa when logining in as SAMBA user smb_u0 whose main group is smb_g0. -- Shaochun Wang scw...@ios.ac.cn Jabber: fung...@jabber.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba ACL and Office 2007
Harry Jede wrote: Am Montag, 27. April 2009 15:33 schrieb David Vaz: I am using samba 3.3.2-1 in a debian squeze installation, using ext3 with acl support. The problem I am experiencing is easy to replicate as I have tried it in different machines. In a given share, user A is the owner of the folder test, inside this folder there is a office file test.doc for example. User B has write privileges over file test.doc but not over test. When user B tries to save the office document (using office 2007) an error appears Access Denied. Contact your administrator. # file: test # owner: A # group: G user::rwx group::r-x other::--- # file: test.doc # owner: A # group: G user::rwx user:B:rwx group::r-x mask::rwx other::--- Notice that if the user copy the file to his desktop, modifies it and later overwrites the original there is no problem. That's normal with Office 2007. Thanks to M$. They create a NEW file, when the user saves the old one, delete the old one, then rename the new file to the old name. So, your users are able to update files with office 2007, only when they have write permissons on the directory. Search this list archive for a more detailed explanation. Is there any workaround to this? This error is similar in some ways to this https://bugzilla.samba.org/show_bug.cgi?id=6160, but i suppose now the lock over the folder. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Samba ACL and Office 2007
I am using samba 3.3.2-1 in a debian squeze installation, using ext3 with acl support. The problem I am experiencing is easy to replicate as I have tried it in different machines. In a given share, user A is the owner of the folder test, inside this folder there is a office file test.doc for example. User B has write privileges over file test.doc but not over test. When user B tries to save the office document (using office 2007) an error appears Access Denied. Contact your administrator. # file: test # owner: A # group: G user::rwx group::r-x other::--- # file: test.doc # owner: A # group: G user::rwx user:B:rwx group::r-x mask::rwx other::--- Notice that if the user copy the file to his desktop, modifies it and later overwrites the original there is no problem. This error is similar in some ways to this https://bugzilla.samba.org/show_bug.cgi?id=6160, but i suppose now the lock over the folder. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba ACL and Office 2007
Am Montag, 27. April 2009 15:33 schrieb David Vaz: I am using samba 3.3.2-1 in a debian squeze installation, using ext3 with acl support. The problem I am experiencing is easy to replicate as I have tried it in different machines. In a given share, user A is the owner of the folder test, inside this folder there is a office file test.doc for example. User B has write privileges over file test.doc but not over test. When user B tries to save the office document (using office 2007) an error appears Access Denied. Contact your administrator. # file: test # owner: A # group: G user::rwx group::r-x other::--- # file: test.doc # owner: A # group: G user::rwx user:B:rwx group::r-x mask::rwx other::--- Notice that if the user copy the file to his desktop, modifies it and later overwrites the original there is no problem. That's normal with Office 2007. Thanks to M$. They create a NEW file, when the user saves the old one, delete the old one, then rename the new file to the old name. So, your users are able to update files with office 2007, only when they have write permissons on the directory. Search this list archive for a more detailed explanation. This error is similar in some ways to this https://bugzilla.samba.org/show_bug.cgi?id=6160, but i suppose now the lock over the folder. -- Gruss Harry Jede -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba+acl problem on OSX
Is that the only option? We've noticed the same behavior of osx clients recently, but we also have linux clients connecting and I don't wish to degrade the experience by disabling unix extensions. What is effect of disabling unix extensions? At least with it acls work on OSX too. -- Eero -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba+acl problem on OSX
On Tuesday 17 February 2009 16:19:19 James Peach wrote: 2009/2/17 Eero Volotinen eero.voloti...@iki.fi: I have problem using samba+acl (ext3+acl) on OSX client. Access rights works fine on Linux and Windows series, but OSX Leopard says access denied to every directory that is using acl. Is OSX cifs client too stripped that it cannot use acl or is this OSX bug? Is there any solution on OSX that can access samba+acl directories? The Mac OS X client looks at the posix mode bits to preflight access checks. you can disable this on the server side by setting unix extensions = no Is that the only option? We've noticed the same behavior of osx clients recently, but we also have linux clients connecting and I don't wish to degrade the experience by disabling unix extensions. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Samba+acl problem on OSX
I have problem using samba+acl (ext3+acl) on OSX client. Access rights works fine on Linux and Windows series, but OSX Leopard says access denied to every directory that is using acl. Is OSX cifs client too stripped that it cannot use acl or is this OSX bug? Is there any solution on OSX that can access samba+acl directories? thanks, -- Eero -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba+acl problem on OSX
2009/2/17 Eero Volotinen eero.voloti...@iki.fi: I have problem using samba+acl (ext3+acl) on OSX client. Access rights works fine on Linux and Windows series, but OSX Leopard says access denied to every directory that is using acl. Is OSX cifs client too stripped that it cannot use acl or is this OSX bug? Is there any solution on OSX that can access samba+acl directories? The Mac OS X client looks at the posix mode bits to preflight access checks. you can disable this on the server side by setting unix extensions = no -- James Peach | jor...@gmail.com -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] samba + acl
Hello I am using samba 3.2.1 version on centos 5.2 with ldap. Everything is working fine as i expected. I have shared a share , say , NOA on samba server. Now i log into windows and access the share and tried to give rights on share by right click properties security . I want to give a group call noag only read , write and but no permission of delete on share NOA . I have a group who can full access to the share NOA. I right click on it , use security tab to give only read permission , it works fine, but when i select? all the options except delete and full control and click ok , it chages to full control , which is what i don't want. I am searched a lot but couldn't find the solution. Is there any solutiont for this or this is not possible in samba. Thanks in advance Bikrish -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Samba / ACL / File System Permissions Active Directory winbind
Hi Guys, I have a windows 2003 SBS handling domain logins, I also have an Ubuntu machine being used as a file server this is using winbind and is on the domain I can chown dirs etc with Active Directory users. However I have the following problem, I need to allow certain users to access some dirs and not others... for example. folder1 would need to be accessed by user1 user2 and user3 Now my understanding of this would be to add users 1,2 3 to a group say for example group1 then chown folder1 with that group? chown -R :DOMAIN\Domain Users folder1 Thats fine but then when user 1,2 or 3 access folder1 and write to the folder and there primary group is Domain Users for example it will make it unreadable for other users? I could force it to take permissions from the parent directory using sticky bit? but what if the users creates a dir and then another dir would it still take its permissions from its parent directory then? It must be fairly common to want to set a bunch of users that are not in the same primary group access to one dir that no other users can access? If any one has any ideas / feedback at all on how they have done this it would be great as im melting my brain thinking a way around this if im honest... Many Thanks Keith -- Keith Sudbury Netzen Solution Ltd Suite 5, Piccadilly House, London Rd, Bath, BA1 6PL, UK Mobile: +44 (0)7921464106 Tel: +44 (0)1225 588 588 Fax: +44 (0)1225 580 061 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba / ACL / File System Permissions Active Directory winbind
On Wed, Jul 30, 2008 at 11:17:10PM +0100, Keith Sudbury wrote: Hi Guys, I have a windows 2003 SBS handling domain logins, I also have an Ubuntu machine being used as a file server this is using winbind and is on the domain I can chown dirs etc with Active Directory users. However I have the following problem, I need to allow certain users to access some dirs and not others... for example. folder1 would need to be accessed by user1 user2 and user3 Now my understanding of this would be to add users 1,2 3 to a group say for example group1 then chown folder1 with that group? chown -R :DOMAIN\Domain Users folder1 Thats fine but then when user 1,2 or 3 access folder1 and write to the folder and there primary group is Domain Users for example it will make it unreadable for other users? I could force it to take permissions from the parent directory using sticky bit? but what if the users creates a dir and then another dir would it still take its permissions from its parent directory then? Use the setgid bit on the directory. This causes the group ownership of the created directory to be inherited from the owning directory, not the creating process (and also inherit the setgid bit). Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Samba+ACL+w2k domain
I have set up samba as a member of w2k the domain, has made Share with ACL support. I distribute the rights through Windows ticks sucsessfully. But I can not be remove them - windows says that You can not remove the user because this object is inheriting permission from his parent After I remove inheritence on the share user still stays in the ACL withoue any permissions. Windows writes, that these rights are as though inherited. I do not know, that I do not so. FreeBSD 6.2 Samba Version 3.0.28 heimdal 1.0.1 Samba config: [global] workgroup = MYDOMAIN security = domain server string = ws01 Samba Server netbiosname = ws01 local master = no domain master = no preferred master = no dns proxy = no display charset = koi8-r unix charset = koi8-r dos charset = cp866 idmap uid = 1-2 idmap gid = 1-2 winbind cache time = 15 winbind enum users = Yes winbind enum groups = Yes hosts allow = 192.168.0. 192.168.1. 127. bind interfaces only = Yes interfaces = 192.168.0.125 log file = /var/log/samba/log.%m max log size = 50 load printers = no # Share Definitions == [store] comment = qwerty! path = /store read list = @MYDOMAIN\Domain Users write list = @MYDOMAIN\Domain Admins admin users = @MYDOMAIN\Domain Admins, [EMAIL PROTECTED] read only = No create mask = 700 directory mask = 700 inherit owner = yes inherit acls = yes inherit permissions = yes map acl inherit = yes locking = nophotoarch -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba+ACL+w2k domain
Hi, nix. I have set up samba as a member of w2k the domain, has made Share with ACL support. I distribute the rights through Windows ticks sucsessfully. But I can not be remove them - windows says that You can not remove the user because this object is inheriting permission from his parent After I remove inheritence on the share user still stays in the ACL withoue any permissions. Windows writes, that these rights are as though inherited. I do not know, that I do not so. FreeBSD 6.2 Samba Version 3.0.28 heimdal 1.0.1 Samba config: [global] workgroup = MYDOMAIN security = domain server string = ws01 Samba Server netbiosname = ws01 local master = no domain master = no preferred master = no dns proxy = no display charset = koi8-r unix charset = koi8-r dos charset = cp866 idmap uid = 1-2 idmap gid = 1-2 winbind cache time = 15 winbind enum users = Yes winbind enum groups = Yes hosts allow = 192.168.0. 192.168.1. 127. bind interfaces only = Yes interfaces = 192.168.0.125 log file = /var/log/samba/log.%m max log size = 50 load printers = no # Share Definitions == [store] comment = qwerty! path = /store read list = @MYDOMAIN\Domain Users write list = @MYDOMAIN\Domain Admins admin users = @MYDOMAIN\Domain Admins, [EMAIL PROTECTED] read only = No create mask = 700 directory mask = 700 inherit owner = yes inherit acls = yes inherit permissions = yes map acl inherit = yes locking = nophotoarch Anybody help me please! -- Best regards, nix_kot mailto:[EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Samba+ACL+w2k domain
I have set up samba as a member of w2k the domain, has made Share with ACL support. I distribute the rights through Windows ticks sucsessfully. But I can not be remove them - windows says that You can not remove the user because this object is inheriting permission from his parent After I remove inheritence on the share user still stays in the ACL withoue any permissions. Windows writes, that these rights are as though inherited. I do not know, that I do not so. FreeBSD 6.2 Samba Version 3.0.28 heimdal 1.0.1 Samba config: [global] workgroup = MYDOMAIN security = domain server string = ws01 Samba Server netbiosname = ws01 local master = no domain master = no preferred master = no dns proxy = no display charset = koi8-r unix charset = koi8-r dos charset = cp866 idmap uid = 1-2 idmap gid = 1-2 winbind cache time = 15 winbind enum users = Yes winbind enum groups = Yes hosts allow = 192.168.0. 192.168.1. 127. bind interfaces only = Yes interfaces = 192.168.0.125 log file = /var/log/samba/log.%m max log size = 50 load printers = no # Share Definitions == [store] comment = qwerty! path = /store read list = @MYDOMAIN\Domain Users write list = @MYDOMAIN\Domain Admins admin users = @MYDOMAIN\Domain Admins, [EMAIL PROTECTED] read only = No create mask = 700 directory mask = 700 inherit owner = yes inherit acls = yes inherit permissions = yes map acl inherit = yes locking = nophotoarch -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] samba acl + winxp, win2000 server
Hi there. I need help. I installed samba + nt acl. I switched on acl on the filesystem, added users in the /etc/passwd and in the tdb database samba, using tdbedit. When I logged in the share, I created a test file, clicked on the right mouse button, chose properties-security. And When I clicked on add button into Win 2000 server, I saw all my samba account. But When I did it into WinXP I saw nobody from my samba account, a locals only. Have any idea?? p.s. sorry for my english. I'm not native. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] samba acl + winxp, win2000 server
Vadim Vatlin wrote: Hi there. I need help. I installed samba + nt acl. I switched on acl on the filesystem, added users in the /etc/passwd and in the tdb database samba, using tdbedit. When I logged in the share, I created a test file, clicked on the right mouse button, chose properties-security. And When I clicked on add button into Win 2000 server, I saw all my samba account. But When I did it into WinXP I saw nobody from my samba account, a locals only. Have any idea?? p.s. sorry for my english. I'm not native. http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html#id375713 Am I right? That this function doesn't work now? But Why this is work under 2000 server ? -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba ACL bug?
Hi,jerry. How are you? Afterwards, I kept investigating. This problem doesn't occur in the ext3 filesystem. (This problem occurs by the vxfs filesystem. ) There are some questions. Q1.Does not Samba correspond to VxFS? Q2.Does the program that sets ACL have the difference by the filesystem? - Original Message - From: Gerald (Jerry) Carter [EMAIL PROTECTED] To: H.Kitagawa [EMAIL PROTECTED] Cc: samba@lists.samba.org Sent: Tuesday, January 30, 2007 2:05 PM Subject: Re: [Samba] Samba ACL bug? -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hiro, [EMAIL PROTECTED] pub]# getfacl testfolder # file: testfolder # owner: [EMAIL PROTECTED] # group: [EMAIL PROTECTED] user::rwx mask::rwx mask::rwx other::--- Any idea why the mask listed twice here. What file system is this? default:user::rwx default:group::rwx default:group:[EMAIL PROTECTED]:rwx default:mask::rwx default:other::--- Then, the member of the Domain Users group became inaccessible the folder. The default aces are not used to determine access to a folder. Only for files and subfolders created within the directory. So that shouldn't make any difference. I would suggest looking at a level 10 debug log from smbd and seeing the root cause of the ACCESS_DENIED error. cheers, jerry = Samba--- http://www.samba.org Centeris --- http://www.centeris.com What man is a man who does not make the world better? --Balian -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2.2 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFvtIrIR7qMdg1EfYRAk1HAJ4wN/V2dOtksgEDGoVKZhdCNHMyegCgrxFF gWbdDPOh+8JwxrxRBtPt3oA= =MRuR -END PGP SIGNATURE- * Hironori Kitagawa E-Mail: [EMAIL PROTECTED] * -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba ACL bug?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hiro, [EMAIL PROTECTED] pub]# getfacl testfolder # file: testfolder # owner: [EMAIL PROTECTED] # group: [EMAIL PROTECTED] user::rwx mask::rwx mask::rwx other::--- Any idea why the mask listed twice here. What file system is this? default:user::rwx default:group::rwx default:group:[EMAIL PROTECTED]:rwx default:mask::rwx default:other::--- Then, the member of the Domain Users group became inaccessible the folder. The default aces are not used to determine access to a folder. Only for files and subfolders created within the directory. So that shouldn't make any difference. I would suggest looking at a level 10 debug log from smbd and seeing the root cause of the ACCESS_DENIED error. cheers, jerry = Samba--- http://www.samba.org Centeris --- http://www.centeris.com What man is a man who does not make the world better? --Balian -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2.2 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFvtIrIR7qMdg1EfYRAk1HAJ4wN/V2dOtksgEDGoVKZhdCNHMyegCgrxFF gWbdDPOh+8JwxrxRBtPt3oA= =MRuR -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba ACL bug?
Hi Jerrry - Original Message - From: Gerald (Jerry) Carter [EMAIL PROTECTED] To: H.Kitagawa [EMAIL PROTECTED] Cc: samba@lists.samba.org Sent: Tuesday, January 30, 2007 2:05 PM Subject: Re: [Samba] Samba ACL bug? -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hiro, [EMAIL PROTECTED] pub]# getfacl testfolder # file: testfolder # owner: [EMAIL PROTECTED] # group: [EMAIL PROTECTED] user::rwx mask::rwx mask::rwx other::--- Any idea why the mask listed twice here. I do not understand the reason why the mask is listed two times. What file system is this? We are using vxfs(VERITAS). default:user::rwx default:group::rwx default:group:[EMAIL PROTECTED]:rwx default:mask::rwx default:other::--- Then, the member of the Domain Users group became inaccessible the folder. The default aces are not used to determine access to a folder. Only for files and subfolders created within the directory. So that shouldn't make any difference. I would suggest looking at a level 10 debug log from smbd and seeing the root cause of the ACCESS_DENIED error. I gathered the log with leve10. LOG1. It is a log when accessing it from the this server. [EMAIL PROTECTED] pub]# smbclient '//sambaSV/SMBpublic' -U fjsv003 Password: Domain=[KITA] OS=[Unix] Server=[Samba 3.0.21b-2] smb: \ cd testfolder smb: \testfolder\ ls NT_STATUS_ACCESS_DENIED listing \testfolder\* [2007/01/30 14:55:59, 5] smbd/uid.c:change_to_user(309) change_to_user uid=(10002,10002) gid=(0,1) [2007/01/30 14:55:59, 3] smbd/trans2.c:call_trans2findfirst(1632) call_trans2findfirst: dirtype = 16, maxentries = 1366, close_after_first=0, close_if_end = 2 requires_resume_key = 4 l evel = 0x104, max_data_bytes = 16644 [2007/01/30 14:55:59, 5] smbd/filename.c:unix_convert(108) unix_convert called on file testfolder/* [2007/01/30 14:55:59, 10] smbd/statcache.c:stat_cache_lookup(215) stat_cache_lookup: lookup failed for name [TESTFOLDER/*] [2007/01/30 14:55:59, 10] smbd/statcache.c:stat_cache_lookup(248) stat_cache_lookup: lookup succeeded for name [TESTFOLDER] - [testfolder] [2007/01/30 14:55:59, 5] smbd/filename.c:unix_convert(185) unix_convert begin: name = testfolder/*, dirpath = testfolder, start = * [2007/01/30 14:55:59, 10] smbd/mangle_hash2.c:is_mangled(276) is_mangled * ? [2007/01/30 14:55:59, 10] smbd/mangle_hash2.c:is_mangled_component(215) is_mangled_component * (len 1) ? [2007/01/30 14:55:59, 10] smbd/mangle_hash2.c:is_mangled(276) is_mangled * ? [2007/01/30 14:55:59, 10] smbd/mangle_hash2.c:is_mangled_component(215) is_mangled_component * (len 1) ? [2007/01/30 14:55:59, 5] smbd/filename.c:unix_convert(335) New file * [2007/01/30 14:55:59, 5] smbd/trans2.c:call_trans2findfirst(1688) dir=testfolder, mask = * [2007/01/30 14:55:59, 5] smbd/dir.c:dptr_create(391) dptr_create dir=testfolder [2007/01/30 14:55:59, 5] smbd/dir.c:OpenDir(1033) OpenDir: Can't open testfolder. Permission denied 2007/01/30 14:55:59, 3] smbd/error.c:unix_error_packet(90) unix_error_packet: error string = Permission denied [2007/01/30 14:55:59, 3] smbd/error.c:error_packet(146) error packet at smbd/trans2.c(1742) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED LOG2. This is a log when accessing it from the Windows client. [2007/01/30 15:03:33, 3] smbd/process.c:switch_message(993) switch message SMBntcreateX (pid 6872) conn 0xa06d258 [2007/01/30 15:03:33, 4] smbd/uid.c:change_to_user(222) change_to_user: Skipping user change - already user [2007/01/30 15:03:33, 10] smbd/nttrans.c:reply_ntcreate_and_X(506) reply_ntcreateX: flags = 0x16, access_mask = 0x20089 file_attributes = 0x80, share_access = 0x7, create_disposition = 0x1 create_options = 0x0 root_dir_fid = 0x0 [2007/01/30 15:03:33, 5] smbd/filename.c:unix_convert(108) unix_convert called on file testfolder [2007/01/30 15:03:33, 10] smbd/statcache.c:stat_cache_lookup(248) stat_cache_lookup: lookup succeeded for name [TESTFOLDER] - [testfolder] [2007/01/30 15:03:33, 2] smbd/dosmode.c:unix_mode(70) unix_mode(testfolder) inheriting from . [2007/01/30 15:03:33, 2] smbd/dosmode.c:unix_mode(78) unix_mode(testfolder) inherit mode 40770 [2007/01/30 15:03:33, 3] smbd/dosmode.c:unix_mode(121) unix_mode(testfolder) returning 0760 [2007/01/30 15:03:33, 10] smbd/open.c:open_file_ntcreate(1110) open_file_ntcreate: fname=testfolder, dos_attrs=0x80 access_mask=0x20089 share_access=0x7 create_disposition = 0x1 cre ate_options=0x0 unix mode=0760 oplock_request=3 [2007/01/30 15:03:33, 8] smbd/dosmode.c:dos_mode(300) dos_mode: testfolder [2007/01/30 15:03:33, 8] smbd/dosmode.c:dos_mode_from_sbuf(167) dos_mode_from_sbuf returning d [2007/01/30 15:03:33, 8] smbd/dosmode.c:dos_mode(334) dos_mode returning d [2007/01/30 15:03:33, 10] smbd/open.c:open_file_ntcreate(1278) open_file_ntcreate: fname=testfolder, after mapping access_mask=0x20089 [2007/01/30 15:03:33, 5] smbd/files.c:file_new(128) allocated file structure 537, fnum = 4633 (2 used
[Samba] Samba ACL bug?
Hello, My name is Hiro. I'm using samba 3.0.21b-2(acl) and RHEL4.1(kernel 2.6.9-11.ELsmp) + AD Server Following problem: When the attribute of the group of the folder was set to a full control twice, the member of the group became inaccessible. I want to know this problem is BUG or SPEC. One example [smb.conf] security = ADS acl check permissions = no acl group control = no acl map full control = yes inherit acls = yes [User] [EMAIL PROTECTED] [uid=1([EMAIL PROTECTED]) gid=1([EMAIL PROTECTED] users) groups=1([EMAIL PROTECTED] users)] [EMAIL PROTECTED] [uid=10002([EMAIL PROTECTED]) gid=1([EMAIL PROTECTED] users) groups=1([EMAIL PROTECTED] users)] STEP1.The folder was made by using the Explorer of Windows. ACL state is as follows. [EMAIL PROTECTED] pub]# getfacl testfolder # file: testfolder # owner: [EMAIL PROTECTED] # group: [EMAIL PROTECTED] user::rwx group::rwx other::--- STEP2.The folder attribute is changed from the security tab. Domain Users(KITA\Domain Users) →full control checked and execute. [EMAIL PROTECTED] pub]# getfacl testfolder # file: testfolder # owner: [EMAIL PROTECTED] # group: [EMAIL PROTECTED] user::rwx group::rwx mask::rwx other::--- default:user::rwx default:group::rwx default:other::--- At this point, the member of the Domain Users group can access the testfolder. STEP3.The folder attribute is changed again. Domain Users(KITA\Domain Users) →full control checked and execute. [EMAIL PROTECTED] pub]# getfacl testfolder # file: testfolder # owner: [EMAIL PROTECTED] # group: [EMAIL PROTECTED] user::rwx mask::rwx mask::rwx other::--- default:user::rwx default:group::rwx default:group:[EMAIL PROTECTED]:rwx default:mask::rwx default:other::--- Then, the member of the Domain Users group became inaccessible the folder. [EMAIL PROTECTED] pub]# smbclient '//sambaSV/SMBpublic' -U fjsv003 Password: Domain=[KITA] OS=[Unix] Server=[Samba 3.0.21b-2] smb: \ cd testfolder smb: \testfolder\ ls NT_STATUS_ACCESS_DENIED listing \testfolder\* 32768 blocks of size 131072. 30551 blocks available smb: \testfolder\ cd .. *** Hironori KITAGAWA Japan *** -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Samba ACL bug?
Hello, My name is Hiro. I'm using samba 3.0.21b-2(acl) and RHEL4.1(kernel 2.6.9-11.ELsmp) + AD Server Following problem: When the attribute of the group of the folder was set to a full control twice, the member of the group became inaccessible. I want to know this problem is BUG or SPEC. One example [smb.conf] security = ADS acl check permissions = no acl group control = no acl map full control = yes inherit acls = yes [User] [EMAIL PROTECTED] [uid=1([EMAIL PROTECTED]) gid=1([EMAIL PROTECTED] users) groups=1([EMAIL PROTECTED] users)] [EMAIL PROTECTED] [uid=10002([EMAIL PROTECTED]) gid=1([EMAIL PROTECTED] users) groups=1([EMAIL PROTECTED] users)] STEP1.The folder was made by using the Explorer of Windows. ACL state is as follows. [EMAIL PROTECTED] pub]# getfacl testfolder # file: testfolder # owner: [EMAIL PROTECTED] # group: [EMAIL PROTECTED] user::rwx group::rwx other::--- STEP2.The folder attribute is changed from the security tab. Domain Users(KITA\Domain Users) →full control checked and execute. [EMAIL PROTECTED] pub]# getfacl testfolder # file: testfolder # owner: [EMAIL PROTECTED] # group: [EMAIL PROTECTED] user::rwx group::rwx mask::rwx other::--- default:user::rwx default:group::rwx default:other::--- At this point, the member of the Domain Users group can access the testfolder. STEP3.The folder attribute is changed again. Domain Users(KITA\Domain Users) →full control checked and execute. [EMAIL PROTECTED] pub]# getfacl testfolder # file: testfolder # owner: [EMAIL PROTECTED] # group: [EMAIL PROTECTED] user::rwx mask::rwx mask::rwx other::--- default:user::rwx default:group::rwx default:group:[EMAIL PROTECTED]:rwx default:mask::rwx default:other::--- Then, the member of the Domain Users group became inaccessible the folder. [EMAIL PROTECTED] pub]# smbclient '//sambaSV/SMBpublic' -U fjsv003 Password: Domain=[KITA] OS=[Unix] Server=[Samba 3.0.21b-2] smb: \ cd testfolder smb: \testfolder\ ls NT_STATUS_ACCESS_DENIED listing \testfolder\* 32768 blocks of size 131072. 30551 blocks available smb: \testfolder\ cd .. *** Hironori KITAGAWA Japan *** -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] samba ACL questions
Greetings, I seem to have Samba+AD+ACL's working on a RH ES4 server; however, I'm looking for clarification in regard to how the ACL's differ between windows and samba... or if they differ? With windows ACL's, I can give out user permission traverse directory, but not read its contents. Then I can give said user more permission to a sub folders contents. Meaning: I don't want a user to see what is in \\files1\IS file:///\\files1\IS but I want to give them permissions to the contents of \\files1\IS\meetingminutes file:///\\files1\mamba\meetingminutes I cant seem to get this to work with samba. I suppose one could always create another share, but it's really not the ideal solution when this has to be done in many scenarios. I am running RH ES4, and from my searching for the answer to this, I recall reading that the Linux POSIX specifications aren't as robust as NTFS's, would this be correct to assume this is why samba doesn't seem to be able to use the traverse security permission? Any insight is appreciated. -dg -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] samba ACL questions
David, I think you'll find this document helpful. I do not know for certain if the permissions are the same on Linux, but it _should_ be. http://docs.hp.com/en/B8725-90101/ch03s04.html On 9/27/06, Graham, David [EMAIL PROTECTED] wrote: Greetings, I seem to have Samba+AD+ACL's working on a RH ES4 server; however, I'm looking for clarification in regard to how the ACL's differ between windows and samba... or if they differ? With windows ACL's, I can give out user permission traverse directory, but not read its contents. Then I can give said user more permission to a sub folders contents. Meaning: I don't want a user to see what is in \\files1\IS file:///\\files1\IS but I want to give them permissions to the contents of \\files1\IS\meetingminutes file:///\\files1\mamba\meetingminutes I cant seem to get this to work with samba. I suppose one could always create another share, but it's really not the ideal solution when this has to be done in many scenarios. I am running RH ES4, and from my searching for the answer to this, I recall reading that the Linux POSIX specifications aren't as robust as NTFS's, would this be correct to assume this is why samba doesn't seem to be able to use the traverse security permission? Any insight is appreciated. -dg -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Samba + (ACL=off)
Hello, Could you tell am I right in case: I am not able to add other users/groups than unix's user: owner,owner's group and others to folders/files localized on Samba server, despite doing that as root from XP client station. I also work without nt acl support = off. This is normal? I am asking because, when I try to change folder rights and I click add button I recive an error ...my domain.. couldn't be found. This happenes only with folder/files on Samba server, there is no problem with folders on clients XP stations. -- Pozdrawiam, Filip Zeniawski -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Samba + (ACL=off)
Hello, Sorry, if you have recived this message already, but I have problem with my email service. Could you tell am I right in case: I am not able to add other users/groups than unix's user: owner,owner's group and others to folders/files localized on Samba server, despite doing that as root from XP client station. I also work without nt acl support = off. This is normal? I am asking because, when I try to change folder rights and I click add button I recive an error ...my domain.. couldn't be found. This happenes only with folder/files on Samba server, there is no problem with folders on clients XP stations. -- Pozdrawiam, Filip Zeniawski -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Samba ACL and Krb5.
Hi, I have FC3 with samba-3.0.10-1.fc3, samba-common and samba-client joined to Windows 2003 AD with the followings library installed: ldd /usr/sbin/winbindd libcrypt.so.1 = /lib/libcrypt.so.1 (0xf6e14000) libresolv.so.2 = /lib/libresolv.so.2 (0xf6e0) libnsl.so.1 = /lib/libnsl.so.1 (0xf6de9000) libdl.so.2 = /lib/libdl.so.2 (0xf6de5000) libpopt.so.0 = /usr/lib/libpopt.so.0 (0xf6dde000) libgssapi_krb5.so.2 = /usr/lib/libgssapi_krb5.so.2 (0xf6dca000) libkrb5.so.3 = /usr/lib/libkrb5.so.3 (0xf6d65000) libk5crypto.so.3 = /usr/lib/libk5crypto.so.3 (0xf6d44000) libcom_err.so.2 = /lib/libcom_err.so.2 (0xf6d4) libldap-2.2.so.7 = /usr/lib/libldap-2.2.so.7 (0xf6d0f000) liblber-2.2.so.7 = /usr/lib/liblber-2.2.so.7 (0xf6d03000) libc.so.6 = /lib/tls/libc.so.6 (0xf6bdc000) /lib/ld-linux.so.2 (0xf6e4f000) libsasl2.so.2 = /usr/lib/libsasl2.so.2 (0xf6bc8000) libssl.so.4 = /lib/libssl.so.4 (0xf6b93000) libcrypto.so.4 = /lib/libcrypto.so.4 (0xf6aab000) libz.so.1 = /usr/lib/libz.so.1 (0xf6a9b000) Kerberos 1.3.4-7 was already installed with the distribution and related file /etc/krb5.conf configured as following: [libdefaults] default_realm = SINTER.GKN.COM dns_lookup_realm = false dns_lookup_kdc = false [realms] SINTER.GKN.COM = { kdc = krb5srv.sinter.gkn.com:88 admin_server = krb5srv.sinter.domain.com:749 default_domain = sinter.gkn.com } [domain_realm] .sinter.gkn.com = SINTER.GKN.COM sinter.gkn.com = SINTER.GKN.COM I have set /etc/nsswitch: passwd: files winbind shadow: files winbind group: files winbind I have configured /etc/samba/smb.conf: [global] netbios name = MYNAME os level = 16 wins server = xxx.xxx.xxx.xxx socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE unix charset = LOCALE workgroup = GKNSMI realm = SINTER.GKN.COM security = ADS password server = krb5srv.sinter.gkn.com encrypt passwords = yes allow trusted domains = Yes winbind use default domain = Yes winbind separator = / winbind enum users = Yes winbind enum groups = Yes idmap uid = 1-10 idmap gid = 1-10 hide unreadable = Yes template shell = /bin/false use sendfile = Yes printer admin = admin users = log file = /var/log/samba/log.%m log level = 1 auth:10 sam:10 max log size = 50 nt acl support = Yes map acl inherit = Yes [data] comment = DATA repository path = /data read only = No create mask = 0775 security mask = 0777 force security mode = 0 directory mask = 0775 directory security mask = 0777 force directory security mode = 0 dos filetimes = yes In data repository I have one folder named /user. In this I have put every user's folders named as username. Using ACL I have set complete control for each users only, so they can enter in /user folder and see only theirs personal folder, unix permission similar to ACL permissions are setted as below: Unix permissions: drwxr-x---+ 3 mabritta root 27 Sep 15 15:54 mabritta. ACL permissions: # file: mabritta # owner: mabritta # group: root user::rwx group::r-x other::--- default:user::rwx default:user:mabritta:rwx default:group::r-x default:mask::rwx default:other::--- So I expected that it works as I thought instead if I log with this username (mabritta) and I reach the user repository I can't see any folder, I have try also with smbclient tool and it seems works fine also if I connect with Win9x workstation and also in the previous situation when I was connect to NT4PDC it worked fine. Previously I have installed samba on RH9 with krb5-1.2.27 while samba documentation recommanded krb5-1.3.1 so I have decide to jump to FC3, but the problem in my opinion related to kerberos persist. Thanks. Marco. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba ACL and '+' on a 'ls - l'
Dear Guys, I have noticed that one of our domain users folder in /var/lib/samba/profiles has a '+' on the end of their username folder and all the files in their profile too. I know this is to do with ACL's and I know Samba can translate Windows ACL's to filesystem acls, but where can I find out where/how they are getting created and remove them. They should be know different then anyone else. Although, all the users are setup as Admins on their own computer, but noone else seems to be picking up or have a '+' sign on a 'ls -l' I can only speak for what the commands to handle ACL's are for Solaris; getfacl (to see what the current settings on a file or directory are, and setfacl (to set ACL settings). If those aren't the same commands used on your Samba server's OS to handle ACL settings, try using apropos acl to see a list of man pages regarding acl's. Anyway, I recently found myself wanting to remove ACL settings acquired from granting permissions through windows myself. I found that I had to use setfacl to replace the ACL entries and reset them to standard type entries in order to lose the + sign (signifying that there are additional ACL entries on a file). Setting the permissions on a file or directory with chmod alone is not enough to clear the ACLs. Example: I have a file that has ACL's set: % ls -l acl_test -rw-r--r--+ 1 user1usergroup 0 Jul 28 08:31 acl_test % getfacl acl_test # file: acl_test # owner: user1 # group: DGROUP user::rw- user:user2:rwx#effective:rwx group::r-- #effective:r-- mask:rwx other:r-- ( In the example above, the ACL's shown grant user2 full access to the file, even though user2 is not the owner. Clearing the permissions from the file does not (completely) remove the ACL setting. % chmod 000 acl_test % ls -l acl_test --+ 1 user1usergroup 0 Jul 28 08:31 acl_test To get rid of the + sign altogether, use setfacl with the -s option to reset the permission: % setfacl -s u::rw-,g::r--,o:r-- acl_test % ls -l acl_test -rw-r--r-- 1 user1usergroup 0 Jul 28 08:31 acl_test As you can see, the ACL's have been replaced by default entries (as if chmod was the only thing that ever touched it). Hope that helps. Regards, Arnold Andrews Sr. Systems Administrator Seagate Technology -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Samba ACL and '+' on a 'ls - l'
Dear Guys, I have noticed that one of our domain users folder in /var/lib/samba/profiles has a '+' on the end of their username folder and all the files in their profile too. I know this is to do with ACL's and I know Samba can translate Windows ACL's to filesystem acls, but where can I find out where/how they are getting created and remove them. They should be know different then anyone else. Although, all the users are setup as Admins on their own computer, but noone else seems to be picking up or have a '+' sign on a 'ls -l' Thanks, Paul -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Samba + ACL, rights are disappearing ?
Hi, I'm running Samba 3.0.14a on Debian Sarge, The Samba server is member of a windows2000 Domain, named NT1 Problem that I have is that, when setting up the rights on a directory, and checking the option to change the rights on the subdirectories and files, after a while the rights are no more here, and I have to set them new... Hope somebody can help me... [global] unix charset = LOCALE workgroup = NT1 realm = NT1.LOCAL server string = Linux Datei Server security = ADS #winbind use default domain = yes #username map = /etc/samba/smbusers acl compatibility = win2k nt acl support = Yes #Log log level = 1 syslog = 0 ldap ssl = no idmap uid = 1-2 idmap gid = 1-2 template primary group = Benutzer template shell = /bin/bash winbind separator = + #password server = nt5 bdc encrypt passwords = true printcap name = CUPS printing = cups [User] path=/home/samba/users/%U create mask = 0755 browseable=yes writeable=yes # valid users = @Domnen-Benutzer admin users = NT1+Administrator -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba + ACL, rights are disappearing ?
Maybe this helps: http://lists.samba.org/archive/samba/2005-May/105227.html Greets, Holger Am Donnerstag, 16. Juni 2005 16:10 schrieb [EMAIL PROTECTED]: Hi, I'm running Samba 3.0.14a on Debian Sarge, The Samba server is member of a windows2000 Domain, named NT1 Problem that I have is that, when setting up the rights on a directory, and checking the option to change the rights on the subdirectories and files, after a while the rights are no more here, and I have to set them new... Hope somebody can help me... [global] unix charset = LOCALE workgroup = NT1 realm = NT1.LOCAL server string = Linux Datei Server security = ADS #winbind use default domain = yes #username map = /etc/samba/smbusers acl compatibility = win2k nt acl support = Yes #Log log level = 1 syslog = 0 ldap ssl = no idmap uid = 1-2 idmap gid = 1-2 template primary group = Benutzer template shell = /bin/bash winbind separator = + #password server = nt5 bdc encrypt passwords = true printcap name = CUPS printing = cups [User] path=/home/samba/users/%U create mask = 0755 browseable=yes writeable=yes # valid users = @Domnen-Benutzer admin users = NT1+Administrator -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba + ACL cosmetic improvement?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hmmm. Silly SNAP systems do what I want (squash everyone if it is - ---). Anyone know what modifications they make to Samba? I'm using GuardianOS 3.0.099, and it seems to have some extended ACLs that I don't recognize. user::rwxdpo user:admin:rwxdpo group::-- group:admin:rwxdpo mask::rwxdpo other::r-x--- default:user::rwxdpo default:user:admin:rwxdpo default:group::-- default:group:admin:rwxdpo default:mask::rwxdpo default:other::r-x--- rruegner wrote: | Hi, | you got the same problem, many win admins have, | removing group everyone happens everywhere( in this group is everyone g | )in big windows hosting active dir companies, this makes their helpdesks | crazy *g. | Also deny permissions functions are simply a hoax by ms | I know windows book writers which have no real answer and say simply | dont use it, maybe you are able to make cosmetic debuging with samba | about that but you will see another kind of problem will come up *g | So i wouldnt invest to much time in debugging a feature which is simply | rubbish from the creators of win and makes trouble in purly win networks | too | Best Regards | | | Tom Dickson schrieb: | | My users are complaining that to remove Everyone permissions from a | folder's ACL they have to Deny all permissions. This causes a Windows | warning to appear: You have denied everyone access to New Folder. No | one will be able to access New Folder and only the owner will be bale to | change the permissions. Do you wish to continue? | | This is confusing, because world permissions of --- will NOT prevent | other groups assigned either as the default group or in the POSIX ACL | | from working. | | | | What I'd like to see is the following improvements. If the Everyone | group is removed by the Windows security editor, Samba sets world | permissions to ---. If the Everyone group is added, then Samba | modifies world permissions accordingly. And if the world or default | group permissions are ---, Samba does not display them in the Windows | ~ ACL dialog. | | Are there any objections why this wouldn't work? I'm tired of explaining | that the deny button really isn't denying everybody, and why the Domain | Users group cannot be removed, etc. | | (using 2.4.26 bestbits XFS+ACL, Samba 3.0.2a) | | -Tom | . -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFA9ukb2dxAfYNwANIRAprbAJ915mMGR9CpCq+kdGxYhkdnXpMRggCfZaz2 wJBFfPQU6Nn724kenwcE+2U= =jVw1 -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba + ACL cosmetic improvement?
Hi, you got the same problem, many win admins have, removing group everyone happens everywhere( in this group is everyone g )in big windows hosting active dir companies, this makes their helpdesks crazy *g. Also deny permissions functions are simply a hoax by ms I know windows book writers which have no real answer and say simply dont use it, maybe you are able to make cosmetic debuging with samba about that but you will see another kind of problem will come up *g So i wouldnt invest to much time in debugging a feature which is simply rubbish from the creators of win and makes trouble in purly win networks too Best Regards Tom Dickson schrieb: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 My users are complaining that to remove Everyone permissions from a folder's ACL they have to Deny all permissions. This causes a Windows warning to appear: You have denied everyone access to New Folder. No one will be able to access New Folder and only the owner will be bale to change the permissions. Do you wish to continue? This is confusing, because world permissions of --- will NOT prevent other groups assigned either as the default group or in the POSIX ACL from working. What I'd like to see is the following improvements. If the Everyone group is removed by the Windows security editor, Samba sets world permissions to ---. If the Everyone group is added, then Samba modifies world permissions accordingly. And if the world or default group permissions are ---, Samba does not display them in the Windows ~ ACL dialog. Are there any objections why this wouldn't work? I'm tired of explaining that the deny button really isn't denying everybody, and why the Domain Users group cannot be removed, etc. (using 2.4.26 bestbits XFS+ACL, Samba 3.0.2a) - -Tom -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFA8vIN2dxAfYNwANIRAjfoAJ9MtA9WfArfNTbvIZxEKY3OilQbvQCfTBA4 4ey0vJSnA7MF6DBFr5zwU4A= =NayI -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Samba + ACL cosmetic improvement?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 My users are complaining that to remove Everyone permissions from a folder's ACL they have to Deny all permissions. This causes a Windows warning to appear: You have denied everyone access to New Folder. No one will be able to access New Folder and only the owner will be bale to change the permissions. Do you wish to continue? This is confusing, because world permissions of --- will NOT prevent other groups assigned either as the default group or in the POSIX ACL from working. What I'd like to see is the following improvements. If the Everyone group is removed by the Windows security editor, Samba sets world permissions to ---. If the Everyone group is added, then Samba modifies world permissions accordingly. And if the world or default group permissions are ---, Samba does not display them in the Windows ~ ACL dialog. Are there any objections why this wouldn't work? I'm tired of explaining that the deny button really isn't denying everybody, and why the Domain Users group cannot be removed, etc. (using 2.4.26 bestbits XFS+ACL, Samba 3.0.2a) - -Tom -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFA8vIN2dxAfYNwANIRAjfoAJ9MtA9WfArfNTbvIZxEKY3OilQbvQCfTBA4 4ey0vJSnA7MF6DBFr5zwU4A= =NayI -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Samba + ACL
Could you explai how should I use the NT Server Manager Tool ?(I don't know it) Thanks. -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Samba + ACL
I wish to realize a file-server with SAMBA integrated in my network domain (Windows NT4 PDC). To manage the user access for each share in the Samba file-server, I would use Active Control Lists. Anyone can tell me - what type and version of Linux is best for my purpose ? - what Samba version is best to use ? Thanks. Marco -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba + ACL
Marco Gavaldo schrieb: I wish to realize a file-server with SAMBA integrated in my network domain (Windows NT4 PDC). To manage the user access for each share in the Samba file-server, I would use Active Control Lists. ACCESS Control Lists Anyone can tell me - what type and version of Linux is best for my purpose ? - what Samba version is best to use ? Samba supports the standard POSIX Linux ACL's. You have to use Samba 304, because it is the productivity release. matze -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Samba + ACL
Hi Marco, Here's what I've learned over the past few days setting something similar up: 1) The 2.6 series kernel supports ACLs on ext3, xfs and other filing systems. 2.4 can support them if you install the bestbits patches. 2) Samba 3 seems to work pretty well with ACLs, but that's the only version I've used. If you're interested, my setup is Samba 3.0.4 on Fedora Core 2 using yum to update the kernel and it works fine. I hope this helps, Mark Lidstone IT and Network Support Administrator BMT SeaTech Ltd Grove House, Meridians Cross, 7 Ocean Way Ocean Village, Southampton. SO14 3TJ. UK Tel: +44 (0)23 8063 5122 Fax: +44 (0)23 8063 5144 E-Mail: mailto:[EMAIL PROTECTED] Website: www.bmtseatech.co.uk == Confidentiality Notice and Disclaimer: The contents of this e-mail and any attachments are intended only for the use of the e-mail addressee(s) shown. If you are not that person, or one of those persons, you are not allowed to take any action based upon it or to copy it, forward, distribute or disclose the contents of it and you should please delete it from your system. BMT SeaTech Limited does not accept liability for any errors or omissions in the context of this e-mail or its attachments which arise as a result of Internet transmission, nor accept liability for statements which are those of the author and not clearly made on behalf of BMT SeaTech Limited. == -Original Message- From: Marco Gavaldo [mailto:[EMAIL PROTECTED] Sent: 02 July 2004 10:11 To: [EMAIL PROTECTED] Subject: [Samba] Samba + ACL I wish to realize a file-server with SAMBA integrated in my network domain (Windows NT4 PDC). To manage the user access for each share in the Samba file-server, I would use Active Control Lists. Anyone can tell me - what type and version of Linux is best for my purpose ? - what Samba version is best to use ? Thanks. Marco -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Samba + ACL
If you're interested, my setup is Samba 3.0.4 on Fedora Core 2 using yum to update the kernel and it works fine. yum? -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Samba + ACL - Heading OT
Automated update system supplied with Fedora. Kinda like the RHN, but free and more up to date version-wise, but without the package checking done by Redhat. If you're running Fedora and it's installed, typing yum update package name will update a package to the latest version on your downloads site (it defaults to download.fedora.redhat.com), yum install package name installs a package you haven't currently got installed, yum remove package name removes it and yum update will attempt to update all the packages on your machine. The last time I looked a couple of days ago, the latest version that Redhat were giving of Samba was 3.0.3, but that might have changed now. I know it's a lazy way of doing things, but it saves me a lot of time. I'm a little worried that this is going a bit OT for the list, so if anyone wants any more information, just email me directly. Finally a quick google search finds you plenty of information on it. I hope this helps, Mark Lidstone IT and Network Support Administrator BMT SeaTech Ltd Grove House, Meridians Cross, 7 Ocean Way Ocean Village, Southampton. SO14 3TJ. UK Tel: +44 (0)23 8063 5122 Fax: +44 (0)23 8063 5144 E-Mail: mailto:[EMAIL PROTECTED] Website: www.bmtseatech.co.uk == Confidentiality Notice and Disclaimer: The contents of this e-mail and any attachments are intended only for the use of the e-mail addressee(s) shown. If you are not that person, or one of those persons, you are not allowed to take any action based upon it or to copy it, forward, distribute or disclose the contents of it and you should please delete it from your system. BMT SeaTech Limited does not accept liability for any errors or omissions in the context of this e-mail or its attachments which arise as a result of Internet transmission, nor accept liability for statements which are those of the author and not clearly made on behalf of BMT SeaTech Limited. == -Original Message- From: Simon Oliver [mailto:[EMAIL PROTECTED] Sent: 02 July 2004 14:09 To: Mark Lidstone Cc: [EMAIL PROTECTED] Subject: RE: [Samba] Samba + ACL If you're interested, my setup is Samba 3.0.4 on Fedora Core 2 using yum to update the kernel and it works fine. yum? -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba + ACL - OT
Malte Woelky wrote: Hallo, Friday, July 2, 2004, 3:09:26 PM, you wrote: If you're interested, my setup is Samba 3.0.4 on Fedora Core 2 using yum to update the kernel and it works fine. SO yum? Yellowdog Update Manager - Fedora update tool Actually, that's 'Yellow dog Updater, Modified', and not distro specific. From the home page at http://linux.duke.edu/projects/yum/ : Yum is an automatic updater and package installer/remover for rpm systems. It automatically computes dependencies and figures out what things should occur to install packages. It makes it easier to maintain groups of machines without having to manually update each one using rpm. -- Paul Gienger Office:701-281-1884 Applied Engineering Inc. Cell: 701-306-6254 Information Systems Consultant Fax: 701-281-1322 URL: www.ae-solutions.commailto:[EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba + ACL backup solution
On Tue, 2004-06-15 at 21:42, Hamish wrote: Hello all I am looking for a good backup solution for samba shares, I do not mean to start a jihad between rival backup religions, but I would appreciate any suggestions. I have tried star and love it, unfortunately there does not seem to be a gui or any frontend that can be used with it (it needs to be available to a couple of GUI-only (read as windows admin) people). Thanks again, Hamish Er, Hamish - what about using Webmin - which can be accessed from any machine, any browser, any OS on the network...eh? stephen kuhn - proprietor == illawarra computer services a kuhn media australia company http://kma.0catch.com mobile: 0410.728.389 -- 21:46:59 up 2 days, 2:10, 4 users, load average: 0.27, 0.20, 0.13 -- * This message was composed on a 100% Microsoft free computer * We expressly refuse to utilise Microsoft DRM encoded documents -- This email is virus-free because we don't use Microsoft products It is the business of the future to be dangerous. -- Hawkwind -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba + ACL backup solution
I did not know that webmin had a module to backup files as well as ACLs (all i could find was a dump module), could you give me a url to get the module from pls? Stephen Kuhn wrote: On Tue, 2004-06-15 at 21:42, Hamish wrote: Hello all I am looking for a good backup solution for samba shares, I do not mean to start a jihad between rival backup religions, but I would appreciate any suggestions. I have tried star and love it, unfortunately there does not seem to be a gui or any frontend that can be used with it (it needs to be available to a couple of GUI-only (read as windows admin) people). Thanks again, Hamish Er, Hamish - what about using Webmin - which can be accessed from any machine, any browser, any OS on the network...eh? stephen kuhn - proprietor == illawarra computer services a kuhn media australia company http://kma.0catch.com mobile: 0410.728.389 -- 21:46:59 up 2 days, 2:10, 4 users, load average: 0.27, 0.20, 0.13 -- * This message was composed on a 100% Microsoft free computer * We expressly refuse to utilise Microsoft DRM encoded documents -- This email is virus-free because we don't use Microsoft products It is the business of the future to be dangerous. -- Hawkwind -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Samba + ACL
hi, I'm using samba with acl on AIX and FreeBSD systems. But, when I copy or move files from a Windows 2000 Share to the Samba Share I lost the privileges of that files/folders. Are there a solution for it? Thanks, mAnEh ... Ps.: Sorry, but I dont speak English :) ... -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Samba + acl + Domain Admins
Hi! I am running samba-2.2.7a with winbind and acl. I've setup share with default owner 'administrator' and group owner 'Domain Admins' and let access to others throw acl. Trouble is, when some user from 'Domain Admins' group changes some file, he also changes user and group owner to 'his_username' and 'Domain Users'. I've checked smb.conf and there is: domain admin group = admin users = which means that no one has rights to change file ownerships. What is wrong then? Thanks -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Samba ACL support
Dear All, I am running samba 2.2.7-5 on a RH 8.0 box with 2.4.20-18 kernel and I am trying to migrate a Win2K Server to Samba. The samba RPM has --with-acl-support activated. I manually add all the net users into the samba box using the command useradd -s /bin/false -d /dev/null -m username and then I transfer then into samba. Having specified: workgroup = our_workgroup netbios name = Server Name security = user encrypt passwords = yes nt acl support = yes etc. [share_name_1] path = .. valid users = etc. in the smb.conf and creating the appropriate top level shares with the corresponding users everything works very well. Users can have where they suppossed to. The old Win2K server has a very different structure looking something like: However, I can not change share permisions from a Win2K client (or WinXP client). -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba ACL
Waider, Would you mind commenting further on what you had to do to get RedHat 8.0 support ACLs. Thanks K.C. -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba ACL
On December 11, [EMAIL PROTECTED] said: Waider, Would you mind commenting further on what you had to do to get RedHat 8.0 support ACLs. Thanks K.C. Sure: * Download kernel SRPM * Modify patches[1] * Spend several hours rebuilding kernel packages [1] is obviously the tricky bit. I'm testing out the modified patches at the moment, plus I've offered them to the bestbits guy but not yet received a reply. I'll stick 'em on my website tomorrow at some point and post the URL here for interested parties. Note, I've done this for Red Hat 7.3 but since the kernel versions are the same (2.4.18-18) I think the patches will apply easily enough to the Red Hat 8.0 SRPM. Cheers, Waider. -- [EMAIL PROTECTED] / Yes, it /is/ very personal of me. Life sucks. Get a helmet. - Denis Leary, as quoted by Susan Witterick on It never rains, it POURS. -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba ACL
On December 7, [EMAIL PROTECTED] said: No, the option/s/ are all enabled in the kernel. What's missing, I think, is all the rest of the support: libacl, libattr, patched fileutils, etc. I'm currently rebuilding various bits and pieces to see if I can make it work without too much grief. Okay, clarifying my clarification. The ACL defs are in the main configuration section, but none of the patches in the rest of the kernel tree appear to be present. Drat. Cheers, Waider. -- [EMAIL PROTECTED] / Yes, it /is/ very personal of me. That's something tas mentioned in passing once or twice...DSP, so what is it? If it's anything to do with the glorious Limerick era then David's probably better off out of it. - Dalton Moloney 29/03/1996 -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba ACL
On December 3, [EMAIL PROTECTED] said: So it looks like the option is turned on in the kernel config, but the patch is not actually in the kernel. No, the option/s/ are all enabled in the kernel. What's missing, I think, is all the rest of the support: libacl, libattr, patched fileutils, etc. I'm currently rebuilding various bits and pieces to see if I can make it work without too much grief. Cheers, Waider. -- [EMAIL PROTECTED] / Yes, it /is/ very personal of me. Turtles. Big, green turtles. - Orla -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba ACL
On Tue, 3 Dec 2002 19:14:01 + Ronan Waide [EMAIL PROTECTED] wrote: On December 3, [EMAIL PROTECTED] said: acls can work with ext2/ext3 but you have to apply the patches from bestbits. xfs is a better choice and has the acl stuff built in. Actually, RedHat's recent precompiled kernels appear to have acls enabled by default. I installed RedHat 8.0 and acl on ext2/3 didn't work, with the precompiled Kernel from SGI and xfs acl work fine. -- regards, Stefan Klein -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba ACL
On December 4, [EMAIL PROTECTED] said: Actually, RedHat's recent precompiled kernels appear to have acls enabled by default. I installed RedHat 8.0 and acl on ext2/3 didn't work, with the precompiled Kernel from SGI and xfs acl work fine. Yup, this is why I said appear to have rather than have. Cheers, Waider. -- [EMAIL PROTECTED] / Yes, it /is/ very personal of me. AjD feels frustrated in his attempts to establish the delinitations of horror in puppy-burying. -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Samba ACL
Hello, short and maybe stupid question - can samba work with ACL when fs is etx2(ext3)?(i think no, but not sure) If NO what file system I need to make use of ACLs? Thanks, -- Saulius -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba ACL
On December 3, [EMAIL PROTECTED] said: acls can work with ext2/ext3 but you have to apply the patches from bestbits. xfs is a better choice and has the acl stuff built in. Actually, RedHat's recent precompiled kernels appear to have acls enabled by default. Cheers, Waider. -- [EMAIL PROTECTED] / Yes, it /is/ very personal of me. The majority were fairly uncategorizable freaks, but you could tell that even the most normal-looking people there were still the weirdest people at their day job. - Jamie Zawinski -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba ACL
I'm not so sure about this... but looking at the changelog for Red Hat's 2.4.18-18.7.x kernel says (for RH 7.2) : grep -B 2 -i acl kernel-2.4.spec * Mon Aug 12 2002 Arjan van de Ven [EMAIL PROTECTED] - ACLs removed for now because of stability and correctness problem If you grep the config file the kernel was built with you get: grep -i acl kernel-2.4.18-i686-smp.config CONFIG_FS_POSIX_ACL=y CONFIG_EXT3_FS_POSIX_ACL=y grep -i xatt kernel-2.4.18-i686-smp.config CONFIG_EXT3_FS_XATTR=y CONFIG_EXT3_FS_XATTR_SHARING=y CONFIG_EXT3_FS_XATTR_USER=y But if you boot with that kernel and try to mount a partition with acl,user_xattr options you get: mount: wrong fs type, bad option, bad superblock on /dev/ida/c0d0p7, or too many mounted file systems So it looks like the option is turned on in the kernel config, but the patch is not actually in the kernel. James Ronan Waide wrote: On December 3, [EMAIL PROTECTED] said: acls can work with ext2/ext3 but you have to apply the patches from bestbits. xfs is a better choice and has the acl stuff built in. Actually, RedHat's recent precompiled kernels appear to have acls enabled by default. Cheers, Waider. -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Samba ACL and EA problems
Hello, I'm currently experiencing a problem concerning Samba 2.2.3a which is running on RedHat 7.3 kernel 2.4.18 configured with ACLS. While trying to upgrade the kernel to support LFS 2GB files, a reboot was performed after the successful recompilation and installation of new filesystem tools. The system halted at mounting the /samba partition reporting errors on the filesystem. The problem is e2fsck was run on ext3 partition while upgrading ACLs/EAs, and now it seems the inodes holding the ext_attr info inodes were cleared and have now screwed up the base dirs on the samba partition. When typing 'ls' under the Samba dir the following error messages appear: ls: .Bad Address ls: homes: Bad Address etc. The problem is not letting us rm, rmdir, mv, etc.. these dirs as well as /homes/username dirs. Our current work around for creating new users is to create an alternate /home dir which is /samba/home instead of /samba/homes. Other than that, the users have not reported any problems. If anybody has any ideas or input it would be greatly appreciated. We are stuck in a bit of a pickle. We don't know exactly how this occurred and if it will get any worse. If this is unclear, please let me know. Regards, Matthew Shaw Network Administrator MarkIV Industries/IVHS Division Phone: 905.624.7910 Fax: 905.625.6197 E-mail: [EMAIL PROTECTED]¢éì¹»®Þ~º¶¬+-h¶¢YhÂ)àQÚÚÞiÛaz)춻¶*'²m§ÿåËl±©jàþf¢f§þX¬¶)ߣû¶
[Samba] Samba ACL strange problem
HI all, I had install samba 2.2.3a-6 on Linux RedHat 7.3. I had recompile the kernel support ACL. I know that with samba = 2.2 support ACL too but it's seem there something wrong here when i got this mess. It's look like samba does not support ACL Are there anyone could help me get out of this problem Thank You Trong Ho PS: attach file is my smb.conf [root@file /]# getfacl /home/current/common getfacl: Removing leading '/' from absolute path names # file: home/current/common # owner: hung # group: users user::rwx user:hung:rw- user:tin:rw- group::--- mask::rw- other::--- [root@file /]# smbcacls file://file/current common -U tin%tin REVISION:1 OWNER:FILE\hung GROUP:FILE\users ACL:Everyone:ALLOWED/0/O ACL:FILE\hung:ALLOWED/0/FULL ACL:FILE\users:ALLOWED/0/RW ACL:FILE\hung:ALLOWED/11/FULL ACL:FILE\users:ALLOWED/11/R ACL:Everyone:ALLOWED/11/R smb.conf Description: Binary data