RE: [Samba] Request for ACL experiences

2003-10-31 Thread Ben Tullis
Hello all
I have had some dubious experiences using the ACL features of Samba 3.0.0.
At present I have rolled back our production servers to 2.2.8a 
(--with-acl) but I hope that they will be ironed out by 3.0.1 and I can 
upgrade again.

The problems manifested themselves in two client applications, CVS and 
Quickbooks, although there was only 24'ish hours of live use before the 
decision was made to roll back.

The CVS problem went thus.

CVS repositories held on an ext3+acl partition, access by samba with 
force-user=someuser and valid [EMAIL PROTECTED]
CVS working directories held on [homes] share

When performing a cvs edit or cvs unedit the permissions of the 
files were not being set to read-only correctly. It was possible to set 
these permissions using the standard Windows file property dialogs.

Since much of our work uses CVS intensively, this would not do. This 
behaviour occurred whether or not oplocks were employed.

The Quickbooks problem was nasty but I think I could have got around it 
with options.

The kernel is 2.4.21 +ea+acl. The shares are exported via patched NFS for 
version 3 NFS clients only.

2.2.8a has plenty of quirks with ACL's enabled but I won't go into those 
now.

--

Ben Tullis
IT Manager


--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Request for ACL experiences

2003-10-30 Thread John H Terpstra
On Wed, 29 Oct 2003, Douglas Phillipson wrote:

> I'm having trouble with ACL's and wonder how many others are too.  I see
> conflicting answers and comments about different aspects of ACL's from
> many people on the list.  I was wondering if ANYONE is successfully
> using ACL's with Samba 3.0 or above.

Yes. I am successfully setting ACLs with Samba-3.0.0.

I have the ACLs patch in my kernel so that I can set ACLs on Linux files.
Setting ACLs on Shares does NOT AT ALL use kernel ACLS.

> Were there any commands/configurations you had to use to make ACL's work
> that were not covered in the 3.0 HowTo?

> I think we could use some real world working examples here.  Please be
> VERY explicit and complete with concrete examples.  Assume those reading
> your answers are NOT experts!  If you see any missing questions that you
> think might be useful to using ACL's, please add them!

Please explain to me what part of the Samba-HOWTO-Collection.pdf, chapter
12 you cannot understand. Precisely what is the problem - I want to fix
it. I totally believe you that this chapter is not clear enough. What is
not working for you?

I do not understand what we are missing. I want to help you.

Please give us detailed, step-by-step instructions for how to reproduce
your problem.


- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]


RE: [Samba] Request for ACL experiences

2003-10-29 Thread Paul Eggleton
Douglas Phillipson wrote on Thursday, 30 October 2003 9:14 a.m.:
> I'm having trouble with ACL's and wonder how many others are too.  I
> see conflicting answers and comments about different aspects of ACL's
> from many people on the list.  I was wondering if ANYONE is
> successfully using ACL's with Samba 3.0 or above.

Yes, we are. Our Red Hat 9 based Samba server is acting as a general
purpose file server for a Windows 2000 Active Directory domain.

> Was your Samba server configured as the DC?

No, our DC is running Windows 2000 Server SP3.

> What client OS were you setting ACL's on the Samba Share with?
> (Win2000, XP) What service pack (SP4 on Win2000???)

Windows 2000 Server SP3.
 
> Did you have to have the ACL kernel patch?

Yes, if you wish to use ACLs on ext2/ext3. XFS is supposed to have
support already, though I have not tried it so I really don't know for
sure.

> Did you need nt acl support = yes in each share definition?

No. This option defaults to yes anyway, so you should not need to
specify it at all.

> How did you setup your shares? (Working share Examples are good)

Here's an example:

[media]
comment = Media files
path = /mnt/media
public = yes
writable = yes
create mask = 0774
directory mask = 0774
inherit acls = yes
admin users = Administrator

You need winbind use default domain = yes set in your smb.conf for the
admin users option to work as specified above.

Note that the exact options you use are highly dependent on what you
want to use the share for. I would strongly recommend you read the
relevant parts of the Samba 3 Howto collection, as well as the share
options documentation in the smb.conf manpage.
 
> Did you have to use the server Tools downloaded from microsoft or
> could you simply right click on a file/folder and change the security
> ACL's?

You can just use the normal permission editing (right
click...Properties).

> How are you verifying the ACL's actually work?  Did you fully test any
> ACL you set through Windows by actually trying to make a user access a
> file to see that his access matched the ACL you set.

Yes, they do work.

> What didn't work with ACL's that you thought should?

Well, Samba can only provide to Windows what is available through POSIX
standard ACLs, which means read, write, execute access bits for the
owner, the group, and all others (the latter represented by Everyone
in Windows), plus the same for each ACE. The extended permission types
provided by Windows are not fully supported and this can't really be
fixed at this time, because there is no equivalent functionality in
Unix. In addition, Samba has to fit the normal DOS attributes into the
Unix permissions as well, so you may see odd things happening at the
Windows end. It does work, but the sooner you understand these two
limitations, the better you will understand what is going on when you
try to set permissions from Windows.

Nested groups do not work. If domain user X is a member of domain group
A, and A is a member of domain group B, X will not be seen as a member
of B by Samba even though they will be by Windows.
 
> Are you comparing the windows ACL's to the output of getfacl?

Yes, they are the same, once you understand how the mapping works.
 
> Could you use ACL's to add users to Samba printers?
>
> How did you add Samba printers as Domain resources so you could add
> ACL's to them?  Or did you need to do this?
 
No idea, I have not tried either.

> Did you have to do any setfacl commands in Linux?

No.

> Did you have to run winbind?

Yes.

> Did you have to do any net groupmap commands to make ACL's work?

No.

> Were there any commands/configurations you had to use to make ACL's
> work that were not covered in the 3.0 HowTo?

Not that I'm aware of, although it does not discuss enabling ACLs in the
file system last time I checked (I suspect because this is Linux
specific).

BTW I have written an unofficial Samba+ACL Howto of sorts which may make
things a little clearer. If you have any suggestions for that Howto
(which is a little out of date, I admit) please let me know.

http://www.bluelightning.org/linux/samba_acl_howto

Cheers,
Paul
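
Added example, not part of Paul Eggleton's message or of Samba: a small Python audit helper for the getfacl comparison discussed above. It parses getfacl output and reports the rwx rights POSIX actually enforces for the owner, the group, Everyone and each named ACE, applying the mask entry, so the result can be checked against what was set in the Windows dialog. The function names, the sample file and the user and group names are constructed for illustration.

```python
# Constructed sample of `getfacl` output (not taken from the thread).
SAMPLE_GETFACL = """\
# file: mnt/media/report.doc
# owner: alice
# group: staff
user::rwx
user:bob:rwx
group::rw-
group:editors:rwx
mask::r-x
other::r--
"""

def effective_acl(getfacl_text):
    """Map each access ACL entry to the rwx rights POSIX actually enforces."""
    header, entries, mask = {}, [], "rwx"   # no mask entry means no restriction
    for raw in getfacl_text.splitlines():
        if raw.startswith("#"):             # "# owner: alice" style header lines
            key, _, value = raw[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        line = raw.split("#", 1)[0].strip()  # drop trailing "#effective:" notes
        if not line or line.startswith("default:"):
            continue                         # default ACLs only seed new files
        tag, name, perms = line.split(":")
        if tag == "mask":
            mask = perms
        else:
            entries.append((tag, name, perms))
    result = {}
    for tag, name, perms in entries:
        if tag == "other":
            label, masked = "Everyone", False
        elif tag == "user" and not name:
            label, masked = "owner " + header.get("owner", "?"), False
        elif tag == "group" and not name:
            label, masked = "group " + header.get("group", "?"), True
        else:
            label, masked = f"ACE {tag} {name}", True
        if masked:  # mask caps named users, named groups and the owning group
            perms = "".join(p if p == k else "-" for p, k in zip(perms, mask))
        result[label] = perms
    return result

def mismatches(getfacl_text, intended):
    """Labels whose effective rights differ from what was set from Windows."""
    actual = effective_acl(getfacl_text)
    return sorted(k for k in intended if actual.get(k) != intended[k])
```

In the sample, bob and the editors group are listed with rwx but the mask reduces both to r-x, which is the kind of difference to look for when a Windows-side permission does not behave as set.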