Chris Osicki wrote:
On Wed, 16 Sep 2009 18:03:48 -0400
Gary Dale <garyd...@rogers.com> wrote:

Chris Osicki wrote:
Hi
I'm using Samba 3.0.33 on Solaris10 and have the following problem.
In the smb.conf I have
    workgroup = CORPROOT
    security = domain

and users authenticated to CORPROOT domain can connect to shares
w/o problems, [homes] for example.
Now I would like to create a share and restrict access to it to just a dozen users or so.

I tried

    valid users = +docs
    force user = usodocs

where docs is a group in /etc/group and it didn't work.
Looks like Samba is trying to look up the group docs on the domain
controller in the CORPROOT domain.

So, I tried this

  valid users = CORPROOT\user
  force user = usodocs

It works. According to the man page, valid users = +docs
should work.
I must be missing something, but what?

Is there any better/nicer way to achieve what I'm looking for?
That is, to give a group of users full control over content of a share.
I have several Linux Samba servers where I use POSIX ACLs to control
read/write rights on the OS level and it works fine.
I tried the same on the Solaris10 box with ZFS and its ACLs and it
didn't work as expected (posted about it a few weeks ago, no answers though)

I would be very thankful for any help.

BTW, anyone any idea how to attract attention to a post on this list?
Virtual beer as attachment? ;-)
My success rate is by now close to nothing.

Thanks for your time.

Regards,
Chris
Further to my earlier response, you need to ensure that the group has access to the share since Samba permissions cannot override Linux permissions. You may want to set the Linux permissions to 777 while testing. Leave off the force user and just try the "valid users". Also, since you are using the + group prefix, this is strictly the Linux group that you are granting permission to.

Thanks Gary for your reply.

I followed your suggestions but it didn't work.
Samba tries to resolve +group on the Domain Controller and not locally on Unix.
If I put

    valid users = +CORPROOT\OG_ITS-SDL-SO-DXS-USO-BE

where OG_ITS-SDL-SO-DXS-USO-BE is a group my NT account belongs to, it works.

What could be causing Samba not to check +group locally on Unix?

Thanks for your time.

Regards,
Chris

I'm not sure that Samba checks the Linux groups but Linux does. In a Windows domain, all the accounts reside in the Domain. It may be checking the Linux accounts for shares on the DC, but wouldn't be able to on a member server. Perhaps one of the Linux gurus could answer your question. However, for operations in the domain, you're best to stick with domain entities, such as a domain group or domain user accounts. So long as Samba has sufficient privileges to access the local Linux share, it should be OK.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
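
An added example, not part of the thread: because `force user` makes Samba perform file operations as that account, and Samba cannot grant more than the filesystem allows, this Python script reports what the classic mode bits give the forced account on the share directory. The share path in the usage comment is hypothetical, and ACLs (POSIX or ZFS) are not evaluated.

```python
import os
import pwd
import stat
import sys


def posix_access(mode, owner_uid, owner_gid, uid, gids):
    """Return the 'rwx' string the classic mode bits give this uid/gid set.

    Exactly one class applies (owner, else group, else other), so a member
    of the owning group never falls through to the 'other' bits.
    ACLs are not evaluated here.
    """
    if uid == 0:
        return "rwx"  # root is not restricted by directory mode bits
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))


def check_share(path, force_user):
    """Resolve force_user locally and report its access to the share directory."""
    pw = pwd.getpwnam(force_user)  # raises KeyError if the account is unknown
    gids = set(os.getgrouplist(force_user, pw.pw_gid))
    st = os.stat(path)
    return posix_access(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                        pw.pw_uid, gids)


if __name__ == "__main__":
    # Usage: python check_share.py /export/docs usodocs   (path is hypothetical)
    share_path, account = sys.argv[1], sys.argv[2]
    access = check_share(share_path, account)
    print(f"{account} on {share_path}: {access}")
    if access != "rwx":
        print("forced account lacks full access; smb.conf cannot grant more than this")
```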