Hello Steve,
On 30/11/2011 19:52, steve wrote:
On 30/11/11 19:20, Matthieu Patou wrote:
Hello,
Each subfolder of /home is username:users. A file which is 0755
steve:users can be deleted by anyone. Samba 4 does not prompt for a
username and password when entering any share. This is just a plain
install of:
Where is the /home ? on the Samba 4 AD server ? mounted on the client ?
How did you created the subfolders ?
Can you give a detailed list of action to reproduce your problem ?
Matthieu.
I've tried both. In this example hh3 is the Samba server 192.168.1.3
smb.conf has:
[home]
path = /home
read only = no
/home has 2 users /home folders. /home/steve and /home/lynn both owned
by their respective steve:users and lynn:users. Both users were
created before Samba 4 was installed. Linux does not allow file
creation nor deleting between the 2 folders.
Well this points me already something wrong in what you have done.
Because its not because you have user steve and lynn in on the
Linux/Unix side, your users created in the active directory will not be
the same at all.
Then I suspect konq to implicitly use your linux user as the default smb
user and if the password match then you won't be prompted for a password.
In order to be sure you'd better do the test with smbclient.
For me smbclient didn't give me access if I don't put a password:
smbclient -L //zeus
Enter mat's password:
Anonymous login successful
Domain=[MATWS] OS=[Unix] Server=[Samba 4.0.0alpha18-DEVELOPERBUILD]
Sharename Type Comment
--------- ---- -------
home Disk
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service
zeus is an IPv6 address -- no workgroup available
smbclient //zeus/home
Enter mat's password:
so, on hh3:
login as steve
on konq do
smb://hh3
click on the home folder
enter the lynn folder
create a file (it shouldn't allow you)
delete a different file (it shouldn't allow you)
Now go over to another client, 192.168.1.4
Login as someone different but not root.
repeat above.
The user on another physical box can also delete and create files in
either the lynn or steve home folders.
I suggest to make a trace with tcpdump in order to know which user konq
is using to authenticate you against the samba 4 server.
Apart from this you have to know the current file server for the Samba
AD (called samba4 so far) use full NT acls that are usually stored in
security.NTACL,
in the extended attributes, when this information is not present it uses
the the posix acls and posix rights and tries to translate them to their
NT acls equivalent.
It seems that here you have found a bug in the way the translation is done.
Matthieu.
--
Matthieu Patou
Samba Team
http://samba.org
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
