On 18/08/12 23:00, Gémes Géza wrote:
On 2012-08-18 08:48, steve wrote:
On 17/08/12 13:17, Gémes Géza wrote:
On 2012-08-17 11:44, steve wrote:
Hi
S4 DC with S3 fileserver.

smb.conf on the fileserver:
[global]
    workgroup = ALTEA
    realm = HH3.SITE
    security = ADS
    kerberos method = secrets and keytab
    winbind enum users = Yes
    winbind enum groups = Yes
    idmap config *:backend = tdb
    idmap config *:range = 3000-4000
    idmap config ALTEA:backend = ad
    idmap config ALTEA:range = 20000-40000000
    idmap config ALTEA:schema_mode = rfc2307
    winbind nss info = rfc2307
    winbind expand groups = 2
    winbind nested groups = yes
    usershare allow guests = No
    winbind refresh tickets = yes

[home]
    path = /home2/home
    read only = No

[staff]
    path = /home2/staff
    read only = No

[profiles]
    path = /home2/profiles
    read only = No
    store dos attributes = Yes
    create mask = 0600
    directory mask = 0700

[dropbox]
    path = /home2/dropbox
    force create mode = 0660
    force directory mode = 0770
    read only = No

wbinfo -u lists Administrator but getent passwd lists only those users
with a uidNumber and gidNumber. The latter users can log in to XP and
enter the shares fine. Administrator can log in but gets a password
prompt each time he hits a share. Giving the correct password results
in XP stating that he has no permission to access the share.

How do I get Administrator to enter and manipulate the shares? I
thought that was his purpose.

Cheers,
Steve
First: in the Windows security model Administrator=root from the
Unix world, it is just a predefined account, member of the Administrators
group or, in a domain, of the Domain Admins group, and that gives access, so you
could do all the management operations from any other user account that is a member
of the Domain Admins group.
Second: samba3 smbd and thus s3fs (I think ntvfs does not, but I could be
wrong) needs the connected user to have a valid uid/gidNumber in order
to be able to check the POSIX ACL permissions, so if you want to connect
to a Samba3 box as Administrator, first give it all the POSIX
attributes you've given to the other user accounts (however it doesn't
need a unixHomeDirectory or loginShell if you won't log in, e.g. via ssh,
as Administrator).

Regards

Geza Gemes

Hi Geza
OK. Domain Admins and Domain Users have posixGroup and gidNumber. They
show on getent passwd <name of group>

I login to XP as Administrator. I can do stuff like unjoin the domain
and change the DNS address but I cannot access the shares.

Is there a user in m$ that is like the root user in Linux?

Should domain admins have a gidNumber of 0 (zero)? Should domain
admins also have a posixAccount with a uidNumber of 0 (zero)?

What am I missing?
Cheers,
Steve
Hi Steve,

First check if the user has permissions on the box running samba3
Second check if you have in the share definition any of the valid users,
write list, read list, readable, writable parameters

Regards

Geza Gemes

Hi Géza

Thanks for your patience.
Let's take this share:
[home]
path = /home2/home
read only = No

1. Could you tell me what I need to add to enable Administrator to have full control over it?
2. Is there a user in the Domain (like root in Linux) who has control over everything? Shares, users, network, the lot?
3. Is there a global way of enabling Administrator to be allowed write access and be able to change permissions and ACLs from the security tab? Or must this be done on a per share basis?

I made one change to the [global] section:

winbind use default domain = Yes

This drops the ALTEA\ part of the name. Otherwise users cannot authenticate via Kerberos because PAM passes the name as ALTEAuser rather than ALTEA\user to the KDC. With the default domain line it passes the name correctly as just the name and krb5 auth works again.

Cheers,
Steve
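
A worked version of the check Géza describes (smbd needs a uid/gid for the connected user before it can evaluate POSIX ACLs on the share) and of Steve's question 1 (what to add for Administrator), as an added example that is not code from this thread or from the Samba project. It takes "getent passwd"-style output, decides whether an account already maps to a uid, and if not prints the LDIF that adds the rfc2307 attributes; the uid/gid values, the DN (derived from realm HH3.SITE and the standard CN=Users container), the home directory under the [home] share path and the sample passwd lines are all constructed assumptions, and the idmap range is the one from the smb.conf above.

```shell
#!/bin/sh
# Added example for this thread, not code from the list or the Samba project.
# It checks, from "getent passwd"-style output, whether a domain account already
# resolves to a uid/gid on the S3 fileserver, and if not emits the LDIF that adds
# the rfc2307 attributes Geza describes. The DN, uid/gid values, home directory
# and the sample passwd lines below are constructed assumptions.

# Bounds copied from the thread's smb.conf: idmap config ALTEA:range = 20000-40000000
IDMAP_LOW=20000
IDMAP_HIGH=40000000

# Constructed stand-in for "getent passwd" output on the fileserver: two domain
# users carry uidNumber/gidNumber and resolve, Administrator does not appear.
SAMPLE_GETENT='root:x:0:0:root:/root:/bin/bash
jane:x:20001:20000:Jane Doe:/home2/home/jane:/bin/bash
bob:x:20002:20000:Bob Roe:/home2/home/bob:/bin/bash'

# has_posix_mapping USER NSS_OUTPUT
# Succeeds when USER has a passwd entry in NSS_OUTPUT, i.e. winbind can hand smbd
# a uid for it. A DOMAIN\ prefix is stripped so both the "ALTEA\user" and the
# "winbind use default domain" spelling are accepted; the comparison is
# case-insensitive because Windows account names are.
has_posix_mapping() {
    user=$(printf '%s' "$1" | sed 's/.*\\//')
    printf '%s\n' "$2" | awk -F: -v u="$user" \
        'tolower($1) == tolower(u) { found = 1 } END { exit found ? 0 : 1 }'
}

# in_idmap_range NUMBER
# The ad backend only maps uidNumber/gidNumber values inside the configured
# range, so an attribute set outside it would not fix the share access problem.
in_idmap_range() {
    [ "$1" -ge "$IDMAP_LOW" ] && [ "$1" -le "$IDMAP_HIGH" ]
}

# rfc2307_ldif DN UIDNUMBER GIDNUMBER [UNIXHOMEDIRECTORY] [LOGINSHELL]
# Prints an LDIF "modify" record adding the attributes the ad backend reads.
# Home directory and shell are optional, as Geza notes they only matter for
# logins such as ssh.
rfc2307_ldif() {
    dn=$1 uidn=$2 gidn=$3 home=$4 shell=$5
    in_idmap_range "$uidn" || { echo "uidNumber $uidn is outside $IDMAP_LOW-$IDMAP_HIGH" >&2; return 1; }
    in_idmap_range "$gidn" || { echo "gidNumber $gidn is outside $IDMAP_LOW-$IDMAP_HIGH" >&2; return 1; }
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    printf 'add: uidNumber\nuidNumber: %s\n-\n' "$uidn"
    printf 'add: gidNumber\ngidNumber: %s\n-\n' "$gidn"
    if [ -n "$home" ]; then
        printf 'add: unixHomeDirectory\nunixHomeDirectory: %s\n-\n' "$home"
    fi
    if [ -n "$shell" ]; then
        printf 'add: loginShell\nloginShell: %s\n-\n' "$shell"
    fi
    return 0
}

# On the real fileserver replace SAMPLE_GETENT with "$(getent passwd)" and feed
# the LDIF to ldbmodify on the DC or to ldapmodify; neither is run here.
# The gidNumber 20000 stands for Domain Users' constructed value.
if has_posix_mapping Administrator "$SAMPLE_GETENT"; then
    echo "Administrator already has a uid/gid mapping"
else
    rfc2307_ldif 'CN=Administrator,CN=Users,DC=hh3,DC=site' 20000 20000 \
        /home2/home/Administrator /bin/bash
fi
```

After applying the LDIF on the DC, the same has_posix_mapping check against live getent output is the quickest way to confirm that winbind now resolves the account before retrying the share from XP.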