[Samba] ACL issue in samba 4.0.7

2013-08-28 Thread Kandukuru, Suresh SK
Hi samba team,

We have recently moved Samba to 4.0.7. Since then ACLs are not working when 
we try to set any deny permission from Windows hosts. The error is as shown 
below in log.smbd
>>
[2013/08/21 02:49:36.322907,  0] ../source3/smbd/posix_acls.c:1814(add_current_ace_to_acl)
  add_current_ace_to_acl: malformed ACL in file ACL ! Deny entry after Allow entry. Failing to set on file Raghu.
>>

The share in smb.conf is given below, and the smb.conf is attached.

>>
[pubshar]
path= /mnt/pools/A/A0/pubshar/
max connections= 50
directory mode= 0777
create mode= 0777
follow symlinks= yes
wide links= no
nt acl support= yes
dos filemode= yes
writeable= yes
public= yes
store dos attributes= yes
write list= guest

>>

I see the bug is similar to 
https://lists.samba.org/archive/samba/2012-October/169503.html
https://bugzilla.samba.org/show_bug.cgi?id=9275

There the problem was solved once they moved from POSIX ACLs to Windows ACLs. But we 
would like to use POSIX ACLs only. We did not notice this in 3.x Samba 
versions. Can you tell me how to fix this problem? Thanks

/Suresh
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] ACL defaults and masks

2013-05-03 Thread Andrew Bartlett
On Tue, 2013-04-30 at 15:56 +0400, Александр Свиридов wrote:
> Hello!
> 
> In samba 3 we used create mask, force create.. to set file
> permissions. In samba 4 as I understand those options are ignored and
> default acls are used instead. But, is it possible to set by default
> different permissions on files and folders? For example on folders
> rwx, and on files rw-. Because I don't want to give x permission to
> file as I think it can be dangerous. Thanks in advance.

These options are not ignored, but you can set an inheriting ACL if you
are using ACLs on that directory. 

Earlier Samba 4.0.x versions did incorrectly force these parameters, and
we made a security release and issued instructions on fixing the
permissions so incorrectly generated:

https://www.samba.org/samba/security/CVE-2013-1863

In terms of unix security, it is not a risk to have all files marked
execute, it may not look 'right', but any script can just be run with
its interpreter, and any binary can be run with ld-*.so

Andrew Bartlett
-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



[Samba] ACL defaults and masks

2013-04-30 Thread Александр Свиридов
Hello!

In samba 3 we used create mask, force create.. to set file permissions. In 
samba 4 as I understand those options are ignored and default acls are used 
instead. But, is it possible to set by default different permissions on files 
and folders? For example on folders rwx, and on files rw-. Because I don't 
want to give x permission to file as I think it can be dangerous. Thanks in 
advance.



[Samba] ACL not working on g+s shares

2013-03-29 Thread steve

Version 4.0.5-GIT-9ec44d4
Single DC and fileserver running the samba binary.

Hi
I have a share called shared:
[shared]
path = /home/shared
read only = No

I set the ACL:
setfacl -R -m g:staff:rw,d:g:staff:rw /home/shared

This is what it looks like:
getfacl shared
# file: shared
# owner: root
# group: staff
# flags: -s-
user::rwx
group::rwx
group:staff:rw-
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:staff:rw-
default:mask::rwx
default:other::---

The file listing looks OK:
drwxrws---+  3 root  staff  4096 Mar 29 10:05 shared

Problem:
Files created from Linux cifs mounted or W7 clients are group 'Domain 
users', the primary group of the user, not 'staff' as the g+s should 
give. Files created in the share on the DC are correctly assigned to 
group 'staff'.


Question:
How do I get files created in the share 'shared' to be group owned by 
group 'staff'?


Cheers,
Steve.


Re: [Samba] ACL problem with Samba > 3.4.x on GPFS

2013-02-21 Thread Jonathan Buzzard
On Mon, 2013-02-18 at 13:52 +0100, Alexander Födisch wrote:
> When a file is created with samba 3.5.x or 3.6.x, it is created effective 
> read-only:
> 
> ~ # getfacl Microsoft\ Word-Dokument\ \(neu\).docx
> # file: Microsoft\040Word-Dokument\040(neu).docx
> # owner: root
> # group: 11816
> user::rwx
> user:11582:rwx#effective:r--
> group::rwx#effective:r--
> mask::r--
> other::---
> 
> 
> The ACL-settings for the parent directory are ok:
> 
> ~ # getfacl .
> # file: .
> # owner: root
> # group: 11816
> user::rwx
> user:11582:rwx
> group::rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:11582:rwx
> default:group::rwx
> default:mask::rwx
> default:other::---
> 

I strongly recommend that you stop using system ACL tools to look at
GPFS ACLs and use the vendor provided mmgetacl, mmputacl and mmeditacl
to manipulate them.

You don't mention whether you are using the vfs_gpfs module, or why you
are using POSIX ACLs rather than NFSv4 ACLs. The latter makes much
more sense.

All that said, are you running into the Office 2007 upwards feature where
if you modify a document created by user A by user B, then user B ends
up with read-only permissions on the document? The fix I deployed was to
use the following options so that vfs_gpfs was storing DOS attributes in
the file system itself.

ea support = yes
store dos attributes = yes
map readonly = no
map archive = no
map system = no
gpfs:winattr = yes

Note that this was with an NFSv4 only GPFS file system.

JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.


[Samba] ACL problem with Samba > 3.4.x on GPFS

2013-02-18 Thread Alexander Födisch

When a file is created with samba 3.5.x or 3.6.x, it is created effective 
read-only:

~ # getfacl Microsoft\ Word-Dokument\ \(neu\).docx
# file: Microsoft\040Word-Dokument\040(neu).docx
# owner: root
# group: 11816
user::rwx
user:11582:rwx#effective:r--
group::rwx#effective:r--
mask::r--
other::---


The ACL-settings for the parent directory are ok:

~ # getfacl .
# file: .
# owner: root
# group: 11816
user::rwx
user:11582:rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:11582:rwx
default:group::rwx
default:mask::rwx
default:other::---



The same Samba configuration on the same filesystem (GPFS) running with Samba 
3.4.x is working correctly:

[share]
read only   = no
inherit acls= yes
inherit owner   = yes
inherit permissions = yes
nt acl support  = yes



Is it a bug or do I need to change some configuration parameters?

Thanks a lot,
Alex
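
How the `mask::r--` entry produces the `#effective:r--` annotations in the listing above, and how a directory's default ACL combines with the creating process's mode (POSIX ACL semantics as documented in acl(5)). This is an added example, not part of the original post or of Samba; the function names are hypothetical and the create mode 0744 is a constructed value chosen because it reproduces the file's ACL, not something the post states.

```python
# Sample input: the two getfacl listings from the post above.
FILE_ACL = """\
# file: Microsoft\\040Word-Dokument\\040(neu).docx
# owner: root
# group: 11816
user::rwx
user:11582:rwx#effective:r--
group::rwx#effective:r--
mask::r--
other::---
"""

DIR_ACL = """\
# file: .
# owner: root
# group: 11816
user::rwx
user:11582:rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:11582:rwx
default:group::rwx
default:mask::rwx
default:other::---
"""


def parse_acl(text):
    """Split getfacl text into access and default entries: (tag, qualifier, perms)."""
    acl = {"access": [], "default": []}
    for raw in text.splitlines():
        # Drop header comments and trailing "#effective:" annotations.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        acl[scope].append((tag, qualifier, perms))
    return acl


def apply_mask(perms, mask):
    """Bitwise AND of two rwx strings."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))


def restricted_by_mask(text, scope="access"):
    """Entries whose effective rights are narrower than the rights granted."""
    entries = parse_acl(text)[scope]
    mask = next((p for t, _q, p in entries if t == "mask"), None)
    hits = {}
    for tag, qualifier, perms in entries:
        # The mask limits named users, the owning group and named groups;
        # it never limits the owner (user::) or other::.
        masked_class = tag == "group" or (tag == "user" and qualifier != "")
        if mask is None or not masked_class:
            continue
        effective = apply_mask(perms, mask)
        if effective != perms:
            hits[f"{tag}:{qualifier}"] = (perms, effective)
    return hits


def bits(value):
    """3-bit integer -> rwx string."""
    return "".join(c if value & b else "-" for c, b in zip("rwx", (4, 2, 1)))


def inherit_for_new_file(dir_text, create_mode):
    """Access ACL a new file receives from the directory's default ACL.

    The umask is ignored; user::, mask:: (or group:: when there is no mask)
    and other:: are ANDed with the matching bits of the create mode.
    """
    defaults = parse_acl(dir_text)["default"]
    group_key = "mask" if any(t == "mask" for t, _q, _p in defaults) else "group"
    limit = {
        "user": bits(create_mode >> 6 & 7),
        group_key: bits(create_mode >> 3 & 7),
        "other": bits(create_mode & 7),
    }
    result = []
    for tag, qualifier, perms in defaults:
        if qualifier == "" and tag in limit:
            perms = apply_mask(perms, limit[tag])
        result.append((tag, qualifier, perms))
    return result


if __name__ == "__main__":
    print("file:", restricted_by_mask(FILE_ACL))
    print("dir :", restricted_by_mask(DIR_ACL) or "mask removes nothing")
    print("new file, mode 0744:", inherit_for_new_file(DIR_ACL, 0o744))
```

With any create mode whose group bits are `r--`, the inherited mask becomes `r--` even though the directory's default mask is `rwx`, which is the pattern shown in the file listing.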


Re: [Samba] ACL on GPO directory does not match expected value from GPO object. AGAIN.

2013-01-10 Thread Hleb Valoshka
On 1/10/13, Alex Matthews wrote:
> Comparing the two ACLs
>
> O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> The only difference I can see is the 'DAG' vs 'LAG' at the beginning
> (Directory ACL vs File ACL?)

Take a look here: https://bugzilla.samba.org/show_bug.cgi?id=9483


[Samba] ACL on GPO directory does not match expected value from GPO object. AGAIN.

2013-01-10 Thread Alex Matthews

Hi all,

Some (then all) of our workstations were complaining about incorrect 
ACLs on GPOs and were unable to read the gpt.ini to apply the GPOs.
So I did a sysvolcheck and sure enough I'd lost the ACLs when I moved 
our sysvol share to a new location on the server (whoops, mea culpa).


I ran a sysvolreset which took a long time to return (some 5 minutes, 
please see my post on slow winbind lookups).


Just to make sure everything went as planned I re-ran the sysvolcheck 
and I get the following error:


ERROR(): uncaught exception - ProvisioningError: DB ACL on GPO directory /vol/samba/shares/sysvol/internal.stmaryscollege.co.uk/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 245, in run
    lp)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1599, in checksysvolacl
    direct_db_access)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1550, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1500, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))


Comparing the two ACLs

O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 



The only difference I can see is the 'DAG' vs 'LAG' at the beginning 
(Directory ACL vs File ACL?)


Thanks,

Alex
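
Splitting the two SDDL strings from the error above into owner, group, DACL flags and ACEs shows which field differs. This is an added example, not part of the original post and not Samba's code; the names `FOUND` and `EXPECTED` are hypothetical, the alias table is a subset of the standard SDDL SID aliases, and the parser assumes the O:/G:/D: layout with hex access masks seen in these strings.

```python
import re

# ACE list shared by both strings in the sysvolcheck error quoted above.
_ACES = (
    "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
    "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
    "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
    "(A;OICI;0x001200a9;;;ED)"
)
FOUND = "O:LAG:DUD:P" + _ACES      # ACL reported for the GPO directory
EXPECTED = "O:DAG:DUD:P" + _ACES   # value expected from the GPO object

# Subset of the standard SDDL SID aliases, enough for these strings.
SID_ALIASES = {
    "LA": "local Administrator account",
    "DA": "Domain Admins",
    "DU": "Domain Users",
    "EA": "Enterprise Admins",
    "CO": "Creator Owner",
    "SY": "Local System",
    "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers",
}

_SID = r"(?:S-[0-9-]+|[A-Z]{2})"
_SDDL = re.compile(
    rf"O:(?P<owner>{_SID})G:(?P<group>{_SID})"
    r"D:(?P<dacl_flags>[A-Z]*)(?P<aces>(?:\([^()]*\))*)"
)


def parse_sddl(sddl):
    """Return owner, group, DACL flags and the list of ACEs."""
    m = _SDDL.fullmatch(sddl.strip())
    if m is None:
        raise ValueError("unsupported SDDL string")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m["aces"]):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj, _inherit_obj, trustee = fields
        aces.append({
            "type": ace_type,                    # A = access allowed
            "flags": re.findall("..", flags),    # OI, CI, IO ...
            "rights": int(rights, 16),           # access mask
            "trustee": trustee,
        })
    return {
        "owner": m["owner"],
        "group": m["group"],
        "dacl_flags": m["dacl_flags"],           # P = protected DACL
        "aces": aces,
    }


def diff_sddl(found, expected):
    """Fields that differ, as {field: (found, expected)}."""
    a, b = parse_sddl(found), parse_sddl(expected)
    return {key: (a[key], b[key]) for key in a if a[key] != b[key]}


def explain(diff):
    """Human-readable lines for a diff, resolving SID aliases."""
    lines = []
    for field, (got, want) in diff.items():
        if field in ("owner", "group"):
            got, want = (
                f"{sid} ({SID_ALIASES.get(sid, 'unknown alias or SID')})"
                for sid in (got, want)
            )
        lines.append(f"{field}: found {got}, expected {want}")
    return lines


def duplicate_aces(sddl):
    """ACEs that appear more than once in the DACL."""
    seen, dups = set(), []
    for ace in parse_sddl(sddl)["aces"]:
        key = (ace["type"], tuple(ace["flags"]), ace["rights"], ace["trustee"])
        if key in seen:
            dups.append(key)
        seen.add(key)
    return dups


if __name__ == "__main__":
    for line in explain(diff_sddl(FOUND, EXPECTED)):
        print(line)
    print("duplicate ACEs:", duplicate_aces(EXPECTED))
```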



Re: [Samba] Samba + acl,user_xattr

2011-12-19 Thread Dmitry Mordovin



> At first, has your file system already enabled xattr?
> For example, are following commands successful?
>
>   # touch test.txt
>   # setfattr -n user.test -v test test.txt
>   # setfattr -n security.test -v test2 test.txt
>   # getfattr -d test.txt
>   # getfattr -n security.test -d test.txt
>
> And your Samba (smbd) is xattr-ready?
> For example the following commands show HAVE_*XATTR line?
>
> # smbd -b | grep SETXATTR
>    HAVE_FSETXATTR
>    HAVE_LSETXATTR
>    HAVE_SETXATTR
>
> ---
> TAKAHASHI Motonobu

All commands successful.

#mount
/dev/sda4 on /mnt/public type ext3 (rw,nosuid,nodev,acl,user_xattr)

#cd /mnt/public


#getfattr -d hello.txt
# file: hello.txt
user.test="test"

#getfattr -n security.test -d hello.txt
# file: hello.txt
security.test="test2"


#smbd -b|grep SETXATTR
   HAVE_FSETXATTR
   HAVE_LSETXATTR
   HAVE_SETXATTR

SAMBA ready, but don't change xattr. Very strange with my system.
Also, I joined TT 8414 where is strange with file access rights.

https://bugzilla.samba.org/show_bug.cgi?id=8414



Re: [Samba] Samba + acl,user_xattr

2011-12-18 Thread TAKAHASHI Motonobu
From: Dmitry Mordovin 
Date: Fri, 16 Dec 2011 10:39:44 +0400

> Now, when I try to Apply hidden attribute, popup message - Error change 
> file attributes. Access Denied.

At first, has your file system already enabled xattr?
For example, are following commands successful?

 # touch test.txt
 # setfattr -n user.test -v test test.txt
 # setfattr -n security.test -v test2 test.txt
 # getfattr -d test.txt
 # getfattr -n security.test -d test.txt

And your Samba (smbd) is xattr-ready?
For example the following commands show HAVE_*XATTR line?

# smbd -b | grep SETXATTR
   HAVE_FSETXATTR
   HAVE_LSETXATTR
   HAVE_SETXATTR

---
TAKAHASHI Motonobu 


Re: [Samba] Samba + acl,user_xattr

2011-12-15 Thread Dmitry Mordovin



>> Hello Jeremy!
>>
>> You are right!
>>
>> I don't want to store Windows ACLs, need only DOS attrs (hidden file attr).
>>
>> What is enough to add to my smb.conf?
>> 'store dos attributes (S)' or 'map hidden (S)' or together or else?
>
> I use:
>
>    store dos attributes = yes
>    map readonly = no
>    map system = no
>    map hidden = no
>    map archive = no
>
> Jeremy.


Added to smb.conf

Now, when I try to Apply hidden attribute, popup message - Error change 
file attributes. Access Denied.


I suspect this due to Bug 8414 
(https://bugzilla.samba.org/show_bug.cgi?id=8414) for me.


Thank you.

PS: With hacked version of smbd this error happens too.



Re: [Samba] Samba + acl,user_xattr

2011-12-15 Thread Jeremy Allison
On Thu, Dec 15, 2011 at 12:17:21PM +0400, Dmitry Mordovin wrote:
> 
> >>Added to global section
> >>
> >>vfs objects = acl_xattr
> >>
> >>
> >>No changes. Still don't store DOS attr.
> >You only need acl_xattr if you want to store Windows ACLs, not DOS attrs.
> >
> >Have you tried using setfattr on that filesystem ? Does it work ?
> >
> >Jeremy.
> 
> Hello Jeremy!
> 
> You are right!
> 
> I don't want to store Windows ACLs, need only DOS attrs (hidden file attr).
> 
> What is enough to add to my smb.conf?
> 'store dos attributes (S)' or 'map hidden (S)' or together or else?

I use:

   store dos attributes = yes
   map readonly = no
   map system = no
   map hidden = no
   map archive = no

Jeremy.


Re: [Samba] Samba + acl,user_xattr

2011-12-15 Thread Dmitry Mordovin



>> Added to global section
>>
>> vfs objects = acl_xattr
>>
>>
>> No changes. Still don't store DOS attr.
>
> You only need acl_xattr if you want to store Windows ACLs, not DOS attrs.
>
> Have you tried using setfattr on that filesystem ? Does it work ?
>
> Jeremy.


Hello Jeremy!

You are right!

I don't want to store Windows ACLs, need only DOS attrs (hidden file attr).

What is enough to add to my smb.conf?
'store dos attributes (S)' or 'map hidden (S)' or together or else?

#cat /opt/samba/smb.conf
[global]
pid directory = /opt/samba/run
lock directory = /opt/samba/cache
private dir = /opt/samba/cache
log file = /opt/samba/smbd.log
log level = 10
workgroup = TEST
security = share
show add printer wizard = no
max log size = 10240
bind interfaces only = true
interfaces = eth1

[homes]
browseable = no
printable = no

[public]
path = /mnt/public
comment = ""
read only = no
guest ok = yes
follow symlinks = no
writable = yes



Re: [Samba] Samba + acl,user_xattr

2011-12-14 Thread Jeremy Allison
On Fri, Dec 09, 2011 at 04:36:51PM +0400, Dmitry Mordovin wrote:
> On 12/09/2011 04:26 PM, Jonathan Buzzard wrote:
> >On Fri, 2011-12-09 at 16:05 +0400, Dmitry Mordovin wrote:
> >
> >[SNIP]
> >
> >>Samba config:
> >>
> >>[global]
> >>workgroup = HOME
> >>security = share
> >>max log size = 1024
> >>store dos attributes = yes
> >>map archive = no
> >>map read only = no
> >>map hidden = no
> >>map system = no
> >>create mode = 777
> >>directory mode = 777
> >>
> >>[homes]
> >>browseable = no
> >>printable = no
> >>store dos attributes = yes
> >>
> >>[public]
> >>path = /mnt/public
> >>comment = ""
> >>read only = no
> >>guest ok = yes
> >>follow symlinks = no
> >>store dos attributes = yes
> >>writable = yes
> >>map archive = no
> >>map read only = no
> >>map hidden = no
> >>map system = no
> >>create mode = 777
> >>directory mode = 777
> >I see no vfs objects = acl_xattr in your Samba config. Without that it
> >won't work as there is nothing telling Samba where to store the ACL
> >information.
> >
> >JAB.
> >
> 
> Added to global section
> 
> vfs objects = acl_xattr
> 
> 
> No changes. Still don't store DOS attr.

You only need acl_xattr if you want to store Windows ACLs, not DOS attrs.

Have you tried using setfattr on that filesystem ? Does it work ?

Jeremy.


Re: [Samba] Samba + acl,user_xattr

2011-12-09 Thread Dmitry Mordovin

On 12/09/2011 04:26 PM, Jonathan Buzzard wrote:

> On Fri, 2011-12-09 at 16:05 +0400, Dmitry Mordovin wrote:
>
> [SNIP]
>
>> Samba config:
>>
>> [global]
>> workgroup = HOME
>> security = share
>> max log size = 1024
>> store dos attributes = yes
>> map archive = no
>> map read only = no
>> map hidden = no
>> map system = no
>> create mode = 777
>> directory mode = 777
>>
>> [homes]
>> browseable = no
>> printable = no
>> store dos attributes = yes
>>
>> [public]
>> path = /mnt/public
>> comment = ""
>> read only = no
>> guest ok = yes
>> follow symlinks = no
>> store dos attributes = yes
>> writable = yes
>> map archive = no
>> map read only = no
>> map hidden = no
>> map system = no
>> create mode = 777
>> directory mode = 777
>
> I see no vfs objects = acl_xattr in your Samba config. Without that it
> won't work as there is nothing telling Samba where to store the ACL
> information.
>
> JAB.



Added to global section

vfs objects = acl_xattr


No changes. Still don't store DOS attr.



Re: [Samba] Samba + acl,user_xattr

2011-12-09 Thread Jonathan Buzzard
On Fri, 2011-12-09 at 16:05 +0400, Dmitry Mordovin wrote:

[SNIP]

> Samba config:
> 
> [global]
> workgroup = HOME
> security = share
> max log size = 1024
> store dos attributes = yes
> map archive = no
> map read only = no
> map hidden = no
> map system = no
> create mode = 777
> directory mode = 777
> 
> [homes]
> browseable = no
> printable = no
> store dos attributes = yes
> 
> [public]
> path = /mnt/public
> comment = ""
> read only = no
> guest ok = yes
> follow symlinks = no
> store dos attributes = yes
> writable = yes
> map archive = no
> map read only = no
> map hidden = no
> map system = no
> create mode = 777
> directory mode = 777

I see no vfs objects = acl_xattr in your Samba config. Without that it
won't work as there is nothing telling Samba where to store the ACL
information.

JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.




[Samba] Samba + acl,user_xattr

2011-12-09 Thread Dmitry Mordovin

Hello All!

Can't make Samba use acl and extended user attributes to save DOS file 
attributes.


Please, help me configure properly.

My steps on Windows XP:
1 - Open share
2 - Open property of file 1122/22.bmp
3 - Check file attribute: hidden
4 - Click Apply
5 - Click Close

6 - Open property again
7 - Attribute Hidden not checked.

Samba don't save attributes!!!

getfattr -d /mnt/public/1122/22.bmp
Show no any attributes for 22.bmp file

*Environment*

Server configuration:

OS: Ubuntu 10.04.3 LTS 2.6.32-36-generic
Samba: 3.6.1
Share: /mnt/public
Mount: /dev/sda3 on /mnt/public type ext3 (rw,acl,user_xattr)

Unix file permissions:

ls -la /mnt/public/
total 18
drwxrwxrwx 2 nobody nogroup  1024 2011-12-09 14:45 1122
drwx------ 2 root   root    12288 2011-12-09 14:43 lost+found

ls -la /mnt/public/1122
total 218
-rwxrwxrwx 1 nobody nogroup 220074 2011-12-09 14:45 22.bmp

Samba config:

[global]
workgroup = HOME
security = share
max log size = 1024
store dos attributes = yes
map archive = no
map read only = no
map hidden = no
map system = no
create mode = 777
directory mode = 777

[homes]
browseable = no
printable = no
store dos attributes = yes

[public]
path = /mnt/public
comment = ""
read only = no
guest ok = yes
follow symlinks = no
store dos attributes = yes
writable = yes
map archive = no
map read only = no
map hidden = no
map system = no
create mode = 777
directory mode = 777



Samba configure params: --prefix=/usr/local/samba
...
checking whether to support ACLs... auto
configure: checking whether ACL support is available:
checking for acl_get_file in -lacl... yes
checking for getxattr in -lattr... yes
checking for POSIX ACL support... yes
configure: Using posix ACLs
checking for acl_get_perm_np... no
...



[Samba] ACL with ActiveDirectory@Groups **UP**

2011-10-25 Thread darkyz

I added :

acl check permissions = False
veto oplock files = /*.doc/*.docx/*.xls/*.xlsx/*.pptx/*.ppsx/*.ppt/*.pps

but still doesn't work.

*


> Dear All,
>
> I have problem with this smb.conf share section
> (I'm not samba admin, but I know this configuration)
>
> smb.conf 3.5.8
>
> ###
> [AD-test-acl]
>    comment = AD-test-acl
>    path = /fs-e/AD/group/AD-test-acl
>    read only = No
>    create mask = 0770
>    directory mask = 0770
>
acl check permissions = False
veto oplock files = /*.doc/*.docx/*.xls/*.xlsx/*.pptx/*.ppsx/*.ppt/*.pps

>    inherit permissions = Yes
>    inherit acls = Yes
>    browseable = No
>    blocking locks = No
>    delete readonly = Yes
>    dos filetime resolution = Yes
>    vfs objects = zfsacl
>    nfs4:acedup = merge
>    nfs4:chown = yes
>    nfs4:mode = special
> #
>
> the issues are:
>
> users network 1
>
>when trying to edit a file the user cannot save the file due to
> incorrect permissions, however it seems that even though an error is
> given the file is still saved.
>the file however then has readonly permission set and can no longer
> be used. Removing the readonly permission (properties) sometimes results
> in either the file being no longer visible (not always) or the file
> being no longer readable (again not always) - seems to depend on the user?
>
> users network 2
>
>when trying to edit a file the user cannot save the file due to
> incorrect permissions, however a copy of the file is saved
>again the copy of the file is set to readonly and removing the
> readonly property may result in the file becoming unusable (can no
> longer open from net2) or no longer visible from net2.
>
> do you have an idea to solve these problems?
> thanks, darkyz
>


Re: [Samba] ACL with ActiveDirectory@Groups

2011-10-14 Thread darkyz
yes

On Fri, Oct 14, 2011 at 1:10 PM, Daniel Müller wrote:

> Greetings,
>
>
> MSOffice-file?
>
> ---
> EDV Daniel Müller
>
> Leitung EDV
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
>
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: muel...@tropenklinik.de
> Internet: www.tropenklinik.de
> ---
> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
> On behalf of alberto.atz...@ext.jrc.ec.europa.eu
> Sent: Friday, 14 October 2011 10:37
> To: samba@lists.samba.org
> Subject: [Samba] ACL with ActiveDirectory@Groups
>
>
>
> Dear All,
>
> I'm new on this group. Greetings to all.
> I have problem with this smb.conf share section
> (I'm not samba admin, but I know this configuration)
>
> smb.conf 3.5.8
>
> ###
> [AD-test-acl]
>comment = AD-test-acl
>path = /fs-e/AD/group/AD-test-acl
> read only = No
> create mask = 0770
> directory mask = 0770
> inherit permissions = Yes
> inherit acls = Yes
> browseable = No
> blocking locks = No
> delete readonly = Yes
> dos filetime resolution = Yes
> vfs objects = zfsacl
> nfs4:acedup = merge
> nfs4:chown = yes
> nfs4:mode = special
> #
>
> the issues are:
>
> users network 1
>
> when trying to edit a file the user cannot save the file due to
> incorrect permissions, however it seems that even though an error is
> given the file is still saved.
> the file however then has readonly permission set and can no longer
> be used. Removing the readonly permission (properties) sometimes results
> in either the file being no longer visible (not always) or the file
> being no longer readable (again not always) - seems to depend on the user?
>
> users network 2
>
> when trying to edit a file the user cannot save the file due to
> incorrect permissions, however a copy of the file is saved
> again the copy of the file is set to readonly and removing the
> readonly property may result in the file becoming unusable (can no
> longer open from net2) or no longer visible from net2.
>
> do you have an idea to solve these problems?
> thanks, darkyz
>


Re: [Samba] ACL with ActiveDirectory@Groups

2011-10-14 Thread Daniel Müller
Greetings,


MSOffice-file?

---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
behalf of alberto.atz...@ext.jrc.ec.europa.eu
Sent: Friday, 14 October 2011 10:37
To: samba@lists.samba.org
Subject: [Samba] ACL with ActiveDirectory@Groups



Dear All,

I'm new on this group. Greetings to all.
I have problem with this smb.conf share section
(I'm not samba admin, but I know this configuration)

smb.conf 3.5.8

###
[AD-test-acl]
comment = AD-test-acl
path = /fs-e/AD/group/AD-test-acl
 read only = No
 create mask = 0770
 directory mask = 0770
 inherit permissions = Yes
 inherit acls = Yes
 browseable = No
 blocking locks = No
 delete readonly = Yes
 dos filetime resolution = Yes
 vfs objects = zfsacl
 nfs4:acedup = merge
 nfs4:chown = yes
 nfs4:mode = special
#

the issues are:

users network 1

 when trying to edit a file the user cannot save the file due to
incorrect permissions, however it seems that even though an error is
given the file is still saved.
 the file however then has readonly permission set and can no longer
be used. Removing the readonly permission (properties) sometimes results
in either the file being no longer visible (not always) or the file
being no longer readable (again not always) - seems to depend on the user?

users network 2

 when trying to edit a file the user cannot save the file due to
incorrect permissions, however a copy of the file is saved
 again the copy of the file is set to readonly and removing the
readonly property may result in the file becoming unusable (can no
longer open from net2) or no longer visible from net2.

do you have an idea to solve these problems?
thanks, darkyz



[Samba] ACL with ActiveDirectory@Groups

2011-10-14 Thread alberto . atzori



Dear All,

I'm new on this group. Greetings to all.
I have problem with this smb.conf share section
(I'm not samba admin, but I know this configuration)

smb.conf 3.5.8

###
[AD-test-acl]
   comment = AD-test-acl
   path = /fs-e/AD/group/AD-test-acl
read only = No
create mask = 0770
directory mask = 0770
inherit permissions = Yes
inherit acls = Yes
browseable = No
blocking locks = No
delete readonly = Yes
dos filetime resolution = Yes
vfs objects = zfsacl
nfs4:acedup = merge
nfs4:chown = yes
nfs4:mode = special
#

the issues are:

users network 1

when trying to edit a file the user cannot save the file due to
incorrect permissions, however it seems that even though an error is
given the file is still saved.
the file however then has readonly permission set and can no longer
be used. Removing the readonly permission (properties) sometimes results
in either the file being no longer visible (not always) or the file
being no longer readable (again not always) - seems to depend on the user?

users network 2

when trying to edit a file the user cannot save the file due to
incorrect permissions, however a copy of the file is saved
again the copy of the file is set to readonly and removing the
readonly property may result in the file becoming unusable (can no
longer open from net2) or no longer visible from net2.

do you have an idea to solve these problems?
thanks, darkyz



Re: [Samba] Samba + ACL + Linux Client

2011-06-04 Thread TAKAHASHI Motonobu
From: Oliver Guerino 
Date: Wed, 1 Jun 2011 13:29:44 -0300

> What happened is the following:
> My network has Windows and Linux clients, the permissions described above
> operate normally with the Windows client, but when I try to connect
> with the Linux client it does not operate.

As far as I examined to connect from self-compiled Samba 3.5.6 and
mount.cifs to ext3 filesystem on lenny, the same problem occurred. And
from Windows, no problems occurred.

It seems that mount.cifs (and your mount.smb perhaps) can not
recognize ACLs set on files on the mounted-filesystems...

---
TAKAHASHI Motonobu 



[Samba] Samba + ACL + Linux Client

2011-06-02 Thread Oliver Guerino
Hello,

I'm Oliver and I need help for an experiment.
I have a sharing with Samba version 3.2.5, my distribution Linux is
Debian(Lenny) and the acl version is 2.2.47.
Below my configurations files:

#/etc/fstab
/dev/sda3   /shared   reiserfs defaults,acl 0   1

#smb.conf
[data]
 comment = files
 path = /shared
 inherit acls = yes
 inherit permissions = yes
 map acl inherit = Yes

# users and groups
user1 and user2 into group1
user3 and user4 into  group2

#permission directory files and acl's
drwxr-x---+ 4 root root 96 Mai 27 11:48 group1

getfacl group1/
# file: group1/
# owner: root
# group: root
user::rwx
group::r-x
group:group1:r-x
mask::r-x
other::---
default:user::rwx
default:group::rwx
default:other::---

drwxrwx---+ 4 root root 96 Mai 27 11:48 group2

getfacl group2/
# file: group2/
# owner: root
# group: root
user::rwx
group::r-x
group:group1:r-x
group:group2:rwx
mask::rwx
other::---

The kernel version: 2.6.26

What happened is the following:
My network has Windows and Linux clients, the permissions described above
operate normally with the Windows client, but when I try to connect
with the Linux client it does not operate.

The mount command on the Linux client machine:
 mount -t smbfs -o acl,rw,username=user1,passwd=pass //172.25.0.193/data /mnt/files/

When I try to access the folder group1 with the user1 display the message:
Permission denied
cd /mnt/files/group1 Permission denied.

Some suggestion?

Thanks
Oliver



[Samba] ACL Lost and unable to set rights from explorer (xp)

2011-03-31 Thread L . P . H . van Belle
Hi all, 

I have 2 problems :-(

I'm running Debian kernel 2.6.32, Samba 3.5.6.
I upgraded my Samba from 3.2.4 to 3.5.6;
now I have the following problems.

When I want to set my rights on a folder I get "access denied".
This was working OK with the 3.2.4 version.

fstab has acl,user_xattr on the partition I use for Samba.
What did I forget in this, or what has changed between these versions of
Samba?
I didn't change my smb.conf.

Second.

I have an NFS-mounted share. Users are able to access the folders and files
on this share.
I symlinked for every user the user folder to the home/nfsmounted folder of
the users.
This also worked on 3.2.4 but now I get access denied.
When I ssh to my server then I'm able to access the symlinked folder, but not
from XP.

Setup.
Samba PDC with LDAP.

Anyone have ideas? I googled a lot already but couldn't find a fix.


I'm also seeing these messages in the following logs:
log.smb
[2011/03/31 14:00:37.657069,  1] smbd/server.c:240(cleanup_timeout_fn)
  Cleaning up brl and lock database after unclean shutdown


my log of my pc.
[2011/03/31 12:24:56.757172,  0]
modules/vfs_posixacl.c:349(smb_acl_to_posix)
  smb_acl_to_posix: ACL is invalid for set (Invalid argument)

011/03/31 08:30:22.227927,  1] smbd/service.c:678(make_connection_snum)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED

011/03/30 23:52:11.037062,  0] smbd/nttrans.c:2204(call_nt_transact_ioctl)
  call_nt_transact_ioctl(0x900eb): Currently not implemented.

I hope someone can help me.

best regards, 

Louis



[Samba] ACL not working

2011-03-22 Thread slan buas
Using Samba+winbind 3.3.8 as a fileserver on a Win2008 domain. getent
and wbinfo are reporting correct information about users. However, my
group directories are allowing people who shouldn't... From the shell
everything is working as expected, but not from Samba. What did I
miss!?

Exported share:  /export/users
drwxr-x---+ 7 root root 4096 Mar 18 14:57 group   # (teams directories)
    \--- tech
    \--- prod

- Working from shell
# su prod-user
$ ls tech/
ls: tech/: Permission denied

- Not working from smbclient
# smbclient -U prod-user //fileserver/share
Domain=[FOO] OS=[Unix] Server=[Samba 3.3.8-0.52.el5_5.2]
smb: \> cd group/tech/
smb: \group\tech\>

--
Group
--
# getent group | grep prod-user
prod:*:10004:prod-user,(...)

--
Acls
--
# file: group
# owner: root
# group: root
user::rwx
group::r-x
group:domain\040users:r-x
mask::r-x
other::---


# file: group/tech
# owner: root
# group: root
user::---
group::---
group:tech:rwx
mask::rwx
other::---
default:user::---
default:group::---
default:group:tech:rwx
default:mask::rwx
default:other::---

--
Build options
--
# smbd -b | grep -i acl
   HAVE_SYS_ACL_H
   HAVE_ACL_LIBACL_H
   HAVE_POSIX_ACLS
   vfs_acl_tdb_init
   vfs_acl_xattr_init
pdb_ldap pdb_smbpasswd pdb_tdbsam rpc_lsarpc rpc_winreg
rpc_initshutdown rpc_dssetup rpc_wkssvc rpc_svcctl2 rpc_ntsvcs2
rpc_netlogon rpc_netdfs rpc_srvsvc rpc_spoolss rpc_eventlog2 rpc_samr
idmap_ldap idmap_tdb idmap_passdb idmap_nss nss_info_template auth_sam
auth_unix auth_winbind auth_server auth_domain auth_builtin
vfs_default vfs_posixacl

--
smb.conf
--

[global]
   workgroup = FOO
   realm = FOO.BAR
   local master = no
   domain master = no
   preferred master = no
   server string = SOVO File Server
   security = ads
   encrypt passwords = yes
   password server  = dc1.foo.bar, dc2.foo.bar
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   load printers = no
   printcap name = /dev/null
   disable spoolss = yes
   show add printer wizard = no
   client ntlmv2 auth = yes
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = Yes
   winbind nested groups = Yes
   winbind refresh tickets = yes
   winbind reconnect delay = 15
   winbind separator = +
   winbind cache time = 120
   winbind nss info = rfc2307
   winbind offline logon = true
   passdb backend = tdbsam
   idmap negative cache time = 120
   idmap cache time = 900
   idmap config FOO : backend = ad
   idmap config FOO : readonly = yes
   idmap config FOO : schema_mode = rfc2307
   idmap config FOO : range = 1-40
   idmap uid = 1-2
   idmap gid = 1-2
   nt acl support = no
   acl check permissions = true
   acl compatibility = auto
   acl group control = no
   acl map full control = false


[share]
   path = /export/users
   writable = yes
   browseable = yes
   hide unreadable = yes
   hide dot files=yes
   hide files=/lost+found/
   valid users = @tech @man @prod
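
The POSIX ACL check that produces the shell result in this post ("Permission denied" for prod-user on tech/), as an added example that is not part of the original message and not Samba code. It parses the two getfacl listings from the post and applies the access-check order from acl(5); the membership of prod-user in "domain users" and the name tech-user are assumptions, and names are compared where the kernel would compare numeric IDs.

```python
import re

# getfacl output for the two directories, as posted above.
GETFACL_GROUP = r"""
# file: group
# owner: root
# group: root
user::rwx
group::r-x
group:domain\040users:r-x
mask::r-x
other::---
"""

GETFACL_TECH = r"""
# file: group/tech
# owner: root
# group: root
user::---
group::---
group:tech:rwx
mask::rwx
other::---
default:user::---
default:group::---
default:group:tech:rwx
default:mask::rwx
default:other::---
"""

PATH = [("group", GETFACL_GROUP), ("group/tech", GETFACL_TECH)]


def _unescape(name):
    # getfacl prints special characters as \ooo octal escapes (\040 is a space).
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def _perms(text):
    return {c for c in text[:3] if c in "rwx"}


def parse_getfacl(text):
    """Parse the access ACL from getfacl text; default: entries are skipped
    because they only seed the ACL of newly created children."""
    acl = {"owner": None, "group": None, "user_obj": set(), "group_obj": set(),
           "users": {}, "groups": {}, "mask": None, "other": set()}
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"#\s*(owner|group):\s*(.+)", line)
        if header:
            acl[header.group(1)] = _unescape(header.group(2))
            continue
        if not line or line.startswith("#") or line.startswith("default:"):
            continue
        tag, qualifier, perms = line.split(":", 2)
        qualifier = _unescape(qualifier)
        if tag == "user" and qualifier:
            acl["users"][qualifier] = _perms(perms)
        elif tag == "user":
            acl["user_obj"] = _perms(perms)
        elif tag == "group" and qualifier:
            acl["groups"][qualifier] = _perms(perms)
        elif tag == "group":
            acl["group_obj"] = _perms(perms)
        elif tag == "mask":
            acl["mask"] = _perms(perms)
        elif tag == "other":
            acl["other"] = _perms(perms)
    return acl


def check_access(acl, user, groups, want):
    """Return (granted, entry class that decided), following acl(5):
    owner, then named user, then all matching groups, then other."""
    want = set(want)
    mask = acl["mask"] if acl["mask"] is not None else set("rwx")
    if user == acl["owner"]:
        return want <= acl["user_obj"], "owner"          # owner is not masked
    if user in acl["users"]:
        return want <= (acl["users"][user] & mask), "named user"
    matching = [acl["group_obj"]] if acl["group"] in groups else []
    matching += [p for g, p in acl["groups"].items() if g in groups]
    if matching:
        # Once any group entry matches, 'other' is never consulted.
        return any(want <= (p & mask) for p in matching), "group"
    return want <= acl["other"], "other"


def first_denied(path_acls, user, groups, want="x"):
    """Return the first directory on the path that refuses `want`, or None."""
    for name, text in path_acls:
        granted, _ = check_access(parse_getfacl(text), user, groups, want)
        if not granted:
            return name
    return None


if __name__ == "__main__":
    # Assumption: prod-user is also a member of "domain users".
    print(first_denied(PATH, "prod-user", {"prod", "domain users"}))
    # Hypothetical member of the tech group.
    print(first_denied(PATH, "tech-user", {"tech", "domain users"}))
```
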


Re: [Samba] ACL and Replace all Child object permissions

2011-02-03 Thread TAKAHASHI Motonobu
2011/2/4 Zorg :
> I have an issue with samba+acl and Windows checkbox "Replace all Child
> object permissions"  .
>
> I have a folder with default ACLs:
>
> /default:user:user1:rwx,
> default:user:user2:rwx
> owned by user1/
>
> On Windows if I check "Replace all Child object permissions with
> inheritable permissions from this object" on this folder, it loses the
> default ACL default:user:user1:rwx; the other ACLs stay right
> (default:user:user2:rwx).
>
> /default:user:user2:rwx
> owned by user1/
>
> Is it normal behavior to delete a user from the Default ACL if he is already
> owner of a folder?
> How can I avoid this?

As far as I examined with Samba 3.5.6, an error occurred.
With an older version of Samba, I have seen similar behavior:
the default ACL vanishes when the user granted permissions by the default ACL
is also the owner.

Anyway, "map acl inherit" does not fully work:
  https://bugzilla.samba.org/show_bug.cgi?id=6841

---
TAKAHASHI Motonobu 


[Samba] ACL and Replace all Child object permissions

2011-02-03 Thread Zorg
I have an issue with samba+acl and Windows checkbox "Replace all Child
object permissions".

I have a folder with default ACLs:

/default:user:user1:rwx,
default:user:user2:rwx
owned by user1/

On Windows if I check "Replace all Child object permissions with
inheritable permissions from this object" on this folder, it loses the
default ACL default:user:user1:rwx; the other ACLs stay right
(default:user:user2:rwx).

/default:user:user2:rwx
owned by user1/

Is it normal behavior to delete a user from the Default ACL if he is
already owner of a folder?

How can I avoid this?


Thanks


Re: [Samba] samba acl restore error

2011-01-27 Thread Jeremy Allison
On Thu, Jan 27, 2011 at 04:26:10AM -0500, suresh.kanduk...@emc.com wrote:
> Dear Jeremy and Samba team,
>
> This is Suresh from EMC. I have Samba 3.4.8 on my NAS with POSIX ACL
> support.
>
> When backup software backs up files and folders, it typically backs up the
> security settings on the files/folders too. Then during restore, the software
> will try to restore the files/folders along with their security settings.
> The restore is now broken because security settings cannot be restored any
> more.
>
> I have enabled Samba log level 10. I see the problem is coming here.
> 
> --
> 
> 2011/01/26 10:41:04, 10] smbd/open.c:2896(create_file_unixpath)
> 
>   create_file_unixpath: access_mask = 0x11e019f file_attributes = 0x80,
> share_access = 0x3, create_disposition = 0x1 create_options = 0x4004
> oplock_request = 0x0 ea_list = 0x(nil), sd = 0x(nil), fname = Share2/file2.txt
> 
> --
> 
> SEC_FLAG_SYSTEM_SECURITY is 0x0100
>
> /* We need to support SeSecurityPrivilege for this. */
> if (access_mask & SEC_FLAG_SYSTEM_SECURITY) {
>         status = NT_STATUS_PRIVILEGE_NOT_HELD;
>         goto fail;
> }
>
> and I see the restore works fine when I restore all information except
> security for files and directories

The SEC_FLAG_SYSTEM_SECURITY flag is for setting the audit ACE entries
in an ACL - it isn't used for normal restoring of ACL ACE entries.

We return this error here as it's required by MS-Office (Excel) which
expects to get this error when changing ACLs on files (don't ask :-).

This is fixed in 3.5.7 and above by adding it as a privilege that
can be selected for a user who is doing restores.

Ping me off-list if you need a back port of this code.

Jeremy.


[Samba] samba acl restore error

2011-01-27 Thread suresh.kandukuru
Dear Jeremy and Samba team,

This is Suresh from EMC. I have Samba 3.4.8 on my NAS with POSIX ACL
support.

When backup software backs up files and folders, it typically backs up the
security settings on the files/folders too. Then during restore, the software
will try to restore the files/folders along with their security settings.
The restore is now broken because security settings cannot be restored any
more.

I have enabled Samba log level 10. I see the problem is coming here.
--
2011/01/26 10:41:04, 10] smbd/open.c:2896(create_file_unixpath)
  create_file_unixpath: access_mask = 0x11e019f file_attributes = 0x80, 
share_access = 0x3, create_disposition = 0x1 create_options = 0x4004 
oplock_request = 0x0 ea_list = 0x(nil), sd = 0x(nil), fname = Share2/file2.txt
--
SEC_FLAG_SYSTEM_SECURITY is 0x0100

/* We need to support SeSecurityPrivilege for this. */
if (access_mask & SEC_FLAG_SYSTEM_SECURITY) {
        status = NT_STATUS_PRIVILEGE_NOT_HELD;
        goto fail;
}

And I see the restore works fine when I restore all information except
security for files and directories.


  create_file_unixpath: access_mask = 0x11 file_attributes = 0x0, 
share_access = 0x7, create_disposition = 0x1 create_options = 0x4001 
oplock_request = 0x0 ea_list = 0x(nil), sd = 0x(nil), fname = .
[2011/01/26 10:41:04,  5] smbd/open.c:2391(open_directory)
---


The if (access_mask & SEC_FLAG_SYSTEM_SECURITY) condition is not satisfied here
and the error does not occur.

Jeremy, why are we checking this condition on SeSecurityPrivilege
(Manage auditing and security log) in the Samba code?

How to restore files with ACLs?

I am anticipating your reply.

Thanks

Suresh
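
Decoding the two create_file_unixpath entries quoted in this post, as an added example that is not Samba code and not part of the original message. The bit names are the Windows access-mask constants, with ACCESS_SYSTEM_SECURITY taken as bit 24 (0x01000000); the log text is the post's two entries with the line wraps joined, and the function names are made up for this sketch.

```python
import re

# Windows access-mask bits: file-specific rights, standard rights, special bits.
ACCESS_BITS = [
    (0x00000001, "FILE_READ_DATA"),
    (0x00000002, "FILE_WRITE_DATA"),
    (0x00000004, "FILE_APPEND_DATA"),
    (0x00000008, "FILE_READ_EA"),
    (0x00000010, "FILE_WRITE_EA"),
    (0x00000020, "FILE_EXECUTE"),
    (0x00000040, "FILE_DELETE_CHILD"),
    (0x00000080, "FILE_READ_ATTRIBUTES"),
    (0x00000100, "FILE_WRITE_ATTRIBUTES"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
    (0x00100000, "SYNCHRONIZE"),
    (0x01000000, "ACCESS_SYSTEM_SECURITY"),   # needed to read or write the SACL
    (0x02000000, "MAXIMUM_ALLOWED"),
    (0x10000000, "GENERIC_ALL"),
    (0x20000000, "GENERIC_EXECUTE"),
    (0x40000000, "GENERIC_WRITE"),
    (0x80000000, "GENERIC_READ"),
]
ACCESS_SYSTEM_SECURITY = 0x01000000
FILE_OPEN_FOR_BACKUP_INTENT = 0x00004000      # create_options bit used by backup tools

# The two entries from the post, each joined onto one line.
LOG = (
    "create_file_unixpath: access_mask = 0x11e019f file_attributes = 0x80, "
    "share_access = 0x3, create_disposition = 0x1 create_options = 0x4004 "
    "oplock_request = 0x0 ea_list = 0x(nil), sd = 0x(nil), fname = Share2/file2.txt\n"
    "create_file_unixpath: access_mask = 0x11 file_attributes = 0x0, "
    "share_access = 0x7, create_disposition = 0x1 create_options = 0x4001 "
    "oplock_request = 0x0 ea_list = 0x(nil), sd = 0x(nil), fname = .\n"
)

ENTRY = re.compile(
    r"create_file_unixpath: access_mask = (0x[0-9a-fA-F]+).*?"
    r"create_options = (0x[0-9a-fA-F]+).*?fname = (\S+)"
)


def decode_access_mask(mask):
    """Return (list of right names, bits not covered by the table)."""
    names = [name for bit, name in ACCESS_BITS if mask & bit]
    known = 0
    for bit, _ in ACCESS_BITS:
        known |= bit
    return names, mask & ~known


def audit_opens(log_text):
    """Summarise every create_file_unixpath entry found in the log text."""
    results = []
    for match in ENTRY.finditer(log_text):
        mask = int(match.group(1), 16)
        options = int(match.group(2), 16)
        rights, unknown = decode_access_mask(mask)
        results.append({
            "fname": match.group(3),
            "access_mask": mask,
            "rights": rights,
            "unknown_bits": unknown,
            # The open that the quoted smbd check rejects with PRIVILEGE_NOT_HELD.
            "needs_security_privilege": bool(mask & ACCESS_SYSTEM_SECURITY),
            "backup_intent": bool(options & FILE_OPEN_FOR_BACKUP_INTENT),
        })
    return results


if __name__ == "__main__":
    for entry in audit_opens(LOG):
        print(entry["fname"], hex(entry["access_mask"]),
              "SACL access requested" if entry["needs_security_privilege"]
              else "no SACL access requested")
        print("   ", ", ".join(entry["rights"]))
```
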


Re: [Samba] samba acl support

2011-01-08 Thread Nico Kadel-Garcia
On Thu, Jan 6, 2011 at 11:40 PM, Jeremy Allison  wrote:
> On Thu, Jan 06, 2011 at 10:58:27PM -0500, suresh.kanduk...@emc.com wrote:
>> Hi Jeremy, this is Suresh from EMC. What is the minimum version of Samba
>> which got ACL (POSIX) support? It looks to me that Samba 3.0.32 also got that
>> ACL support.
>>
>> Can you please confirm this?
>
> Oh yes, we've had POSIX ACL support for a *long*
> time. I can't remember exactly what the earliest
> version was (probably a 2.2.x version).
>
> However we've been slowly getting better over
> the years in doing the ACL mapping, culminating
> with the extra Windows ACL layer stored in EA's
> we now have that provides a 100% Windows compatible
> protocol response to the client, but then is mapped
> onto POSIX ACLs for filesystems that can't store
> native (or NFSv4) ACLs.
>
> Jeremy.

Note that at least some of the more sophisticated ACLs, such as
NFSv4, are awkward to use. You can reference an old thread on it
at http://lists.samba.org/archive/samba/2010-April/155243.html


Re: [Samba] samba acl support

2011-01-07 Thread Jeremy Allison
On Thu, Jan 06, 2011 at 11:52:46PM -0500, suresh.kanduk...@emc.com wrote:
> Thanks this helps.

Let me know if you really need the "first version with ACL
support" and I'll track it down.

Jeremy.


Re: [Samba] samba acl support

2011-01-06 Thread suresh.kandukuru
Thanks this helps.


-Suresh

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Jeremy Allison
Sent: Friday, January 07, 2011 10:10 AM
To: Kandukuru, Suresh
Cc: samba@lists.samba.org; j...@samba.org
Subject: Re: [Samba] samba acl support

On Thu, Jan 06, 2011 at 10:58:27PM -0500, suresh.kanduk...@emc.com wrote:
> Hi Jeremy, this is Suresh from EMC. What is the minimum version of Samba which
> got ACL (POSIX) support? It looks to me that Samba 3.0.32 also got that ACL
> support.
>
> Can you please confirm this?

Oh yes, we've had POSIX ACL support for a *long*
time. I can't remember exactly what the earliest
version was (probably a 2.2.x version).

However we've been slowly getting better over
the years in doing the ACL mapping, culminating
with the extra Windows ACL layer stored in EA's
we now have that provides a 100% Windows compatible
protocol response to the client, but then is mapped
onto POSIX ACLs for filesystems that can't store
native (or NFSv4) ACLs.

Jeremy.


Re: [Samba] samba acl support

2011-01-06 Thread Jeremy Allison
On Thu, Jan 06, 2011 at 10:58:27PM -0500, suresh.kanduk...@emc.com wrote:
> Hi Jeremy, this is Suresh from EMC. What is the minimum version of Samba which
> got ACL (POSIX) support? It looks to me that Samba 3.0.32 also got that ACL
> support.
>
> Can you please confirm this?

Oh yes, we've had POSIX ACL support for a *long*
time. I can't remember exactly what the earliest
version was (probably a 2.2.x version).

However we've been slowly getting better over
the years in doing the ACL mapping, culminating
with the extra Windows ACL layer stored in EA's
we now have that provides a 100% Windows compatible
protocol response to the client, but then is mapped
onto POSIX ACLs for filesystems that can't store
native (or NFSv4) ACLs.

Jeremy.


[Samba] samba acl support

2011-01-06 Thread suresh.kandukuru
Hi Jeremy, this is Suresh from EMC. What is the minimum version of Samba which
got ACL (POSIX) support? It looks to me that Samba 3.0.32 also got that ACL
support.

Can you please confirm this?

Thanks
Suresh


[Samba] ACL Problems with Samba and ADS Integration

2010-11-26 Thread Mike Theory
I am running a Samba Box as a Domain Member in a Windows ADS Domain (Windows 
Server 2003). The Box has joined the ADS domain and the kerberos authentication 
works, I can see "smbd" processes running with AD user accounts.
But I can not set ACLs on the directories or the files located on the share. If 
I change them using Windows Explorer, they either will be ignored by samba, or 
I get the Message:
Unable to save Permission Changes on [Directory]
The parameter is incorrect
This message comes if I want to grant "Full Control" permissions on files or 
directories.
I am not the in depth pro configuring samba, so maybe I did some configuration 
mistakes. I read about an ACL patch for samba. I did not build samba from the 
sources, I installed the packages and updates supplied by the OpenSUSE 11.3 
distro.

My smb.conf file looks like this:

[global]
    workgroup = [MyDomain]
    security = ADS
    realm = [My.Kerberos.Realm]
    password server = pdc.emulator.at.my.domain
    server string = %L server (OpenSUSE, Samba)
    dns proxy = No
    disable spoolss = Yes
    show add printer wizard = No
    map to guest = Bad User
    domain logons = No
    domain master = No
    local master = No
    netbios name = [ThisServersName]
    wins support = No
    client use spnego = Yes
    idmap uid = 15000 - 25000
    idmap gid = 15000 - 25000
    template homedir = /home/%D/%U
    template shell = /bin/bash
    usershare allow guests = No
    winbind use default domain = Yes
    winbind refresh tickets = Yes
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind nested groups = Yes
    acl group control = Yes
    acl map full control = True
    ntlm auth = No
    lanman auth = No
    interfaces = bond0
    log level = 3 acls:5 winbind:5

[groups]
    comment = All groups
    path = /raid
    read only = No
    inherit acls = Yes
    force directory security mode = 0770
    admin users = [MyDomain]\[DelegatedAdminUser]
    hide dot files = Yes
    hide unreadable = Yes


Can anyone figure out where the problem is. Do I need to compile from source 
and include some patches, or is the configuration the problem.
I did no group or user bindings with the "net" command.

Best Regards, Mike



  


Re: [Samba] ACL from win2k doesn't work

2010-10-03 Thread Rashkae

On 10-10-01 05:56 AM, Mauro Destro - Impel Systems Srl wrote:
> I'm trying to set up a simple standalone Samba server in a win2k
> network without domain.
>
> I've followed some basic howto on the net; users can see shares and
> can save, modify and delete files and folders.
>
> My big problem is the security tab: I can't add any user because the
> screen where I can see the users list asks me for a password.
>
> With an admin user and password (the same that I use to log into the
> share) it says something like "credentials supplied conflict with an
> existing set of credentials"
>
> If I don't insert user and password it says "access denied".
>
> Also I can't modify the existing ACL.
>
> Logs are with debug level = 3 but no error is present.
>
> Thanks


I'm not an expert, so someone may have to correct me.  I'm fairly 
certain that if you expect a client to modify the acl of files on the 
server, said client will need access to the users on that server, and 
the only way a client can get a list of users from a server is to be a 
member of that server's domain.  If you want to keep your network domain 
free, you will have to modify permissions on the server, not from the 
Windows client.



Re: [Samba] ACL from win2k doesn't work

2010-10-03 Thread Gaiseric Vandal
Are you logged into your workstation as an Administrator?  Is the local
Administrator password on your workstation the same as on the server?  Even if
this is the case, Samba may still complain that you initially connected
as one user ("PC\Administrator") and now want to connect as another user
"Server\Administrator."

You could try the following:
From the command prompt on the PC type  "net use" to see how you are
currently connected to the server.
Type "net use /delete ..." to delete the existing connection
Type "net use \\server /user: server\administrator" to reconnect
with the correct credentials.

Not sure if the syntax is correct or if it will work anyway.

Otherwise I think your two options are 
1. to use unix command line to set permissions (e.g. setfacl if you
want more than one user or group assigned)
2. join your PC to the domain.




-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of Mauro Destro - Impel Systems Srl
Sent: Friday, October 01, 2010 5:57 AM
To: samba@lists.samba.org
Subject: [Samba] ACL from win2k doesn't work

  I'm trying to set up a simple standalone Samba server in a win2k network
without domain.

I've followed some basic howto on the net; users can see shares and can
save, modify and delete files and folders.

My big problem is the security tab: I can't add any user because the screen
where I can see the users list asks me for a password.

With an admin user and password (the same that I use to log into the share) it
says something like "credentials supplied conflict with an existing set of
credentials"

If I don't insert user and password it says "access denied".

Also I can't modify the existing ACL.

Logs are with debug level = 3 but no error is present.

Thanks



[Samba] ACL from win2k doesn't work

2010-10-03 Thread Mauro Destro - Impel Systems Srl
I'm trying to set up a simple standalone Samba server in a win2k
network without domain.

I've followed some basic howto on the net; users can see shares and can
save, modify and delete files and folders.

My big problem is the security tab: I can't add any user because the
screen where I can see the users list asks me for a password.

With an admin user and password (the same that I use to log into the share)
it says something like "credentials supplied conflict with an existing
set of credentials"

If I don't insert user and password it says "access denied".

Also I can't modify the existing ACL.

Logs are with debug level = 3 but no error is present.

Thanks

Re: [Samba] samba acl - able to change permissions that contradict user security setting

2010-09-09 Thread suresh.kandukuru
Allison,
  My question was:
1) We have a share "test"; user admin has RW access and user1 has R-only
access. From the Windows PC, I connected to the "test" share as user admin
and created the subfolder "test_subfolder".
2) On that subfolder the admin user has given RW access to user1. Why is
Samba not preventing this, since user1 has R-only access on the share
"test"?

Smith explained this in the last mail.

Thanks for asking

Suresh

-Original Message-
From: Jeremy Allison [mailto:j...@samba.org] 
Sent: Thursday, September 09, 2010 9:13 AM
To: Kandukuru, Suresh
Cc: smb...@chrissmith.org; samba@lists.samba.org
Subject: Re: [Samba] samba acl - able to change permissions that contradict 
user security setting

On Wed, Sep 08, 2010 at 11:14:40AM -0400, suresh.kanduk...@emc.com wrote:
> Thanks smith for the quick reply. what I want to know is ,can not samba 
> source code  prevent the changing setting rw access to "test_subfolder" user1 
> , since he has only read only access on  the share "test".

The processing of security on shares and security
in the underlying file system are completely separate.

A user who is only granted "read" access on a share
should not be able to change permissions on a directory
inside the share, as this is a write operation on an
underlying directory.

An "admin" user should be able to change such permissions
at will, as they have full root access to the exported
share.

Can you explain a little more clearly what you are trying
to do (sorry, but I've been a little distracted by other
things at the moment) so I can understand if you are describing
a bug or not ?

Thanks,

Jeremy.



Re: [Samba] samba acl - able to change permissions that contradict user security setting

2010-09-09 Thread suresh.kandukuru
Thanks Smith. This explains in detail.

-Suresh

-Original Message-
From: Chris Smith [mailto:smb...@chrissmith.org] 
Sent: Thursday, September 09, 2010 8:19 AM
To: Kandukuru, Suresh
Cc: samba@lists.samba.org
Subject: Re: [Samba] samba acl - able to change permissions that contradict 
user security setting

On Wed, Sep 8, 2010 at 10:04 PM,   wrote:
> it looks like code is not designed like this.
>
> if you don't mind , Can you please explain this ,
>
> --
> - although you would be asking
> it to restrict the admin's rights, which wouldn't be proper behavior.
> Plus it then wouldn't work like a Windows box, which is a primary
> goal.
> 

File level security and share level security are separate - you can
limit what a user can do with either one, or both. Consider one box -
with no remote file sharing, a system (file level security) is needed
to prevent unauthorized access to files and directories for local
users. Consider a box that has no idea of file level security, say pre
Windows NT such as Windows 95 for instance, files are shared via the
network but with an OS that has no concept of file level security
something is needed to prevent unauthorized access - share level
security. AFAIK, the systems are not integrated, work separately and
provide some backward compatibility.

As the admin has full share level RW access to the share, he/she can
surely make changes to the file level security (that is, if it's
allowed by the current file level security) but he's not changing
share level security through this, only file level; so locally the
non-admin user could (presumably) login locally and access those
files, but still be blocked remotely by the share level permissions.
It's the way Windows works (and why Samba does also), plus I'm sure
other network sharing systems, NFS, etc. have similar attributes.

Think of it like trying to gain access to an office in a building. I
can keep you from gaining entry in two ways; one is that I prevent you
from entering the building (share level), or two, I prevent you from
entering the particular office by locking its door (file level). If I
prevent you from entering the building it doesn't matter whether or
not I lock the office door - you cannot get there. If I lock the
office door it doesn't matter if I allow you to enter the building -
either way you are effectively locked out. And just because you are
prevented, in the one case, from entering the building, there is
nothing, nor should there be, to prevent me (the admin) from unlocking
the office door, which would give you access if, and only if, you had
egress into the building - my access is not affected (I can still
unlock the office door), only yours (you still have no access unless I
allow you into the building as well).



Re: [Samba] samba acl - able to change permissions that contradict user security setting

2010-09-08 Thread Jeremy Allison
On Wed, Sep 08, 2010 at 11:14:40AM -0400, suresh.kanduk...@emc.com wrote:
> Thanks smith for the quick reply. what I want to know is ,can not samba 
> source code  prevent the changing setting rw access to "test_subfolder" user1 
> , since he has only read only access on  the share "test".

The processing of security on shares and security
in the underlying file system are completely separate.

A user who is only granted "read" access on a share
should not be able to change permissions on a directory
inside the share, as this is a write operation on an
underlying directory.

An "admin" user should be able to change such permissions
at will, as they have full root access to the exported
share.

Can you explain a little more clearly what you are trying
to do (sorry, but I've been a little distracted by other
things at the moment) so I can understand if you are describing
a bug or not ?

Thanks,

Jeremy.


Re: [Samba] samba acl - able to change permissions that contradict user security setting

2010-09-08 Thread Chris Smith
On Wed, Sep 8, 2010 at 10:04 PM,   wrote:
> it looks like code is not designed like this.
>
> if you don't mind , Can you please explain this ,
>
> --
> - although you would be asking
> it to restrict the admin's rights, which wouldn't be proper behavior.
> Plus it then wouldn't work like a Windows box, which is a primary
> goal.
> 

File level security and share level security are separate - you can
limit what a user can do with either one, or both. Consider one box -
with no remote file sharing, a system (file level security) is needed
to prevent unauthorized access to files and directories for local
users. Consider a box that has no idea of file level security, say pre
Windows NT such as Windows 95 for instance, files are shared via the
network but with an OS that has no concept of file level security
something is needed to prevent unauthorized access - share level
security. AFAIK, the systems are not integrated, work separately and
provide some backward compatibility.

As the admin has full share level RW access to the share, he/she can
surely make changes to the file level security (that is, if it's
allowed by the current file level security) but he's not changing
share level security through this, only file level; so locally the
non-admin user could (presumably) login locally and access those
files, but still be blocked remotely by the share level permissions.
It's the way Windows works (and why Samba does also), plus I'm sure
other network sharing systems, NFS, etc. have similar attributes.

Think of it like trying to gain access to an office in a building. I
can keep you from gaining entry in two ways; one is that I prevent you
from entering the building (share level), or two, I prevent you from
entering the particular office by locking its door (file level). If I
prevent you from entering the building it doesn't matter whether or
not I lock the office door - you cannot get there. If I lock the
office door it doesn't matter if I allow you to enter the building -
either way you are effectively locked out. And just because you are
prevented, in the one case, from entering the building, there is
nothing, nor should there be, to prevent me (the admin) from unlocking
the office door, which would give you access if, and only if, you had
egress into the building - my access is not affected (I can still
unlock the office door), only yours (you still have no access unless I
allow you into the building as well).


Re: [Samba] samba acl - able to change permissions that contradict user security setting

2010-09-08 Thread suresh.kandukuru
Smith, thanks again for answering. I have gone through the samba source code. I
have assumed that when the samba user "admin" gives read write access to
"test_subfolder" for the user "user1" from the windows security tab (user1
has read only access to share "test"), the samba code in posix_acl.c looks at the
read list of the share "test" (since user1 is in the read list) and denies
assigning rw access to test_subfolder. It looks like the code is not designed
like this.

If you don't mind, can you please explain this:

--
- although you would be asking
it to restrict the admin's rights, which wouldn't be proper behavior.
Plus it then wouldn't work like a Windows box, which is a primary
goal.



Thanks
Suresh

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Chris Smith
Sent: Wednesday, September 08, 2010 9:24 PM
To: Kandukuru, Suresh
Cc: samba@lists.samba.org
Subject: Re: [Samba] samba acl - able to change permissions that contradict 
user security setting

On Wed, Sep 8, 2010 at 11:14 AM,   wrote:
> Thanks Smith for the quick reply. What I want to know is, can the samba
> source code not prevent setting rw access on "test_subfolder" for user1,
> since he has only read only access on the share "test"?

I suppose you could patch it to do so - although you would be asking
it to restrict the admin's rights, which wouldn't be proper behavior.
Plus it then wouldn't work like a Windows box, which is a primary
goal.


Re: [Samba] samba acl - able to change permissions that contradict user security setting

2010-09-08 Thread Chris Smith
On Wed, Sep 8, 2010 at 11:14 AM,   wrote:
> Thanks Smith for the quick reply. What I want to know is, can the samba
> source code not prevent setting rw access on "test_subfolder" for user1,
> since he has only read only access on the share "test"?

I suppose you could patch it to do so - although you would be asking
it to restrict the admin's rights, which wouldn't be proper behavior.
Plus it then wouldn't work like a Windows box, which is a primary
goal.

Re: [Samba] samba acl - able to change permissions that contradict user security setting

2010-09-08 Thread suresh.kandukuru
Thanks Smith for the quick reply. What I want to know is, can the samba source
code not prevent setting rw access on "test_subfolder" for user1, since
he has only read only access on the share "test"?


-Suresh

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Chris Smith
Sent: Wednesday, September 08, 2010 8:25 PM
To: Kandukuru, Suresh
Cc: samba@lists.samba.org
Subject: Re: [Samba] samba acl - able to change permissions that contradict 
user security setting

On Wed, Sep 8, 2010 at 1:43 AM,   wrote:
> 1) Created share "test", giving read and write access to the user "admin" and
> read only access to user "user1".
>
> 2) From my windows PC, logged into the samba share "test" as the "admin" user
> and created a subfolder "test_subfolder" in it.
>
> 3) On that subfolder, from the windows security tab I could add user
> "user1" and give read and write access to it.
> How to prevent this? Actually on the share "test" user1 has read only
> access. How is the samba code allowing permission changes that contradict the
> user security settings?
>
> 4) When I log in to share "test" as "user1", I cannot write into subfolder
> "test_subfolder".

Seems perfectly normal. Share level security will take precedence over
file level security when connected via the share. I'm sure you would
find the same results working with an actual Windows share (always a
good thing to test before you post).

Re: [Samba] samba acl - able to change permissions that contradict user security setting

2010-09-08 Thread Chris Smith
On Wed, Sep 8, 2010 at 10:55 AM, Chris Smith  wrote:
> Share level security will take precedence over
> file level security when connected via the share.

Sorry about that: more accurate would be to state that the most
restrictive security permissions will be active. If share level
permissions allow RW access but the file level permissions only allow
for R access then that is all the user will receive (and vice versa).
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
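
The rule stated in this thread (the most restrictive of share-level and file-level permissions applies), worked through for the [test] share posted in the original question. This is an added example, not code from the thread or from Samba; the function names and the FILE_RIGHTS table (the file ACL after the Security-tab change in step 3) are assumptions of the example, and @group style entries in user lists are not expanded.

```python
import shlex

# The [test] share as posted in the thread (including the repeated
# "max connections" line); only the share-level parameters matter here.
SMB_CONF = '''
[test]
path= /mnt/samba/shares/SP0/test/
max connections= 50
max connections= 250
directory mode= 0777
create mode= 0777
nt acl support= yes
writeable= no
valid users= "admin" "user1"
read list= "user1"
write list= "admin"
'''


def parse_share(text, share):
    """Return {parameter: value} for one [share] section; a repeated key keeps its last value."""
    params, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == share.lower() and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def _names(params, key):
    # Plain user names only; @group / +group / &group entries are not expanded.
    return set(shlex.split(params.get(key, "").replace(",", " ")))


def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def share_access(params, user):
    """Share-level rights for `user`: "" (cannot connect), "r" or "rw"."""
    valid = _names(params, "valid users")
    if user in _names(params, "invalid users") or (valid and user not in valid):
        return ""
    writable = False  # smb.conf default is read only = yes
    for key in ("writeable", "writable", "write ok"):
        if key in params:
            writable = _yes(params[key])
    if "read only" in params:
        writable = not _yes(params["read only"])
    if user in _names(params, "write list"):  # write list wins over read list
        return "rw"
    if user in _names(params, "read list"):
        return "r"
    return "rw" if writable else "r"


def effective_access(share_rights, file_rights):
    """A right is usable over SMB only if both the share and the file ACL grant it."""
    return "".join(c for c in "rw" if c in share_rights and c in file_rights)


# Constructed file-level state: what the Security tab edit in step 3 leaves on
# test_subfolder (both users hold read and write in the file ACL).
FILE_RIGHTS = {"admin": "rw", "user1": "rw"}


def report(conf=SMB_CONF, share="test", file_rights=FILE_RIGHTS):
    """Effective rights per user when connecting through the share."""
    params = parse_share(conf, share)
    return {user: effective_access(share_access(params, user), rights)
            for user, rights in file_rights.items()}


if __name__ == "__main__":
    for user, rights in report().items():
        print(f"{user}: effective rights through the share = {rights or 'none'}")
```

The file ACL change made by "admin" is stored, but user1 still ends up with read-only access through the share because the read list caps it.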


Re: [Samba] samba acl - able to change permissions that contradict user security setting

2010-09-08 Thread Chris Smith
On Wed, Sep 8, 2010 at 1:43 AM,   wrote:
> 1) Created share "test", giving read and write access to the user "admin" and
> read only access to user "user1".
>
> 2) From my windows PC, logged into the samba share "test" as the "admin" user
> and created a subfolder "test_subfolder" in it.
>
> 3) On that subfolder, from the windows security tab I could add user
> "user1" and give read and write access to it.
> How to prevent this? Actually on the share "test" user1 has read only
> access. How is the samba code allowing permission changes that contradict the
> user security settings?
>
> 4) When I log in to share "test" as "user1", I cannot write into subfolder
> "test_subfolder".

Seems perfectly normal. Share level security will take precedence over
file level security when connected via the share. I'm sure you would
find the same results working with an actual Windows share (always a
good thing to test before you post).

Re: [Samba] samba acl - able to change permissions that contradict user security setting

2010-09-08 Thread suresh.kandukuru
Did not get a response, so bumping it. Friends, please help me with the below
issue.

Thanks
Suresh

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of suresh.kanduk...@emc.com
Sent: Wednesday, September 08, 2010 11:13 AM
To: samba@lists.samba.org
Subject: [Samba] samba acl - able to change permissions that contradict user 
security setting

Dear friends, I am having the following issue on my samba device. Please help me
with this.

1) Created share "test", giving read and write access to the user "admin" and
read only access to user "user1".

2) From my windows PC, logged into the samba share "test" as the "admin" user
and created a subfolder "test_subfolder" in it.

3) On that subfolder, from the windows security tab I could add user "user1"
and give read and write access to it.
How to prevent this? Actually on the share "test" user1 has read only access.
How is the samba code allowing permission changes that contradict the user
security settings?

4) When I log in to share "test" as "user1", I cannot write into subfolder
"test_subfolder".

This is the smb.conf part for the "test" share:
---
[test]
path= /mnt/samba/shares/SP0/test/
max connections= 50
max connections= 250
directory mode= 0777
create mode= 0777
follow symlinks= yes
wide links= no
nt acl support= yes
dos filemode= yes
writeable= no
valid users= "admin" "user1"
read list= "user1"
store dos attributes= yes
write list= "admin"
-


I am anticipating your reply.

Thanks
Suresh





[Samba] samba acl - able to change permissions that contradict user security setting

2010-09-07 Thread suresh.kandukuru
Dear friends, I am having the following issue on my samba device. Please help me
with this.

1) Created share "test", giving read and write access to the user "admin" and
read only access to user "user1".

2) From my windows PC, logged into the samba share "test" as the "admin" user
and created a subfolder "test_subfolder" in it.

3) On that subfolder, from the windows security tab I could add user "user1"
and give read and write access to it.
How to prevent this? Actually on the share "test" user1 has read only access.
How is the samba code allowing permission changes that contradict the user
security settings?

4) When I log in to share "test" as "user1", I cannot write into subfolder
"test_subfolder".

This is the smb.conf part for the "test" share:
---
[test]
path= /mnt/samba/shares/SP0/test/
max connections= 50
max connections= 250
directory mode= 0777
create mode= 0777
follow symlinks= yes
wide links= no
nt acl support= yes
dos filemode= yes
writeable= no
valid users= "admin" "user1"
read list= "user1"
store dos attributes= yes
write list= "admin"
-


I am anticipating your reply.

Thanks
Suresh





[Samba] samba ACL problems in some of the Workgroup PC's

2010-09-05 Thread suresh.kandukuru
Dear friends,
  I am facing a problem while adding an ACL user to a subfolder's security
permissions from some of the WORKGROUP PCs. While adding the ACL user, it
asks for samba login credentials (I did not notice this behavior on
other PCs), and after entering them it displays "user object not found".
Although the "user2" user exists in the backend, it gives this error.

This does not cause any problem on some of the workgroup PCs and on some PCs
which are in a domain.

I have enabled samba log level 10. While the add ACL user task is going on, I
did not find any comparable errors between the working PCs and the non-working
PCs.

Can you please suggest why only some of the workgroup machines have this
problem? I found this is not specific to any OS: one PC which has
Windows XP and another which has Windows 7 exhibit this issue. The workgroup is
the common WORKGROUP.

Please advise. I am anticipating your reply.

Thanks
Suresh




[Samba] Samba ACL sub folder permission changes

2010-08-18 Thread suresh.kandukuru
Dear samba team,
Please help me with the issue below.

I have connected a samba share from my device to my Windows XP
machine. That samba share has ACL support enabled.
1) The shared folder name is "user1" and the user name I logged into the
samba share with is also user1.

2) I have created a text file and a sub folder in the samba share from
my windows PC.

3) I can change the write permission of the owner "user1", the group
"users" and Everyone from the security -> advanced settings ->

4) For the sub folder I cannot change the permissions for the owner
"user1"; I can change them for the group "users" and for Everyone.

Whenever I try to disable "Write attributes" and "Write extended
attributes", it simply ignores the changes and again shows "full
control" in the advanced security window.


Please suggest how to handle this.
Here is my samba.conf

-
[Global]
server string= storage
Workgroup= WORKGROUP
security= user
domain master= yes
preferred master= yes
local master= yes
os level= 20
invalid users= bin daemon adm sync shutdown halt mail news uucp gopher
map to guest= Bad User
host msdfs= yes
null passwords= yes
strict allocate= no
encrypt passwords= yes
passdb backend= smbpasswd
printcap name= lpstat
printing= cups
printable= no
load printers= yes
max smbd processes= 500
max smbd processes= 2500
getwd cache= yes
display charset= UTF-8
log level= 10
syslog= 0
max log size= 50
use sendfile= yes

[Printers]
path= /mnt/soho_storage/samba/spool
printable= yes
only guest= yes
use client driver= yes
comment= All Printers

[Backups]
path= /mnt/soho_storage/samba/shares/SP0/Backups/
max connections= 50
max connections= 250
directory mode= 0777
create mode= 0777
follow symlinks= yes
wide links= no
nt acl support= no
dos filemode= no
writeable= yes
public= yes
store dos attributes= yes
write list= guest

[Documents]
path= /mnt/soho_storage/samba/shares/SP0/Documents/
max connections= 50
max connections= 250
directory mode= 0777
create mode= 0777
follow symlinks= yes
wide links= no
nt acl support= no
dos filemode= no
writeable= yes
public= yes
store dos attributes= yes
write list= guest

[Pictures]
path= /mnt/soho_storage/samba/shares/SP0/Pictures/
max connections= 50
max connections= 250
directory mode= 0777
create mode= 0777
follow symlinks= yes
wide links= no
nt acl support= no
dos filemode= no
writeable= yes
public= yes
store dos attributes= yes
write list= guest

[user1]
path= /mnt/soho_storage/samba/shares/SP0/user1/
max connections= 50
max connections= 250
directory mode= 0777
create mode= 0777
follow symlinks= yes
wide links= no
nt acl support= yes
dos filemode= yes
writeable= no
valid users= "admin" "user1" "user2"
store dos attributes= yes
write list= "admin" "user1" "user2"

[user2]
path= /mnt/soho_storage/samba/shares/SP0/user2/
max connections= 50
max connections= 250
directory mode= 0777
create mode= 0777
follow symlinks= yes
wide links= no
nt acl support= yes
dos filemode= yes
writeable= no
valid users= "admin" "user1" "user2"
store dos attributes= yes
write list= "admin" "user1" "user2"
--

Thanks in advance
Suresh




[Samba] ACL is invalid for set

2010-08-16 Thread Andreas Moroder

Hello,

when I try to add a group to the list of groups that can access a
directory I get a message in windows and my samba log file contains these
lines


[2010/08/16 12:15:13.495938,  0] 
modules/vfs_posixacl.c:349(smb_acl_to_posix)

  smb_acl_to_posix: ACL is invalid for set (Das Argument ist ungültig)

where "Das Argument ist ungültig" translates to "The arguments are invalid".

ACLs are activated and I have only set
inherit acls = Yes
in smb.conf

We have Version 3.5.3


Can anyone please tell me what is wrong in my configuration?

Thanks
Andreas





Re: [Samba] ACL inheritance issue on homes directory

2010-05-10 Thread Andrew Masterson
> > I have recently commissioned a box running RHEL5.4 and samba sernet
> > 3.5.2 that is AD integrated.
> >
> > The other shares on the box seem to obey the "inherit acls" and "inherit
> > permissions" flags as well as "force create mode" and "force directory
> > mode", but not on the _homes_ directory.
> > 
> > Has anyone experienced similar problems, and where should I start
> > looking to troubleshoot this problem?

> Are the homes directories mounted via NFS, or have some other
> difference in their mount options ?

All of the shares are on the same logical volume disk, an ext4 local
partition
/dev/mapper/VolGroup00-LogVol01 on /data type ext4 (rw,user_xattr,acl)

-=Andrew


Re: [Samba] ACL inheritance issue on homes directory

2010-05-10 Thread Jeremy Allison
On Mon, May 10, 2010 at 10:37:37AM -0600, Andrew Masterson wrote:
> I have recently commissioned a box running RHEL5.4 and samba sernet
> 3.5.2 that is AD integrated. 
> 
> The other shares on the box seem to obey the "inherit acls" and "inherit
> permissions" flags as well as "force create mode" and "force directory
> mode", but not on the _homes_ directory.
> 
> Has anyone experienced similar problems, and where should I start
> looking to troubleshoot this problem?

Are the homes directories mounted via NFS, or have some other
difference in their mount options ?

Jeremy.


[Samba] ACL inheritance issue on homes directory

2010-05-10 Thread Andrew Masterson
I have recently commissioned a box running RHEL5.4 and samba sernet
3.5.2 that is AD integrated. 

The other shares on the box seem to obey the "inherit acls" and "inherit
permissions" flags as well as "force create mode" and "force directory
mode", but not on the _homes_ directory.

Has anyone experienced similar problems, and where should I start
looking to troubleshoot this problem?

Thanks,
Andrew


[Samba] ACL madness

2010-05-07 Thread big beer
Hello list,

I'm having a "fun" time trying to figure out my ACL problems.
I've gone through the default ACL settings and the mask settings on
the filesystem to ensure that the user I am using does indeed have
access to the filesystem that is being shared out.
My issue is that I am unable to overwrite a file that already exists
with another file of the same name. I get the windows dialog "Are you
sure you want to overwrite this file" but when selecting "yes" it
fails with a big fat "The request is not supported". I can
edit/rename/delete this file so I think I have the right ACLs on the
folder it is in and on the file itself.

Here is the ACL on the folder that contains the file:
~ getfacl test
# file: test
# owner: root
# group: root
user::rwx
group::r-x
group:DOMAIN\134domain\040admins:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:DOMAIN\134domain\040admins:rwx
default:mask::rwx
default:other::r-x

And here is the ACL on the actual file:
~ getfacl New\ Text\ Document.txt
# file: New\040Text\040Document.txt
# owner: DOMAIN\134Myuser
# group: DOMAIN\134domain\040users
user::rwx
group::r-x
group:DOMAIN\134domain\040admins:rwx
mask::rwx
other::r--

Here is the output from the logfile when I click yes to the dialog to
overwrite the file:
[2010/05/07 03:34:38.392475,  3] smbd/process.c:1485(process_smb)
 Transaction 422 of length 144 (0 toread)
[2010/05/07 03:34:38.392572,  3] smbd/process.c:1294(switch_message)
 switch message SMBntcreateX (pid 11135) conn 0x7fa8cc722b40
[2010/05/07 03:34:38.392670,  3] smbd/vfs.c:851(check_reduced_name)
 check_reduced_name [test/New Text Document.txt] [/gpfs1]
[2010/05/07 03:34:38.392724,  3] smbd/vfs.c:1008(check_reduced_name)
 check_reduced_name: test/New Text Document.txt reduced to
/gpfs1/test/New Text Document.txt
[2010/05/07 03:34:38.392752,  3] smbd/vfs.c:851(check_reduced_name)
 check_reduced_name [test/New Text Document.txt] [/gpfs1]
[2010/05/07 03:34:38.392792,  3] smbd/vfs.c:1008(check_reduced_name)
 check_reduced_name: test/New Text Document.txt reduced to
/gpfs1/test/New Text Document.txt
[2010/05/07 03:34:38.392833,  3] smbd/dosmode.c:166(unix_mode)
 unix_mode(test/New Text Document.txt) returning 0764
[2010/05/07 03:34:38.392859,  3] smbd/vfs.c:851(check_reduced_name)
 check_reduced_name [test/New Text Document.txt] [/gpfs1]
[2010/05/07 03:34:38.392899,  3] smbd/vfs.c:1008(check_reduced_name)
 check_reduced_name: test/New Text Document.txt reduced to
/gpfs1/test/New Text Document.txt
[2010/05/07 03:34:38.393030,  1] modules/vfs_gpfs.c:961(gpfs_get_xattr)
 gpfs_get_xattr:name is user.SAMBA_PAI
[2010/05/07 03:34:38.393133,  2] smbd/open.c:631(open_file)
 DOMAIN\Myuser opened file test/New Text Document.txt read=No write=Yes
(numopen=2)
[2010/05/07 03:34:38.393339,  3] smbd/error.c:80(error_packet_set)
 error packet at smbd/error.c(160) cmd=162 (SMBntcreateX)
NT_STATUS_NOT_SUPPORTED


I should also note that if I try to overwrite a folder with a folder
of the same name instead of a file with a file of the same name, it is
successful.

Any help would be greatly appreciated.

Thanks,

Bigbeer


Re: [Samba] ACL problem after upgrade from 3.0.24 to 3.4.5

2010-04-03 Thread Quartexx
2010/4/3 grant little wrote:
> Upgrade to 3.5.1 (or 2 real soon)...


I tried sernet lenny 3.4 packages and no ACL bug.
So it's something related to lenny-backports packages.



>
> On Fri, Apr 2, 2010 at 5:33 AM, Quartexx  wrote:
>>
>> >After upgrading from Debian Etch with samba 3.0.24-6etch10 to Lenny
>> >with a backport of 2:3.4.5~dfsg-1 (with libtalloc2 2.0.1-1), i get a
>> >fully working service but with a strange ACL bug : people can
>> >create/delete/rename files, but not modify them (error "espace
>> >insuffisant pour traiter cette commande" in french, which should
>> >translate into "Not enough storage is available to process this
>> >command")
>>
>>
>> Same problem here.  It happens on 3.2.5 upgrade to 3.4, lenny
>> backport.  It happens on a 3.4 fresh install too.
>> Can anyone give us some advice about this issue?
>> Thanks


Re: [Samba] ACL problem after upgrade from 3.0.24 to 3.4.5

2010-04-02 Thread Quartexx
>After upgrading from Debian Etch with samba 3.0.24-6etch10 to Lenny
>with a backport of 2:3.4.5~dfsg-1 (with libtalloc2 2.0.1-1), i get a
>fully working service but with a strange ACL bug : people can
>create/delete/rename files, but not modify them (error "espace
>insuffisant pour traiter cette commande" in french, which should
>translate into "Not enough storage is available to process this
>command")


Same problem here.  It happens on 3.2.5 upgrade to 3.4, lenny
backport.  It happens on a 3.4 fresh install too.
Can anyone give us some advice about this issue?
Thanks


[Samba] ACL problem after upgrade from 3.0.24 to 3.4.5

2010-02-10 Thread Marc Dequènes

Hello,

After upgrading from Debian Etch with samba 3.0.24-6etch10 to Lenny
with a backport of 2:3.4.5~dfsg-1 (with libtalloc2 2.0.1-1), I get a
fully working service but with a strange ACL bug: people can
create/delete/rename files, but not modify them (error "espace
insuffisant pour traiter cette commande" in French, which should
translate into "Not enough storage is available to process this
command"). In the Windows XP rights manager interface, the modify
right is missing, and adding it using the samba admin account results
in a silent failure (the interface refreshes its view and the added
right has disappeared again). No other problem has been found, and I
cannot reproduce this problem using a smbfs mount on a GNU/Linux box.
The only strange thing I found was the result of smbcacls for a test
file and user being:

  ACL:KEAspuig:ALLOWED/0x0/0x001e01ff
I don't know what 0x001e01ff is when I expected FULL (due to 'acl map
full control = true').


My smb.conf file is attached. The detailed log when trying to add the  
missing right is also attached. Any help would be much appreciated.


Regards.

--
Marc Dequènes
Homepage: http://www.proformatique.com/
Proformatique - 10 bis, rue Lucien VOILIN - 92800 Puteaux
Tel. : 01 41 38 99 68 - Fax. : 01 41 38 99 70
#=== Global Settings ===

[global]

## Network ##

interfaces = lo eth0
bind interfaces only = yes


## Browsing/Identification ###

netbios name = KEAFILER1
server string = %h PDC (Samba %v)

workgroup = KEA
realm = in.kea-partners.com

wins support = yes
# This will prevent nmbd to search for NetBIOS names through DNS.
dns proxy = no
name resolve order = lmhosts host wins bcast


## Debugging/Accounting ##

#log level = 3 auth:5 smb:10 acls:10 vfs:10
log level = 0
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d


### Authentication ###

security = user
null passwords = false
guest account = samba-nobody
;invalid users = root
obey pam restrictions = no
unix password sync = no

admin users = samba-admin @samba-domain-admins

passdb backend = ldapsam:ldap://ldap-master.in.kea-partners.com
# Duck: does not work (in Samba 3.0.x in Etch at least)
#ldapsam:trusted = yes
ldap ssl = no
ldap suffix = dc=kea-partners,dc=com
ldap admin dn = "cn=root,dc=kea-partners,dc=com"
ldap delete dn = yes
ldap user suffix = ou=Users,ou=OxObjects
ldap group suffix = ou=Groups,ou=OxObjects
ldap machine suffix = ou=winstations,ou=systems
ldap idmap suffix = ou=Idmap


## Domains ###

os level = 255
domain master = yes
local master = yes
prefered master = yes

domain logons = yes
# defined in LDAP
#logon path = \\%N\profiles\%U
#logon drive = H:
#logon home = \\%N\%U
logon script = logon.vbs


## Printing ##

# deactivated
load printers = no
#printing = cups
#printcap name = cups
#printer admin = @samba-domain_admins
#show add printer wizard = no


## Misc ##

#add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
#add group script = /usr/sbin/smbldap-groupadd -p "%g"
#delete group script = /usr/sbin/smbldap-groupdel "%g"
#add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
#delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
#set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

#strict allocate = yes


## ACLs ##

create mask = 0750
directory mask = 0755
force create mode = 0750
force security mode = 0700
force directory mode = 0755

# windows silliness
#veto files = /*.eml/*.nws/*.{*}/
veto files = /*.Zone.Identifier:*/
veto oplock files = /*.doc/*.xls/*.mdb/*.cdx/*.dbf/*.ppt/
strict locking = No

# needed for correct POSIX ACLs mapping
inherit acls = yes
inherit permissions = no
store dos attributes = yes
dos filetime resolution = yes
ea support = yes
map read only = Permissions
map acl inherit = yes
acl map full control = true

hide special files = yes
hide unreadable = Yes


#=== Share Definitions ===

[homes]
   comment = Home Directories
   browseable = no
   guest ok = no
   writable = yes
   create mask = 0700
   directory mask = 0700
   root preexec = /usr/local/sbin/mksambadir home "/home/%u" "%u" "%g"
# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# The following parameter makes sure that only "username" can connect
# to \\server\username
# This might need tweaking when using external authentication schemes
   valid users = %S

[netlogon]
   comment = Network Logon Service
   path = /data/samba/netlogon
   guest ok = yes
   writable = yes
   share modes = no

[profiles]
   comment = Users profiles
   path = /data/win-profiles
   browseable = no
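
The numeric access mask in the smbcacls line quoted in this message, decoded with the standard Windows access-right bit values: 0x001e01ff is the full-control value 0x001f01ff with the DELETE bit cleared. This is an added example, not code from the post or from Samba; the function names are assumptions of the example, and only numeric masks (not symbolic ones such as FULL) are handled.

```python
import re

# Standard Windows access-mask bits (file-specific, standard and generic rights).
RIGHTS = [
    (0x00000001, "FILE_READ_DATA"),
    (0x00000002, "FILE_WRITE_DATA"),
    (0x00000004, "FILE_APPEND_DATA"),
    (0x00000008, "FILE_READ_EA"),
    (0x00000010, "FILE_WRITE_EA"),
    (0x00000020, "FILE_EXECUTE"),
    (0x00000040, "FILE_DELETE_CHILD"),
    (0x00000080, "FILE_READ_ATTRIBUTES"),
    (0x00000100, "FILE_WRITE_ATTRIBUTES"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
    (0x00100000, "SYNCHRONIZE"),
    (0x01000000, "ACCESS_SYSTEM_SECURITY"),
    (0x02000000, "MAXIMUM_ALLOWED"),
    (0x10000000, "GENERIC_ALL"),
    (0x20000000, "GENERIC_EXECUTE"),
    (0x40000000, "GENERIC_WRITE"),
    (0x80000000, "GENERIC_READ"),
]
FILE_ALL_ACCESS = 0x001F01FF  # what a "full control" ACE carries on a file


def to_int(text):
    """Numeric fields only (0x... or decimal); a symbolic mask raises ValueError."""
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def parse_ace(line):
    """Split an smbcacls 'ACL:name:TYPE/FLAGS/MASK' line into its four fields."""
    m = re.match(r"\s*ACL:(.+):(ALLOWED|DENIED)/([^/\s]+)/(\S+)\s*$", line)
    if not m:
        raise ValueError(f"not an smbcacls ACL line: {line!r}")
    name, ace_type, flags, mask = m.groups()
    return name, ace_type, to_int(flags), to_int(mask)


def decode(mask):
    """Names of every known right set in the mask, lowest bit first."""
    return [name for bit, name in RIGHTS if mask & bit]


def unknown_bits(mask):
    """Bits set in the mask that are not in the table above."""
    known = 0
    for bit, _ in RIGHTS:
        known |= bit
    return mask & ~known


def missing_from_full(mask):
    """Rights that full control includes but this mask does not grant."""
    return [name for bit, name in RIGHTS
            if FILE_ALL_ACCESS & bit and not mask & bit]


if __name__ == "__main__":
    # The line below is the one quoted in the message.
    name, ace_type, flags, mask = parse_ace("  ACL:KEAspuig:ALLOWED/0x0/0x001e01ff")
    print(f"{name} {ace_type} flags={flags:#x} mask={mask:#010x}")
    print("granted:", ", ".join(decode(mask)))
    print("missing from full control:", ", ".join(missing_from_full(mask)) or "nothing")
```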

[Samba] ACL

2009-09-29 Thread Luis Taboada

I'm trying to use samba to share some files with ACL.
But when I create a new folder or file, I have to press F5 before I can see any
change in the folder.
For example:
I create a new folder in a directory, but I can't see it until I press F5.
Does anyone know how to fix it?



I have just shared a folder in samba which has ACL
permissions.

Only when I access this folder, on creating a document, the data is not
refreshed; that is, I have to press F5 for the contents of the folder to be
updated.

Does anyone know how to fix it?

Many thanks in advance


 /etc/samba/smb.conf
[global]
log file = /var/log/samba/%m.log
smb passwd file = /etc/samba/smbpasswd
load printers = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
map to guest = bad user
encrypt passwords = yes
printcap cache time = 60
dns proxy = no
netbios name = 58tmp
server string = Nexo Server 58 
printing = cups
workgroup = MyGroup
os level = 1
printcap name = cups
security = user
preferred master = no
max log size = 50
log level = 2
domain master = no
local master = no
smb ports = 139

[Compartido]
writeable = yes
path = /Compartido
write list = useringenieria
valid users = useringenieria
public = yes
user = useringenieria
inherit acls = yes
inherit permissions = yes
map acl inherit = yes
nt acl support = Yes



[CompartidoTest]
writeable = yes
path = /CompartidoTest
write list = useringenieria
comment =
valid users = useringenieria
public = yes
user = useringenieria


[r...@fileserver /]# getfacl Compartido
# file: Compartido
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

[r...@fileserver /]# getfacl /Compartido/*
getfacl: Removing leading '/' from absolute path names
# file: Compartido/Calidad
# owner: root
# group: Calidad
user::rwx
user:useringenieria:r-x
user:useringenieria2:rwx
group::r-x
group:Calidad:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:Calidad:rwx
default:mask::rwx
default:other::---

# file: Compartido/Ingenieria
# owner: root
# group: Ingenieria
user::r-x
group::r-x
group:Ingenieria:rwx
mask::rwx
other::r-x
default:user::r-x
default:group::r-x
default:group:Ingenieria:rwx
default:mask::rwx
default:other::r-x

[r...@fileserver Calidad]# getfacl ./*
getfacl: Removing leading '/' from absolute path names
# file: Compartido/Calidad/dirp2/dirp2/dirp2/dirp2/dirp2
# owner: root
# group: Calidad
user::rwx
user:useringenieria:rwx
group::r-x
group:Calidad:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:Calidad:rwx
default:mask::rwx
default:other::---

# file: dircal1
# owner: usercalidad1
# group: Calidad
user::rwx
user:useringenieria:rwx
user:useringenieria2:rwx
group::r-x
group:Calidad:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:Calidad:rwx
default:mask::rwx
default:other::---

# file: dircal2
# owner: usercalidad2
# group: Calidad
user::rwx
group::r-x
group:Calidad:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:Calidad:rwx
default:mask::rwx
default:other::---

# file: dirp1
# owner: root
# group: Calidad
user::rwx
user:useringenieria:r-x
group::r-x
group:Calidad:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:Calidad:rwx
default:mask::rwx
default:other::---

# file: dirp2
# owner: root
# group: Calidad
user::rwx
user:useringenieria:rwx
group::r-x
group:Calidad:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:Calidad:rwx
default:mask::rwx
default:other::---





Re: [Samba] samba ACL open-for-delete problem

2009-09-28 Thread Shaochun Wang
All my fault. I forgot to execute "make clean" before compiling samba
with ACL support.


-- 
Shaochun Wang(王绍春) 
PH.D Candidate
State Key Laboratory of Computer Science,
Institute of Software,
Chinese Academy of Sciences

[Samba] samba ACL open-for-delete problem

2009-09-27 Thread Shaochun Wang
Hi, all

It seems that samba-3.4.1 still has something wrong with ACL for
open-for-delete operation. I give a group of users full access, which
means rwx permission, to a directory and make this as the default ACL
for this directory. Then I found that I can do anything as a member of
that group but deleting files and this directory.

After skimming through its source code, I did not find any ACL check at
function can_delete_file_in_directory() in file file_access.c.

Am I right?

The following is my ACL setting:
-bash-4.0$ getfacl Downloads/
# file: Downloads/
# owner: tsmn
# group: bt
user::rwx
group::r-x
group:smb_g0:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:smb_g0:rwx
default:mask::rwx
default:other::r-x

-bash-4.0$ getfacl Downloads/aaa
# file: Downloads/aaa
# owner: tsmn
# group: bt
user::rw-
group::r-x  #effective:r--
group:smb_g0:rwx#effective:rw-
mask::rw-
other::r--

I can't delete file "aaa" when logging in as SAMBA user smb_u0 whose
main group is smb_g0.

-- 
Shaochun Wang 

Jabber: fung...@jabber.org


Re: [Samba] ACL misbehavior moving from POSIX ACL -> acl_xattr

2009-09-18 Thread Wes Deviers
On Friday 18 September 2009 02:06:41 pm Miguel Medalha wrote:
> Please pardon me if I insist, but I am doing it with the interest of the 
> community in mind, not just bitching about it.
> 
> 
> 
> I really don't see why this could not be implemented. Perhaps it goes 
> somewhat against established thinking but it really seems possible to me.
> 
> NOTE: Perhaps we wouldn't even need a VFS module, only a smb.conf 
> parameter to switch the behavior of the samba daemon? Please note: all 
> disk operations would be done in the name of that special user, using 
> full permissions. Ownership and rights would then be "filtered" by the 
> adequate layer to be seen by clients in the appropriate way.
> 
> Best regards
> Miguel

Miguel (and others..)

I've been dinking around with implementing this in my "spare time", using the 
existing 3.3 VFS ACL_xattr module as a guide.  I *think* the number of 
modifications to get it to work that way are pretty minor, actually.  Of 
course, I could be completely wrong because my C is very rusty and I'm not all 
that familiar with the Samba source code.

Jeremy's idea is pretty straightforward; if you just discard any filesystem-
level ACL operations, the existing xattr code should still work.  Then, you 
can do some share definitions to force user & group ownership of everything, 
and hopefully walk away.

If somebody who's better at it wants to work on the problem, that would be 
awesome, because I have little confidence in my own.  But I'll keep at it and 
see what happens.

Wes




Re: [Samba] ACL misbehavior moving from POSIX ACL -> acl_xattr

2009-09-18 Thread Miguel Medalha
Please pardon me if I insist, but I am doing it with the interest of the 
community in mind, not just bitching about it.


I understand that if you address the problem of full compatibility with 
Windows ACLs you risk breaking compatibility with other clients, such as 
NFS clients. Yet, in numerous cases Samba provides services to Windows 
clients only. Many people will use a Linux server to provide services to 
a network of Windows clients. This is very common. Even Linux clients 
can use CIFS to connect.


This is why it seems to me that an optional special behavior of samba, 
maybe through a VFS module, would be highly adequate to address this 
problem.



> Remember, the NTACL vfs module calls down to a lower layer
> module to set the mapped acl onto the underlying filesystem.
>
> Without a null ACL module you'll get the following problem:
>
> If you don't have posix acls on the filesystem how do you
> map an incoming ACL containing two or more users or groups ?
  


Please consider the following:

- The underlying file system would need no ACLs and all files would be 
owned *by a special user* possessing common ugw 777/666 rights over them.


- A special VFS module would then receive all requests from clients. All 
permissions and user/group rights would be taken care of by the VFS 
module and stored as extended attributes (I am assuming, of course that 
the storage space provided to extended attributes by the filesystem is 
big enough for that purpose. If not, could another storage method be 
envisioned?). Clients would never communicate directly with the 
underlying filesystem, all operations would be conducted by means of the 
VFS layer.


- This VFS module would be turned on by a smb.conf entry and the options 
for the VFS module would also allow a system administrator to choose a 
name of his for that special user, in order to make it unique and 
different from all other systems out there.


- Even if none of the current VFS modules is capable of the described 
behavior, it seems to me that it would be VERY advantageous to produce a 
new one for the certainly very numerous users needing the described 
functionality. Only users needing it would use the proper VFS module, to 
the others the current status would remain unchanged.



I really don't see why this could not be implemented. Perhaps it goes 
somewhat against established thinking but it really seems possible to me.


NOTE: Perhaps we wouldn't even need a VFS module, only a smb.conf 
parameter to switch the behavior of the samba daemon? Please note: all 
disk operations would be done in the name of that special user, using 
full permissions. Ownership and rights would then be "filtered" by the 
adequate layer to be seen by clients in the appropriate way.


Best regards
Miguel




Re: [Samba] ACL misbehavior moving from POSIX ACL -> acl_xattr

2009-09-17 Thread Jeremy Allison
On Wed, Sep 16, 2009 at 11:01:21PM +0100, Miguel Medalha wrote:
>
>>> All files/dirs are 666 or 777.  According to my reading, since there 
>>> are no POSIX extended ACLs, if the VFS layer "passes" an access, then 
>>> it only should be compared against the standard UGO permissions.
>>> 
>>
>> That's correct - but the problem isn't access, it's when the
>> incoming ACL is "set" onto the underlying filesystem. Most
>> ACLs can't be mapped onto ugw permissions.
>>
>> As I said, you need a vfs_acl_null module that will drop
>> any set call, and will return Everyone:Full control on
>> read.
>>   
>
> I am ignorant enough on these low-level matters. I "almost" understand  
> your statement. But... consider the following:
>
> - At the filesystem level ALL the permissions are 666 or 777
> - The above are ONLY seen by the VFS layer, not by the client side
> - The VFS module writes the real ACLs as extended attributes only (or  
> some other method), always setting  them as 666/777 at the filesystem 
> level
> - Clients only see the ACLs provided to them *by the VFS layer* and  
> never directly from the filesystem
>
> Wouldn't this provide any desired type of ACLs? What am I missing here?

Remember, the NTACL vfs module calls down to a lower layer
module to set the mapped acl onto the underlying filesystem.

Without a null ACL module you'll get the following problem:

If you don't have posix acls on the filesystem how do you
map an incoming ACL containing two or more users or groups ?

Can't be done without an underlying ACL implementation.
The mapping code will fail and RETURN AN ERROR. Then
the underlying ACL set will fail, so the entire operation
will fail.

That is what you are missing.

Jeremy.


Re: [Samba] ACL misbehavior moving from POSIX ACL -> acl_xattr

2009-09-17 Thread Wes Deviers
On Wednesday 16 September 2009 06:01:21 pm Miguel Medalha wrote:
> 
> I am ignorant enough on these low-level matters. I "almost" understand 
> your statement. But... consider the following:
> 
> - At the filesystem level ALL the permissions are 666 or 777
> - The above are ONLY seen by the VFS layer, not by the client side
> - The VFS module writes the real ACLs as extended attributes only (or 
> some other method), always setting  them as 666/777 at the filesystem level
> - Clients only see the ACLs provided to them *by the VFS layer* and 
> never directly from the filesystem
> 
> Wouldn't this provide any desired type of ACLs? What am I missing here?
> 
> Thank you

That's the direction I'm heading experimentally; there are a few shortcomings 
that I can think of right away, but they can be mitigated (and the upside is 
big from a usability standpoint, I think)

- If there's a flaw discovered in Samba that takes place in non-root code, the 
filesystem level ACLs will still prevent information disclosure.  If you turn 
over all ACL validation to Samba and that validation is what can be bypassed, 
then you've lost a layer of protection.

- POSIX ACLs mean that you can set permissions from Windows and those 
permissions will also affect non-Samba services (FTP and such).  In lots of 
installations that's probably nice to have, but for a dedicated file server 
where the only user "interface" is Samba, it wouldn't matter.

- How to apply actions might be odd;  "Traverse Folders" is pretty self-
explanatory and is easy to manage in the virtual ACL database.  "Take 
Ownership" is slightly harder:  if you take ownership of a set of files, does 
that imply fake ownership in just ACLs, or real ownership at the POSIX layer?  
If "Take Ownership" doesn't change the UNIX owner, it means that any action on 
a file owned by POSIX user A but "owned" by NTACL user Z would have to be run 
as root.  Adding more root operations is generally considered Bad.

A bit farther on, and the logical next step, then, is that you don't actually 
need matching POSIX accounts anymore.  By the time you've implemented the VFS 
ACL the way you and I were thinking (and trust that it's secure) you can just 
run the entire Samba infrastructure as UID = samba, and let the VFS ACL layer 
take care of all access control.  Every file on the server is now owned by 
POSIX user "samba", libnss-ldap is no longer necessary.

Of course, that idea has been debated thoroughly both on mailing lists and 
anywhere two Samba users meet on the street, so I'm not touching it : )

Is that along the lines you were thinking, or did I totally miss?

Best,

Wes




Re: [Samba] ACL misbehavior moving from POSIX ACL -> acl_xattr

2009-09-16 Thread Miguel Medalha


>> All files/dirs are 666 or 777.  According to my reading, since there are 
>> no POSIX extended ACLs, if the VFS layer "passes" an access, then it only 
>> should be compared against the standard UGO permissions.
>
> That's correct - but the problem isn't access, it's when the
> incoming ACL is "set" onto the underlying filesystem. Most
> ACLs can't be mapped onto ugw permissions.
>
> As I said, you need a vfs_acl_null module that will drop
> any set call, and will return Everyone:Full control on
> read.
  


I am ignorant enough on these low-level matters. I "almost" understand 
your statement. But... consider the following:


- At the filesystem level ALL the permissions are 666 or 777
- The above are ONLY seen by the VFS layer, not by the client side
- The VFS module writes the real ACLs as extended attributes only (or 
some other method), always setting  them as 666/777 at the filesystem level
- Clients only see the ACLs provided to them *by the VFS layer* and 
never directly from the filesystem


Wouldn't this provide any desired type of ACLs? What am I missing here?

Thank you


Re: [Samba] ACL misbehavior moving from POSIX ACL -> acl_xattr

2009-09-16 Thread Jeremy Allison
On Wed, Sep 16, 2009 at 07:20:11PM +0100, Miguel Medalha wrote:
>
> All files/dirs are 666 or 777.  According to my reading, since there are 
> no POSIX extended ACLs, if the VFS layer "passes" an access, then it only 
> should be compared against the standard UGO permissions.

That's correct - but the problem isn't access, it's when the
incoming ACL is "set" onto the underlying filesystem. Most
ACLs can't be mapped onto ugw permissions.

As I said, you need a vfs_acl_null module that will drop
any set call, and will return Everyone:Full control on
read.

Jeremy.


Re: [Samba] ACL misbehavior moving from POSIX ACL -> acl_xattr

2009-09-16 Thread Miguel Medalha

Dear Jeremy

Since I once thought about doing the same, I would like to know your 
views on the method that Wes describes.

I quote:

»

What I've been doing, which is dangerous but effective, is setting 
file creation mode to 666 and letting the Samba VFS ACL layer take care of 
everything.  That's worked.

«

»
All files/dirs are 666 or 777.  According to my reading, since there are no POSIX extended ACLs, if the VFS layer "passes" an access, then it only should be compared against 
the standard UGO permissions.

«

Thank you




Re: [Samba] ACL misbehavior moving from POSIX ACL -> acl_xattr

2009-09-16 Thread Jeremy Allison
On Wed, Sep 16, 2009 at 01:38:13PM -0400, Wes Deviers wrote:
> 
> Or, alternately, "Does Samba, with vfs object = acl_xattr, store ACLs both as 
> a user_xattr AND an ext3 ACL at the same time?"  My limited testing shows 
> that 
> *not* to be the case, but I'm certainly not the expert.

Yes it does (store ACLs both as a user_xattr AND an ext3 ACL at the same time).
It's designed that way. You might be getting away with the use cases you're
trying, but it won't work long term. If you want the underlying filesystem
to ignore ACLs you'll need to write a module that does this (and doesn't
pass down the ACL requests to the underlying file system).

Jeremy.


Re: [Samba] ACL misbehavior moving from POSIX ACL -> acl_xattr

2009-09-16 Thread Wes Deviers
On Wednesday 16 September 2009 12:56:11 pm Jeremy Allison wrote:
> On Wed, Sep 16, 2009 at 11:18:58AM -0400, Wes Deviers wrote:
SNIP
> > 
> > How can I insist that Samba use the vfs object ACL module, instead of the 
> > POSIX acls?
> 
> You can't at the moment. Samba still requires the incoming
> ACL to be converted into an underlying file system ACL, as
> the underlying filesystem still must have the final decision
> on access decisions. The NT acl is stored as an "extra" layer
> of ACL metadata on top of this, which is also consulted.
> 
> You could slot in a "null" ACL module underneath the acl_xattr
> layer that always allowed acl set and returned an "allow everyone"
> acl on read, but that isn't coded yet (shouldn't be too hard
> though).
> 
> Currently if you want "native" NT ACLs only I suggest you
> use the NFSv4 module, which is pretty close to native Windows
> ACLs. 
> 
> Jeremy
> 


Jeremy,

As always, thank you for your reply!

I'm confused now.  I have a VirtualBox instance set up identically, except 
that the underlying filesystem (ext3) has never had -o acl set on it, only -o 
user_xattr.  What I've been doing, which is dangerous but effective, is setting 
file creation mode to 666 and letting the Samba VFS ACL layer take care of 
everything.  That's worked.

As I understood the system under the new VFS module, Samba does its internal 
ACL checks and if those pass, it then attempts file operations as normal, which 
may or may not work depending on the "real" file permissions.  If I have POSIX 
ACLs applied, those also have to agree; otherwise, the normal UGO permissions 
are what must work.  I'm clear through this part.

Where I'm confused is that on a machine that I do have working, there is no 
POSIX ACL support, but the Samba VFS layer works brilliantly.  Inheritance, 
take ownership, everything works on the VFS layer without needing any POSIX 
ACLs.  

On the "old" server, I've taken a machine that was previously storing the 
Samba ACL metadata as POSIX mappings, pulled the POSIX mappings out from under 
it, and tried to get it to use the VFS module exclusively.  All files/dirs are 
666 or 777.  According to my reading, since there are no POSIX extended ACLs, 
if the VFS layer "passes" an access, then it only should be compared against 
the standard UGO permissions.  Testing on a virtual machine seemed to confirm 
this.

I think you read my question as: "Why am I denied access because of my POSIX 
ACLs, even though the VFS ACL module is in place?"  I'm clear on what's 
involved there, I think.  What I was *trying* to make my question:

"Since I've turned POSIX ACLs *off* at the filesystem layer by removing the ACL 
mount option, why does Samba continue to want to store its ACL metadata in 
the POSIX ACL layer instead of the VFS module?"  So, no Linux ACLs, and a+rwx 
on all files/directories.  It works on one machine  : (

Or, alternately, "Does Samba, with vfs object = acl_xattr, store ACLs both as 
a user_xattr AND an ext3 ACL at the same time?"  My limited testing shows that 
*not* to be the case, but I'm certainly not the expert.


Thanks again!

Wes




Re: [Samba] ACL misbehavior moving from POSIX ACL -> acl_xattr

2009-09-16 Thread Jeremy Allison
On Wed, Sep 16, 2009 at 11:18:58AM -0400, Wes Deviers wrote:
> List,
> 
> I had Samba 3.0 running on Debian Lenny configured to use POSIX ACLs on ext3. 
>  
> They worked fine, or at least as fine as NT -> POSIX mapping ever did.  After 
> testing 3.3 with acl_xattr on using a different machine, I decided to give it 
> a 
> whirl on the production server.  And yes, I know it's experimental.
> 
> I defined a share thusly:
> 
> vfs objects = acl_xatt
> acl map full control = true
> inherit acls = yes
> map acl inherit = yes
> map read only = Permissions
> nt acl support = yes
> acl group control = true
> dos filemode = yes
> enable privileges = yes
> store dos attributes = yes
> 
> 
> This is identical to the setup on the test machine, which worked correctly.
> 
> On the production machine, trying to set ACLs via XP's Explorer interface 
> fails with a permission denied.  The log:
> 
> set_canon_ace_list: sys_acl_set_file type file failed for file 
> TestDirectory/Test 
> (Operation not supported).
> 
> Having both POSIX ACL and the VFS object turned on produced some interesting 
> results, so last night I unmounted /samba, turned off -o acl, and remounted 
> it.  
> It now has user_xattr turned on, but -o acl is *off*.  Restarted Samba, 
> everything seemed to work.
> 
> In the harsh light of users' morning, it appears that Samba is still trying 
> to 
> use the POSIX ACL layer to store ACLs, although that's a best guess based on 
> the error message.
> 
> How can I insist that Samba use the vfs object ACL module, instead of the 
> POSIX acls?

You can't at the moment. Samba still requires the incoming
ACL to be converted into an underlying file system ACL, as
the underlying filesystem still must have the final decision
on access decisions. The NT acl is stored as an "extra" layer
of ACL metadata on top of this, which is also consulted.

You could slot in a "null" ACL module underneath the acl_xattr
layer that always allowed acl set and returned an "allow everyone"
acl on read, but that isn't coded yet (shouldn't be too hard
though).

Currently if you want "native" NT ACLs only I suggest you
use the NFSv4 module, which is pretty close to native Windows
ACLs. 

Jeremy


[Samba] ACL misbehavior moving from POSIX ACL -> acl_xattr

2009-09-16 Thread Wes Deviers
List,

I had Samba 3.0 running on Debian Lenny configured to use POSIX ACLs on ext3.  
They worked fine, or at least as fine as NT -> POSIX mapping ever did.  After 
testing 3.3 with acl_xattr on using a different machine, I decided to give it a 
whirl on the production server.  And yes, I know it's experimental.

I defined a share thusly:

vfs objects = acl_xatt
acl map full control = true
inherit acls = yes
map acl inherit = yes
map read only = Permissions
nt acl support = yes
acl group control = true
dos filemode = yes
enable privileges = yes
store dos attributes = yes


This is identical to the setup on the test machine, which worked correctly.

On the production machine, trying to set ACLs via XP's Explorer interface 
fails with a permission denied.  The log:

set_canon_ace_list: sys_acl_set_file type file failed for file 
TestDirectory/Test 
(Operation not supported).

Having both POSIX ACL and the VFS object turned on produced some interesting 
results, so last night I unmounted /samba, turned off -o acl, and remounted it. 
 
It now has user_xattr turned on, but -o acl is *off*.  Restarted Samba, 
everything seemed to work.

In the harsh light of users' morning, it appears that Samba is still trying to 
use the POSIX ACL layer to store ACLs, although that's a best guess based on 
the error message.

How can I insist that Samba use the vfs object ACL module, instead of the 
POSIX acls?

Thanks!

Wes




[Samba] ACL special permission

2009-07-01 Thread Davy Stoffel
Hello everybody,

I'm currently using samba with complete ACL support and windows domain
integration.
This works fine, but I've a question regarding "special permission". On
windows, when you take a look at the security tab for a directory (not
file), you see all effective permissions through "special
permission/advanced permission".

Is there a way not to have this option checked and have "normal"
permissions, like files?

Thanks in advance,

-- 
Davy STOFFEL
GPG Key ID/Fingerprint: 66A51FF7/524F 3424 2CFA 76C3 A0A8  6166 702B CF9A 66A5 
1FF7

Conostix S.A.
70, rue de Tétange
3672 Kayl, Luxembourg

Tel : +352 26 10 30 61
Fax : +352 26 10 30 62




Re: [Samba] Samba ACL and Office 2007

2009-04-28 Thread David Vaz
Harry Jede wrote:
> On Monday, 27 April 2009 15:33, David Vaz wrote:
>
>> I am using samba 3.3.2-1 in a debian squeeze installation, using ext3
>> with acl support.
>>
>> The problem I am experiencing is easy to replicate as I have tried it
>> in different machines.
>>
>> In a given share, user "A" is the owner of the folder "test", inside
>> this folder there is a office file "test.doc" for example. User "B"
>> has write privileges over file "test.doc" but not over "test". When
>> user "B" tries to save the office document (using office 2007) an
>> error appears "Access Denied. Contact your administrator".
>>
>> # file: test
>> # owner: A
>> # group: G
>> user::rwx
>> group::r-x
>> other::---
>>
>> # file: test.doc
>> # owner: A
>> # group: G
>> user::rwx
>> user:B:rwx
>> group::r-x
>> mask::rwx
>> other::---
>>
>> Notice that if the user copy the file to his desktop, modifies it and
>> later overwrites the original there is no problem.
>> 
> That's normal with Office 2007. Thanks to M$.
>
> They create a NEW file, when the user saves the old one, delete the old 
> one, then rename the new file to the old name.
>
> So, your users are able to update files with office 2007, only when they 
> have write permissions on the directory.
>
> Search this list archive for a more detailed explanation.
>   
Is there any workaround to this?

>   
>> This error is similar in some ways to this
>> https://bugzilla.samba.org/show_bug.cgi?id=6160, but i suppose now
>> the lock over the folder.
>> 
>
>   



Re: [Samba] ACL problem under FC9

2009-04-28 Thread Christos Karaviotis
On Fri, March 13, 2009 11:07, Christos Karaviotis wrote:
> On Wed, March 11, 2009 14:26, Adam Tauno Williams wrote:
>>> I am running Samba for some years now (3 years) and had absolutely no
>>> problems.  For the last month on one of the machines the NT ACL stopped
>>> working and everyone have full access everywhere even if they are not
>>> in
>>> the acl.
>>> If I try to add them and restrict them only to read and execute the acl
>>> will show that this is the case but it will have no effect.
>>> I am running Fedora 9 and Samba-3.2.4.  I have done the installation
>>> many
>>> times and this particular one used to work but now it fails.
>>> I have tried to upgrade to 3.2.8 but still the same problem.  I have
>>> remounted the FS with the option (acl) it did it but that did not solve
>>> the problem.
>>
>> If you do a getfacl on the object do you see the ACLs you think you set?
>> --
>> OpenGroupware developer: awill...@whitemice.org
>> 
>> OpenGroupare & Cyrus IMAPd documenation @
>> 
>>
>>
>>
> Well I did that.  Even users that do not exist in that folder's ACL have
> rwx effective permissions.  I am going crazy.  The same exact setup with
> the same permissions on another machine is still working fine.
>
>
> Chris
>
Sorry for the delay

This is my smb.conf

===
[global]
acl map full control = yes
admin users = user1,@Directors
socket options = SO_KEEPALIVE TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
force group = Directors
encrypt passwords = yes
passdb backend = tdbsam
nt acl support = yes
netbios name = Atlas
server string = Public Folders
default = Public Folders
unix password sync = yes
local master = yes
workgroup = mydomain
acl group control = Yes
os level = 33
debug level = 10
security = user
username map = /etc/samba/smbusers
winbind enum users = yes
winbind enum groups = yes
#  Server configuration parameters
[homes]
browsable = no
hide dot files = yes
hide files = /.*
writable = yes
create mask = 765


[Public Folders]
nt acl support = yes
acl map full control = yes
writeable = yes
inherit acls = yes
inherit permissions = Yes
directory mode = 0770
security mask = 0770
force security mode = 0770
path = /usr/local/SHARES
write list = @Directors,@Administrator
valid users = user1,user2,user3,@staff,@Directors,@Accounting
create mode = 770
user = user1,user2,user3,@staff,@Directors,@Administrator
===

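An added check, not from any post in this thread: smb.conf(5) documents `admin users` as performing all file operations as root and `force group` as replacing the primary group of every connection, and both sit in the posted [global] section, where they act as defaults for every share. The script below reports which of these identity overrides apply to a given user; the config text is a constructed excerpt of the posted one, and the user and group memberships passed in are constructed assumptions.

```python
import re

# Constructed excerpt of the configuration posted above.
SMB_CONF = """\
[global]
acl map full control = yes
admin users = user1,@Directors
force group = Directors
nt acl support = yes
security = user

[homes]
writable = yes
create mask = 765

[Public Folders]
nt acl support = yes
inherit acls = yes
path = /usr/local/SHARES
write list = @Directors,@Administrator
valid users = user1,user2,user3,@staff,@Directors,@Accounting
"""

# Share-level parameters that change the identity smbd uses for file access.
OVERRIDES = {
    "adminusers": "file operations run as root; filesystem ACLs are not enforced",
    "forceuser": "file operations run as the forced UNIX user",
    "forcegroup": "primary group replaced; its ACL entries now apply to this user",
}


def norm(name):
    """smb.conf parameter names ignore case and internal whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section name (lowercased): {normalised parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # only the first '=' is significant
            current[norm(key)] = value.strip()
    return sections


def share_settings(sections, share):
    """[global] values are defaults; the share's own section overrides them."""
    merged = dict(sections.get("global", {}))
    merged.update(sections.get(share.lower(), {}))
    return merged


def in_list(user, groups, value):
    """True if the user, or @group for one of the user's groups, is listed."""
    items = [item for item in re.split(r"[,\s]+", value) if item]
    return user in items or any("@" + group in items for group in groups)


def acl_bypass_findings(sections, share, user, groups):
    """List (parameter, effect) pairs that alter this user's file identity."""
    settings = share_settings(sections, share)
    findings = []
    if in_list(user, groups, settings.get("adminusers", "")):
        findings.append(("adminusers", OVERRIDES["adminusers"]))
    for key in ("forceuser", "forcegroup"):
        if settings.get(key):
            findings.append((key, OVERRIDES[key]))
    return findings


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    # Constructed memberships: user1 and user2 are both in group "staff".
    for user in ("user1", "user2"):
        for key, effect in acl_bypass_findings(conf, "Public Folders", user, {"staff"}):
            print(f"{user}: {key}: {effect}")
```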


Re: [Samba] Samba ACL and Office 2007

2009-04-27 Thread Harry Jede
On Monday, 27 April 2009 15:33, David Vaz wrote:
> I am using samba 3.3.2-1 in a debian squeeze installation, using ext3
> with acl support.
>
> The problem I am experiencing is easy to replicate as I have tried it
> in different machines.
>
> In a given share, user "A" is the owner of the folder "test", inside
> this folder there is a office file "test.doc" for example. User "B"
> has write privileges over file "test.doc" but not over "test". When
> user "B" tries to save the office document (using office 2007) an
> error appears "Access Denied. Contact your administrator".
>
> # file: test
> # owner: A
> # group: G
> user::rwx
> group::r-x
> other::---
>
> # file: test.doc
> # owner: A
> # group: G
> user::rwx
> user:B:rwx
> group::r-x
> mask::rwx
> other::---
>
> Notice that if the user copy the file to his desktop, modifies it and
> later overwrites the original there is no problem.
That's normal with Office 2007. Thanks to M$.

They create a NEW file, when the user saves the old one, delete the old 
one, then rename the new file to the old name.

So, your users are able to update files with office 2007, only when they 
have write permissions on the directory.

Search this list archive for a more detailed explanation.

>
> This error is similar in some ways to this
> https://bugzilla.samba.org/show_bug.cgi?id=6160, but i suppose now
> the lock over the folder.

-- 

Regards
Harry Jede
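The POSIX-level checks behind two getfacl listings in this archive (the Office 2007 save in `test` and the delete under `Downloads/`), as an added example that is not part of any post. It parses getfacl text, applies the mask the way the `#effective:` comments show, and separates "write the file in place" from "delete or rename within the directory". Assumptions: user B is a member of group G, smb_u0 is a member of smb_g0 as posted, `default:` entries are skipped, and the sticky bit is not modelled.

```python
# Access entries copied from the two posts; default: entries left out.
GETFACL_SAMPLE = """\
# file: test
# owner: A
# group: G
user::rwx
group::r-x
other::---

# file: test.doc
# owner: A
# group: G
user::rwx
user:B:rwx
group::r-x
mask::rwx
other::---

# file: Downloads/
# owner: tsmn
# group: bt
user::rwx
group::r-x
group:smb_g0:rwx
mask::rwx
other::r-x

# file: Downloads/aaa
# owner: tsmn
# group: bt
user::rw-
group::r-x  #effective:r--
group:smb_g0:rwx#effective:rw-
mask::rw-
other::r--
"""


def parse_getfacl(text):
    """Return {path: {"owner", "group", "entries": [(tag, qualifier, perms)]}}."""
    acls, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# file:"):
            cur = {"owner": "", "group": "", "entries": []}
            acls[line.split(":", 1)[1].strip()] = cur
        elif line.startswith("# owner:"):
            cur["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            cur["group"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            # Drop a trailing "#effective:..." comment before splitting.
            tag, qualifier, perms = line.split("#", 1)[0].strip().split(":")
            cur["entries"].append((tag, qualifier, set(perms) - {"-"}))
    return acls


def effective(acl, tag, qualifier):
    """Permissions of one entry after the mask is applied."""
    perms = next(p for t, q, p in acl["entries"] if (t, q) == (tag, qualifier))
    mask = next((p for t, _, p in acl["entries"] if t == "mask"), None)
    unmasked = tag == "other" or (tag == "user" and qualifier == "")
    return perms if mask is None or unmasked else perms & mask


def allowed(acl, user, groups, want):
    """Access check order from acl(5): owner, named user, group class, other."""
    want = set(want)
    names = {(t, q) for t, q, _ in acl["entries"]}
    if user == acl["owner"]:
        return want <= effective(acl, "user", "")
    if ("user", user) in names:
        return want <= effective(acl, "user", user)
    matching = [("group", "")] if acl["group"] in groups else []
    matching += [("group", g) for g in groups if ("group", g) in names]
    if matching:  # one matching group entry must hold all requested bits
        return any(want <= effective(acl, t, q) for t, q in matching)
    return want <= effective(acl, "other", "")


def can_write_in_place(acls, directory, name, user, groups):
    """Open the existing file for writing: search on the directory, w on the file."""
    return (allowed(acls[directory], user, groups, "x")
            and allowed(acls[name], user, groups, "w"))


def can_unlink_or_rename(acls, directory, user, groups):
    """Delete, or save as new-file/delete/rename: needs w and x on the directory."""
    return allowed(acls[directory], user, groups, "wx")


if __name__ == "__main__":
    acls = parse_getfacl(GETFACL_SAMPLE)
    print("B writes test.doc in place:", can_write_in_place(acls, "test", "test.doc", "B", {"G"}))
    print("B replaces test.doc by rename:", can_unlink_or_rename(acls, "test", "B", {"G"}))
    print("smb_u0 deletes in Downloads/:", can_unlink_or_rename(acls, "Downloads/", "smb_u0", {"smb_g0"}))
```

When the POSIX ACL permits the operation and the client is still refused, as with the `Downloads/` listing, the refusal is coming from somewhere other than these entries.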


[Samba] Samba ACL and Office 2007

2009-04-27 Thread David Vaz
I am using samba 3.3.2-1 in a debian squeeze installation, using ext3
with acl support.

The problem I am experiencing is easy to replicate as I have tried it in
different machines.

In a given share, user "A" is the owner of the folder "test", inside
this folder there is an office file "test.doc" for example. User "B" has
write privileges over file "test.doc" but not over "test". When user "B"
tries to save the office document (using office 2007) an error appears
"Access Denied. Contact your administrator".

# file: test
# owner: A
# group: G
user::rwx
group::r-x
other::---

# file: test.doc
# owner: A
# group: G
user::rwx
user:B:rwx
group::r-x
mask::rwx
other::---

Notice that if the user copies the file to his desktop, modifies it and
later overwrites the original there is no problem.

This error is similar in some ways to this
https://bugzilla.samba.org/show_bug.cgi?id=6160, but I suppose now the
lock over the folder.



Re: [Samba] ACL problem under FC9

2009-03-13 Thread Christos Karaviotis
On Wed, March 11, 2009 14:26, Adam Tauno Williams wrote:
>> I am running Samba for some years now (3 years) and had absolutely no
>> problems.  For the last month on one of the machines the NT ACL stopped
>> working and everyone have full access everywhere even if they are not in
>> the acl.
>> If I try to add them and restrict them only to read and execute the acl
>> will show that this is the case but it will have no effect.
>> I am running Fedora 9 and Samba-3.2.4.  I have done the installation
>> many
>> times and this particular one used to work but now it fails.
>> I have tried to upgrade to 3.2.8 but still the same problem.  I have
>> remounted the FS with the option (acl) it did it but that did not solve
>> the problem.
>
> If you do a getfacl on the object do you see the ACLs you think you set?
> --
> OpenGroupware developer: awill...@whitemice.org
> 
> OpenGroupare & Cyrus IMAPd documenation @
> 
>
>
>
Well I did that.  Even users that do not exist in that folder's ACL have
rwx effective permissions.  I am going crazy.  The same exact setup with
the same permissions on another machine is still working fine.


Chris



Re: [Samba] ACL problem under FC9

2009-03-11 Thread Adam Tauno Williams
> I am running Samba for some years now (3 years) and had absolutely no
> problems.  For the last month on one of the machines the NT ACL stopped
> working and everyone have full access everywhere even if they are not in
> the acl.
> If I try to add them and restrict them only to read and execute the acl
> will show that this is the case but it will have no effect.
> I am running Fedora 9 and Samba-3.2.4.  I have done the installation many
> times and this particular one used to work but now it fails.
> I have tried to upgrade to 3.2.8 but still the same problem.  I have
> remounted the FS with the option (acl) it did it but that did not solve
> the problem.

If you do a getfacl on the object do you see the ACLs you think you set?
-- 
OpenGroupware developer: awill...@whitemice.org

OpenGroupware & Cyrus IMAPd documentation @




[Samba] ACL problem under FC9

2009-03-11 Thread Christos Karaviotis
Hi list,

This is my first post and I hope I will not make people mad as this may
have been answered before.

Here it goes.

I am running Samba for some years now (3 years) and had absolutely no
problems.  For the last month on one of the machines the NT ACL stopped
working and everyone has full access everywhere even if they are not in
the acl.
If I try to add them and restrict them only to read and execute the acl
will show that this is the case but it will have no effect.
I am running Fedora 9 and Samba-3.2.4.  I have done the installation many
times and this particular one used to work but now it fails.
I have tried to upgrade to 3.2.8 but still the same problem.  I have
remounted the FS with the option (acl) it did it but that did not solve
the problem.
I have the same configuration on other machines and it works great.  Could
there be a problem with the File system? The file system is ext3.

Thank you

Chris



Re: [Samba] Samba+acl problem on OSX

2009-02-19 Thread Eero Volotinen


> Is that the only option? We've noticed the same behavior of osx clients
> recently, but we also have linux clients connecting and I don't wish to
> degrade the experience by disabling unix extensions.

What is the effect of disabling unix extensions? At least with it acls work
on OSX too.


--
Eero


Re: [Samba] Samba+acl problem on OSX

2009-02-18 Thread Christian McHugh
On Tuesday 17 February 2009 16:19:19 James Peach wrote:
> 2009/2/17 Eero Volotinen :
> > I have problem using samba+acl (ext3+acl) on OSX client.
> >
> > Access rights works fine on Linux and Windows series, but OSX Leopard
> > says access denied to every directory that is using acl.
> >
> > Is OSX cifs client too stripped that it cannot use acl or is this OSX
> > bug? Is there any solution on OSX that can access samba+acl directories?
>
> The Mac OS X client looks at the posix mode bits to preflight access
> checks. you can disable this on the server side by setting "unix
> extensions = no"

Is that the only option? We've noticed the same behavior of osx clients 
recently, but we also have linux clients connecting and I don't wish to 
degrade the experience by disabling unix extensions. 


Re: [Samba] Samba+acl problem on OSX

2009-02-17 Thread James Peach
2009/2/17 Eero Volotinen :
> I have problem using samba+acl (ext3+acl) on OSX client.
>
> Access rights works fine on Linux and Windows series, but OSX Leopard says
> access denied to every directory that is using acl.
>
> Is OSX cifs client too stripped that it cannot use acl or is this OSX bug?
> Is there any solution on OSX that can access samba+acl directories?

The Mac OS X client looks at the posix mode bits to preflight access
checks. You can disable this on the server side by setting "unix
extensions = no"

-- 
James Peach | jor...@gmail.com


[Samba] Samba+acl problem on OSX

2009-02-17 Thread Eero Volotinen

I have a problem using samba+acl (ext3+acl) on OSX client.

Access rights work fine on Linux and Windows series, but OSX Leopard
says access denied to every directory that is using acl.


Is OSX cifs client too stripped that it cannot use acl or is this OSX 
bug? Is there any solution on OSX that can access samba+acl directories?


thanks,
--
Eero


RE: [Samba] ACL

2009-01-30 Thread Clinton Mills
I believe that XFS is setup for ACL by default

getfacl yo.txt 
# file: yo.txt
# owner: root
# group: root
user::rw-
user:admin1:rwx
user:jon:r--
group::r--
mask::rwx
other::r--

Seems like that is all working.

-----Original Message-----
From: samba-bounces+clinton=hitcents@lists.samba.org
[mailto:samba-bounces+clinton=hitcents@lists.samba.org] On Behalf Of
Collen Blijenberg
Sent: Friday, January 30, 2009 3:01 AM
To: samba@lists.samba.org
Subject: Re: [Samba] ACL

Did you also setup ACL in your fstab ??

the mounted partition needs acl to make samba use it.

Cheers, Collen



Re: [Samba] ACL

2009-01-30 Thread Collen Blijenberg

Did you also setup ACL in your fstab ??

the mounted partition needs acl to make samba use it.

Cheers, Collen



[Samba] ACL

2009-01-29 Thread Clinton Mills
Hi samba group,

I'm trying to get samba to act like Windows in the Security tab (to be able
to add, remove, and modify ACLs on certain files/folders). We are running
Centos 5.2 (2.6.18-92.1.22.el5) with XFS installed for the /share partition.

I currently have these versions of samba installed:

samba-3.0.28-1.el5_2.1
samba-common-3.0.28-1.el5_2.1

I am pretty sure the ACL is all set up and working correctly. I can maintain
ACL from Linux and I can even see them in the security tab for windows. I
can also remove users from the security tab in Windows.

These are the things I need help with:

- When I try to add a user it asks me for a username and password. I
  cannot get this to accept my password.
- When I first load up the security tab it shows a long number
  "S-1-5-21-..." This screen takes a while to change these numbers to names.
  Is there a way to speed this up?
- Is there a way to restrict people from adding themselves to
  files/folders they do not have access to?

I have looked all over and cannot find clear instructions on how to set ACL
up in a user environment. If you could point me to one of these documents
that would be very helpful.

We currently have Samba set up to work without a domain. I have read on other
websites that this is not a good idea:

One problem with Samba ACL support is that listing users to use for access
control entries (ACEs) within ACLs can be troublesome. Specifically, if
you're using Samba in a standalone mode (i.e., configured with "user"
security mode), Windows 2000 and Windows XP users might not be able to
consistently list Samba users when configuring an ACL.

We really don't have the option of doing a PDC. Is this a bad idea to try
and get this to work without using PDC?

smbd -b | grep ACL
   HAVE_SYS_ACL_H
   HAVE_ACL_LIBACL_H
   HAVE_POSIX_ACLS

smb.conf

[global]

passdb backend = tdbsam

add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/groupmod -A %u %g
delete user from group script = /usr/sbin/groupmod -R %u %g
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u

security = user
encrypt passwords = yes

preferred master = Yes
domain master = Yes
domain logons = Yes

debuglevel = 3

workgroup = Workgroup
workgroup = temp
netbios name = hitsnap
bind interfaces only = True
interfaces = eth1 lo

max disk size = 99   ;some programs (like PS7) can't deal with more than 1TB

allow hosts = 192.168.0.0/16
socket options = TCP_NODELAY
server string = Hitsnap
smb ports = 139

syslog = 0
log level = 2
log file = /var/log/samba/log.%m

vfs objects = recycle

client ntlmv2 auth = yes
;recycle:repository = .recycle
;recycle:keeptree = Yes
;recycle:versions = Yes
;recycle:touch = Yes

[netlogon]
path = /var/lib/samba/netlogon
read only = yes

[homes]
read only = no
browseable = no

[share1]
;minauth=none
path = /share/hdrive/share1
read only = no
browseable = yes
writable = yes
admin users = admin1
valid users = admin1
public = no
create mask = 0777
directory mask = 0777
nt acl support = yes
acl map full control = yes

dont descend = .recycle

Thanks

Clinton Mills



[Samba] ACL execute bits always set

2008-11-18 Thread Juraj Hrubša
Hello

I have a problem with POSIX ACLs. I have created a directory with these
ACLs:

> getfacl .
# file: .
# owner: testuser
# group: tls
user::rwx
group::rwx
group:ptls:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:tls:rwx
default:group:ptls:r-x
default:mask::rwx
default:other::---


When I create a file in it, it inherits the containing directory's default
ACLs and its ACL mask is set to rw- (for directory it would be rwx), which
essentially marks it not executable.

> touch test
# getfacl test
# file: test
# owner: root
# group: root
user::rw-
group::rwx                      #effective:rw-
group:tls:rwx                   #effective:rw-
group:ptls:r-x                  #effective:r--
mask::rw-
other::---


The problem arises when I create another file from a Windows machine on the
network drive which points to the same directory. The mask stays rwx as for
directory and file is executable.

> getfacl test.txt  ### Empty text file created in Windows
# file: test.txt
# owner: hrubsa
# group: hrubsa
user::rwx
group::rwx
group:tls:rwx
group:ptls:r-x
mask::rwx
other::---


Relevant part of smb.conf:
read only = No
create mask = 0666
security mask = 0666
inherit acls = Yes
map acl inherit = Yes
map archive = No
map readonly = no
store dos attributes = Yes
wide links = No


After setting inherit acls = No, the create/security mask were applied to
standard unix permissions, but not on ACL entries.

> getfacl test2.txt
# file: test2.txt
# owner: hrubsa
# group: hrubsa
user::rw-
group::rw-
group:tls:rwx
group:ptls:r-x
mask::rwx
other::rw-


The problem is I need to share this directory through samba and use it on
Debian Linux at the same time, I don't want all files created in Windows to
be executable in Linux. Maybe I'm blind and I don't see the way to configure
it, maybe it has to be changed in samba source to allow this behavior
(setting mode when creating new files?).

What do you think?

Thank you for your answers

-- 

Regards
Juraj Hrubsa
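
Added example, not part of the original post and not Samba code: a small parser for `getfacl` text that applies the mask the way POSIX ACLs are evaluated, run over the `touch`-created and Windows-created listings quoted above. The function names and the subject names `alice` and `bob` are assumptions made for the illustration.

```python
from dataclasses import dataclass

PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Constructed sample input: the two file listings from the post above.
CREATED_WITH_TOUCH = """\
# file: test
# owner: root
# group: root
user::rw-
group::rwx\t\t\t#effective:rw-
group:tls:rwx\t\t\t#effective:rw-
group:ptls:r-x\t\t\t#effective:r--
mask::rw-
other::---
"""

CREATED_OVER_SMB = """\
# file: test.txt
# owner: hrubsa
# group: hrubsa
user::rwx
group::rwx
group:tls:rwx
group:ptls:r-x
mask::rwx
other::---
"""


@dataclass
class Acl:
    path: str
    owner: str
    group: str
    entries: list  # (tag, qualifier, permission bits) in listing order
    mask: int


def _bits(text):
    return sum(PERM_BITS[c] for c in text[:3] if c in PERM_BITS)


def _fmt(bits):
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


def parse_getfacl(text):
    """Parse the access ACL of one getfacl listing (default: entries are skipped)."""
    meta, entries, mask = {}, [], None
    for raw in text.splitlines():
        if raw.startswith("# "):
            key, _, value = raw[2:].partition(": ")
            meta[key] = value
            continue
        line = raw.split("#", 1)[0].strip()  # drop trailing "#effective:" comments
        if not line or line.startswith("default:"):
            continue
        tag, qualifier, perms = line.split(":", 2)
        if tag == "mask":
            mask = _bits(perms)
        else:
            entries.append((tag, qualifier, _bits(perms)))
    if mask is None:
        mask = 7  # minimal ACL without a mask entry: nothing is filtered
    return Acl(meta.get("file", ""), meta.get("owner", ""),
               meta.get("group", ""), entries, mask)


def effective_entries(acl):
    """Entry label -> rights after the mask; user:: and other:: are never masked."""
    out = {}
    for tag, qual, bits in acl.entries:
        masked = tag == "group" or (tag == "user" and qual != "")
        out[f"{tag}:{qual}"] = _fmt(bits & acl.mask if masked else bits)
    return out


def executable_entries(acl):
    """Entries that still carry the execute bit once the mask is applied."""
    return [label for label, perms in effective_entries(acl).items() if "x" in perms]


def subject_rights(acl, user, groups):
    """Rights for one subject: owner, named user, matching groups, then other."""
    by = {(t, q): b for t, q, b in acl.entries}
    if user == acl.owner:
        return _fmt(by.get(("user", ""), 0))
    if ("user", user) in by:
        return _fmt(by[("user", user)] & acl.mask)
    hits = [b for (t, q), b in by.items()
            if t == "group" and (q or acl.group) in groups]
    if hits:
        # Per-bit union of the matching group entries; a combined request
        # (for example rw) must be satisfied by a single entry.
        union = 0
        for b in hits:
            union |= b
        return _fmt(union & acl.mask)
    return _fmt(by.get(("other", ""), 0))


if __name__ == "__main__":
    for sample in (CREATED_WITH_TOUCH, CREATED_OVER_SMB):
        acl = parse_getfacl(sample)
        print(acl.path, "mask", _fmt(acl.mask), "execute via", executable_entries(acl))
```
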


[Samba] acl owner

2008-09-21 Thread vishesh kumar
Dear all,

I am using winbind for samba authentication. I just want to know:

Can acl permissions be reset only by root and the owner of the file/folder?

Is there any way to allow domain admins to reset the acl of any file/folder?


[Samba] acl reset

2008-09-19 Thread vishesh kumar
Dear all,

I am using samba 3.0.28-0 on EL5.2 with winbind that gets users and groups
from Windows 2003 Active Directory (native mode).
I implemented acl for user and group permission. What I want is that, regardless
of file/folder group owner, members of AD 'domain admins' can change the acl of
any file/folder.

Thanking you


[Samba] samba + acl

2008-08-18 Thread bikrish
Hello

I am using samba version 3.2.1 on centos 5.2 with ldap. Everything is working
fine as I expected. I have shared a share, say, NOA on the samba server.
Now I log into windows, access the share and try to give rights on the share
by right click > properties > security. I want to give a group called noag only
read and write, but no permission to delete, on share NOA. I have a group who
can fully access the share NOA. I right click on it and use the security tab to
give only read permission; it works fine. But when I select all the options
except delete and full control and click ok, it changes to full control, which
is what I don't want. I have searched a lot but couldn't find the solution. Is
there any solution for this, or is this not possible in samba?

Thanks in advance

Bikrish


[Samba] ACL howto that works with windows explorer security tab

2008-08-14 Thread Keith Sudbury
Does anyone have a guide / howto that allows the setup of ACLs that
work with the windows security tab?

Or any advice on the above, am I wasting my time trying to make it work
with the security tab in windows explorer?



Many Thanks

Keith


Re: [Samba] ACL -Manage with Windows security tab?

2008-08-08 Thread John Drescher
>
> security = ads
> passdb backend = tdbsam
>
>
>  password server = server01.mydomain.local
>  realm = MYDOMAIN.LOCAL
>  idmap uid = 16777216-33554431
>  idmap gid = 16777216-33554431
>  template shell = /bin/bash
>  winbind use default domain = yes
>  winbind enum users = yes
>  obey pam restrictions = yes
>
>
> I will test what you pasted above in a VM.
>
>
If you are using ads then what I posted would need modified. I got to
that point because without the idmap setup I was getting could not
allocate uid and allocate gid messages in my samba logs. It took a lot
of debugging to determine that the idmapping was not working correctly.
Also wbinfo --allocate-uid  and wbinfo --allocate-gid both failed.

This may not be what is causing your problem at all. I would suggest
turning your log level up to 10, stopping samba, deleting all log files,
then restarting samba and trying the xp properties quickly after that so
that you can easily see what errors are being generated in the logs.


John


Re: [Samba] ACL -Manage with Windows security tab?

2008-08-08 Thread Keith Sudbury

John Drescher wrote:
> On Thu, Aug 7, 2008 at 8:10 PM, Keith Sudbury <[EMAIL PROTECTED]> wrote:
>> Hi Guys,
>>
>> I am attempting to configure ACLs. I have enabled it in smb.conf for my
>> share and remounted my fs with acl enabled. However if I attempt to edit
>> security permissions for the group "Domain Users" it creates two more groups
>> "CREATOR GROUP" and "CREATOR OWNER" and refreshes the security properties
>> and then just resets the tick boxes I had selected.
>>
>> I have attached a screenshot of the windows security tab, here is the share
>> part of my smb.conf
>>
>> # scratch space // Sneakernet // ***NOT BACKED UP***
>>   [Scratch]
>>   comment = Sneakernet
>>   path = /home/scratch
>>   public = no
>>   writable = yes
>>   browseable = yes
>>   follow symlinks = yes
>>   force group = "Domain Users"
>>   nt acl support = yes
>>   create mask = 770
>>   directory mask = 770
>
> Have you configured idmap?
>
> Here is what I have for a test domain called YOUR_DOMAIN
>
> idmap domains = YOUR_DOMAIN TRUSTEDDOMAINS
> idmap config YOUR_DOMAIN:backend  = nss
> idmap config YOUR_DOMAIN:readonly = yes
> idmap config TRUSTEDDOMAINS:default = yes
> idmap config TRUSTEDDOMAINS:backend = tdb
> idmap config TRUSTEDDOMAINS:range   = 1 - 5
> idmap alloc backend  = tdb
> idmap alloc config:range = 1 - 5
>
> John

Hi John,

I have...

security = ads
passdb backend = tdbsam


  password server = server01.mydomain.local
  realm = MYDOMAIN.LOCAL
  idmap uid = 16777216-33554431
  idmap gid = 16777216-33554431
  template shell = /bin/bash
  winbind use default domain = yes
  winbind enum users = yes
  obey pam restrictions = yes 




I will test what you pasted above in a VM.


Regards

--
Keith Sudbury
Netzen Solution Ltd
Suite 5, Piccadilly House, London Rd, Bath, BA1 6PL, UK
Mobile: +44 (0)7921464106
Tel: +44 (0)1225 588 588
Fax: +44 (0)1225 580 061



Re: [Samba] ACL -Manage with Windows security tab?

2008-08-07 Thread John Drescher
On Thu, Aug 7, 2008 at 8:10 PM, Keith Sudbury <[EMAIL PROTECTED]> wrote:
> Hi Guys,
>
> I am attempting to configure ACLs. I have enabled it in smb.conf for my
> share and remounted my fs with acl enabled. However if I attempt to edit
> security permissions for the group "Domain Users" it creates two more group
> "CREATOR GROUP" and "CREATOR OWNER" and refreshes the security properties
> and then just resets the tick boxes i had  selected.
>
> I have attached a screenshot of the windows security tab, here is the share
> part of my smb.conf
>
> # scratch space // Sneakernet // ***NOT BACKED UP***
>   [Scratch]
>   comment = Sneakernet
>   path = /home/scratch
>   public = no
>   writable = yes
>   browseable = yes
>   follow symlinks = yes
>   force group = "Domain Users"
>   nt acl support = yes
>   create mask = 770
>   directory mask = 770
>
>
>
Have you configured idmap?


Here is what I have for a test domain called YOUR_DOMAIN

idmap domains = YOUR_DOMAIN TRUSTEDDOMAINS
idmap config YOUR_DOMAIN:backend  = nss
idmap config YOUR_DOMAIN:readonly = yes
idmap config TRUSTEDDOMAINS:default = yes
idmap config TRUSTEDDOMAINS:backend = tdb
idmap config TRUSTEDDOMAINS:range   = 1 - 5
idmap alloc backend  = tdb
idmap alloc config:range = 1 - 5


John


[Samba] ACL -Manage with Windows security tab?

2008-08-07 Thread Keith Sudbury

Hi Guys,

I am attempting to configure ACLs. I have enabled it in smb.conf for my
share and remounted my fs with acl enabled. However if I attempt to edit
security permissions for the group "Domain Users" it creates two more
groups "CREATOR GROUP" and "CREATOR OWNER" and refreshes the security
properties and then just resets the tick boxes I had selected.

I have attached a screenshot of the windows security tab, here is the
share part of my smb.conf


# scratch space // Sneakernet // ***NOT BACKED UP***
   [Scratch]
   comment = Sneakernet
   path = /home/scratch
   public = no
   writable = yes
   browseable = yes
   follow symlinks = yes
   force group = "Domain Users"
   nt acl support = yes
   create mask = 770
   directory mask = 770



Thanks in advance!

Keith

--
Keith Sudbury
Netzen Solution Ltd
Suite 5, Piccadilly House, London Rd, Bath, BA1 6PL, UK
Mobile: +44 (0)7921464106
Tel: +44 (0)1225 588 588
Fax: +44 (0)1225 580 061


[Samba] [acl] setting user/group permissions from windows

2008-08-07 Thread Heiko Harders
Hello,

I've setup a samba PDC (3.0.31) and I am using Windows Vista clients.
Logging on works fine using roaming profiles and folder redirections.
I am also able to write to shares, etc.

Now I am trying to get the advanced permissions on files to work. So
on my share:

[share]
comment = Shared directories
path = /samba/share
read only = No
guest ok = Yes

With the following user rights in Linux:
drwxrwxr-x 5 nobody Domain Users 4096 2008-08-07 13:53 share

I create a directory called 'test' with the user 'tdummy'.
The permissions on this directory in Linux are now:
drwxrwxr-x  3 tdummy Domain Users 4096 2008-08-07 13:23 test

When I try to give the user 'mbuster' (also a member of the group
"Domain Users") a special set of user rights from windows (using the
security tab on the directory properties), I get the message that
access is denied (whatever rights I choose). So I thought let's try it
from the Linux side and I added some acl rights to that directory for
the user 'mbuster'. So a getfacl now shows:

# file: test
# owner: tdummy
# group: Domain\040Users
user::rwx
user:mbuster:rwx
group::r-x
mask::rwx
other::r-x

But the user permissions for 'mbuster' are not shown in the security
tab of the windows file properties. So this does not seem to work (is
it supposed to work like this?).

I have built samba with the --with-acl-support option. In my fstab,
the options acl and user_xattr are used. My smb.conf can be found
over here:
http://pastebin.ca/1094618

So, I have a properly working domain, users can log on, they can
create/delete/modify files on their home directories and the shared
directories, but I am not able to change acl permissions from windows
and if I change them from Linux with setfacl, they are not shown nor
do they have any effect in Windows.

Does anybody know what I am doing wrong? Or can an extensive guide to
set up acl's properly be found somewhere (the guides I found were not
that extensive and didn't work for me)?

Greetings,
Heiko


Re: [Samba] Samba / ACL / File System Permissions Active Directory & winbind

2008-07-30 Thread Jeremy Allison
On Wed, Jul 30, 2008 at 11:17:10PM +0100, Keith Sudbury wrote:
> Hi Guys,
> 
> I have a windows 2003 SBS handling domain logins, I also have an Ubuntu 
> machine being used as a file server this is using winbind and is on the 
> domain I can chown dirs etc with Active Directory users.
> 
> However I have the following problem, I need to allow certain users to 
> access some dirs and not others... for example.
> 
> "folder1" would need to be accessed by "user1" "user2" and "user3"
> 
> Now my understanding of this would be to add users 1,2 & 3 to a group 
> say for example "group1" then chown folder1 with that group?
> 
> "chown -R :"DOMAIN\Domain Users" folder1"
> 
> That's fine but then when user 1,2 or 3 access folder1 and write to the 
> folder and their primary group is "Domain Users" for example it will 
> make it unreadable for other users?
> 
> I could force it to take permissions from the parent directory using 
> sticky bit? but what if the users creates a dir and then another dir 
> would it still take its permissions from its parent directory then?

Use the setgid bit on the directory. This causes the group ownership
of the created directory to be inherited from the owning directory,
not the creating process (and also inherit the setgid bit).

Jeremy.
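
Added example, not part of the original reply: the setgid behaviour described above, checked on a scratch tree two directories deep, which is the nested case asked about in the quoted question. It assumes a Linux filesystem with default mount options; `folder1` is the name from the question, while `sub`, `subsub` and `report.txt` are constructed for the illustration.

```python
import os
import stat
import tempfile


def chgrp_to_shared(path):
    """Give path a group this process belongs to, preferring a non-primary one."""
    primary = os.getegid()
    candidates = [g for g in os.getgroups() if g != primary] + [primary]
    for gid in candidates:
        try:
            os.chown(path, -1, gid)
            return gid
        except OSError:
            continue  # e.g. a group that is not mapped inside a container
    return os.stat(path).st_gid


def build_tree(root, use_setgid):
    """Create folder1/sub/subsub/report.txt and report (gid, setgid bit) per path."""
    shared = os.path.join(root, "folder1")
    os.mkdir(shared)
    chgrp_to_shared(shared)
    # chmod comes after chown: changing the group can clear the setgid bit.
    os.chmod(shared, 0o2770 if use_setgid else 0o770)

    sub = os.path.join(shared, "sub")
    os.mkdir(sub)
    subsub = os.path.join(sub, "subsub")
    os.mkdir(subsub)
    leaf = os.path.join(subsub, "report.txt")
    with open(leaf, "w") as handle:
        handle.write("constructed sample file\n")

    report = {}
    for path in (shared, sub, subsub, leaf):
        st = os.stat(path)
        report[os.path.relpath(path, root)] = (st.st_gid, bool(st.st_mode & stat.S_ISGID))
    return report


def demo():
    """Build the same tree without and with the setgid bit on folder1."""
    with tempfile.TemporaryDirectory() as plain_root, \
            tempfile.TemporaryDirectory() as sgid_root:
        return build_tree(plain_root, False), build_tree(sgid_root, True)


if __name__ == "__main__":
    plain, sgid = demo()
    for label, report in (("without setgid", plain), ("with setgid", sgid)):
        print(label)
        for path, (gid, bit) in report.items():
            print(f"  {path:32} gid={gid} setgid={bit}")
```

With the bit set on `folder1`, every directory below it carries the bit and the group of `folder1`, so the inheritance continues at any depth; the regular file gets the group but not the bit.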