Re: [Samba] Force user doesn't work

[Jonathan Buzzard]

On Mon, 2013-09-23 at 11:45 +0200, Bart-Jan van Hummel wrote:
> I am using Samba 3.6.6 on Debian Wheezy. 
> 
> I want to be able to change www files on my dev server using my macbook.

That is your problem right there. The MacOS X smb client does not
generally respect force user/group parameters when Unix extensions are
present.

Simplest solution is to put "unix extensions = no" in your smb.conf and
restart Samba. Though this requires that you don't rely on them
elsewhere.


JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Force user doesn't work

[Bart-Jan van Hummel]

On Mon, 2013-09-23 at 16:20 Jonathan Buzzard wrote: 
> Simplest solution is to put "unix extensions = no" in your smb.conf and 
> restart Samba. Though this requires that you don't rely on them 
> elsewhere. 

Thanks I will do that just to be sure. 
Just now I found another solution as well: 
Removing the admin users also works, this used to work fine on older versions 
of Samba, 
on this version (and I take it on newer versions as well) this needs te be 
removed. 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Force user permission in specific folders

[Patric Falinder]

So I found a solution that will work for me.

inherit owner = yes


On Thu, Aug 29, 2013 at 1:40 PM, Patric Falinder wrote:

> Hi,
>
> It's not that often that I'm messing around with Samba but I have a
> dilemma that I need some help with.
>
> I have a share called "common", users can create folders and files just
> fine but I'm wondering if it's possible to force folders/files to be
> created with certain user/group owner in just that specific folder.
> I not I can force so that everything is created with a specific
> user/group, but I want it specific to folders.
>
> Lets say I create a file in "/common/" and it will be created with the
> owner that I'm logged in as, lets say the user "john".
> But if John, or anyone, creates a file in "/common/files/" I want it to be
> created with the owner "james" no matter who creates it.
>
> Is this possible to achieve?
>
> The reason I need this is because I have a Samba share with all our
> www/ftp folders and they are owned by the user that's has the FTP-account
> for that specific folder. If I create a folder or whatever it will change
> the permission so that the FTP-user can't edit/delete it. I don't really
> want to chmod 777 on everything in there.
>
> If it's not possible, how do people mange this? Or should I not make a
> Samba share like this?
>
> Thanks,
> -Patric
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Force user permission in specific folders

[Patric Falinder]

On Thu, Aug 29, 2013 at 6:32 PM, TAKAHASHI Motonobu  wrote:

>
> From: Patric Falinder 
> Date: Thu, 29 Aug 2013 13:40:01 +0200
>
> > It's not that often that I'm messing around with Samba but I have a
> dilemma
> > that I need some help with.
> >
> > I have a share called "common", users can create folders and files just
> > fine but I'm wondering if it's possible to force folders/files to be
> > created with certain user/group owner in just that specific folder.
> > I not I can force so that everything is created with a specific
> user/group,
> > but I want it specific to folders.
>
> Please use "force user" and "force group" parameters.
>
> I don't think you understand what I said. That will force those
permissions on everything, that's not what I'm looking for.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Force user permission in specific folders

[TAKAHASHI Motonobu]

From: Patric Falinder 
Date: Thu, 29 Aug 2013 13:40:01 +0200

> It's not that often that I'm messing around with Samba but I have a dilemma
> that I need some help with.
> 
> I have a share called "common", users can create folders and files just
> fine but I'm wondering if it's possible to force folders/files to be
> created with certain user/group owner in just that specific folder.
> I not I can force so that everything is created with a specific user/group,
> but I want it specific to folders.

Please use "force user" and "force group" parameters.

---
TAKAHASHI Motonobu  / @damemonyo 
   facebook.com/takahashi.motonobu

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Force user permission in specific folders

[Eric Shubert]

On 08/29/2013 04:40 AM, Patric Falinder wrote:

Hi,

It's not that often that I'm messing around with Samba but I have a dilemma
that I need some help with.

I have a share called "common", users can create folders and files just
fine but I'm wondering if it's possible to force folders/files to be
created with certain user/group owner in just that specific folder.
I not I can force so that everything is created with a specific user/group,
but I want it specific to folders.

Lets say I create a file in "/common/" and it will be created with the
owner that I'm logged in as, lets say the user "john".
But if John, or anyone, creates a file in "/common/files/" I want it to be
created with the owner "james" no matter who creates it.

Is this possible to achieve?

The reason I need this is because I have a Samba share with all our www/ftp
folders and they are owned by the user that's has the FTP-account for that
specific folder. If I create a folder or whatever it will change the
permission so that the FTP-user can't edit/delete it. I don't really want
to chmod 777 on everything in there.

If it's not possible, how do people mange this? Or should I not make a
Samba share like this?

Thanks,
-Patric



Use group permissions?

--
-Eric 'shubes'

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] force user broken - 3.2.11

[Karolin Seeger]

Hi,

On Tue, May 12, 2009 at 08:37:07PM -0400, mrosa...@eastgranby.k12.ct.us wrote:
> Last month, I updated to Fedora 10 with samba 3.2.11-0.30.fc10 via a
> complete reinstall. Using x86-64.  We are now experiencing a problem on a
> share with the force user parameter.
> 
> [zz]
> comment = Test Share
> path = /home/zz
> force user = zzadminp
> create mask = 0770
> directory mask = 0770
> 
> 
> The primary group of zzadminp above is admplus.
> 
> If user markoren with primary group ntadmin writes a file to the above
> share, the file owner is markoren and the file group is admplus.
> 
> -rwxrw 1 markoren admplus 94 2009-05-12 19:51 MAOtestfilezz8.txt
> 
> Samba is setting the primary group of the forced user properly, but is not
> setting the forced user as the owner.

that's a known bug in 3.2.11.
A fix will be included in 3.2.12. Please see
https://bugzilla.samba.org/show_bug.cgi?id=6291 for more details
including the patch.

Thanks for reporting and sorry for the inconveniences!

Karolin

-- 
Samba   http://www.samba.org
SerNet  http://www.sernet.de
sambaXP http://www.sambaxp.org



pgpiMeERKWh36.pgp
Description: PGP signature
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] force user and read only

[Urs Golla]

The folder is owned by a local group which belongs to the application.
And I dont want to add developers to this application group. I did it
now with the "force user" option and "read only". This way I can make
sure that they can always read the application logs (because they are
owned by the app user) and they are not allowed to write in to that
share. And I dont have to maintain group memberships, acls or file
permissions.
The more I think about the combination of this 2 options, the more I
like it... :-) Do you see any risk if I force to use root WITH
read-only?

On Fri, Oct 24, 2008 at 4:25 PM, Dennis B. Hopp <[EMAIL PROTECTED]> wrote:
>
>
> On Fri, 2008-10-24 at 17:08 +0200, Urs Golla wrote:
>> This works only if the samba user is also the owner of the file.
>>
>
> Please CC the list so that other users can benefit from this
> conversation and if I'm mistaken, somebody else can correct me.
>
> The users (or groups) will still need file system permissions to access
> the directories/files, regardless of what samba gives them access to.
> So you will need to make sure the permissions on the Linux file system
> allow those users/groups access.
>
> You could place all the developers in a group and give that group read
> access (so mode 740).  And then in the smb.conf file use
>
> valid users = "@MYDOMAIN+DEVELOPERGROUP"
>
> (the @ sign may have to go outside the quotes, I can't remember off the
> top of my head)
>
> Or maybe a better option is the "read list" option instead of "valid
> users"
>
> If you aren't using groups (or need more then one group to access it)
> then you will need to have the file system mounted with the "acl" option
> so that you can place extended acls on the directories for each
> user/group.
>
> --Dennis
>
>> On Fri, Oct 24, 2008 at 5:00 PM, Dennis B. Hopp <[EMAIL PROTECTED]> wrote:
>> >
>> >
>> > On Fri, 2008-10-24 at 08:45 +0200, Urs Golla wrote:
>> >> Hi
>> >>
>> >> I need a share with read-only access for some developers (to read
>> >> logfiles). the logfiles are owned by the application user and group
>> >> and have 700 permissions. I have set up the share like this:
>> >>
>> >> path = /applicationx/logs
>> >> read only = Yes
>> >> valid users =  "MYDOMAIN+DEVELOPER1"
>> >> force user = applicationx
>> >>
>> >
>> > You shouldn't need the "force user" setting if this is read only.  That
>> > setting is so that samba will force that user to be the owner of any
>> > files written to the share.
>> >
>> > If you want it to be read only, the only thing you should have to set is
>> > "read only = yes".
>> >
>> > --Dennis
>> >
>> >
>
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] force user and read only

[Dennis B. Hopp]

On Fri, 2008-10-24 at 17:08 +0200, Urs Golla wrote:
> This works only if the samba user is also the owner of the file.
> 

Please CC the list so that other users can benefit from this
conversation and if I'm mistaken, somebody else can correct me.

The users (or groups) will still need file system permissions to access
the directories/files, regardless of what samba gives them access to.
So you will need to make sure the permissions on the Linux file system
allow those users/groups access. 

You could place all the developers in a group and give that group read
access (so mode 740).  And then in the smb.conf file use

valid users = "@MYDOMAIN+DEVELOPERGROUP" 

(the @ sign may have to go outside the quotes, I can't remember off the
top of my head)

Or maybe a better option is the "read list" option instead of "valid
users"

If you aren't using groups (or need more then one group to access it)
then you will need to have the file system mounted with the "acl" option
so that you can place extended acls on the directories for each
user/group.

--Dennis

> On Fri, Oct 24, 2008 at 5:00 PM, Dennis B. Hopp <[EMAIL PROTECTED]> wrote:
> >
> >
> > On Fri, 2008-10-24 at 08:45 +0200, Urs Golla wrote:
> >> Hi
> >>
> >> I need a share with read-only access for some developers (to read
> >> logfiles). the logfiles are owned by the application user and group
> >> and have 700 permissions. I have set up the share like this:
> >>
> >> path = /applicationx/logs
> >> read only = Yes
> >> valid users =  "MYDOMAIN+DEVELOPER1"
> >> force user = applicationx
> >>
> >
> > You shouldn't need the "force user" setting if this is read only.  That
> > setting is so that samba will force that user to be the owner of any
> > files written to the share.
> >
> > If you want it to be read only, the only thing you should have to set is
> > "read only = yes".
> >
> > --Dennis
> >
> >

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] force user and read only

[Dennis B. Hopp]

On Fri, 2008-10-24 at 08:45 +0200, Urs Golla wrote:
> Hi
> 
> I need a share with read-only access for some developers (to read
> logfiles). the logfiles are owned by the application user and group
> and have 700 permissions. I have set up the share like this:
> 
> path = /applicationx/logs
> read only = Yes
> valid users =  "MYDOMAIN+DEVELOPER1"
> force user = applicationx
> 

You shouldn't need the "force user" setting if this is read only.  That
setting is so that samba will force that user to be the owner of any
files written to the share.

If you want it to be read only, the only thing you should have to set is
"read only = yes".

--Dennis

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Force User based on directory name

[Michael Heydon]

hevfuture wrote:

Hi,

Is there a way that I can force the user based on the directory name? I have
administrators who need to place files in the [homes] directories of
multiple users, and I need the user of all the files to be based on the name
of the directory (the user cannot be administrator even when the
administrator puts the file in), so that the user can access the files in
his or her [homes]. Any help is appreciated!

Thanks!


  


"force user = %S" maybe?

*Michael Heydon - IT Administrator *
[EMAIL PROTECTED] 
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Force user and replace with SUID and SGID. Realize error, but please assist

[Michael Kelly]

Hello again,

Okay so I realize the error I made with the SUID ans SGID. Those
settings represent what user/group the "file" is executed under. Must
have had a brain cramp or something. I would however still appreciate
some assistance in trying to get rid of the "force user" setting I am
having to use to resolve an issue with Microsoft Office files and their
time stamps being changed upon viewing of the file.

Thanks
Michael Kelly

>>> "Michael Kelly" <[EMAIL PROTECTED]> 06/12/2004 10:02:18 am
>>>
Hi all,

I am trying to get rid of a force user setting on our samba server. I
read an article that talked about setting the SUID and SGID on the
top-level directory, and all sub-directories, of a share and this
would
cause all files to be own by the user and group for which the sticky
bit
has been set.

Here is what I did.

1. recursively changed owner/group on all file and directories in the
share to the user and group who I wanted to own said files and
directories.
2. executed "find /mnt/fileserver/server -type d -exec ug+s {} \;" to
set the sticky bit on all directories within the share.
3. removed the "force user" entry from the share definition and
restarted Samba
4. Browsed the share and created a new file. It came up as owned by me
not the user who I had set the sticky bit for. It did have the proper
group as I am a member of that group.
5. Opened and Excel file and then closed that file. It prompted me to
save changes, made none, and when I said no it updated the time stamp
anyway.


I am using the "force user" entry to solve the known problem with
Microsoft Office files. I have about 14 employees who access the share
and all file and directories within it. Timestamps are very important
and we need them not be changed when simply viewing a file.

It was my understanding that by setting the SUID and SGID it would
cause all files to retain their ownership and all newly created files
to
get the user and group for which the sticky bit was set. 

I know that this is a Linux file system question, but it is relating
to
Samba and I am hoping that someone out there has experienced this and
can point me in the right direction.

Thank you
Michael Kelly
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] force user problem

[Mac]

>
>I have samba 3.0.4 set up as a PDC and have a problem with using "force user"
> with thie following share:
>
>[shared]
>  path = /usr/local/samba/shared
>  write list = usera, userb, userc
>  force user = usera
>  guest ok = true
>
>If I try to write a file from an XP system as usera I get an "Access is denied" 
>failure.  If I take out the "force user" line there is no problem!



There's a known bug in Samba using 'write list' and 'force user'.

See :-

http://us4.samba.org/samba/ftp/WHATSNEW-3-0-7.txt

(the section for 3.0.6)

So you need to upgrade.  And you should jump directly to 3.0.7 to get
rid of the vulnerability recently fixed.

   Mac
  Assistant Systems Adminstrator @nibsc.ac.uk
[EMAIL PROTECTED]
   Work: +44 1707 641565  Everything else: +44 7956 237670 (anytime)
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

RE: [Samba] force user = %u ????

[Adrian Tam]

It's not in the code. It makes no sense anyway since you will just be
forcing yourself to be yourself.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Michael Gasch
Sent: Friday, June 18, 2004 6:47 AM
To: [EMAIL PROTECTED]
Subject: [Samba] force user = %u 

does samba understand

force user = %u

in [homes] 

thx&bye
-- 


  "Matrix - more than a vision"

**
  Michael Gasch

- Central IT Department -

Max Planck Institute for Evolutionary Anthropology
Deutscher Platz 6
04103 Leipzig

Germany
**

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

RE: [Samba] Force user

[Wang, Yu]

Sue,

The 6775 sets the directory a set-uid and set-gid directory NOT set the sticky bit on. 
1775 or 1777 is to set the directory's sticky bit (the difference between 1775 and 
1777 is former allows directory owner and group members to write to the directory and 
latter allows all users to write to the directory. All files/directories created under 
the directory owned by the creator).


--Yu Wang

Information Technology Services
University of North Florida
(904) 620-2820



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Susan
McConnell
Sent: Thursday, June 03, 2004 2:06 PM
To: [EMAIL PROTECTED]
Subject: [Samba] Force user


Hello list

The Samba Howto Collection repeatedly asserts that by setting the sticky
bit on directories any files created in those directories will be created
with the owner set to that of the directory (for example, see
http://samba.mirror.ac.uk/samba/docs/man/howto/AccessControls.html#id2541262).

This has never worked for me. Files created inherit the group of the
directory, but not the owner. I have even followed, line for line, the
sequence on that page as follows:

# chmod 6775 /foodbar
$ ls -al /foodbar/..

You should see:

drwsrwsr-x  2 jack  engr48 2003-02-04 09:55 foodbar

#

Now type:

$ su - jill
$ cd /foodbar
$ touch Afile
$ ls -al

You should see that the file Afile created by Jill will have ownership and
permissions of Jack, as follows:

-rw-r--r--  1 jack  engr 0 2003-02-04 09:57 Afile

That all works right up until the last line, where I see the file owner is
jill, not jack. Maybe I've misunderstood this, but the chmod(1) man pages
don't mention the owner being forced, only group. So have I got it wrong
(most likely), or is the Samba Howto Collection wrong in the many places it
asserts that this can be done?

Thank you for guidance,
Sue
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Force user

[Tony Whitmore]

Robert Sossomon wrote:
You should see that the file Afile created by Jill will have ownership
and permissions of Jack, as follows:
-rw-r--r--  1 jack  engr 0 2003-02-04 09:57 Afile
That all works right up until the last line, where I see the file owner
is jill, not jack. Maybe I've misunderstood this, 


Sue,
It looks to me that the owner and group are still the same, there is no
mention of jill anywhere.  If you mean the permissions are wrong, then
you need to look at your smb.conf file again to make sure you set the
permissions flag correctly.
I think that what Sue pasted was what she thinks she _should_ have seen, 
rather than what she _did_ see.

I've been playing this a bit using 3.0.4 on a Debian Stable ext3 
partition and have found the same thing - files created in a SUID 
directory are not owned by the owner of that directory, but the user 
creating them. I've also found threads on the LKML that discuss whether 
or not to support the SUID bit on directories from about two years ago, 
which doesn't seem positive. So, this feature may work on other Unixes 
that support SUID on directories (like FreeBSD, IIRC).

My interest was having the ownership of files within a directory being 
assigned to the owner of that directory, rather than the user creating 
the files. This principally happens when technicians assist a user with 
a file restoration or other admin tasks and then forget to assign 
ownership to the user - which mucks up the quota system! :)

Cheers,
Tony
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

RE: [Samba] Force user

[Robert Sossomon]

This has never worked for me. Files created inherit the group of the
directory, but not the owner. I have even followed, line for line, the
sequence on that page as follows:

# chmod 6775 /foodbar
$ ls -al /foodbar/..

You should see:

drwsrwsr-x  2 jack  engr48 2003-02-04 09:55 foodbar

#

Now type:

$ su - jill
$ cd /foodbar
$ touch Afile
$ ls -al

You should see that the file Afile created by Jill will have ownership
and permissions of Jack, as follows:

-rw-r--r--  1 jack  engr 0 2003-02-04 09:57 Afile

That all works right up until the last line, where I see the file owner
is jill, not jack. Maybe I've misunderstood this, 


Sue,

It looks to me that the owner and group are still the same, there is no
mention of jill anywhere.  If you mean the permissions are wrong, then
you need to look at your smb.conf file again to make sure you set the
permissions flag correctly.

What is your smb.conf for this section?

Robert

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Force user and force group?

[RRuegner]

Jose Martinez schrieb:

What does the Force user and Force Group option do under the homes and
profiles section of the smb.conf file do?
Jose

hi, per "default" a file is created with the permissions of the creator
in a samba share, with force user you can force the creator to be a 
different user or group, this is helpfull in a few cases i.e
if youre using a smb share for apache ( user wwwrun etc ),
but use this parameter with care it can break your security and result 
in miracle permissions behavior.
i recommend to read the samba faq, and man smb.conf
Regards
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] force user not working

[Chris]

>:0)

Just kidding.  I wouldn't do that to you guys :0)

I just hate it when people get the answer they want, and then don't post the 
solution!  How selfish!

The answer was this: "admin users = chris, administrator"

Apparently, this is handled differently in 2.0.7 than it is in 3.0.2a.  3.0.2a 
basicly says that anyone on the admin list is effectively root.  Since I was 
testing it with my account, it was setting my user to root, and hence any 
file I made was owned by the man.

I am simply going to do away with admin users, since I have no real use for 
that anymore anyway.

ciao.

Chris





On Tuesday 30 March 2004 02:43 pm, Chris wrote:
> Okay.
>
> Nevermind.  I got it.
>
> Chris
>
> On Tuesday 30 March 2004 01:18 pm, Chris wrote:
> > Hello.
> >
> > I am making a new samba server.  My old samba server was a RedHat machine
> > (6.2) with samba 2.0.7 on it.  My new samba server is a Gentoo machine
> > with Samba 3.0.2a.
> >
> > Aside from the fact that I am now using ADS instead of a traditional NT4
> > domain -- everything else is the same.  I am keeping all the shares the
> > same, I have synced all the gid's and uid's between the two machines, and
> > I rsynced all the files and directories over from the old machine so that
> > all the permissions and ownerships are the same between the two machines.
> >
> > For some reason, on the new machine, my "Force User =" is not working. 
> > All files are owned by root no matter what -- not the user that created
> > them. For all of my common directories (each dept has a commond dir that
> > only their dept can access) I have "Force User = %U".  This is important,
> > because without it the created files do not apply to the user's quota.
> >
> > I wish to stress that this did *not* happen with 2.0.7... it worked just
> > as it should.
> >
> > Could someone please give me a hand here?
> >
> > TIA
> >
> > Chris
> >
> > Here is a clip from my smb.conf:
> >
> > [global]
> > netbios name = PERSEUS
> > socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> > idmap uid = 1-2
> > winbind enum users = yes
> > winbind gid = 1-2
> > winbind enum groups = yes
> > dns proxy = no
> > realm= MY.DOMAIN
> > workgroup = MYWRKGRP
> > netbios aliases = PERSEUS
> > server string = PERSEUS
> > security = ADS
> > wins proxy = no
> > map to guest = Bad User
> > password server = sisyphus.my.domain
> > name resolve order = lmhosts wins bcast
> > time server = Yes
> > os level = 0
> > preferred master = No
> > local master = No
> > domain master = No
> > wins server = 10.10.10.10
> > hosts allow = 127.0.0.1, 10.10.10.
> > oplocks = No
> > follow symlinks = No
> > printing = cups
> > printcap name = cups
> > load printers = yes
> > ==
> >
> > [Members]
> > path = "/home/Members"
> > valid users = +member_serv, chrisd, kurtk, administrator, jeffh
> > admin users = chris, administrator
> > read list = +member_serv, chrisd, kurtk, administrator, jeffh
> > write list = +member_serv, chrisd, kurtk, administrator, jeffh
> > force user = %U
> > force group = member_serv
> > read only = No
> > create mask = 0660
> > directory mask = 2770
> > browseable = No
> >
> > ==
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] force user not working

[Chris]

Okay.

Nevermind.  I got it.

Chris

On Tuesday 30 March 2004 01:18 pm, Chris wrote:
> Hello.
>
> I am making a new samba server.  My old samba server was a RedHat machine
> (6.2) with samba 2.0.7 on it.  My new samba server is a Gentoo machine with
> Samba 3.0.2a.
>
> Aside from the fact that I am now using ADS instead of a traditional NT4
> domain -- everything else is the same.  I am keeping all the shares the
> same, I have synced all the gid's and uid's between the two machines, and I
> rsynced all the files and directories over from the old machine so that all
> the permissions and ownerships are the same between the two machines.
>
> For some reason, on the new machine, my "Force User =" is not working.  All
> files are owned by root no matter what -- not the user that created them.
> For all of my common directories (each dept has a commond dir that only
> their dept can access) I have "Force User = %U".  This is important,
> because without it the created files do not apply to the user's quota.
>
> I wish to stress that this did *not* happen with 2.0.7... it worked just as
> it should.
>
> Could someone please give me a hand here?
>
> TIA
>
> Chris
>
> Here is a clip from my smb.conf:
>
> [global]
> netbios name = PERSEUS
> socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> idmap uid = 1-2
> winbind enum users = yes
> winbind gid = 1-2
> winbind enum groups = yes
> dns proxy = no
> realm= MY.DOMAIN
> workgroup = MYWRKGRP
> netbios aliases = PERSEUS
> server string = PERSEUS
> security = ADS
> wins proxy = no
> map to guest = Bad User
> password server = sisyphus.my.domain
> name resolve order = lmhosts wins bcast
> time server = Yes
> os level = 0
> preferred master = No
> local master = No
> domain master = No
> wins server = 10.10.10.10
> hosts allow = 127.0.0.1, 10.10.10.
> oplocks = No
> follow symlinks = No
> printing = cups
> printcap name = cups
> load printers = yes
> ==
>
> [Members]
> path = "/home/Members"
> valid users = +member_serv, chrisd, kurtk, administrator, jeffh
> admin users = chrisd, kurtk, administrator, jeffh
> read list = +member_serv, chrisd, kurtk, administrator, jeffh
> write list = +member_serv, chrisd, kurtk, administrator, jeffh
> force user = %U
> force group = member_serv
> read only = No
> create mask = 0660
> directory mask = 2770
> browseable = No
>
> ==
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] force user vs read list

[John H Terpstra]

On Thu, 11 Mar 2004, William R. Knox wrote:

> I am in the process of expanding access to a share that currently has the
> following configuration:
>
> [uniqname]
>comment = Unique comment
>path = /path/to/the/stuff
>public = no
>writable = yes
>printable = no
>valid users = user1,user2,user3
>force user = cooluser

The 'force user' directive means that at the point of connection the real
users identity is lost and the user now is 'cooluser'.

>
> I want to add read-only access to an additional set of users. The smb.conf
> man page and the Samba-HOWTO are not clear (to me) about the precedence of
> the "force user" option versus the "read list" option - if I add user4 to
> a read list parameter entry, will they also get logged on as that user and
> have write permissions (as determined by the underlying filesystem)? I
> wanted to ask before even trying just to make sure that any discovery
> isn't later deemed a bug and changed.

This is a poor solution. The 'force user' and 'force group' directives
have serious side-effects and should be avoided if possible,

A better way to handle this is to use directory permissions to control who
can write and who can read. In this case you could set the directory as
read only to 'others' and writable to the group that owns the directory.
Then, if you set the SGID bit on the directory all files created within it
will always be owned by the group that owns the directory.

Alternately, as documented in the Samba-HOWTO-Collection you could jst as
well use Share level permissions to limit which groups can write and who
gets read-only access. In fact, you can ensure that no-one except members
of those groups can even access the share. If you use Share level
permissions (ACLs) then you do not need to set in smb.conf the 'valid
users' parameter either.

> If the force user overrides the read list, I suppose I can just set up an
> alternate share pointing to the samba path that is read only with a
> different set of valid users, but that just feels so kludgey...
>
> The samba version in use is 2.2.8a, but I will be upgrading to 3.0.2a in
> the very near future, in case there is any difference.

The Samba-HOWTO-Collection is available from:
http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf

The chapter "File, Directory and Share Access Controls" applies to both
Samba-2.2.x and Samba-3.


- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Force User -

[Marian Mlcoch, Ing]

 Why you dont use ftp?
Is more flexible as samba to web.
When you must use samba try disable force user and create cron job to change
owner on new files to apache.
It creates flexibility to  users can change uploaded files only by its owner
and only by time to cron job.
After this only admin user can change or delete.

> - Original Message -
> From: "info" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, November 05, 2002 1:21 AM
> Subject: [Samba] Force User -
>
>
> > Hello,
> > I am using Samba shares as a way for my users to publish files from
their
> > Windows XP PC's to my Apache Web Server on Red Hat Linux.
> >
> > The username I use for Apache is apache and it has full read,write and
> > execute access on all the files within my webserver root directory.  In
> the
> > Samba Shares I use force user = apache so this means that any files
> created
> > using the share actually get apache as the owner.  However, this
actually
> > gives the person who connects using the samba share the power of the
user
> > apache which means they can change anything.  I dont want this.  I just
> want
> > to set it so that the owner of any files created by using the samba
share
> is
> > set as apache.  I do not want people to have the power of apache!  Is
this
> > possible?
> >
> > Or does anyone know a better way of publishing to the apache webserver?
> > PLease help, thanks
> >
> >
> > Mr. Gerard O'Reilly
> > Intranet Manager
> > Siam Stars Ltd/ Thai-Belgium Industrial Co. Ltd
> > 21/6 Moo 3, Soi Kayha Bangbua,
> > Viphavadee Rangsit Road,
> > 60 Talad Bangkhen,
> > Laksi Bangkok 10210
> > Tel:  02-561-4649 or 02-940-8750
> > Fax: (66-2) 5611486
> >
>

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Force User -

[Yura Pismerov]

info wrote:
> 
> Thanks.
> But I already have NT ACL support set to 'yes'.


It won't help if your filesystem does not support ACL and your Samba is
not build with them. First make sure it does - "ldd smbd" should list
libacl among others.

> How does the ACL allow me to set the default owner without giving them the
> "rights" of the owner?  Please explain if you can.  THanks

You can apply ACLs using W2K or NT workstation. ACL can be changed
through Security Tab on File/Directory properties. Keep in mind that to
be able to do that you must be either root or the owner of the files.


> 
> - Original Message -
> From: "Yura Pismerov" <[EMAIL PROTECTED]>
> To: "info" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Tuesday, November 05, 2002 8:20 AM
> Subject: Re: [Samba] Force User -
> 
> >
> > You will need ACL support.
> >
> > info wrote:
> > >
> > > Hello,
> > > I am using Samba shares as a way for my users to publish files from
> their
> > > Windows XP PC's to my Apache Web Server on Red Hat Linux.
> > >
> > > The username I use for Apache is apache and it has full read,write and
> > > execute access on all the files within my webserver root directory.  In
> the
> > > Samba Shares I use force user = apache so this means that any files
> created
> > > using the share actually get apache as the owner.  However, this
> actually
> > > gives the person who connects using the samba share the power of the
> user
> > > apache which means they can change anything.  I dont want this.  I just
> want
> > > to set it so that the owner of any files created by using the samba
> share is
> > > set as apache.  I do not want people to have the power of apache!  Is
> this
> > > possible?
> > >
> > > Or does anyone know a better way of publishing to the apache webserver?
> > > PLease help, thanks
> > >
> > > Mr. Gerard O'Reilly
> > > Intranet Manager
> > > Siam Stars Ltd/ Thai-Belgium Industrial Co. Ltd
> > > 21/6 Moo 3, Soi Kayha Bangbua,
> > > Viphavadee Rangsit Road,
> > > 60 Talad Bangkhen,
> > > Laksi Bangkok 10210
> > > Tel:  02-561-4649 or 02-940-8750
> > > Fax: (66-2) 5611486
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Force User -

[info]

Thanks.
But I already have NT ACL support set to 'yes'.
How does the ACL allow me to set the default owner without giving them the
"rights" of the owner?  Please explain if you can.  THanks


- Original Message -
From: "Yura Pismerov" <[EMAIL PROTECTED]>
To: "info" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, November 05, 2002 8:20 AM
Subject: Re: [Samba] Force User -


>
> You will need ACL support.
>
> info wrote:
> >
> > Hello,
> > I am using Samba shares as a way for my users to publish files from
their
> > Windows XP PC's to my Apache Web Server on Red Hat Linux.
> >
> > The username I use for Apache is apache and it has full read,write and
> > execute access on all the files within my webserver root directory.  In
the
> > Samba Shares I use force user = apache so this means that any files
created
> > using the share actually get apache as the owner.  However, this
actually
> > gives the person who connects using the samba share the power of the
user
> > apache which means they can change anything.  I dont want this.  I just
want
> > to set it so that the owner of any files created by using the samba
share is
> > set as apache.  I do not want people to have the power of apache!  Is
this
> > possible?
> >
> > Or does anyone know a better way of publishing to the apache webserver?
> > PLease help, thanks
> >
> > Mr. Gerard O'Reilly
> > Intranet Manager
> > Siam Stars Ltd/ Thai-Belgium Industrial Co. Ltd
> > 21/6 Moo 3, Soi Kayha Bangbua,
> > Viphavadee Rangsit Road,
> > 60 Talad Bangkhen,
> > Laksi Bangkok 10210
> > Tel:  02-561-4649 or 02-940-8750
> > Fax: (66-2) 5611486

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Force User -

[Yura Pismerov]

You will need ACL support.

info wrote:
> 
> Hello,
> I am using Samba shares as a way for my users to publish files from their
> Windows XP PC's to my Apache Web Server on Red Hat Linux.
> 
> The username I use for Apache is apache and it has full read,write and
> execute access on all the files within my webserver root directory.  In the
> Samba Shares I use force user = apache so this means that any files created
> using the share actually get apache as the owner.  However, this actually
> gives the person who connects using the samba share the power of the user
> apache which means they can change anything.  I dont want this.  I just want
> to set it so that the owner of any files created by using the samba share is
> set as apache.  I do not want people to have the power of apache!  Is this
> possible?
> 
> Or does anyone know a better way of publishing to the apache webserver?
> PLease help, thanks
> 
> Mr. Gerard O'Reilly
> Intranet Manager
> Siam Stars Ltd/ Thai-Belgium Industrial Co. Ltd
> 21/6 Moo 3, Soi Kayha Bangbua,
> Viphavadee Rangsit Road,
> 60 Talad Bangkhen,
> Laksi Bangkok 10210
> Tel:  02-561-4649 or 02-940-8750
> Fax: (66-2) 5611486
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] force user

[Gerald Carter]

On Thu, 26 Sep 2002, Ssltbivdc.com wrote:

> Hello,
> I am using a samba share to upload files from my PC to an intranet server
> running apache on red hat 6.2.
> 
> However, i always want the user/owner of the file to be apache and the group
> to be webdev.  BUt even though I set these options in samba when I create a
> file and upload to the intranet via the samba share for some reason the
> user/owner of the file is always root.  Why??

Do you have the "admin users" pparameter set?




cheers, jerry
 -
 Hewlett-Packard http://www.hp.com
 SAMBA Team   http://www.samba.org
 --http://www.plainjoe.org
 "Sams Teach Yourself Samba in 24 Hours" 2ed.   ISBN 0-672-32269-2
 --"I never saved anything for the swim back." Ethan Hawk in Gattaca--

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba