winbind samba user vs. group permission denied prob
I'm setting up Samba with security = domain to get my linux server to talk to the NT PDC. I can do a wbinfo -g and all those commands to get the expected (correct) results. I can change user/group ownership on the files on the Linux box to those users/groups defined in the PDC just fine. Winbind is working and all that jazz. I SHOULD NOT be required to add individual accounts on the linux box for those users who need write access - that was the point of creating the security=domain switch.
What I want to do is give all the users in my domain read access, but on top of that give specific users write access. So for the LSSNET share below, if I change the permissions on the folder to 775 and change the group to LSS_A+Domain Users, then everyone has write access (not good), unless I include the read list, which "overrides any other samba permissions granted - as well as Unix permissions on the server system - to deny write access". Therefore I can't grant specific users access afterward, because they are all part of the Domain Users group and the read list will override.
The other option, if I chown to 755, even adding specific users to the write list will not give them access because "write list overrides other Samba permissions to grant write access, but cannot grant write access if the user lacks write permissions for the file on the Unix system."
Is there no way then to have all users with read access, but only certain ones with write access?
##########Samba Config#############
[global]
workgroup = LSS_A
server string = Intranet Server
log file = /var/log/samba/%m.log
max log size = 500
security = domain
password server = lss_pdc bdc1 bdc2
encrypt passwords = yes
smb passwd file = /usr/local/samba/private/smbpasswd
####Winbind####
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = no
winbind cache time = 20
winbind enum users = yes
winbind enum groups = yes
force create mode = 0775
force directory mode = 0775
read only = yes
veto oplock files = /*.cgi/
guest ok = no
browseable = no
writable = no
# Note: This line is added for security purposes. The following
# users should never have access to the Samba shares
invalid users = root,bin,daemon,adm,sync,shutdown,halt,mail,news,uucp,operator,gopher
[lssnet]
path = /www/lssnet
comment = Intranet Web Files
read list = 'LSS_A+Domain Users'
write list = LSS_A+pryan
This is a rather confusing issue; I hope the description was clear.
Thanks in advance for any help.
PJT
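The interaction the post describes (read list always denies write; write list grants write only when the Unix permissions also allow it) is easier to reason about with a small model. The following is an added example, not code from the post or from Samba: it encodes the two quoted rules as a decision function and runs the two configurations PJT tried. Names such as `LSS_A+alice`, the `@group` prefix for group entries in the lists, and the `read_only` share flag are the model's own assumptions, not taken from the post.

```python
"""Simplified model of how a Samba share's read list / write list interact with
Unix permissions, following the two rules quoted in the post. This is a
constructed illustration of those rules, not Samba's actual access-check code."""
from dataclasses import dataclass, field


@dataclass
class FileEntry:
    owner: str
    group: str
    mode: int          # Unix mode bits, e.g. 0o755


@dataclass
class Share:
    read_list: set = field(default_factory=set)    # user names or "@group" entries (model's convention)
    write_list: set = field(default_factory=set)
    read_only: bool = True                          # share-level "read only" / "writable" setting


def unix_can_write(user, user_groups, entry):
    """Classic owner/group/other evaluation of the write bit."""
    if user == entry.owner:
        bits = (entry.mode >> 6) & 0o7
    elif entry.group in user_groups:
        bits = (entry.mode >> 3) & 0o7
    else:
        bits = entry.mode & 0o7
    return bool(bits & 0o2)


def in_list(user, user_groups, names):
    """True if the user is named directly or via an '@group' entry."""
    for name in names:
        if name.startswith("@"):
            if name[1:] in user_groups:
                return True
        elif name == user:
            return True
    return False


def can_write(user, user_groups, share, entry):
    # Rule 1 (quoted in the post): the read list denies write access regardless
    # of any other Samba or Unix permission.
    if in_list(user, user_groups, share.read_list):
        return False
    unix_ok = unix_can_write(user, user_groups, entry)
    # Rule 2 (quoted in the post): the write list grants write access, but
    # cannot do so if the Unix permissions deny it.
    if in_list(user, user_groups, share.write_list):
        return unix_ok
    # Otherwise the share's own writable/read-only setting applies, still
    # subject to Unix permissions.
    return (not share.read_only) and unix_ok


# Constructed sample domain: two members of "Domain Users", one of whom
# (pryan, from the post's write list) should get write access.
DOMAIN_USERS = "LSS_A+Domain Users"
MEMBERS = {
    "LSS_A+pryan": {DOMAIN_USERS},
    "LSS_A+alice": {DOMAIN_USERS},   # assumed second user, not in the post
}


def scenario(mode, read_list, write_list, read_only=False):
    """Evaluate write access for every sample member on a directory owned by
    root with group 'Domain Users' and the given mode/share settings."""
    entry = FileEntry(owner="root", group=DOMAIN_USERS, mode=mode)
    share = Share(read_list=set(read_list), write_list=set(write_list), read_only=read_only)
    return {user: can_write(user, groups, share, entry) for user, groups in MEMBERS.items()}


if __name__ == "__main__":
    # 775 + writable share, no lists: everyone in Domain Users can write.
    print("775, no lists      :", scenario(0o775, [], []))
    # 775 + read list on Domain Users + pryan in write list: read list wins, nobody writes.
    print("775, read list set :", scenario(0o775, ["@" + DOMAIN_USERS], ["LSS_A+pryan"]))
    # 755 + pryan in write list: Unix group bits lack write, so the write list cannot help.
    print("755, write list    :", scenario(0o755, [], ["LSS_A+pryan"], read_only=True))
```

Running it reproduces the dead end described in the post: with mode 775 either everyone writes or (once the read list is set) nobody does, and with mode 755 the write list is powerless because the Unix group bits already deny write. Whatever grants the extra users write access has to happen at the Unix permission layer rather than in the Samba lists alone.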