LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 09-29-2004, 11:33 AM   #1
pauljtester
LQ Newbie
 
Registered: Apr 2004
Posts: 28

Rep: Reputation: 15
winbind samba user vs. group permission denied prob


I'm setting up Samba with security = domain to get my linux server to talk to the NT PDC. I can do a wbinfo -g and all those commands to get the expected (correct) results. I can change user/group ownership on the files on the Linux box to those users/groups defined in the PDC just fine. Winbind is working and all that jazz. I SHOULD NOT be required to add individual accounts on the linux box for those users who need write access - that was the point of creating the security=domain switch.

What I want to do is give all the users in my domain read access, but on top of that give specific users write access. So for the LSSNET share below, if I change the permissions on the folder to 775 and change the group to LSS_A+Domain Users, then everyone has write access (not good), unless I include the read list which "overrides any other samba permissions granted - as well as Unix permissions on the server system - to deny write access" Therefore I can't grant specific users access afterward because they are all part of the Domain Users group and the read list will override.

The other option, if I chown to 755, even adding specific users to the write list will not give them access because "write list overrides other Samba permissions to grant write access, but cannot grant write access if the user lacks write permissions for the file on the Unix system."

Is there no way then to have all users with read access, but only certain ones with write access?

##########Samba Config#############
[global]
workgroup = LSS_A
server string = Intranet Server
log file = /var/log/samba/%m.log
max log size = 500
security = domain
password server = lss_pdc bdc1 bdc2
encrypt passwords = yes
smb passwd file = /usr/local/samba/private/smbpasswd

####Winbind####

winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = no
winbind cache time = 20
winbind enum users = yes
winbind enum groups = yes

force create mode = 0775
force directory mode = 0775
read only = yes
veto oplock files = /*.cgi/
guest ok = no
browseable = no
writable = no

# Note: This line is added for security purposes. The following
# users should never have access to the Samba shares

invalid users = root,bin,daemon,adm,sync,shutdown,halt,mail,news,uucp,operator,gopher


[lssnet]
path = /www/lssnet
comment = Intranet Web Files
read list = 'LSS_A+Domain Users'
write list = LSS_A+pryan

This is a rather confusing issue, I hope the description was clear
Thanks in advance for any help.
PJT
 
Old 09-30-2004, 09:32 AM   #2
pauljtester
LQ Newbie
 
Registered: Apr 2004
Posts: 28

Original Poster
Rep: Reputation: 15
I think I figured it out...

Although it probably makes every sysadmin cringe to do so, you have to set the perms to 777 and the user and group owner of the file is a local account. In this way, you can use the switches set forth in Samba to control access of 'everyone else' (the last group of ------rwx). This means that you can use read list and write list to set different users defined on your PDC as being allowed to access the share or not.

I hope this helps others of you out there trying to implement security = domain.
Woot!
PJT
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
samba : access denied for some user in same NT group on a folder mtrento Linux - Networking 0 06-27-2005 10:01 AM
Winbind Samba - Access Denied Shares Wylz Linux - Software 3 10-06-2004 04:30 AM
Permission denied using a user? SLACKER Alinuxnoob Linux - Newbie 7 10-05-2004 11:20 AM
smb permission for (sub)user group mweil Linux - Networking 0 07-23-2004 07:59 AM
Samba + Winbind + Domain Users group wheeliemonster Linux - Networking 0 01-27-2004 09:56 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 03:33 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration