problems with permissions

Samba - General mailing list
hi list,

environment:

Windows 2008 Domain

Centos 7 server running samba 4.4.4

Problem:

I am creating a number of samba shares on the Centos server to be used
on the Domain. Right now I have two major directories setup as shares
with minor directories being created.

How do I specify read/write permissions on the minor directories without
having to create a share for each directory?  When I specify a domain
group the centos server does not see the group.

The configuration now shows multiple shares but it does not preserve the
read only access in the minor shares.

Here is the config:

[global]
         workgroup = Accounting
         security = ADS
         realm = Accounting.edt.local
         log file = /var/log/samba/%m.log
         log level = 1
        # Default ID mapping configuration for local BUILTIN accounts
        # and groups on a domain member. The default (*) domain:
        # - must not overlap with any domain ID mapping configuration!
        # - must use a read-write-enabled back end, such as tdb.
        # - Adding just this is not enough
        # - You must set a DOMAIN backend configuration, see below
        idmap config * : backend = tdb
        idmap config * : range = 1000000-2000000
#
         username map = /usr/local/etc/samba/user.map

         winbind use default domain = yes

         passdb backend = tdbsam

         printing = cups
         printcap name = cups
         load printers = yes
         cups options = raw

[custinfo]
         path = /cui/admin/Customer Info
         comment = Mfg and Purchasing
         valid users = tiana bob carol jessica janet lynne
         read list = lynne janet jessica
         write list = tiana bob carol
         writable = yes
         browsable = yes

[custorders]

         path = /cui/admin/Customer Orders
         comment = Mfg and Purchasing
         valid users = tiana bob carol jessica janet lynne
         read list = lynne janet jessica
         write list = tiana bob carol
         writable = yes
         browsable = yes

[custdandb]

         path = /cui/admin/Customer credit reports (D&B)
         comment = Mfg and Purchasing
         valid users = tiana bob carol jessica janet lynne
         write list = lynne janet jessica
         read list = tiana bob carol
         writable = yes
         browsable = yes

[acctcui]
         path = /cui/acct
         comment = Accounting CUI Directories
         valid users = jlowry, lynne, janet, jessica
         browsable = yes
         read only = No

[admincui]
         path = /cui/admin
         comment = Accounting CUI Directories
         valid users = jlowry lynne janet jessica bob tiana cynthia jill thuylinh carol wendy tom
         browsable = yes
         read only = No


--

---------------------------------------------------------------------------
Jerold Lowry
Principal Network/Systems Engineer
Engineering Design Team (EDT), Inc. a HEICO company
3423 NW John Olsen Pl
Hillsboro, Oregon 97124 (U.S.A.)
Phone: 503-690-1234 / 800-435-4320
Fax: 503-690-1243
Web: _www.edt.com <http://www.edt.com/>_


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: problems with permissions

Samba - General mailing list
On Mon, 27 Nov 2017 12:14:44 -0800
Jerry Lowry via samba <[hidden email]> wrote:

> hi list,
>
> environment:
>
> Windows 2008 Domain
>
> Centos 7 server running samba 4.4.4
>
> Problem:
>
> I am creating a number of samba shares on the Centos server to be
> used on the Domain. Right now I have two major directories setup as
> shares with minor directories being created.
>
> How do I specify read/write permissions on the minor directories
> without having to create a share for each directory?  When I specify
> a domain group the centos server does not see the group.
>
> The configuration now shows multiple shares but it does not preserve
> the read only access in the minor shares.
>
> Here is the config:
>
> [global]
>          workgroup = Accounting
>          security = ADS
>          realm = Accounting.edt.local
>          log file = /var/log/samba/%m.log
>          log level = 1
>         # Default ID mapping configuration for local BUILTIN accounts
>         # and groups on a domain member. The default (*) domain:
>         # - must not overlap with any domain ID mapping configuration!
>         # - must use a read-write-enabled back end, such as tdb.
>         # - Adding just this is not enough
>         # - You must set a DOMAIN backend configuration, see below
>         idmap config * : backend = tdb
>         idmap config * : range = 1000000-2000000

Either:
A) you are using sssd, in which case you should ask on the sssd-users
mailing list, because sssd is doing the authentication.

Or

B) You totally missed this: '# - Adding just this is not enough' when
you cut and pasted it from the Samba wiki; you need to use the winbind
'rid' or 'ad' backend.

Rowland
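
Added example, not part of the original thread: a small Python check for the gap pointed out in the reply above, i.e. a domain member whose [global] section has only the default (*) idmap lines, plus the "must not overlap" rule from the quoted wiki comments. The sample text is constructed from the posted config; the 'rid' backend choice and the 10000-999999 range in FIXED are illustrative assumptions, and ACCOUNTING is taken from the posted workgroup line.

```python
import re

# Constructed input: the idmap-related [global] lines from the posted config.
POSTED = """[global]
    workgroup = Accounting
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 1000000-2000000
"""
# Assumed correction: backend and range values are illustrative.
FIXED = POSTED + """    idmap config ACCOUNTING : backend = rid
    idmap config ACCOUNTING : range = 10000-999999
"""

IDMAP = re.compile(r"idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)

def parse_global(text):
    """Collect plain options and per-domain idmap settings from [global]."""
    section, opts, idmap = None, {}, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global":
            m = IDMAP.match(line)
            if m:
                dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
                if key == "range":
                    val = tuple(int(n) for n in val.split("-"))
                idmap.setdefault(dom, {})[key] = val
            elif "=" in line:
                key, val = line.split("=", 1)
                opts[key.strip().lower()] = val.strip()
    return opts, idmap

def check_idmap(text):
    """Return a list of idmap problems for an AD domain member config."""
    opts, idmap = parse_global(text)
    if opts.get("security", "").lower() != "ads":
        return []
    wg = opts.get("workgroup", "").upper()
    dom, default = idmap.get(wg, {}), idmap.get("*", {})
    if "backend" not in dom or "range" not in dom:
        return [f"missing idmap backend/range for domain {wg}"]
    if "range" in default and dom["range"][0] <= default["range"][1] \
            and default["range"][0] <= dom["range"][1]:
        return [f"idmap range for {wg} overlaps the default (*) range"]
    return []
```
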


Re: problems with permissions

Samba - General mailing list
On Mon, 27 Nov 2017 14:05:36 -0800
Jerry Lowry <[hidden email]> wrote:

> Okay, I missed the "ad".  Got that fixed, but how do you reference
> subdirectories with groups when referencing the major shares.  So, to
> explain better hopefully. I would like to shares "acct" and "admin"
> with sub directories that have different group permissions than the
> major share.  The major share should allow read/write to everyone,
> the directories under these shares have finer granularity. Is that
> possible on the major shares?
>
>

In a way, you gave feedback on the wiki, so for that, thanks ;-)
I have made the lines on the wikipage bold, hopefully this will help in
future.

I don't think you can do what you are trying to do with POSIX ACLs, but
you may be able to do this with Windows ACLs, read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Set the ACLs on the share first, then on the directories beneath them.

Rowland


Re: problems with permissions

Samba - General mailing list
On Mon, 27 Nov 2017 14:57:30 -0800
Jerry Lowry <[hidden email]> wrote:

> Thanks for the reply,
>
> I forgot a bit of info, oops.  the users/groups are in the AD but the
> shares are held on the centos samba server. So setting windows ACL's
> is not going to work in this case.

And the centos samba server is a domain member, so the Windows ACLs
will work.

>
> After working through this problem and looking at what needs to be
> put in a share, I think it will be best suited to create the shares
> and drop the major share at the top.  This way the granularity will
> be consistent across the shares.
>
>
> thanks for the help!
>
> p.s !! kudos on the response time,  much better than what I get from
> other forums!!
>
