*nix Thread: Samba / Windows ACL mapping problem (Technical forum)
  1. #1

    Geoff (Fylde, Lancs, UK)

    Samba / Windows ACL mapping problem.

    I'm having fun trying to set up my ACLs here so that they do what I want. Currently I'm doing the ACLs for the staff area.

    The filesystem has EA/ACL support (it's jfs). The following samba global settings are enabled:

    Code:
    # Enable ACLs
    
      inherit permissions = yes
      inherit owner = yes
      map acl inherit = yes
      nt acl support = yes
      ea support = yes
      store dos attributes = yes
    The share is set up as follows:

    Code:
    [staff$]
       comment = Staff Share
       read only = no
       path = /home/staff
       guest ok = no
       hide unreadable = yes
       admin users = @"domain admins", administrator
       hide files = /*quota.*/
       veto files = /*.bat/*.cmd/*.com/*.exe/*.vbs/*.msi/*.pif/*.reg/
       vfs objects = default_quota
    I want the following setup:

    all_staff has read access to /home/staff (and is group owner) and r/w to /home/staff/* (and is group owner)
    <username> has r/w to /home/staff/<username> and owns the directory (for quotas)
    root,administrator and domain admins have full rights to /home/staff

    I concocted the following script to set the permissions:

    Code:
    cd /home/staff
    
    #*nix permissions
    chown administrator:all_staff .
    chmod 740 .
    # $9 is the name column of "ls -l" ($8 is the time column, so the chmod line as first posted never touched the directories)
    ls -l | grep "^d" | awk -F" " '{print "chown -v -R "tolower($9)" "$9}' | sh
    ls -l | grep "^d" | awk -F" " '{print "chgrp -v -R all_staff "$9}' | sh
    ls -l | grep "^d" | awk -F" " '{print "chmod -v -R 660 "$9}' | sh
    
    #Extended ACLs
    setfacl -R -b .
    setfacl -R -m u:administrator:rwx .
    setfacl -R -m g:"domain admins":rwx .
    setfacl -R -m u:root:rwx .
    However, when users browse their My Documents they cannot see their files. Inspecting the ACLs from Windows reveals that users have no delete or directory traversal rights. What have I missed?

  2. #2

    Ric_ (Boston, MA)
    Because Windows uses the x bit for directory traversal, don't you need to chmod to 670? I know you mentioned something in the chat about it breaking Samba security mind.

    Are you not able to stick full control for an admin on the folder and then alter the permissions from a Windows machine?

  3. #3

    Geoff (Fylde, Lancs, UK)
    Quote Originally Posted by Ric_:
        Because Windows uses the x bit for directory traversal, don't you need to chmod to 670? I know you mentioned something in the chat about it breaking Samba security mind.
    My understanding is that samba maps execute to full control?

    Quote Originally Posted by Ric_:
        Are you not able to stick full control for an admin on the folder and then alter the permissions from a Windows machine?
    No, any attempt to alter the permissions from the Windows side gets me a permission denied error. I have no idea why, as Administrator/Domain Admins are listed as having full control...

  4. #4


    (unnamed member, joined Jan 2006)
    Code:
    ls -l | grep "^d" | awk -F" " '{print "chmod -v -R 660 "$9}' | sh
    660 denies the user execute permission on the directory; does this then get inherited? Try 770.

  5. #5

    Geoff (Fylde, Lancs, UK)
    If I set execute permissions, as I explained above, it means they get full control and can start fiddling with the ACLs.

  6. #6


    (unnamed member, joined Jan 2006)
    I see, I figured the NT mapping was done to an ACL rather than the Unix rwx bits.

  7. #7

    Geoff (Fylde, Lancs, UK)
    I'm going to set:

    Code:
    acl map full control = no
    and see if that helps.

  8. #8

    (unnamed member, Gosport)
    The problem with not giving them the exec bit is that under UNIX systems permission to read the contents of a directory is granted by the exec bit for some reason, so no exec permission = can't read dir.
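Added example, not a script from the thread: a reworked version of the permission script from post #1 with the points raised in posts #4 and #8 folded in. Directories get 770 and files 660 (instead of chmod -R 660 on everything), because the x bit on a directory is the search bit that lets a user enter it and reach the files inside; the share root gets 750 rather than 740 for the same reason, since without x on /home/staff a staff member cannot even enter /home/staff/<username>. It walks the tree with find instead of parsing ls output, checks that an account exists before chown (the original's "| sh" carries on after a failure), and writes the admin ACL entries as default entries on every directory too, so files created later through the share inherit them. The account and group names are assumptions taken from the thread ("administrator", "all_staff", "domain admins"); pass your own as arguments.

```shell
#!/bin/sh
# Added example: corrected permission script for a Samba staff share.
# Assumed names (from the thread): admin user "administrator", staff group
# "all_staff", admin group "domain admins"; all can be overridden by argument.
#
# Order matters: ACLs are set first and chmod runs last, because chmod rewrites
# the ACL mask entry (the group bits you see in ls/stat once an extended ACL
# exists). Run it the other way round and "setfacl -m" recalculates the mask,
# which turns the visible group bits of every 660 file into rwx.

apply_staff_perms() {
    staff_root=$1
    admin=${2:-administrator}
    staff_group=${3:-all_staff}
    admin_group=${4:-"domain admins"}

    [ -d "$staff_root" ] || { printf 'not a directory: %s\n' "$staff_root" >&2; return 1; }

    # Extended ACLs: admin user, admin group and root get rwx everywhere, as
    # access entries on all files and as default (inherited) entries on directories.
    if command -v setfacl >/dev/null 2>&1; then
        setfacl -R -b "$staff_root" \
        && setfacl -R -m "u:$admin:rwx" -m "g:$admin_group:rwx" -m u:root:rwx "$staff_root" \
        && find "$staff_root" -type d -exec setfacl -d -m "u:$admin:rwx" -m "g:$admin_group:rwx" -m u:root:rwx {} + \
        || printf 'warning: extended ACLs not applied (no ACL support or insufficient privileges)\n' >&2
    else
        printf 'warning: setfacl not found, extended ACLs not applied\n' >&2
    fi

    # Share root: owned by the admin user; the staff group may list it and
    # enter it (r-x), but not create or delete entries in it.
    chown "$admin:$staff_group" "$staff_root"
    chmod 750 "$staff_root"

    # One directory per user, owned by the account whose name is the
    # directory name in lower case (the thread's tolower($9) convention).
    for dir in "$staff_root"/*/; do
        [ -d "$dir" ] || continue
        dir=${dir%/}
        name=${dir##*/}
        owner=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        if ! id "$owner" >/dev/null 2>&1; then
            printf 'skipping %s: no account named %s\n' "$dir" "$owner" >&2
            continue
        fi
        chown -R "$owner:$staff_group" "$dir"
        # directories need the search bit (770), files do not (660)
        find "$dir" -type d -exec chmod 770 {} +
        find "$dir" -type f -exec chmod 660 {} +
    done
}

# Usage with the thread's names:
#   apply_staff_perms /home/staff administrator all_staff "domain admins"
```

Run it as root on the real share; as an ordinary user it can only be exercised on a directory tree you own (chown to yourself is a no-op that Unix permits), which is enough to check the resulting mode bits. Whether the per-user directories then show up correctly through Samba still depends on how smbd maps the x bit, which is the open question in the thread.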


