[Samba] problems with Windows ACL - Samba


Thread: [Samba] problems with Windows ACL

  1. [Samba] problems with Windows ACL

    Hi,

    I have set up samba with ACL Support.
    I have set up Groups and users:


    #net groupmap list

    Domain Admins (S-1-5-21-3027381482-3940328739-3509331320-512) -> ntadmin
    Domain Guests (S-1-5-21-3027381482-3940328739-3509331320-514) -> nobody
    Domain Users (S-1-5-21-3027381482-3940328739-3509331320-513) -> users


    #pdbedit -L -v sambasven

    Unix username: sambasven
    NT username:
    Account Flags: [U ]
    User SID: S-1-5-21-3027381482-3940328739-3509331320-3004
    Primary Group SID: S-1-5-21-3027381482-3940328739-3509331320-513
    Full Name:
    Home Directory: \\asw-server\sambasven
    HomeDir Drive: K:
    Logon Script: logon.bat
    Profile Path: \\asw-server\profiles\.msprofile
    Domain: ASW.LOCAL
    Account desc:
    Workstations:
    Munged dial:
    Logon time: 0
    Logoff time: Di, 19 Jan 2038 04:14:07 CET
    Kickoff time: Di, 19 Jan 2038 04:14:07 CET
    Password last set: Do, 03 Jan 2008 10:58:29 CET
    Password can change: Do, 03 Jan 2008 10:58:29 CET
    Password must change: Di, 19 Jan 2038 04:14:07 CET
    Last bad password : 0
    Bad password count : 0
    Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF


    # pdbedit -L -v nicos

    Unix username: nicos
    NT username:
    Account Flags: [U ]
    User SID: S-1-5-21-3027381482-3940328739-3509331320-3000
    Primary Group SID: S-1-5-21-3027381482-3940328739-3509331320-513
    Full Name: nicos,,,
    Home Directory: \\asw-server\nicos
    HomeDir Drive: K:
    Logon Script: logon.bat
    Profile Path: \\asw-server\profiles\.msprofile
    Domain: ASTERISK
    Account desc:
    Workstations:
    Munged dial:
    Logon time: 0
    Logoff time: Di, 19 Jan 2038 04:14:07 CET
    Kickoff time: Di, 19 Jan 2038 04:14:07 CET
    Password last set: Do, 03 Jan 2008 10:16:01 CET
    Password can change: Do, 03 Jan 2008 10:16:01 CET
    Password must change: Di, 19 Jan 2038 04:14:07 CET
    Last bad password : 0
    Bad password count : 0
    Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    asterisk:~#



    I have setup a samba share:

    [daten]
    comment = Dateiverzeichnis
    path = /mnt/sdc1/daten
    readonly=no
    create mask = 0770
    directory mask = 0770





    Now user nicos is creating a file on the share.
    The ACL looks as expected:


    # file: mnt/sdc1/daten/nicos.txt
    # owner: nicos
    # group: users
    user::rwx
    group::rw-
    other::---


    Now I do not want user "sambasven" to delete the file, so I change the acl
    to:



    # file: mnt/sdc1/daten/nicos.txt
    # owner: nicos
    # group: users
    user::rwx
    group::---
    other::---



    Now user "sambasven" can open the file but cannot save the file.
    But the problem is he can delete the file.

    Does anybody have an idea?

    I am thankful for any help.


    Sven

  2. Re: [Samba] problems with Windows ACL

    Sven Neukirchner wrote:

    >
    >
    >
    > Now user nicos is creating a file on the share.
    > The ACL looks as expected:
    >
    >
    > # file: mnt/sdc1/daten/nicos.txt
    > # owner: nicos
    > # group: users
    > user::rwx
    > group::rw-
    > other::---
    >
    >
    > Now I do not want user "sambasven" to delete the file, so I change the acl
    > to:
    >
    >
    >
    > # file: mnt/sdc1/daten/nicos.txt
    > # owner: nicos
    > # group: users
    > user::rwx
    > group::---
    > other::---
    >
    >
    >
    > Now user "sambasven" can open the file but cannot save the file.
    > But the problem is he can delete the file.
    >
    > Does anybody have an idea?
    >


    Just a shot in the dark:

    Can sambasven write into /mnt/sdc1/daten?
    Then he can delete nicos.txt, of course. If you can write to a directory,
    you can also delete files inside the directory, no matter what the rights
    on the file are.

    greets

    Knut
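
The rule from the reply above, as an added example that is not part of the original thread: a small model of the POSIX unlink() permission check for an unprivileged user, using only the base ACL entries (owner/group/other) shown in the post. The uid/gid numbers and the root:users ownership and 0770 mode of /mnt/sdc1/daten are assumptions; the sticky (restricted deletion) bit is included because it is the standard directory setting that limits deletion to the file's owner.

```python
import stat
from collections import namedtuple

# Constructed sample data: uid/gid numbers and the directory owner/mode are assumptions.
Inode = namedtuple("Inode", "uid gid mode")
User = namedtuple("User", "uid gids")

NICOS = User(uid=1000, gids={100})        # member of "users" (gid 100, assumed)
SAMBASVEN = User(uid=1001, gids={100})    # member of "users" as well

# nicos.txt after the change in the post: user::rwx group::--- other::---
NICOS_TXT = Inode(uid=1000, gid=100, mode=0o700)

DATEN = Inode(uid=0, gid=100, mode=0o770)          # group-writable share directory
DATEN_STICKY = Inode(uid=0, gid=100, mode=0o1770)  # same, after chmod +t
DATEN_RO = Inode(uid=0, gid=100, mode=0o750)       # group may list but not modify


def class_bits(user, inode):
    """Return the rwx bits of the one class that applies: owner, else group, else other."""
    if user.uid == inode.uid:
        return (inode.mode >> 6) & 0o7
    if inode.gid in user.gids:
        return (inode.mode >> 3) & 0o7
    return inode.mode & 0o7


def can_write(user, entry):
    """Modifying the file's contents is decided by the file's own mode."""
    return bool(class_bits(user, entry) & 0o2)


def can_delete(user, directory, entry):
    """Removing a directory entry is decided by the directory, not by the file's mode."""
    if class_bits(user, directory) & 0o3 != 0o3:   # need write (2) and search (1)
        return False
    if directory.mode & stat.S_ISVTX:              # sticky bit: owners only
        return user.uid in (entry.uid, directory.uid)
    return True


if __name__ == "__main__":
    for name, d in (("0770", DATEN), ("1770", DATEN_STICKY), ("0750", DATEN_RO)):
        print(name, "sambasven delete:", can_delete(SAMBASVEN, d, NICOS_TXT),
              "| nicos delete:", can_delete(NICOS, d, NICOS_TXT))
```

The model ignores root and capability overrides as well as extended ACL entries (named users, named groups, mask), none of which appear in the ACL listings in the post.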
