summaryrefslogtreecommitdiff
path: root/docs/Samba-HOWTO-Collection
diff options
context:
space:
mode:
Diffstat (limited to 'docs/Samba-HOWTO-Collection')
-rw-r--r--docs/Samba-HOWTO-Collection/TOSHARG-AccessControls.xml32
-rw-r--r--docs/Samba-HOWTO-Collection/TOSHARG-Group-Mapping.xml22
-rw-r--r--docs/Samba-HOWTO-Collection/index.xml3
3 files changed, 45 insertions, 12 deletions
diff --git a/docs/Samba-HOWTO-Collection/TOSHARG-AccessControls.xml b/docs/Samba-HOWTO-Collection/TOSHARG-AccessControls.xml
index 251cc32fcc..f074d2c140 100644
--- a/docs/Samba-HOWTO-Collection/TOSHARG-AccessControls.xml
+++ b/docs/Samba-HOWTO-Collection/TOSHARG-AccessControls.xml
@@ -352,10 +352,12 @@ drwsrwsrwx 2 maryo gnomes 48 2003-05-12 22:29 muchado08
An overview of the permissions field can be found in <link linkend="access1">Overview of UNIX permissions field</link>.
</para>
- <image id="access1"><imagedescription>Overview of UNIX permissions field.</imagedescription><imagefile scale="40">access1</imagefile></image>
+ <image id="access1"><imagedescription>Overview of UNIX permissions field.</imagedescription>
+ <imagefile scale="40">access1</imagefile></image>
<para>
- Any bit flag may be unset. An unset bit flag is the equivalent of <quote>cannot</quote> and is represented as a <quote>-</quote> character.
+ Any bit flag may be unset. An unset bit flag is the equivalent of <quote>cannot</quote> and is represented
+ as a <quote>-</quote> character.
<example>
<title>Example File</title>
@@ -373,9 +375,9 @@ drwsrwsrwx 2 maryo gnomes 48 2003-05-12 22:29 muchado08
</para>
<para>
- The letters <constant>rwxXst</constant> set permissions for the user, group and others as: read (r), write (w), execute (or access for directories) (x),
- execute only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s),
- sticky (t).
+ The letters <constant>rwxXst</constant> set permissions for the user, group and others as: read (r), write (w),
+ execute (or access for directories) (x), execute only if the file is a directory or already has execute
+ permission for some user (X), set user or group ID on execution (s), sticky (t).
</para>
<para>
@@ -406,11 +408,21 @@ drwsrwsrwx 2 maryo gnomes 48 2003-05-12 22:29 muchado08
For example, Windows NT/2K/XP provides the capacity to set access controls on a directory into which people can
write files but not delete them. It is possible to set an ACL on a Windows file that permits the file to be written to
but not deleted. Such concepts are foreign to the UNIX operating system file space. Within the UNIX file system
- anyone who has the ability to create a file can write to it, and has the capability to delete it. Of necessity, Samba
- is subject to the file system semantics of the host operating system. Samba is therefore limited in the file system
- capabilities that can be made available through Windows ACLs, and therefore performs a <quote>best fit</quote>
- translation to POSIX ACLs. Some UNIX file systems do however support a feature known as extended attributes. Only
- the Windows concept of <quote>inheritance</quote> is implemented by Samba through the appropriate extended attribute.
+ anyone who has the ability to create a file can write to it, and has the capability to delete it.
+ </para>
+
+ <para>
+ For the record, in the UNIX environment the ability to delete a file is controlled by the permissions on
+ the directory that the file is in. In other words, a user can delete a file in a directory to which that
+ user had write access, even if that user does not own the file.
+ </para>
+
+ <para>
+ Of necessity, Samba is subject to the file system semantics of the host operating system. Samba is therefore
+ limited in the file system capabilities that can be made available through Windows ACLs, and therefore performs
+ a <quote>best fit</quote> translation to POSIX ACLs. Some UNIX file systems do however support a feature known
+ as extended attributes. Only the Windows concept of <quote>inheritance</quote> is implemented by Samba through
+ the appropriate extended attribute.
</para>
<para>
diff --git a/docs/Samba-HOWTO-Collection/TOSHARG-Group-Mapping.xml b/docs/Samba-HOWTO-Collection/TOSHARG-Group-Mapping.xml
index 68459cf2f0..f9cb236bcc 100644
--- a/docs/Samba-HOWTO-Collection/TOSHARG-Group-Mapping.xml
+++ b/docs/Samba-HOWTO-Collection/TOSHARG-Group-Mapping.xml
@@ -69,7 +69,8 @@
<para>
<indexterm><primary>IDMAP</primary></indexterm>
In both cases, when winbindd is not running, only locally resolvable groups can be recognized. Please refer to
- <link linkend="idmap-sid2gid">IDMAP: group SID to GID resolution</link> and <link linkend="idmap-gid2sid">IDMAP: GID resolution to matching SID</link>.
+ <link linkend="idmap-sid2gid">IDMAP: group SID to GID resolution</link> and
+ <link linkend="idmap-gid2sid">IDMAP: GID resolution to matching SID</link>.
The <command>net groupmap</command> is
used to establish UNIX group to NT SID mappings as shown in <link linkend="idmap-store-gid2sid">IDMAP: storing group mappings</link>.
</para>
@@ -200,6 +201,25 @@
</para>
<sect2>
+ <title>Warning &smbmmdsh; User Private Group Problems</title>
+
+ <para>
+ Windows does not permit user and group accounts to have the same name.
+ This has serious implications for all sites that use private group accounts.
+ A private group account is an administrative practice whereby users are each
+ given their own group account. Red Hat Linux, as well as several free distributions
+ of Linux by default create private groups.
+ </para>
+
+ <para>
+ When mapping a UNIX/Linux group to a Windows group account all conflict can
+ be avoided by assuring that the Windows domain group name does not overlap
+ with any user account name.
+ </para>
+
+ </sect2>
+
+ <sect2>
<title>Important Administrative Information</title>
<para>
diff --git a/docs/Samba-HOWTO-Collection/index.xml b/docs/Samba-HOWTO-Collection/index.xml
index a95c6b21b7..7e788ab0d0 100644
--- a/docs/Samba-HOWTO-Collection/index.xml
+++ b/docs/Samba-HOWTO-Collection/index.xml
@@ -117,6 +117,7 @@ The chapters in this part each cover specific Samba features.
<xi:include href="TOSHARG-Backup.xml"/>
<xi:include href="TOSHARG-HighAvailability.xml"/>
<xi:include href="TOSHARG-LargeFile.xml"/>
+ <!-- <xi:include href="TOSHARG-SecureLDAP.xml"/> -->
</part>
@@ -149,7 +150,7 @@ The chapters in this part each cover specific Samba features.
<!-- Comment out the following line to include the manpages.
*Please* do not commit with the line below enabled! -->
- <!--<xi:include href="manpages.xml"/>-->
+ <!-- <xi:include href="manpages.xml"/> -->
<xi:include href="http://www.gnu.org/licenses/gpl.xml"/>
<xi:include href="TOSHARG-glossary.xml"/>