Diffstat (limited to 'docs/docbook/projdoc/NT_Security.sgml')
-rw-r--r-- docs/docbook/projdoc/NT_Security.sgml 58
1 files changed, 25 insertions, 33 deletions
diff --git a/docs/docbook/projdoc/NT_Security.sgml b/docs/docbook/projdoc/NT_Security.sgml
index 2843331519..c5e3b9b9f9 100644
--- a/docs/docbook/projdoc/NT_Security.sgml
+++ b/docs/docbook/projdoc/NT_Security.sgml
@@ -1,5 +1,4 @@
<chapter id="unix-permissions">
-
<chapterinfo>
<author>
<firstname>Jeremy</firstname><surname>Allison</surname>
@@ -10,39 +9,44 @@
</address>
</affiliation>
</author>
-
-
<pubdate>12 Apr 1999</pubdate>
</chapterinfo>
-
<title>UNIX Permission Bits and Windows NT Access Control Lists</title>
<sect1>
<title>Viewing and changing UNIX permissions using the NT
security dialogs</title>
-
- <para>New in the Samba 2.0.4 release is the ability for Windows
- NT clients to use their native security settings dialog box to
- view and modify the underlying UNIX permissions.</para>
+ <para>Windows NT clients can use their native security settings
+ dialog box to view and modify the underlying UNIX permissions.</para>
<para>Note that this ability is careful not to compromise
the security of the UNIX host Samba is running on, and
still obeys all the file permission rules that a Samba
administrator can set.</para>
+
+ <note>
+ <para>
+ All access to Unix/Linux system file via Samba is controlled at
+ the operating system file access control level. When trying to
+ figure out file access problems it is vitally important to identify
+ the identity of the Windows user as it is presented by Samba at
+ the point of file access. This can best be determined from the
+ Samba log files.
+ </para>
+ </note>
</sect1>
<sect1>
<title>How to view file security on a Samba share</title>
- <para>From an NT 4.0 client, single-click with the right
+ <para>From an NT4/2000/XP client, single-click with the right
mouse button on any file or directory in a Samba mounted
drive letter or UNC path. When the menu pops-up, click
on the <emphasis>Properties</emphasis> entry at the bottom of
- the menu. This brings up the normal file properties dialog
- box, but with Samba 2.0.4 this will have a new tab along the top
- marked <emphasis>Security</emphasis>. Click on this tab and you
+ the menu. This brings up the file properties dialog
+ box. Click on the tab <emphasis>Security</emphasis> and you
will see three buttons, <emphasis>Permissions</emphasis>,
<emphasis>Auditing</emphasis>, and <emphasis>Ownership</emphasis>.
The <emphasis>Auditing</emphasis> button will cause either
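Review bot: The added <note> has wording problems that should be fixed before merge: "All access to Unix/Linux system file via Samba" should read "system files", and "identify the identity of the Windows user" is redundant (suggest "establish the identity of the Windows user as Samba presents it at the point of file access"). The note also writes "Unix/Linux" where the rest of the chapter uses "UNIX". Since it sends the reader to the Samba log files for this, it would help to say what to look for there, because as written the advice gives an administrator no starting point.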
@@ -89,7 +93,7 @@
<para>There is an NT chown command that will work with Samba
and allow a user with Administrator privilege connected
- to a Samba 2.0.4 server as root to change the ownership of
+ to a Samba server as root to change the ownership of
files on both a local NTFS filesystem or remote mounted NTFS
or Samba drive. This is available as part of the <emphasis>Seclib
</emphasis> NT security library written by Jeremy Allison of
@@ -193,7 +197,7 @@
</command> message.</para>
<para>The first thing to note is that the <command>"Add"</command>
- button will not return a list of users in Samba 2.0.4 (it will give
+ button will not return a list of users in Samba (it will give
an error message of <command>"The remote procedure call failed
and did not execute"</command>). This means that you can only
manipulate the current user/group/world permissions listed in
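Review bot: Dropping "2.0.4" from the "Add" button sentence turns a version-specific limitation into a statement about every Samba release. If the button still fails with "The remote procedure call failed and did not execute" in the release this chapter now documents, say so explicitly; if it does not, the paragraph needs updating rather than de-versioning, since readers will otherwise assume ACL entries can never be added through the dialog.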
@@ -233,8 +237,9 @@
<title>Interaction with the standard Samba create mask
parameters</title>
- <para>Note that with Samba 2.0.5 there are four new parameters
- to control this interaction. These are :</para>
+ <para>There are four parameters
+ to control interaction with the standard Samba create mask parameters.
+ These are :</para>
<para><parameter>security mask</parameter></para>
<para><parameter>force security mode</parameter></para>
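Review bot: The rewritten opening paragraph repeats the section title ("to control interaction with the standard Samba create mask parameters") without saying what interacts with those parameters. The following text is about permission changes a user makes on a file, so name that subject here, for example "four parameters control how permission changes made from the NT security dialog interact with the create mask parameters". The stray space in "These are :" could be removed at the same time.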
@@ -256,9 +261,8 @@
<para>If not set explicitly this parameter is set to the same value as
the <ulink url="smb.conf.5.html#CREATEMASK"><parameter>create mask
- </parameter></ulink> parameter to provide compatibility with Samba 2.0.4
- where this permission change facility was introduced. To allow a user to
- modify all the user/group/world permissions on a file, set this parameter
+ </parameter></ulink> parameter. To allow a user to modify all the
+ user/group/world permissions on a file, set this parameter
to 0777.</para>
<para>Next Samba checks the changed permissions for a file against
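Review bot: With the compatibility rationale removed, "If not set explicitly this parameter is set to the same value as the create mask parameter" no longer explains why the default is coupled to another parameter, and the security consequence is easy to miss. Suggest adding a sentence stating that, unless this parameter is set explicitly, changing create mask also changes which permission bits a user is allowed to modify. The same point applies to the force create mode and directory defaults edited in the next two hunks.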
@@ -273,8 +277,7 @@
<para>If not set explicitly this parameter is set to the same value
as the <ulink url="smb.conf.5.html#FORCECREATEMODE"><parameter>force
- create mode</parameter></ulink> parameter to provide compatibility
- with Samba 2.0.4 where the permission change facility was introduced.
+ create mode</parameter></ulink> parameter.
To allow a user to modify all the user/group/world permissions on a file
with no restrictions set this parameter to 000.</para>
@@ -293,9 +296,7 @@
by default is set to the same value as the <parameter>directory mask
</parameter> parameter and the <parameter>force directory security
mode</parameter> parameter by default is set to the same value as
- the <parameter>force directory mode</parameter> parameter to provide
- compatibility with Samba 2.0.4 where the permission change facility
- was introduced.</para>
+ the <parameter>force directory mode</parameter> parameter. </para>
<para>In this way Samba enforces the permission restrictions that
an administrator can set on a Samba share, whilst still allowing users
@@ -311,15 +312,6 @@
<para><parameter>force security mode = 0</parameter></para>
<para><parameter>directory security mask = 0777</parameter></para>
<para><parameter>force directory security mode = 0</parameter></para>
-
- <para>As described, in Samba 2.0.4 the parameters :</para>
-
- <para><parameter>create mask</parameter></para>
- <para><parameter>force create mode</parameter></para>
- <para><parameter>directory mask</parameter></para>
- <para><parameter>force directory mode</parameter></para>
-
- <para>were used instead of the parameters discussed here.</para>
</sect1>
<sect1>