From fec4b31bc1a76e408732e1a80b366d97fcf38143 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 10 Oct 2003 16:46:22 +0000 Subject: removing docs tree from 3.0 (This used to be commit 0a3eb5574c91685ab07436c67b031266fb329693) --- docs/docbook/projdoc/AccessControls.xml | 1309 ------------------------------- 1 file changed, 1309 deletions(-) delete mode 100644 docs/docbook/projdoc/AccessControls.xml (limited to 'docs/docbook/projdoc/AccessControls.xml') diff --git a/docs/docbook/projdoc/AccessControls.xml b/docs/docbook/projdoc/AccessControls.xml deleted file mode 100644 index 2badb82810..0000000000 --- a/docs/docbook/projdoc/AccessControls.xml +++ /dev/null 
@@ -1,1309 +0,0 @@ - - - &author.jht; - &author.jeremy; - &person.jelmer;drawing - May 10, 2003 - -File, Directory and Share Access Controls - - -ACLs -Advanced MS Windows users are frequently perplexed when file, directory and share manipulation of -resources shared via Samba do not behave in the manner they might expect. MS Windows network -administrators are often confused regarding network access controls and how to -provide users with the access they need while protecting resources from unauthorized access. - - - -Many UNIX administrators are unfamiliar with the MS Windows environment and in particular -have difficulty in visualizing what the MS Windows user wishes to achieve in attempts to set file -and directory access permissions. - - - -The problem lies in the differences in how file and directory permissions and controls work -between the two environments. This difference is one that Samba cannot completely hide, even -though it does try to bridge the chasm to a degree. - - - -Extended Attributes -ACLsPOSIX - -POSIX Access Control List technology has been available (along with Extended Attributes) -for UNIX for many years, yet there is little evidence today of any significant use. This -explains to some extent the slow adoption of ACLs into commercial Linux products. MS Windows -administrators are astounded at this, given that ACLs were a foundational capability of the now -decade-old MS Windows NT operating system. - - - -The purpose of this chapter is to present each of the points of control that are possible with -Samba-3 in the hope that this will help the network administrator to find the optimum method -for delivering the best environment for MS Windows desktop users. - - - -This is an opportune point to mention that Samba was created to provide a means of interoperability -and interchange of data between differing operating environments. Samba has no intent to change -UNIX/Linux into a platform like MS Windows. 
Instead the purpose was and is to provide a sufficient -level of exchange of data between the two environments. What is available today extends well -beyond early plans and expectations, yet the gap continues to shrink. - - - -Features and Benefits - - - Samba offers a lot of flexibility in file system access management. These are the key access control - facilities present in Samba today: - - - - Samba Access Control Facilities - - permissionsUNIX file and directory - UNIX File and Directory Permissions - - - - Samba honors and implements UNIX file system access controls. Users - who access a Samba server will do so as a particular MS Windows user. - This information is passed to the Samba server as part of the logon or - connection setup process. Samba uses this user identity to validate - whether or not the user should be given access to file system resources - (files and directories). This chapter provides an overview for those - to whom the UNIX permissions and controls are a little strange or unknown. - - - - - Samba Share Definitions - - - - In configuring share settings and controls in the &smb.conf; file, - the network administrator can exercise overrides to native file - system permissions and behaviors. This can be handy and convenient - to effect behavior that is more like what MS Windows NT users expect - but it is seldom the best way to achieve this. - The basic options and techniques are described herein. - - - - - Samba Share ACLs - ACLsshare - - - - Just like it is possible in MS Windows NT to set ACLs on shares - themselves, so it is possible to do this in Samba. - Few people make use of this facility, yet it remains on of the - easiest ways to affect access controls (restrictions) and can often - do so with minimum invasiveness compared with other methods. - - - - - ACLsPOSIX - ACLsWindows - MS Windows ACLs through UNIX POSIX ACLs - - - - The use of POSIX ACLs on UNIX/Linux is possible only if the underlying - operating system supports them. 
If not, then this option will not be - available to you. Current UNIX technology platforms have native support - for POSIX ACLs. There are patches for the Linux kernel that also provide - this. Sadly, few Linux platforms ship today with native ACLs and - Extended Attributes enabled. This chapter has pertinent information - for users of platforms that support them. - - - - - - - -File System Access Controls - - -Perhaps the most important recognition to be made is the simple fact that MS Windows NT4/200x/XP -implement a totally divergent file system technology from what is provided in the UNIX operating system -environment. First we consider what the most significant differences are, then we look -at how Samba helps to bridge the differences. - - - - MS Windows NTFS Comparison with UNIX File Systems - - -NTFS -File System -File SystemUNIX -File SystemWindows - - Samba operates on top of the UNIX file system. This means it is subject to UNIX file system conventions - and permissions. It also means that if the MS Windows networking environment requires file system - behavior that differs from UNIX file system behavior then somehow Samba is responsible for emulating - that in a transparent and consistent manner. - - - - It is good news that Samba does this to a large extent and on top of that provides a high degree - of optional configuration to override the default behavior. We look at some of these over-rides, - but for the greater part we will stay within the bounds of default behavior. Those wishing to explore - the depths of control ability should review the &smb.conf; man page. - - - The following compares file system features for UNIX with those of Microsoft Windows NT/200x: - File Systemfeature comparison - - - - - - Name Space - - - MS Windows NT4/200x/XP files names may be up to 254 characters long, and UNIX file names - may be 1023 characters long. 
In MS Windows, file extensions indicate particular file types, - in UNIX this is not so rigorously observed as all names are considered arbitrary. - - - What MS Windows calls a folder, UNIX calls a directory. - - - - - - Case Sensitivity - - - 8.3 file names - File Systemcase sensitivity - MS Windows file names are generally upper case if made up of 8.3 (8 character file name - and 3 character extension. File names that are longer than 8.3 are case preserving and case - insensitive. - - - - UNIX file and directory names are case sensitive and case preserving. Samba implements the - MS Windows file name behavior, but it does so as a user application. The UNIX file system - provides no mechanism to perform case insensitive file name lookups. MS Windows does this - by default. This means that Samba has to carry the processing overhead to provide features - that are not native to the UNIX operating system environment. - - - Consider the following. All are unique UNIX names but one single MS Windows file name: - - MYFILE.TXT - MyFile.txt - myfile.txt - - - - So clearly, in an MS Windows file name space these three files cannot co-exist, but in UNIX - they can. - - - So what should Samba do if all three are present? That which is lexically first will be - accessible to MS Windows users, the others are invisible and unaccessible &smbmdash; any - other solution would be suicidal. - - - - - - Directory Separators - - - - Directory Separators - MS Windows and DOS uses the backslash \ as a directory delimiter, and UNIX uses - the forward-slash / as its directory delimiter. This is handled transparently by Samba. - - - - - - Drive Identification - - - Drive Identification - MS Windows products support a notion of drive letters, like C: to represent - disk partitions. UNIX has no concept of separate identifiers for file partitions, each - such file system is mounted to become part of the overall directory tree. 
- The UNIX directory tree begins at / just like the root of a DOS drive is specified as - C:\. - - - - - - File Naming Conventions - - - File Naming Conventions - MS Windows generally never experiences file names that begin with a dot (.) while in UNIX these - are commonly found in a user's home directory. Files that begin with a dot (.) are typically - either start-up files for various UNIX applications, or they may be files that contain - start-up configuration data. - - - - - - Links and Short-Cuts - - - Linkshard - Linkssoft - Short-Cuts - MS Windows make use of links and short-cuts that are actually special types of files that will - redirect an attempt to execute the file to the real location of the file. UNIX knows of file and directory - links, but they are entirely different from what MS Windows users are used to. - - - Symbolic links are files in UNIX that contain the actual location of the data (file or directory). An - operation (like read or write) will operate directly on the file referenced. Symbolic links are also - referred to as soft links. A hard link is something that MS Windows is not familiar with. It allows - one physical file to be known simultaneously by more than one file name. - - - - - - - There are many other subtle differences that may cause the MS Windows administrator some temporary discomfort - in the process of becoming familiar with UNIX/Linux. These are best left for a text that is dedicated to the - purpose of UNIX/Linux training and education. - - - - - - Managing Directories - - - There are three basic operations for managing directories: create, delete, rename. - - Managing Directories with UNIX and Windows - - - ActionMS Windows CommandUNIX Command - - - - createmd foldermkdir folder - deleterd folderrmdir folder - renamerename oldname newnamemv oldname newname - - -
-
- -
- - - File and Directory Access Control - - - - ACLsFile System - The network administrator is strongly advised to read foundational training manuals and reference materials - regarding file and directory permissions maintenance. Much can be achieved with the basic UNIX permissions - without having to resort to more complex facilities like POSIX Access Control Lists (ACLs) or Extended - Attributes (EAs). - - - - UNIX/Linux file and directory access permissions involves setting three primary sets of data and one control set. - A UNIX file listing looks as follows: - -&prompt;ls -la -total 632 -drwxr-xr-x 13 maryo gnomes 816 2003-05-12 22:56 . -drwxrwxr-x 37 maryo gnomes 3800 2003-05-12 22:29 .. -dr-xr-xr-x 2 maryo gnomes 48 2003-05-12 22:29 muchado02 -drwxrwxrwx 2 maryo gnomes 48 2003-05-12 22:29 muchado03 -drw-rw-rw- 2 maryo gnomes 48 2003-05-12 22:29 muchado04 -d-w--w--w- 2 maryo gnomes 48 2003-05-12 22:29 muchado05 -dr--r--r-- 2 maryo gnomes 48 2003-05-12 22:29 muchado06 -drwsrwsrwx 2 maryo gnomes 48 2003-05-12 22:29 muchado08 ----------- 1 maryo gnomes 1242 2003-05-12 22:31 mydata00.lst ---w--w--w- 1 maryo gnomes 7754 2003-05-12 22:33 mydata02.lst --r--r--r-- 1 maryo gnomes 21017 2003-05-12 22:32 mydata04.lst --rw-rw-rw- 1 maryo gnomes 41105 2003-05-12 22:32 mydata06.lst -&prompt; - - - - - The columns above represent (from left to right): permissions, number of hard links to file, owner, group, size (bytes), access date, access time, file name. - - - - An overview of the permissions field can be found in the image below. - - - Overview of UNIX permissions field.access1 - - - Any bit flag may be unset. An unset bit flag is the equivalent of cannot and is represented as a - character. - - - Example File - - -rwxr-x--- Means: The owner (user) can read, write, execute - the group can read and execute - everyone else cannot do anything with it. 
- - - - - - - Additional possibilities in the [type] field are: c = character device, b = block device, p = pipe device, s = UNIX Domain Socket. - - - - The letters rwxXst set permissions for the user, group and others as: read (r), write (w), execute (or access for directories) (x), - execute only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s), - sticky (t). - - - - When the sticky bit is set on a directory, files in that directory may be unlinked (deleted) or renamed only by root or their owner. - Without the sticky bit, anyone able to write to the directory can delete or rename files. The sticky bit is commonly found on - directories, such as /tmp, that are world-writable. - - - - When the set user or group ID bit (s) is set on a directory, then all files created within it will be owned by the user and/or - group whose `set user or group' bit is set. This can be helpful in setting up directories for which it is desired that - all users who are in a group should be able to write to and read from a file, particularly when it is undesirable for that file - to be exclusively owned by a user whose primary group is not the group that all such users belong to. - - - - When a directory is set drw-r----- this means that the owner can read and create (write) files in it, but because - the (x) execute flags are not set, files cannot be listed (seen) in the directory by anyone. The group can read files in the - directory but cannot create new files. If files in the directory are set to be readable and writable for the group, then - group members will be able to write to (or delete) them. - - - - -
- - -Share Definition Access Controls - - - -permissionsshare -The following parameters in the &smb.conf; file sections define a share control or effect access controls. -Before using any of the following options, please refer to the man page for &smb.conf;. - - - - User and Group-Based Controls - - - User and group-based controls can prove quite useful. In some situations it is distinctly desirable to affect all - file system operations as if a single user were doing so. The use of the force user and - force group behavior will achieve this. In other situations it may be necessary to effect a - paranoia level of control to ensure that only particular authorized persons will be able to access a share or - its contents. Here the use of the valid users or the - invalid users may be most useful. - - - - As always, it is highly advisable to use the least difficult to maintain and the least ambiguous method for - controlling access. Remember, when you leave the scene someone else will need to provide assistance and - if he finds too great a mess or does not understand what you have done, there is risk of - Samba being removed and an alternative solution being adopted. - - - - The table below enumerates these controls. - - - User and Group Based Controls - - - - - - Control Parameter - Description - Action - Notes - - - - - admin users - - List of users who will be granted administrative privileges on the share. - They will do all file operations as the super-user (root). - Any user in this list will be able to do anything they like on the share, - irrespective of file permissions. - - - - force group - - Specifies a UNIX group name that will be assigned as the default primary group - for all users connecting to this service. - - - - force user - - Specifies a UNIX user name that will be assigned as the default user for all users connecting to this service. - This is useful for sharing files. Incorrect use can cause security problems. 
- - - - guest ok - - If this parameter is set for a service, then no password is required to connect to the service. Privileges will be - those of the guest account. - - - - invalid users - - List of users that should not be allowed to login to this service. - - - - only user - - Controls whether connections with usernames not in the user list will be allowed. - - - - read list - - List of users that are given read-only access to a service. Users in this list - will not be given write access, no matter what the read only option is set to. - - - - username - - Refer to the &smb.conf; man page for more information -- this is a complex and potentially misused parameter. - - - - valid users - - List of users that should be allowed to login to this service. - - - - write list - - List of users that are given read-write access to a service. - - - - -
- -
- - - File and Directory Permissions-Based Controls - - - The following file and directory permission-based controls, if misused, can result in considerable difficulty to - diagnose causes of misconfiguration. Use them sparingly and carefully. By gradually introducing each one by one, - undesirable side effects may be detected. In the event of a problem, always comment all of them out and then gradually - reintroduce them in a controlled way. - - - - Refer to the table below for information regarding the parameters that may be used to affect file and - directory permission-based access controls. - - - File and Directory Permission Based Controls - - - - - - Control Parameter - Description - Action - Notes - - - - - create mask - - Refer to the &smb.conf; man page. - - - - directory mask - - The octal modes used when converting DOS modes to UNIX modes when creating UNIX directories. - See also: directory security mask. - - - dos filemode - - Enabling this parameter allows a user who has write access to the file to modify the permissions on it. - - - - force create mode - - This parameter specifies a set of UNIX mode bit permissions that will always be set on a file created by Samba. - - - - force directory mode - - This parameter specifies a set of UNIX mode bit permissions that will always be set on a directory created by Samba. - - - - force directory security mode - - Controls UNIX permission bits modified when a Windows NT client is manipulating UNIX permissions on a directory. - - - - force security mode - - Controls UNIX permission bits modified when a Windows NT client manipulates UNIX permissions. - - - - hide unreadable - - Prevents clients from seeing the existence of files that cannot be read. - - - - hide unwriteable files - - Prevents clients from seeing the existence of files that cannot be written to. Unwriteable directories are shown as usual. 
- - - - nt acl support - - This parameter controls whether smbd will attempt to map UNIX permissions into Windows NT access control lists. - - - - security mask - - Controls UNIX permission bits modified when a Windows NT client is manipulating the UNIX permissions on a file. - - - - -
- -
- - - Miscellaneous Controls - - - The following are documented because of the prevalence of administrators creating inadvertent barriers to file - access by not understanding the full implications of &smb.conf; file settings. See the table below. - - - Other Controls - - - - - - Control Parameter - Description - Action - Notes - - - - - case sensitive, default case, short preserve case - - This means that all file name lookup will be done in a case sensitive manner. - Files will be created with the precise file name Samba received from the MS Windows client. - - - - csc policy - - Client Side Caching Policy - parallels MS Windows client side file caching capabilities. - - - - dont descend - - Allows specifying a comma-delimited list of directories that the server should always show as empty. - - - - dos filetime resolution - - This option is mainly used as a compatibility option for Visual C++ when used against Samba shares. - - - - dos filetimes - - DOS and Windows allow users to change file time stamps if they can write to the file. POSIX semantics prevent this. - This option allows DOS and Windows behavior. - - - - fake oplocks - - Oplocks are the way that SMB clients get permission from a server to locally cache file operations. If a server grants an - oplock, the client is free to assume that it is the only one accessing the file and it will aggressively cache file data. - - - - hide dot files, hide files, veto files - - Note: MS Windows Explorer allows over-ride of files marked as hidden so they will still be visible. - - - - read only - - If this parameter is yes, then users of a service may not create or modify files in the service's directory. - - - - veto files - - List of files and directories that are neither visible nor accessible. - - - - -
- -
- -
- - -Access Controls on Shares - - - -permissionsshare ACLs - This section deals with how to configure Samba per share access control restrictions. - By default, Samba sets no restrictions on the share itself. Restrictions on the share itself - can be set on MS Windows NT4/200x/XP shares. This can be an effective way to limit who can - connect to a share. In the absence of specific restrictions the default setting is to allow - the global user Everyone - Full Control (full control, change and read). - - - - At this time Samba does not provide a tool for configuring access control setting on the share - itself. Samba does have the capacity to store and act on access control settings, but the only - way to create those settings is to use either the NT4 Server Manager or the Windows 200x MMC for - Computer Management. - - - - Samba stores the per share access control settings in a file called share_info.tdb. - The location of this file on your system will depend on how Samba was compiled. The default location - for Samba's tdb files is under /usr/local/samba/var. If the tdbdump - utility has been compiled and installed on your system, then you can examine the contents of this file - by executing: tdbdump share_info.tdb in the directory containing the tdb files. - - - - Share Permissions Management - - - The best tool for the task is platform dependant. Choose the best tool for your environment. - - - - Windows NT4 Workstation/Server - - The tool you need to use to manage share permissions on a Samba server is the NT Server Manager. - Server Manager is shipped with Windows NT4 Server products but not with Windows NT4 Workstation. - You can obtain the NT Server Manager for MS Windows NT4 Workstation from Microsoft &smbmdash; see details below. - - - - - - Instructions - - Launch the NT4 Server Manager, click on the Samba server you want to administer. From the menu - select Computer, then click on Shared Directories. 
- - - - Click on the share that you wish to manage, then click the Properties tab. then click - the Permissions tab. Now you can add or change access control settings as you wish. - - - - - - - Windows 200x/XP - - - On MS Windows NT4/200x/XP system access control lists on the share itself are set using native - tools, usually from File Manager. For example, in Windows 200x, right click on the shared folder, - then select Sharing, then click on Permissions. The default - Windows NT4/200x permission allows Everyone full control on the share. - - - - MS Windows 200x and later versions come with a tool called the Computer Management snap-in for the - Microsoft Management Console (MMC). This tool is located by clicking on Control Panel -> - Administrative Tools -> Computer Management. - - - - Instructions - - After launching the MMC with the Computer Management snap-in, click the menu item Action, - and select Connect to another computer. If you are not logged onto a domain you will be prompted - to enter a domain login user identifier and a password. This will authenticate you to the domain. - If you are already logged in with administrative privilege, this step is not offered. - - - - If the Samba server is not shown in the Select Computer box, type in the name of the target - Samba server in the field Name:. Now click the on [+] next to - System Tools, then on the [+] next to Shared Folders in the - left panel. - - - - In the right panel, double-click on the share on which you wish to set access control permissions. - Then click the tab Share Permissions. It is now possible to add access control entities - to the shared folder. Remember to set what type of access (full control, change, read) you - wish to assign for each entry. - - - - - - Be careful. If you take away all permissions from the Everyone user without removing this user, - effectively no user will be able to access the share. This is a result of what is known as - ACL precedence. 
Everyone with no access means that MaryK who is part of the group - Everyone will have no access even if she is given explicit full control access. - - - - - - - - - -MS Windows Access Control Lists and UNIX Interoperability - - - Managing UNIX Permissions Using NT Security Dialogs - - - -permissionsfile/directory ACLs - Windows NT clients can use their native security settings dialog box to view and modify the - underlying UNIX permissions. - - - - This ability is careful not to compromise the security of the UNIX host on which Samba is running, and - still obeys all the file permission rules that a Samba administrator can set. - - - - Samba does not attempt to go beyond POSIX ACLs, so the various finer-grained access control - options provided in Windows are actually ignored. - - - - - All access to UNIX/Linux system files via Samba is controlled by the operating system file access controls. - When trying to figure out file access problems, it is vitally important to find the identity of the Windows - user as it is presented by Samba at the point of file access. This can best be determined from the - Samba log files. - - - - - - Viewing File Security on a Samba Share - - - From an NT4/2000/XP client, right click on any file or directory in a Samba-mounted drive letter - or UNC path. When the menu pops up, click on the Properties entry at the bottom - of the menu. This brings up the file Properties dialog box. Click on the - Security tab and you will see three buttons: Permissions, - Auditing, and Ownership. The Auditing - button will cause either an error message `A requested privilege is not held by the client' - to appear if the user is not the NT Administrator, or a dialog which is intended to allow an Administrator - to add auditing requirements to a file if the user is logged on as the NT Administrator. 
This dialog is - non-functional with a Samba share at this time, as the only useful button, the Add - button, will not currently allow a list of users to be seen. - - - - - - Viewing File Ownership - - - Clicking on the Ownership button brings up a dialog box telling you who owns - the given file. The owner name will be displayed like this: - - - - "SERVER\user (Long name)" - - - - SERVER is the NetBIOS name of the Samba server, user - is the user name of the UNIX user who owns the file, and (Long name) is the - descriptive string identifying the user (normally found in the GECOS field of the UNIX password database). - Click on the Close button to remove this dialog. - - - - If the parameter nt acl support is set to false, - the file owner will be shown as the NT user Everyone. - - - - The Take Ownership button will not allow you to change the ownership of this file to - yourself (clicking it will display a dialog box complaining that the user you are currently logged onto - the NT client cannot be found). The reason for this is that changing the ownership of a file is a privileged - operation in UNIX, available only to the root user. As clicking on this button causes - NT to attempt to change the ownership of a file to the current user logged into the NT clienti, this will - not work with Samba at this time. - - - There is an NT chown command that will work with Samba and allow a user with Administrator privilege connected - to a Samba server as root to change the ownership of files on both a local NTFS filesystem or remote mounted NTFS - or Samba drive. This is available as part of the Seclib NT security library written - by Jeremy Allison of the Samba Team, and is available from the main Samba FTP site. - - - - - Viewing File or Directory Permissions - - - The third button is the Permissions button. Clicking on this brings up a dialog box - that shows both the permissions and the UNIX owner of the file or directory. 
The owner is displayed like this: - - - SERVER\ - user - (Long name) - - Where SERVER is the NetBIOS name of the Samba server, - user is the user name of the UNIX user who owns the file, and - (Long name) is the descriptive string identifying the user (normally found in the - GECOS field of the UNIX password database). - - - If the parameter nt acl support is set to false, - the file owner will be shown as the NT user Everyone and the permissions will be - shown as NT Full Control. - - - - - The permissions field is displayed differently for files and directories, so I'll describe the way file permissions - are displayed first. - - - - File Permissions - - The standard UNIX user/group/world triplet and the corresponding read, write, execute permissions - triplets are mapped by Samba into a three element NT ACL with the r, w and x bits mapped into the corresponding - NT permissions. The UNIX world permissions are mapped into the global NT group Everyone, followed - by the list of permissions allowed for UNIX world. The UNIX owner and group permissions are displayed as an NT - user icon and an NT local group icon, respectively, followed by the list - of permissions allowed for the UNIX user and group. - - Because many UNIX permission sets do not map into common NT names such as read, - change or full control, usually the permissions will be prefixed - by the words Special Access in the NT display list. - - But what happens if the file has no permissions allowed for a particular UNIX user group or world component? In order - to allow no permissions to be seen and modified Samba then overloads the NT Take Ownership ACL attribute - (which has no meaning in UNIX) and reports a component with no permissions as having the NT O bit set. - This was chosen, of course, to make it look like a zero, meaning zero permissions. More details on the decision behind this is - given below. 
- - - - Directory Permissions - - Directories on an NT NTFS file system have two different sets of permissions. The first set is the ACL set on the - directory itself, which is usually displayed in the first set of parentheses in the normal RW - NT style. This first set of permissions is created by Samba in exactly the same way as normal file permissions are, described - above, and is displayed in the same way. - - The second set of directory permissions has no real meaning in the UNIX permissions world and represents the - inherited permissions that any file created within this directory would inherit. - - Samba synthesises these inherited permissions for NT by returning as an NT ACL the UNIX permission mode that a new file - created by Samba on this share would receive. - - - - - Modifying File or Directory Permissions - - Modifying file and directory permissions is as simple - as changing the displayed permissions in the dialog box, and - clicking on OK. However, there are - limitations that a user needs to be aware of, and also interactions - with the standard Samba permission masks and mapping of DOS - attributes that need to also be taken into account. - - If the parameter nt acl support - is set to false, any attempt to set - security permissions will fail with an `Access Denied' - message. - - The first thing to note is that the Add - button will not return a list of users in Samba (it will give - an error message saying `The remote procedure call failed - and did not execute'). This means that you can only - manipulate the current user/group/world permissions listed in - the dialog box. This actually works quite well as these are the - only permissions that UNIX actually has. - - If a permission triplet (either user, group, or world) - is removed from the list of permissions in the NT dialog box, - then when the OK button is pressed it will - be applied as no permissions on the UNIX side. 
If you then - view the permissions again, the no permissions entry will appear - as the NT O flag, as described above. This - allows you to add permissions back to a file or directory once - you have removed them from a triplet component. - - As UNIX supports only the r, w and x bits of - an NT ACL, if other NT security attributes such as Delete Access are - selected they will be ignored when applied on the Samba server. - - When setting permissions on a directory, the second - set of permissions (in the second set of parentheses) is - by default applied to all files within that directory. If this - is not what you want, you must uncheck the Replace - permissions on existing files checkbox in the NT - dialog before clicking on OK. - - If you wish to remove all permissions from a - user/group/world component, you may either highlight the - component and click on the Remove button, - or set the component to only have the special Take - Ownership permission (displayed as O - ) highlighted. - - - - Interaction with the Standard Samba <quote>create mask</quote> Parameters - - There are four parameters that control interaction with the standard Samba create mask parameters. - These are: - - - security mask - force security mode - directory security mask - force directory security mode - - - - - Once a user clicks on OK to apply the - permissions, Samba maps the given permissions into a user/group/world - r/w/x triplet set, and then checks the changed permissions for a - file against the bits set in the - security mask parameter. Any bits that - were changed that are not set to 1 in this parameter are left alone - in the file permissions. - - Essentially, zero bits in the security mask - may be treated as a set of bits the user is not - allowed to change, and one bits are those the user is allowed to change. - - - If not explicitly set, this parameter defaults to the same value as - the create mask parameter. 
To allow a user to modify all the - user/group/world permissions on a file, set this parameter to 0777. - - - Next Samba checks the changed permissions for a file against the bits set in the - force security mode parameter. Any bits - that were changed that correspond to bits set to 1 in this parameter - are forced to be set. - - Essentially, bits set in the force security mode parameter - may be treated as a set of bits that, when modifying security on a file, the user has always set to be on. - - If not explicitly set, this parameter defaults to the same value - as the force create mode parameter. - To allow a user to modify all the user/group/world permissions on a file - with no restrictions set this parameter to 000. The - security mask and force - security mode parameters are applied to the change - request in that order. - - For a directory, Samba will perform the same operations as - described above for a file except it uses the parameter - directory security mask instead of security - mask, and force directory security mode - parameter instead of force security mode - . - - The directory security mask parameter - by default is set to the same value as the directory mask - parameter and the force directory security - mode parameter by default is set to the same value as - the force directory mode parameter. - In this way Samba enforces the permission restrictions that - an administrator can set on a Samba share, while still allowing users - to modify the permission bits within that restriction. 
- - If you want to set up a share that allows users full control - in modifying the permission bits on their files and directories and - does not force any particular bits to be set on, then set the following - parameters in the &smb.conf; file in that share-specific section: - - - - security mask0777 - force security mode0 - directory security mask0777 - force directory security mode0 - - - - - Interaction with the Standard Samba File Attribute Mapping - - - Samba maps some of the DOS attribute bits (such as read - only) into the UNIX permissions of a file. This means there can - be a conflict between the permission bits set via the security - dialog and the permission bits set by the file attribute mapping. - - - - If a file has no UNIX read access for the owner, it will show up - as read only in the standard file attributes tabbed dialog. - Unfortunately, this dialog is the same one that contains the security information - in another tab. - - What this can mean is that if the owner changes the permissions - to allow himself read access using the security dialog, clicks on - OK to get back to the standard attributes tab - dialog, and clicks on OK on that dialog, then - NT will set the file permissions back to read-only (as that is what - the attributes still say in the dialog). This means that after setting - permissions and clicking on OK to get back to the - attributes dialog, you should always press Cancel - rather than OK to ensure that your changes - are not overridden. - - - - -Common Errors - - -File, directory and share access problems are common on the mailing list. The following -are examples taken from the mailing list in recent times. - - - - - Users Cannot Write to a Public Share - - - - We are facing some troubles with file/directory permissions. I can log on the domain as admin user(root), - and there's a public share on which everyone needs to have permission to create/modify files, but only - root can change the file, no one else can. 
We need to constantly go to the server to - chgrp -R users * and chown -R nobody * to allow others users to change the file. - - - - - There are many ways to solve this problem and here are a few hints: - - - - - - Go to the top of the directory that is shared. - - - - - - Set the ownership to what ever public owner and group you want - -&prompt;find 'directory_name' -type d -exec chown user.group {}\; -&prompt;find 'directory_name' -type d -exec chmod 6775 'directory_name' -&prompt;find 'directory_name' -type f -exec chmod 0775 {} \; -&prompt;find 'directory_name' -type f -exec chown user.group {}\; - - - - - The above will set the sticky bit on all directories. Read your - UNIX/Linux man page on what that does. It causes the OS to assign - to all files created in the directories the ownership of the - directory. - - - - - - Directory is: /foodbar - -&prompt;chown jack.engr /foodbar - - - - - This is the same as doing: - -&prompt;chown jack /foodbar -&prompt;chgrp engr /foodbar - - - - - Now type: - - -&prompt;chmod 6775 /foodbar -&prompt;ls -al /foodbar/.. - - - - - You should see: - -drwsrwsr-x 2 jack engr 48 2003-02-04 09:55 foodbar - - - - - - Now type: - -&prompt;su - jill -&prompt;cd /foodbar -&prompt;touch Afile -&prompt;ls -al - - - - - You should see that the file Afile created by Jill will have ownership - and permissions of Jack, as follows: - --rw-r--r-- 1 jack engr 0 2003-02-04 09:57 Afile - - - - - - - Now in your &smb.conf; for the share add: - -force create mode0775 -force direcrtory mode6775 - - - - - These procedures are needed only if your users are not members of the group - you have used. That is if within the OS do not have write permission on the directory. 
- - - - - An alternative is to set in the &smb.conf; entry for the share: - -force userjack -force groupengr - - - - - - - - - File Operations Done as <emphasis>root</emphasis> with <emphasis>force user</emphasis> Set - - - When you have a user in admin users, Samba will always do file operations for - this user as root, even if force user has been set. - - - - - MS Word with Samba Changes Owner of File - - - Question: When user B saves a word document that is owned by user A the updated file is now owned by user B. - Why is Samba doing this? How do I fix this? - - - - Answer: Word does the following when you modify/change a Word document: MS Word creates a NEW document with - a temporary name, Word then closes the old document and deletes it, Word then renames the new document to the original document name. - There is no mechanism by which Samba can in any way know that the new document really should be owned by the owners - of the original file. Samba has no way of knowing that the file will be renamed by MS Word. As far as Samba is able - to tell, the file that gets created is a NEW file, not one that the application (Word) is updating. - - - - There is a work-around to solve the permissions problem. That work-around involves understanding how you can manage file - system behavior from within the &smb.conf; file, as well as understanding how UNIX file systems work. Set on the directory - in which you are changing Word documents: chmod g+s `directory_name' This ensures that all files will - be created with the group that owns the directory. In &smb.conf; share declaration section set: - - - - - force create mode0660 - force directory mode0770 - - - - - These two settings will ensure that all directories and files that get created in the share will be read/writable by the - owner and group set on the directory itself. - - - - - - -
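Review bot: the commit message says the docs tree is being removed from 3.0 but gives no pointer to where this chapter now lives; since the deleted file is the reference for the security-relevant share parameters it documents (`nt acl support`, `security mask`, `force security mode`, `directory security mask`, `force directory security mode`, `force user`, `force group`, `admin users`), the message should name the replacement location so administrators can still find it. If the text is being moved rather than dropped, defects visible in the deleted content should be fixed at the destination: in the "Users Cannot Write to a Public Share" recipe, the line `find 'directory_name' -type d -exec chmod 6775 'directory_name'` applies the mode to the literal name instead of to each match (it should end in `{} \;` like the `-type f` line), and the two `chown user.group {}\;` lines omit the space before `\;`, so the shell hands find `{};` as one word and the `-exec` is not terminated; the `&smb.conf;` fragment `force direcrtory mode6775` misspells `directory`; and the explanation calls mode 6775 "the sticky bit" that gives new files the directory's ownership, whereas the bit in question is setgid, which only determines the group of new files, not their owner.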