HPE Community
Operating System - HP-UX
1822147 Members
4067 Online
109640 Solutions
New Discussion юеВ

Samba problem: writing to samba share for groups

 
CFI-beheer
Advisor

тАО05-22-2007 03:51 AM

тАО05-22-2007 03:51 AM

Samba problem: writing to samba share for groups

Dear all,


I have a samba based HP CIFS Server 2.2.12 A.01.11.04 running.
Only the dba group and the oinstall group should be allowed to read/write/modify and delete files on the /fot share.
Everyone else should not be allowed to access the share, not even readonly.

I have this samba share configuration:
---------------------------------
[global]

# SAMBA FOT local variables
server string = Samba FotSuite e-loket
netbios name = cfiux07
interfaces = 172.18.129.7/255.255.252.0
bind interfaces only = yes
log file = /var/opt/samba/logs/log.%m
lock dir = /var/opt/samba/locks
pid directory = /var/opt/samba/pids

# Samba globals
workgroup = CFI
max log size = 100
security = server
password server = cfidc04p
encrypt passwords = yes
socket options = TCP_NODELAY
local master = no
wins server = cfidc04p.cfi.local
preserve case = yes
short preserve case = no
dos filetime resolution = yes
read only = no
syslog = 0

#============================ Share Definitions ==============================
[samba_ux07]
comment = Fot share (cfiux07)
path = /fot
public = yes
writable = yes
printable = no
write list = @dba @oinstall

dba and oinstall are domain groups, they also exist on the local node in the /etc/passwd file.

But with this setting the dba group and oinstall group are not allowed to modify/write files, they can only read the files.
A chmod 777 /fot allows everyone to write to the share.
When creating a file with chmod 777 directory the created file has ownership smbnull:smbnull(user:group).(as you can see down below)

-rw-r--r-- 1 oracle dba 176 May 3 16:02 README.txt
-rwxr--r-- 1 smbnull smbnull 176 May 3 16:02 Copy of README.txt
-rwxr--r-- 1 smbnull smbnull 6 May 16 11:35 New - Textdocument.txt
cfiux07:/fot #

I thought write list would only permit the dba & oinstall group to write files but it doesn't work.

Can anyone help me with that?

thx,

kind regards,
0 Kudos
Reply
4 REPLIES 4
Ivan Ferreira
Honored Contributor

тАО05-22-2007 04:16 AM

тАО05-22-2007 04:16 AM

Re: Samba problem: writing to samba share for groups

This is what I would do, you have a problem, you need two different groups to share the same permissions, but you only have three permissions possible to assign, owner, group, others.

This means that you need to add the @dba and @oinstall members to a common group, let's say "database" group. In this way, members of the database group will have the apropiate permissions to write to /fot, but nobody else.

So, the procedure should be:

1- Create a group called database
2- Add members to the databse group.
3- Set the owners to the /fot directory
chwon root:database /fot
4- Set the permissions to the /fot directory
chmod 2770 /fot

NOTE: The SGID permissions for the /fot directory will force that the files created on the directory, are created with the "database" group, the group of the parent directory.

5- Change your share definition like this:

[samba_ux07]
comment = Fot share (cfiux07)
path = /fot
public = no
writable = no
printable = no
valid users = @database
write list = @database

This will deny access to the samba_ux07 share to everyone but database users (valid users), and is not writable (writable=no) except by the users specified in the write list option.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
0 Kudos
Reply
Heironimus
Honored Contributor

тАО05-22-2007 09:39 AM

тАО05-22-2007 09:39 AM

Re: Samba problem: writing to samba share for groups

The "force group" and "force create mode" options in smb.conf would probably help.
0 Kudos
Reply
CFI-beheer
Advisor

тАО05-23-2007 12:06 AM

тАО05-23-2007 12:06 AM

Re: Samba problem: writing to samba share for groups

Hi Ivan,

The steps that you post did not help the dba and the oinstall groups
do write to the share.In stead I now have to type a password to
get access to the /fot share. In my previous configuration I
could access the share without password.

Do you know what might be wrong?

Here is the output that I found in the log of my machine

2007/05/23 13:48:07, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam1(1369)
unable to open passdb database.
[2007/05/23 13:48:07, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam1(1369)
unable to open passdb database.
[2007/05/23 13:48:20, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam1(1369)
unable to open passdb database.
[2007/05/23 13:48:20, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam1(1369)
unable to open passdb database.

Thanks in advance,

Kind Regards,

Feisal
0 Kudos
Reply
Heironimus
Honored Contributor

тАО05-23-2007 02:54 AM

тАО05-23-2007 02:54 AM

Re: Samba problem: writing to samba share for groups

In the original file you posted you had "public = yes", which means you had NO authentication at all - everything was done as "guest" on the Windows side, which gets mapped to smbnull on the UNIX side. Any user could connect, not just the ones in the write list. You really don't want to do that.

"public = no" is what you want. It probably should work without requesting a password, as long as it's authenticating against the same domain as your desktop. But since you weren't trying to authenticate anybody before it's hard to say if your authentication is set up correctly or not.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.