Cannot modify permissions on Samba share with Windows 2000


TheMuso
07-06-2001, 10:05 AM
Hi.

I am running Samba 2.2.0a, and Windows 2000 on two different computers. I create shares with Samba alright, but cannot change the permissions of the shares. I also have the kernel patched with ACL support if that makes a difference.

Here is my smb.conf file:

[global]
netbios name = server2
workgroup = YELAVICH
server string = Main Server 2
log file = /var/log/samba/log.%m
max log size = 50
security = user
encrypt passwords = yes
smb passwd file = /usr/local/samba/private/smbpasswd
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *password* %n\n *password* %n\n *success*
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
local master = yes
os level = 40
domain master = yes
preferred master = yes
domain logons = yes
# logon script = logon.bat
logon path = \\server1\profiles\%u
name resolve order = wins lmhosts bcast
wins support = yes
add user script = /usr/sbin/useradd -d /dev/null -g 200 -s /bin/false -M %u
domain admin group = @adm
domain groups = adm users

[netlogon]
comment = Network Logon Service
path = /usr/local/samba/private/netlogon
guest ok = no
writable = no
share modes = no
write list = @adm

[homes]
comment = Home Dirs
browsable = no
writable = yes

Appreciate any help.

Thanks.

jumpedintothefire
07-08-2001, 05:37 PM
Have a look at: http://www.maximumlinux.org/article.php?story=20010626142256574
http://marc.theaimsgroup.com/?l=samba&r=1&w=2
and search on acl

Are you logged in as someone in your adm group?

I haven't played with the acl stuff yet.

mikehoward111
07-31-2002, 03:50 PM
Okay, I've been able to get my RH6.2 machine running Samba (I think it's 2.2.... does anyone know the rpm grep that will tell me the version) added to the W2000 domain. As long as I have the samba shares (in smb.conf) set to public = yes and the directory properties open to all (777), people can access the shares. But as soon as I change the smb.conf (i.e. valid user = Fred) or buckle down a directory to anything other than 777, access becomes a problem. Can someone please help me? I've spent quite a bit of time looking and I haven't found anything. This post above is the closest I've gotten, but can't find specific instruction. Can't find a How to that addresses W2000 (it's all still NT). How do I manage security? Mike.

cowanrl
07-31-2002, 05:16 PM
TheMuso,

When you say "share permissions", are you referring to permissions on the share itself, not file system permissions?

If you are talking about share permissions, I believe the only way to change them is to modify the smb.conf file. You use things like "write list = @groupname" in smb.conf.
To be able to do that with Windows Explorer remotely from Win2k to Samba like you would from Win2k to NT would require the smb.conf file to be rewritten and Samba restarted.

When I want to modify Samba share permissions remotely, I use SWAT or Webmin to modify my smb.conf file. Then restart Samba.

mikehoward111
07-31-2002, 05:38 PM
Okay, can you talk a little bit about the 'write list' entry. I don't have that in my smb.conf file. I have been using the user name with the 'valid user' entry.

I see the adm entry in my groups file, but the W2000 administrator does not appear to be part of it. I used the 'administrator' to join the Linux box to the domain and it worked fine.

What am I missing?

TheMuso
07-31-2002, 08:14 PM
Well, I don't use ACLs any more, but I worked out the permission thing a while ago. Can't remember how I did it, as I don't have the same setup any more.

cowanrl
07-31-2002, 08:32 PM
The "write list" option for smb.conf controls who can write to a share. The best way to use it is to set the entire share to read only with

read only = yes

Then designate those users who can write to the share with

write list = user1 @group1

Only user1 and anyone who is a member of group1 could write to the share.
Of course, you also need to set the proper file system permissions on the directory you are sharing out for user1 and group1.
If for some reason I'm going to designate more than one user or group with the write list option, I'll just make the permissions on the directory 777.

The difference between that and valid user is that when you use the valid user option, only that user or group can have any type of access, read or write, to the share. Valid user is much more restrictive.
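
Added example, not part of any post in this thread: a small Python model of the share-level decision described above, showing how `read only`, `write list` and `valid users` (the parameter's name in smb.conf) combine for a given user. The share names, users and groups in the sample are constructed; only `@group` list entries are handled, `read list`, `invalid users` and guest access are not modelled, and file system permissions still apply on top of the result.

```python
import re

# Constructed smb.conf fragment (not from the thread): one share per pattern discussed.
SAMPLE = """
[open]
public = yes
writable = yes
[docs]
read only = yes
write list = user1 @group1
[private]
valid users = fred
writable = yes
"""

def parse(text):
    """Return {share: {param: value}}; names lower-cased, inner whitespace collapsed."""
    shares, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":      # blank line or smb.conf comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            cur = shares.setdefault(m.group(1).lower(), {})
        elif cur is not None and "=" in line:
            k, v = line.split("=", 1)
            cur[" ".join(k.lower().split())] = v.strip()
    return shares

def in_list(value, user, groups):
    """True if the user, or @group for one of the user's groups, is named in the list."""
    names = re.split(r"[,\s]+", value.strip()) if value else []
    return any(n == user or (n.startswith("@") and n[1:] in groups) for n in names)

def is_yes(v):
    return v.lower() in ("yes", "true", "1")

def share_access(p, user, groups):
    """Share-level result only: 'none', 'read' or 'write'."""
    if p.get("valid users") and not in_list(p["valid users"], user, groups):
        return "none"                        # valid users gates any access at all
    if in_list(p.get("write list"), user, groups):
        return "write"                       # write list overrides read only = yes
    read_only = is_yes(p.get("read only", "yes"))   # Samba's default is read only
    for syn in ("writable", "writeable", "write ok"):  # inverted synonyms
        if syn in p:
            read_only = not is_yes(p[syn])
    return "read" if read_only else "write"
```

Running each share through `share_access` before editing a live smb.conf makes it easy to see that `[docs]` still lets everyone read, while `[private]` shuts out everyone except the named user.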