• Willkommen im Linux Club - dem deutschsprachigen Supportforum für GNU/Linux. Registriere dich kostenlos, um alle Inhalte zu sehen und Fragen zu stellen.

SAMBA und ACL - Richtige Einstellungen gesucht

S

Selachii

Newbie
Hallo Zusammen,
wollte für einen kleinen NAS eine einfache samba-Freigabe realisieren, bei der die gesetzten ACL-Rechte berücksichtigt werden.
Wenn ich aber nun mit einem WIN7-Rechner eine Datei auf der Freigabe erstelle besitzt diese x-Rechte im Gegensatz zu Dateien die direkt unter Linux erstellt werden (siehe weiter unten).
Ist das typisch/"normal" für samba oder liegt es an einer fehlerhaften samba-einstellung?
Und müssen/sollten noch Einstellungen ergänzt werden?
Ein Beitrag in einem anderem Forum verwirrt mich zusätzlich "http://forum.ubuntuusers.de/topic/merkwuerdige-interaktion-von-samba-mit-default/#post-2651777". :-|



Datei über smb-Erstellt:
Code: 
root@debian-server:/SERVER/VIDEO1/test# getfacl Allway\ Sync.lnk
# file: Allway Sync.lnk
# owner: user1
# group: user1
user::rwx
group::r-x
group:verwalter:rwx
group:family:r-x
group:filme:r-x
mask::rwx
other::---

Datei direkt unter Linux erstellt:
Code: 
root@debian-server:/SERVER/VIDEO1/test# touch test
root@debian-server:/SERVER/VIDEO1/test# getfacl test
# file: test
# owner: root
# group: root
user::rw-
group::r-x                      #effective:r--
group:verwalter:rwx             #effective:rw-
group:family:r-x                #effective:r--
group:filme:r-x                 #effective:r--
mask::rw-
other::---






Aktuelle Samba-Config:
Code: 
[global]
workgroup = Buero
security = user
encrypt passwords = yes


[musik]
comment = Musik-Freigabe
path= /SERVER/MUSIK
read only=no
#nt acl support = yes
inherit acls = yes
inherit permissions = yes

[video1]
comment = Video1-Freigabe
path= /SERVER/VIDEO1
read only=no
#nt acl support = yes
inherit acls = yes
inherit permissions = yes

[video2]
comment = Video2-Freigabe
path= /SERVER/VIDEO2
read only=no
#nt acl support = yes
inherit acls = yes
inherit permissions = yes

[ablage]
comment = Datei-Ablage
path= /SERVER/ABLAGE
read only=no
#nt acl support = yes
inherit acls = yes
inherit permissions = yes
 
S

stka

Guru
Beim erstellen einer Datei über Samba, gelten die Einstellungen aus der smb.conf, die Standardeinstellungen kannst du über den SWAT sehen wenn du dir die ausführliche Ansicht der smb.conf anzeigen lässt. Wenn du eine Datei über Linux anlegst, dann wir die "umask" ausgewertet die kannst du sehen wenn du das Kommando "umask" eingibst, Die umask zeigt die Rechte an, die nicht vergeben wird. ACHTUNG bei Dateien die nicht ausführbar sein müssen, wie Bilder, Musik usw. wird grundsätzlich kein x-Recht gesetzt, weil es keinen Sinn macht. Wenn du die umask Systemweit ändern willst, dann musst du das in der Datei /etc/profile ändern.
 
OP
S

Selachii

Newbie
Ok,
habe mich jetzt mal übern browser in die "SWAP" eingeloggt und die vollständige smb.conf eingesehen:
"Sind verdammt viele Optionen :???: "
Code: 
# Samba config file created using SWAT
# from UNKNOWN (192.168.178.41)
# Date: 2011/03/02 17:07:18

[global]
	dos charset = CP850
	unix charset = UTF-8
	display charset = LOCALE
	workgroup = BUERO
	realm = 
	netbios name = DEBIAN-SERVER
	netbios aliases = 
	netbios scope = 
	server string = Samba 3.5.6
	interfaces = 
	bind interfaces only = No
	security = USER
	auth methods = 
	encrypt passwords = Yes
	update encrypted = No
	client schannel = Auto
	server schannel = Auto
	allow trusted domains = Yes
	map to guest = Never
	null passwords = No
	obey pam restrictions = No
	password server = *
	smb passwd file = /etc/samba/smbpasswd
	private dir = /etc/samba
	passdb backend = tdbsam
	algorithmic rid base = 1000
	root directory = 
	guest account = nobody
	enable privileges = Yes
	pam password change = No
	passwd program = 
	passwd chat = *new*password* %n\n *new*password* %n\n *changed*
	passwd chat debug = No
	passwd chat timeout = 2
	check password script = 
	username map = 
	password level = 0
	username level = 0
	unix password sync = No
	restrict anonymous = 0
	lanman auth = No
	ntlm auth = Yes
	client NTLMv2 auth = No
	client lanman auth = No
	client plaintext auth = No
	preload modules = 
	dedicated keytab file = 
	kerberos method = default
	map untrusted to domain = No
	log level = 0
	syslog = 1
	syslog only = No
	log file = 
	max log size = 5000
	debug timestamp = Yes
	debug prefix timestamp = No
	debug hires timestamp = Yes
	debug pid = No
	debug uid = No
	debug class = No
	enable core files = Yes
	smb ports = 445 139
	large readwrite = Yes
	max protocol = NT1
	min protocol = CORE
	min receivefile size = 0
	read raw = Yes
	write raw = Yes
	disable netbios = No
	reset on zero vc = No
	acl compatibility = auto
	defer sharing violations = Yes
	nt pipe support = Yes
	nt status support = Yes
	announce version = 4.9
	announce as = NT
	max mux = 50
	max xmit = 16644
	name resolve order = lmhosts wins host bcast
	max ttl = 259200
	max wins ttl = 518400
	min wins ttl = 21600
	time server = No
	unix extensions = Yes
	use spnego = Yes
	client signing = auto
	server signing = No
	client use spnego = Yes
	client ldap sasl wrapping = plain
	enable asu support = No
	svcctl list = 
	deadtime = 0
	getwd cache = Yes
	keepalive = 300
	lpq cache time = 30
	max smbd processes = 0
	paranoid server security = Yes
	max disk size = 0
	max open files = 16384
	socket options = TCP_NODELAY
	use mmap = Yes
	hostname lookups = No
	name cache timeout = 660
	ctdbd socket = 
	cluster addresses = 
	clustering = No
	ctdb timeout = 0
	load printers = Yes
	printcap cache time = 750
	printcap name = 
	cups server = 
	cups encrypt = No
	cups connection timeout = 30
	iprint server = 
	disable spoolss = No
	addport command = 
	enumports command = 
	addprinter command = 
	deleteprinter command = 
	show add printer wizard = Yes
	os2 driver map = 
	mangling method = hash2
	mangle prefix = 1
	max stat cache size = 256
	stat cache = Yes
	machine password timeout = 604800
	add user script = 
	rename user script = 
	delete user script = 
	add group script = 
	delete group script = 
	add user to group script = 
	delete user from group script = 
	set primary group script = 
	add machine script = 
	shutdown script = 
	abort shutdown script = 
	username map script = 
	logon script = 
	logon path = \\%N\%U\profile
	logon drive = 
	logon home = \\%N\%U
	domain logons = No
	init logon delayed hosts = 
	init logon delay = 100
	os level = 20
	lm announce = Auto
	lm interval = 60
	preferred master = No
	local master = Yes
	domain master = Auto
	browse list = Yes
	enhanced browsing = Yes
	dns proxy = Yes
	wins proxy = No
	wins server = 
	wins support = No
	wins hook = 
	kernel oplocks = Yes
	lock spin time = 200
	oplock break wait time = 0
	ldap admin dn = 
	ldap delete dn = No
	ldap group suffix = 
	ldap idmap suffix = 
	ldap machine suffix = 
	ldap passwd sync = no
	ldap replication sleep = 1000
	ldap suffix = 
	ldap ssl = start tls
	ldap ssl ads = No
	ldap deref = auto
	ldap follow referral = Auto
	ldap timeout = 15
	ldap connection timeout = 2
	ldap page size = 1024
	ldap user suffix = 
	ldap debug level = 0
	ldap debug threshold = 10
	eventlog list = 
	add share command = 
	change share command = 
	delete share command = 
	preload = 
	lock directory = /var/run/samba
	state directory = /var/lib/samba
	cache directory = /var/cache/samba
	pid directory = /var/run/samba
	utmp directory = 
	wtmp directory = 
	utmp = No
	default service = 
	message command = 
	get quota command = 
	set quota command = 
	remote announce = 
	remote browse sync = 
	socket address = 0.0.0.0
	nmbd bind explicit broadcast = Yes
	homedir map = auto.home
	afs username map = 
	afs token lifetime = 604800
	log nt token command = 
	time offset = 0
	NIS homedir = No
	registry shares = No
	usershare allow guests = No
	usershare max shares = 100
	usershare owner only = Yes
	usershare path = /var/lib/samba/usershares
	usershare prefix allow list = 
	usershare prefix deny list = 
	usershare template share = 
	panic action = 
	perfcount module = 
	host msdfs = Yes
	passdb expand explicit = No
	idmap backend = tdb
	idmap alloc backend = 
	idmap cache time = 604800
	idmap negative cache time = 120
	idmap uid = 
	idmap gid = 
	template homedir = /home/%D/%U
	template shell = /bin/false
	winbind separator = \
	winbind cache time = 300
	winbind reconnect delay = 30
	winbind enum users = No
	winbind enum groups = No
	winbind use default domain = No
	winbind trusted domains only = No
	winbind nested groups = Yes
	winbind expand groups = 1
	winbind nss info = template
	winbind refresh tickets = No
	winbind offline logon = No
	winbind normalize names = No
	winbind rpc only = No
	create krb5 conf = Yes
	comment = 
	path = 
	username = 
	invalid users = 
	valid users = 
	admin users = 
	read list = 
	write list = 
	printer admin = 
	force user = 
	force group = 
	read only = Yes
	acl check permissions = Yes
	acl group control = No
	acl map full control = Yes
	create mask = 0744
	force create mode = 00
	security mask = 0777
	force security mode = 00
	directory mask = 0755
	force directory mode = 00
	directory security mask = 0777
	force directory security mode = 00
	force unknown acl user = No
	inherit permissions = No
	inherit acls = No
	inherit owner = No
	guest only = No
	administrative share = No
	guest ok = No
	only user = No
	hosts allow = 
	hosts deny = 
	allocation roundup size = 1048576
	aio read size = 0
	aio write size = 0
	aio write behind = 
	ea support = No
	nt acl support = Yes
	profile acls = No
	map acl inherit = No
	afs share = No
	smb encrypt = auto
	block size = 1024
	change notify = Yes
	directory name cache size = 100
	kernel change notify = Yes
	max connections = 0
	min print space = 0
	strict allocate = No
	strict sync = No
	sync always = No
	use sendfile = No
	write cache size = 0
	max reported print jobs = 0
	max print jobs = 1000
	printable = No
	printing = cups
	cups options = 
	print command = 
	lpq command = %p
	lprm command = 
	lppause command = 
	lpresume command = 
	queuepause command = 
	queueresume command = 
	printer name = 
	use client driver = No
	default devmode = Yes
	force printername = No
	printjob username = %U
	default case = lower
	case sensitive = Auto
	preserve case = Yes
	short preserve case = Yes
	mangling char = ~
	hide dot files = Yes
	hide special files = No
	hide unreadable = No
	hide unwriteable files = No
	delete veto files = No
	veto files = 
	hide files = 
	veto oplock files = 
	map archive = Yes
	map hidden = No
	map system = No
	map readonly = yes
	mangled names = Yes
	store dos attributes = No
	dmapi support = No
	browseable = Yes
	access based share enum = No
	blocking locks = Yes
	csc policy = manual
	fake oplocks = No
	locking = Yes
	oplocks = Yes
	level2 oplocks = Yes
	oplock contention limit = 2
	posix locking = Yes
	strict locking = Auto
	share modes = Yes
	dfree cache time = 0
	dfree command = 
	copy = 
	preexec = 
	preexec close = No
	postexec = 
	root preexec = 
	root preexec close = No
	root postexec = 
	available = Yes
	volume = 
	fstype = NTFS
	set directory = No
	wide links = No
	follow symlinks = Yes
	dont descend = 
	magic script = 
	magic output = 
	delete readonly = No
	dos filemode = No
	dos filetimes = Yes
	dos filetime resolution = No
	fake directory create times = No
	vfs objects = 
	msdfs root = No
	msdfs proxy = 

[musik]
	comment = Musik-Freigabe
	path = /SERVER/MUSIK
	read only = No
	inherit permissions = Yes
	inherit acls = Yes

[video1]
	comment = Video1-Freigabe
	path = /SERVER/VIDEO1
	read only = No
	create mask = 0660
	directory mask = 0770
	inherit permissions = Yes
	inherit acls = Yes
	map archive = No

[video2]
	comment = Video2-Freigabe
	path = /SERVER/VIDEO2
	read only = No
	inherit permissions = Yes
	inherit acls = Yes

[video3]
	comment = Video3-Freigabe
	path = /SERVER/VIDEO3
	read only = No
	inherit permissions = Yes
	inherit acls = Yes

[ablage]
	comment = Datei-Ablage
	path = /SERVER/ABLAGE
	read only = No
	inherit permissions = Yes
	inherit acls = Yes

[software]
	comment = Software-Freigabe
	path = /SOFTWARE
	read only = No
	inherit permissions = Yes
	inherit acls = Yes

Welche von den vielen Einstellungsmöglichkeiten benötige ich für folgendes einfaches Szenario:
1. Win7-Rechner sollen die Freigaben als Netzwerklaufwerke einbinden und dort entsprechend ihrer gesetzten Linux-Rechte drauf schreiben bzw. lesen können
(für jeden Benutzer wurde ein entsprechendes smb-passwort unter linux erstellt)
2. Die Rechte der unter Windows erstellten Dateien sollten mit denen der Linux-Default-ACL übereinstimmen/ vertretbar sein.
3. Über NFS greifen einige Streaming clients (Audio, Video) auf die Dateien zu.
 
OP
S

Selachii

Newbie
Ok, ich stelle meine Frage etwas präziser:
1. Wie kann ich erreichen das die über samba erstellten Dateien für niemanden ausführbar sind?
2. Wie kann ich erreichen das unter samba erstellte Ordner für die Gruppe "others" nicht ausführbar sind?

Zu Frage (1):
Wieso greift hier nicht "create mask = 0660" ???

Antwort zu Frage (2) selbst gefunden:
"directory mask = 0770" hinzufügen
 
S

spoensche

Moderator
Teammitglied
In den ACL´s ist das x- Attribut gesetzt und in deiner smb.conf wird von diesen geerbt (inherit acls)
 
Du musst dich einloggen oder registrieren, um hier zu antworten.
Oben