"Alex Brett" <alex.brett@brettcomputers.co.uk> wrote on 27/01/02 09:03:20:
We currently do not have the correct permissions on the file shares as most of them were originally set up by Tiny who installed the server and they just set Everyone Full Control. We have been going through fixing it but not got very far! He wants Win2K because we are having problems with Win2K Workstations connecting properly on to the network - it might just be a policy thing rather than a server thing - I'm not sure.
Be clever with Linux permissions - use features like SGID (chmod 2xxx folder) and also your smb.conf settings for the share:

    force group = pupils

This will mean that you can then assign permissions to selected groups with considerable ease. Check that the users are also members of additional groups as appropriate. Hey presto.

RE: hiding shares from view ...

Make sure the shares on the Linux box (apart from netlogon) are marked

    browseable = no

They do not then show in the output of net view or the Windows Explorer etc. netlogon is a special case, which must be left browseable, or all your clever policy thingies won't be found correctly.

Incidentally, you do not *have* to put them in netlogon. You can make a new share, whose name *can* end in a $, leaving the share effectively hidden. You then need to update the registry on the workstations to do a *manual* download of the policy (look in the default machine settings via policy editor, after electing to view the registry). Ensure this holds the UNC path to the config.pol file (including the file name), e.g. \\server\hidden$\config.pol. Leave error checking on until you have got it working.

If you need more info, I can probably go more into chapter and verse.

Andrew Ray
E-Mail Address: aray@computerpark.co.uk
Tel: +44 (0) 1536 417155
Fax: +44 (0) 1536 417566
Computer Park Ltd, Broughton Grange, Headlands, Kettering, Northamptonshire NN15 6XA
On Mon, 28 Jan 2002, Andrew RAY wrote:
We currently do not have the correct permissions on the file shares as most of them were originally set up by Tiny who installed the server and they just set Everyone Full Control. We have been going through fixing it but not got very far! He wants Win2K because we are having problems with Win2K Workstations connecting properly on to the network - it might just be a policy thing rather than a server thing - I'm not sure.

Be clever with Linux permissions - use features like SGID (chmod 2xxx folder) and also your smb.conf settings for the share:

    force group = pupils
Just to expand on this point (because SGID folders might not mean much to many people reading this):

If you change the permissions on a folder so that the SGID bit is set, then the folder's group will become "sticky": anything created within that folder will be owned by the folder's own group instead of the group of the creating user. For example:

An ordinary folder:

    [root]# mkdir nonsticky
    [root]# chgrp pupils nonsticky
    [root]# chmod g+w nonsticky
    [root]# ls -ld nonsticky
    drwxrwxr-x    2 root     pupils         48 Jan 28 11:10 nonsticky/
    [root]# su mcb30
    [mcb30]$ cd nonsticky
    [mcb30]$ touch test
    [mcb30]$ ls -l
    -rw-rw-r--    1 mcb30    mcb30           0 Jan 28 11:14 test

A sticky folder:

    [root]# mkdir sticky
    [root]# chgrp pupils sticky
    [root]# chmod g+w sticky
    [root]# chmod g+s sticky      # Make it sticky
    [root]# ls -ld sticky
    drwxrwsr-x    2 root     pupils         48 Jan 28 11:10 sticky/
    [root]# su mcb30
    [mcb30]$ cd sticky
    [mcb30]$ touch test
    [mcb30]$ ls -l
    -rw-rw-r--    1 mcb30    pupils          0 Jan 28 11:14 test

Note that with the sticky folder any other member of pupils is then able to edit the file I have created.

HTH,

Michael
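The session above shows the behaviour on two folders by hand. The script below is an added example (not from Michael's or Andrew's posts) that does the same check over a whole tree: it builds a small demo tree (the directory names are constructed for the demo), prints the octal mode so the leading "2" of chmod 2xxx is visible, and lists every group-writable directory that lacks the setgid bit. Those are the directories where a file created by a user whose primary group differs will get the wrong group, which is exactly the case "force group" in smb.conf papers over. The stat flags are GNU coreutils; on BSD/macOS the format option differs.

```sh
#!/bin/sh
# Added example: setgid-directory audit for a Samba file server.
# Paths below are constructed for the demo, not taken from the list.

# Octal mode of a path, including the setuid/setgid/sticky digit (GNU stat).
mode_of() {
    stat -c '%a' "$1"
}

# Group owner of a path (GNU stat).
group_of() {
    stat -c '%G' "$1"
}

# Build a demo tree under $1: one directory set up the way the thread
# recommends (2xxx, group-writable) and one plain group-writable directory.
setup_demo() {
    root=$1
    mkdir -p "$root/sticky" "$root/nonsticky"
    chmod 2770 "$root/sticky"     # chmod 2xxx: setgid + rwx for owner and group
    chmod 770  "$root/nonsticky"  # same rwx, but no setgid bit
    : > "$root/sticky/test"       # inherits the directory's group
    : > "$root/nonsticky/test"    # gets the creator's primary group
}

# Group-writable directories that are NOT setgid (octal tests: -020 = g+w,
# -2000 = setgid). Files created here end up in the creator's primary group.
find_unsticky_dirs() {
    find "$1" -type d -perm -020 ! -perm -2000 | sort
}

# Fix in place: add the setgid bit to every such directory.
fix_unsticky_dirs() {
    find "$1" -type d -perm -020 ! -perm -2000 -exec chmod g+s {} +
}

# Demo when run as: sh sgid-audit.sh --demo
if [ "${1-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    setup_demo "$tmp"
    echo "mode of sticky:    $(mode_of "$tmp/sticky")"      # 2770
    echo "mode of nonsticky: $(mode_of "$tmp/nonsticky")"   # 770
    echo "group-writable dirs without setgid:"
    find_unsticky_dirs "$tmp"
    fix_unsticky_dirs "$tmp"
    echo "remaining after fix: $(find_unsticky_dirs "$tmp" | wc -l)"
    rm -rf "$tmp"
fi
```

Run with `--demo` to see the before/after; without arguments it only defines the functions so it can be sourced from a larger maintenance script. Note that the group a new file inherits is only visible when the creating user's primary group differs from the directory's group, as in Michael's mcb30/pupils example.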
"Alex Brett" <alex.brett@brettcomputers.co.uk> wrote on 27/01/02 09:03:20:
We currently do not have the correct permissions on the file shares as most of them were originally set up by Tiny who installed the server and they just set Everyone Full Control. We have been going through fixing it but not got very far! He wants Win2K because we are having problems with Win2K Workstations connecting properly on to the network - it might just be a policy thing rather than a server thing - I'm not sure.
Be clever with Linux permissions - use features like SGID (chmod 2xxx folder) and also your smb.conf settings for the share:
force group = pupils
This will mean that you can then assign permissions to selected groups with considerable ease. Check that the users are also members of additional groups as appropriate. Hey presto.
Won't the force group override whatever the group settings are for that user? Effectively making any user who can access the share a member of the group...
RE: hiding shares from view ...
Make sure the shares on the linux box (apart from netlogon) are marked
browseable = no
They do not then show in the output of net view or the windows explorer etc.
One thing which would be useful would be to have a share which only shows up when the combination of "valid users" and "allow hosts" would allow access, but is otherwise invisible. A bit like the way in which user shares work. But there doesn't appear to be an obvious way to do this.

--
Mark Evans
St. Peter's CofE High School
Phone: +44 1392 204764 X109
Fax: +44 1392 204763
On Mon, 28 Jan 2002, Mark Evans wrote:
Be clever with Linux permissions - use features like SGID (chmod 2xxx folder) and also your smb.conf settings for the share:
force group = pupils
This will mean that you can then assign permissions to selected groups with considerable ease. Check that the users are also members of additional groups as appropriate. Hey presto.
Won't the force group override whatever the group settings are for that user? Effectively making any user who can access the share a member of the group...
That all depends on how you look at things. If your user belongs to more than one group, then his/her global rights become the union of the rights across those groups. Should a folder be set to belong to one of the groups of which your user is a member, the rights appropriate to that group prevail. ...if you see what I mean!

In a school, I usually have groups as follows:

    users   (everyone belongs to this)
    pupils  (pupils, admins and staff belong to this)
    staff   (staff and admins belong to this)
    admin   (admins alone belong to this)

Such a structure makes it easy to choose which group is SGID'd for any given purpose.

Again, I don't want to burden the list with heavy detail, but I am more than happy to explain more, if more information is required.
RE: hiding shares from view ... Make sure the shares on the linux box (apart from netlogon) are marked browseable = no They do not then show in the output of net view or the windows explorer etc.
One thing which would be useful would be to have a share which only shows up when the combination of "valid users" and "allow hosts" would allow access. But is otherwise invisible. A bit like the way in which user shares work.
But there doesn't appear to be an obvious way to do this.
How right you are, if you let users access files via the network neighbourhood, but if you use scripting sensibly, or arrange batch files to map drives for you, something like:

    net use p: \\server\yourshare($) /y

will result in a successful drive mapping where the user's rights and "allow hosts" intersect to allow access. You can probably make your batch/script even better by placing a tell-tale flag file in the given share and do a:

    if not exist \\server\yourshare($)\flag-file.txt goto FAIL
    net use p: \\server\yourshare($) /y
    goto CONTINUE
    :FAIL
    echo Helpful message to user telling them there's something they cannot see (always great with heads)!
    :CONTINUE
    echo Normal conclusion of batch-file

(Sorry about the gotos - another M$ strength!)

In this way, the network neighbourhood largely becomes an irrelevance - but you *do* have to be clever with scripting/batches. I have smb.conf examples and plenty of batches if anybody wants more ...

Andrew
--
Email: aray@computerpark.co.uk
Tel: +44 1536 417155
Fax: +44 1536 417566
Computer Park Ltd, Broughton Grange, Headlands, Kettering, Northamptonshire NN15 6XA
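Andrew's "browseable = no" advice and Mark's wish for shares that are invisible unless "valid users" and "allow hosts" permit access both come down to the same audit question: which shares are still in the browse list, and which hidden shares have nothing but hiding protecting them? The script below is an added example, not a config or script from either poster. It writes a constructed smb.conf (share names, groups and the 10.0.0. network are made up for the demo) with two deliberate mistakes, then parses it with awk and reports each class of problem. The caveat it encodes: browseable = no only removes a share from net view and Explorer; anyone with an account can still do "net use x: \\server\share" by name, so a hidden share still needs "valid users" or "hosts allow".

```sh
#!/bin/sh
# Added example: audit an smb.conf for visible and unrestricted shares.
# The sample config and all names in it are constructed for the demo.

# Write a sample smb.conf to $1. Two shares are deliberately wrong:
#   [pupils] was never marked browseable = no, so it shows in net view;
#   [public] is hidden but has neither valid users nor hosts allow.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = SCHOOL
   security = user

[netlogon]
   path = /var/lib/samba/netlogon
   browseable = yes
   read only = yes

[pupils]
   path = /srv/samba/pupils
   valid users = @pupils
   force group = pupils
   create mask = 0660
   directory mask = 2770

[staff]
   path = /srv/samba/staff
   browseable = no
   valid users = @staff
   force group = staff

[hidden$]
   path = /srv/samba/policy
   browseable = no
   valid users = @admin
   allow hosts = 10.0.0.
   read only = yes

[public]
   path = /srv/samba/public
   browseable = no
EOF
}

# Emit "share<TAB>browseable<TAB>valid users<TAB>hosts allow" per share,
# folding Samba's synonyms (browsable, allow hosts) and boolean spellings.
# Samba's default for browseable is yes, so an unset value is reported as yes.
share_table() {
    awk '
    /^[ \t]*[;#]/ { next }
    /^[ \t]*\[/ {
        s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
        sec = s; order[++n] = sec
        browse[sec] = "yes"; vu[sec] = "-"; ha[sec] = "-"
        next
    }
    /=/ {
        k = $0; sub(/=.*$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k); k = tolower(k)
        v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (k == "browseable" || k == "browsable") {
            lv = tolower(v)
            browse[sec] = (lv == "no" || lv == "false" || lv == "0") ? "no" : "yes"
        } else if (k == "valid users") vu[sec] = v
        else if (k == "hosts allow" || k == "allow hosts") ha[sec] = v
    }
    END {
        for (i = 1; i <= n; i++) {
            sec = order[i]
            if (sec == "global") continue
            printf "%s\t%s\t%s\t%s\n", sec, browse[sec], vu[sec], ha[sec]
        }
    }' "$1"
}

# Shares still visible in net view / Explorer. netlogon is exempt because,
# as the thread notes, it must stay browseable for policies to be found.
browseable_shares() {
    share_table "$1" | awk -F'\t' '$2 == "yes" && $1 != "netlogon" { print $1 }'
}

# Shares restricted by neither "valid users" nor "hosts allow": hidden or
# not, any authenticated user can map them by name.
unrestricted_shares() {
    share_table "$1" | awk -F'\t' '$3 == "-" && $4 == "-" && $1 != "netlogon" { print $1 }'
}

# Demo when run as: sh smb-audit.sh --demo
if [ "${1-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_conf "$tmp/smb.conf"
    echo "visible in browse list:";          browseable_shares "$tmp/smb.conf"     # pupils
    echo "hidden but otherwise unrestricted:"; unrestricted_shares "$tmp/smb.conf"  # public
    rm -rf "$tmp"
fi
```

Point the two report functions at the real /etc/samba/smb.conf instead of the sample to audit a live server; the parser only handles the flat "[share]" plus "key = value" layout, not "include =" or "%"-substituted parameters.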
Again, I don't want to burden the list with heavy detail, but I am more than happy to explain more, if more information is required.
I'd like examples of your smb.conf, and a couple of useful batch files. I have to do this stuff, and I know I could get better!

Thanks
--
Matt
participants (5)

- Andrew RAY
- Andrew Ray
- Mark Evans
- Matt Johnson
- Michael Brown