
Re: View Samba file permissions from Linux?



on Thu, May 13, 2004 at 10:56:37AM +0200, Jens Benecke (jens@spamfreemail.de) wrote:
> Hi,
> 
> we have a Samba server whose shares are mounted by Windows (2000) machines
> and Linux machines. We mount the SMB shares with fstab lines like
> 
> //getserver1/GET-Gruppe /smb/get-gruppe smbfs uid=benecke,gid=benecke,credentials=/home/benecke/.smb-login,rw,ip=getserver1,noauto,user 0 0
> 
> In Windows 2000, we can view the file permissions (with names and IDs) on
> SMB shares although the respective accounts don't exist locally. (e.g.
> Group "users"). In Linux, all we see is "rwxr-xr-x" and the user/group
> specified above (or root) as the owner.

There's an _awful_ lot of lying back and forth between Samba and legacy
MS Windows clients, particularly about file ownership and permissions.
The technical term is mapping[1].  Which means that the correspondence
between what you see from a client accessing a Samba share, and what the
local GNU/Linux filesystem reports, may have little if any relationship.

In general, a share's rights are the intersection of permissions it has
between Samba rights and the local filesystem rights.  If the user is
granted read-only access, then underlying GNU/Linux write permission
doesn't matter.  If the client has _write_ access defined in the share,
but the files are read-only in GNU/Linux, then access is effectively
read-only.

See the Samba HOWTO collection sections on security, which discuss this
better than I'm able to.

    $BROWSER /usr/share/doc/samba-doc/htmldocs/index.html

> Is there a way to 
> - display the correct permissions at least for the user whose credentials
>   are used for mounting the SMB share?
> - display the user _names_ of the users how they appear on the server?

I'm not sure quite what you mean by this, but accessing the share as
that user should show their view of things.
 

> We are trying to avoid NFS for security reasons and because of the
> needed reconfiguration _and_ because it would require syncing
> UIDs/GIDs between our Linux machines, which is close to impossible
> because we are running different distributions (Debian and SuSE) and
> different machines have different groups of accounts.

NIS or LDAP would help here, I believe.  But that's gross ignorance
talking.
 

Peace.

--------------------
Notes:

1.  Does this make my duly appointed President a mapper?

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
  Information is not power after all: Old-fashioned power is power. If you
  aren't big industry or government, you have very little power. Once they've
  hacked the electronic voting system, you'll have no power at all.
  - Robert X. Cringely
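
The intersection rule described in the reply above, sketched as an added example that is not part of the original message: a simplified model of how share-level rights and Unix mode bits combine on the server. The smb.conf settings, the path, the accounts other than benecke, and all UIDs, GIDs and modes are constructed; ACLs, `force user` and `@group` list entries are not modelled.

```python
import configparser

# Constructed smb.conf fragment: share name from the post, settings assumed.
SMB_CONF = """
[GET-Gruppe]
path = /srv/get-gruppe
read only = no
valid users = benecke, alice, guest1
read list = guest1
"""

def _names(section, key):
    return {n.strip() for n in section.get(key, "").split(",") if n.strip()}

def share_rights(conf_text, share, user):
    """Rights the share definition grants `user` (simplified Samba rules)."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    sec = parser[share]
    valid = _names(sec, "valid users")
    if valid and user not in valid:
        return set()                      # not allowed to connect at all
    if user in _names(sec, "write list"):
        return {"r", "w"}                 # write list overrides read only
    if user in _names(sec, "read list"):
        return {"r"}                      # read list overrides a writable share
    read_only = sec.getboolean("read only", fallback=True)
    return {"r"} if read_only else {"r", "w"}

def fs_rights(mode, owner_uid, owner_gid, uid, gids):
    """Rights the Unix mode bits grant the server-side account (no ACLs)."""
    if uid == owner_uid:
        bits = mode >> 6
    elif owner_gid in gids:
        bits = mode >> 3
    else:
        bits = mode
    return {r for r, bit in (("r", 4), ("w", 2)) if bits & bit}

def effective(conf_text, share, user, mode, owner_uid, owner_gid, uid, gids):
    """Effective access is the intersection of both layers."""
    return share_rights(conf_text, share, user) & fs_rights(
        mode, owner_uid, owner_gid, uid, gids)

if __name__ == "__main__":
    # Constructed accounts: alice (uid 1000) owns the file, benecke is uid 1001, group 100.
    print(effective(SMB_CONF, "GET-Gruppe", "benecke", 0o644, 1000, 100, 1001, {100}))
    print(effective(SMB_CONF, "GET-Gruppe", "guest1", 0o666, 1000, 100, 1002, {100}))
```

Both calls come out read-only for opposite reasons: benecke is limited by the file's mode bits, guest1 by the share definition.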
