Koozali.org: home of the SME Server

Ibay permission issue

Tejaswini
Ibay permission issue
« on: September 24, 2009, 11:12:55 AM »
Hi,
All my ibays are accessible by all the users even though they don't have permission to access.

To test the issue, I just created a new user. Even though this user does not have permission for ANY ibays, it still gets access to all ibays.

Please help.

Stefano
Re: Ibay permission issue
« Reply #1 on: September 24, 2009, 11:16:06 AM »
Please explain.

How did you set up your ibays?

Is the new user a member of a group?

Tejaswini
Re: Ibay permission issue
« Reply #2 on: September 24, 2009, 12:05:56 PM »
Thanks for the quick reply.

No ibay has "Everyone" Permission.

The new user is not a member of ANY Group.

byte
Re: Ibay permission issue
« Reply #3 on: September 24, 2009, 12:19:18 PM »
Quote
No ibay has "Everyone" Permission. The new user is not a member of ANY Group.

If the test ibay has "Everyone" permission set as read/write then that's no surprise that the user can have access.

Try setting up groups to restrict user access to ibays, and make sure you log off user and log on user at the client end to re-authenticate.
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

Tejaswini
Re: Ibay permission issue
« Reply #4 on: September 24, 2009, 12:35:40 PM »
I have NOT set "Everyone" to any ibays... It's group read and write only... Although if the user is not a member of the group he can access the ibay.

Stefano
Re: Ibay permission issue
« Reply #5 on: September 24, 2009, 12:40:09 PM »
ok.. did you follow byte's advice?

try to re-expand the smb.conf template and to restart smb service..

anything strange in the logs?


byte
Re: Ibay permission issue
« Reply #7 on: September 24, 2009, 12:50:13 PM »
Quote
I have NOT set "Everyone" to any ibays... It's group read and write only... Although if the user is not a member of the group he can access the ibay.

Show:

db accounts show <ibayname>
db accounts show <groupname>

Where group name is the group set to ibay name.

Tejaswini
Re: Ibay permission issue
« Reply #8 on: September 24, 2009, 01:09:40 PM »
db accounts show accdata
    accdata=ibay
    CgiBin=disabled
    Gid=5010
    Group=accounts
    KeepVersions=disabled
    Name=accounts data
    PasswordSet=no
    PublicAccess=none
    RecycleBin=enabled
    Uid=5010
    UserAccess=wr-group-rd-group

[root@newdellsme1 ~]# db accounts show accounts
accounts=group
    Description=accounts staff
    Gid=5002
    Members=ashwinraj,girish,psekar,purohit,ravisunny,rkpurohit,swamy,veeresh
    Uid=5002



Tejaswini
Re: Ibay permission issue
« Reply #9 on: September 24, 2009, 01:11:55 PM »
Other than accounts group users, any other group users can access accdata ibay...

StuC
Re: Ibay permission issue
« Reply #10 on: September 24, 2009, 01:57:32 PM »
Are the users Windows clients with Workgroup or Domain log-on?
Can they see their home folder OK and not "admin"?

Tejaswini
Re: Ibay permission issue
« Reply #11 on: September 24, 2009, 02:31:04 PM »
Windows clients are members of the SME domain.

I didn't understand your 2nd Q. If I have understood your question to some extent, then the user is able to access his home directory. When I log in as a user it can see only its home directory, not any others.

byte
Re: Ibay permission issue
« Reply #12 on: September 24, 2009, 02:40:46 PM »
Quote
[root@newdellsme1 ~]# db accounts show accounts
accounts=group
    Description=accounts staff
    Gid=5002
    Members=ashwinraj,girish,psekar,purohit,ravisunny,rkpurohit,swamy,veeresh
    Uid=5002

So the user that CAN access the "accdata" is NOT in the above "members", correct? If so, that should work out of the box. Can you log on to the console and type:

cd /home/e-smith/files/ibays/

then type:

ll -ls accdata

?

I notice you also have recycle bin enabled; there is a bug, see:

Bug 1734


Tejaswini
Re: Ibay permission issue
« Reply #13 on: September 24, 2009, 02:49:17 PM »
[root@newdellsme1 ibays]# ll -ls accdata
total 12
4 drwxrws---   2 root  accounts 4096 Dec  8  2006 cgi-bin
4 drwxrws---  59 swamy accounts 4096 Sep 24 11:28 files
4 drwxrws---   2 root  accounts 4096 Jun 22  2007 html
[root@newdellsme1 ibays]#

janet
Re: Ibay permission issue
« Reply #14 on: September 24, 2009, 03:35:52 PM »
Tejaswini

As per bug 1734 try modifying and then saving accdata ibay
then again run
ll -ls accdata
show us the results
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Tejaswini
Re: Ibay permission issue
« Reply #15 on: September 25, 2009, 06:26:42 AM »
If you don't mind... can you explain to me how to modify that ibay... I didn't get how to modify that...

janet
Re: Ibay permission issue
« Reply #16 on: September 25, 2009, 06:52:12 AM »
Tejaswini

Open server manager, click information bays, click modify next to the ibay in question, click save

No need to actually change anything, but you must click save

Tejaswini
Re: Ibay permission issue
« Reply #17 on: September 25, 2009, 07:55:21 AM »
I got same result.

[root@newdellsme1 ibays]# ll -ls accdata/
total 12
4 drwxrws---   2 root  accounts 4096 Dec  8  2006 cgi-bin
4 drwxrws---  59 swamy accounts 4096 Sep 25 11:18 files
4 drwxrws---   2 root  accounts 4096 Jun 22  2007 html


janet
Re: Ibay permission issue
« Reply #18 on: September 25, 2009, 08:26:25 AM »
Tejaswini

I would ask what do you actually mean by "access the ibays"?

All users will be able to see all ibays, but not actually access and open files unless they are members of the group that the ibay belongs to.

Can your users actually open and save files in the ibay they should not have access to?

Please show the complete output of
cat /etc/samba/smb.conf

After that you could do
signal-event post-upgrade
signal-event reboot

and see if access changes

Tejaswini
Re: Ibay permission issue
« Reply #19 on: September 25, 2009, 08:44:07 AM »
Users can access and open the files although they are not members of the group that the ibay belongs to.

Here is the output of /etc/samba/smb.conf

[homes]
comment = Home directory
browseable = no
guest ok = no
read only = no
writable = yes
printable = no
create mode = 0660
force create mode = 0660
directory mode = 0770
force directory mode = 0770
path = /home/e-smith/files/users/%S/home
   root preexec = "/usr/local/bin/generate_netlogon /home/e-smith/files/samba/netlogon/netlogon.template /home/e-smith/files/users/%U/home/netlogon.bat %U %m %a %T"
vfs objects = recycle
  recycle:exclude_dir=/tmp|/temp|/cache
  recycle:repository=Recycle Bin
  recycle:versions=False
  recycle:keeptree=True
  recycle:touch=True
  recycle:exclude=*.tmp|*.temp|*.o|*.obj|~$*

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
use client driver = yes

[netlogon]
comment = Network Logon Service
path = /home/e-smith/files/samba/netlogon
guest ok = yes
writable = yes
browseable = no

[print$]
comment = Printer drivers
path = /home/e-smith/files/samba/printers
guest ok = yes
browseable = yes
writable = no


[Primary]
comment = Primary i-bay


path = /home/e-smith/files/ibays/Primary
read only = no
writable = yes
printable = no
inherit permissions = yes
create mode = 0640


force group = shared




[accdata]
comment = accounts data


path = /home/e-smith/files/ibays/accdata/files
read only = no
writable = yes
printable = no
inherit permissions = yes
create mode = 0660


force group = accounts


vfs objects = recycle
  recycle:exclude_dir=/tmp|/temp|/cache
  recycle:repository=Recycle Bin
  recycle:versions=False
  recycle:keeptree=True
  recycle:touch=True
  recycle:exclude=*.tmp|*.temp|*.o|*.obj|~$*


[assmdata]
comment = assembly data


path = /home/e-smith/files/ibays/assmdata/files
read only = no
writable = yes
printable = no
inherit permissions = yes
create mode = 0660


force group = assembly


vfs objects = recycle
  recycle:exclude_dir=/tmp|/temp|/cache
  recycle:repository=Recycle Bin
  recycle:versions=False
  recycle:keeptree=True
  recycle:touch=True
  recycle:exclude=*.tmp|*.temp|*.o|*.obj|~$*


[common]
comment = common data


path = /home/e-smith/files/ibays/common/files
read only = no
writable = yes
printable = no
inherit permissions = yes
create mode = 0660


force group = shared


vfs objects = recycle
  recycle:exclude_dir=/tmp|/temp|/cache
  recycle:repository=Recycle Bin
  recycle:versions=False
  recycle:keeptree=True
  recycle:touch=True
  recycle:exclude=*.tmp|*.temp|*.o|*.obj|~$*


[comptest]
comment = data testing


path = /home/e-smith/files/ibays/comptest/files
read only = no
writable = yes
printable = no
inherit permissions = yes
create mode = 0660


force group = test




[designdata]
comment = design data


path = /home/e-smith/files/ibays/designdata/files
read only = no
writable = yes
printable = no
inherit permissions = yes
create mode = 0660


force group = design


vfs objects = recycle
  recycle:exclude_dir=/tmp|/temp|/cache
  recycle:repository=Recycle Bin
  recycle:versions=False
  recycle:keeptree=True
  recycle:touch=True
  recycle:exclude=*.tmp|*.temp|*.o|*.obj|~$*


[glpi]
comment = ibay for glpi and ocs inventory


path = /home/e-smith/files/ibays/glpi
read only = no
writable = yes
printable = no
inherit permissions = yes
create mode = 0660


force group = admin




[inspdata]
comment = inspection data


path = /home/e-smith/files/ibays/inspdata/files
read only = no
writable = yes
printable = no
inherit permissions = yes
create mode = 0660


force group = inspection


vfs objects = recycle
  recycle:exclude_dir=/tmp|/temp|/cache
  recycle:repository=Recycle Bin
  recycle:versions=False
  recycle:keeptree=True
  recycle:touch=True
  recycle:exclude=*.tmp|*.temp|*.o|*.obj|~$*


[iso9001-2000]
comment = iso


path = /home/e-smith/files/ibays/iso9001-2000/files
read only = no
writable = yes
printable = no
inherit permissions = yes
create mode = 0664


force group = iso9001




[processdata]
comment = processdatas


path = /home/e-smith/files/ibays/processdata/files
read only = no
writable = yes
printable = no
inherit permissions = yes
create mode = 0664


force group = process




[proddata]
comment = production data


path = /home/e-smith/files/ibays/proddata/files
read only = no
writable = yes
printable = no
inherit permissions = yes
create mode = 0664


force group = production


vfs objects = recycle
  recycle:exclude_dir=/tmp|/temp|/cache
  recycle:repository=Recycle Bin
  recycle:versions=False
  recycle:keeptree=True
  recycle:touch=True
  recycle:exclude=*.tmp|*.temp|*.o|*.obj|~$*


[progdata]
comment = program data


path = /home/e-smith/files/ibays/progdata/files
read only = no
writable = yes
printable = no
inherit permissions = yes
create mode = 0660


force group = programmers


vfs objects = recycle
  recycle:exclude_dir=/tmp|/temp|/cache
  recycle:repository=Recycle Bin
  recycle:versions=False
  recycle:keeptree=True
  recycle:touch=True
  recycle:exclude=*.tmp|*.temp|*.o|*.obj|~$*


[securitydata]
comment = security data


path = /home/e-smith/files/ibays/securitydata/files
read only = no
writable = yes
printable = no
inherit permissions = yes
create mode = 0660


force group = security


vfs objects = recycle
  recycle:exclude_dir=/tmp|/temp|/cache
  recycle:repository=Recycle Bin
  recycle:versions=False
  recycle:keeptree=True
  recycle:touch=True
  recycle:exclude=*.tmp|*.temp|*.o|*.obj|~$*


[vendordata]
comment = vendor data


path = /home/e-smith/files/ibays/vendordata/files
read only = no
writable = yes
printable = no
inherit permissions = yes
create mode = 0640


force group = vendor


vfs objects = recycle
  recycle:exclude_dir=/tmp|/temp|/cache
  recycle:repository=Recycle Bin
  recycle:versions=False
  recycle:keeptree=True
  recycle:touch=True
  recycle:exclude=*.tmp|*.temp|*.o|*.obj|~$*
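
Added example (not posted by anyone in this thread and not SME Server code): a small Python audit for an smb.conf like the one above. It reports a missing [global] section, shares with both guest and write access enabled, and shares that set `force group` without a leading `+` and without `valid users`; per the Samba manual, plain `force group` assigns the named group to every user who connects to the share. The sample input is constructed from stanzas in the post; the [restricted] share and the function names are assumptions.

```python
import re

# Constructed sample: stanzas abridged from the smb.conf posted above, plus a
# hypothetical [restricted] share that uses the '+' form of force group.
SAMPLE = """\
[netlogon]
path = /home/e-smith/files/samba/netlogon
guest ok = yes
writable = yes

[accdata]
path = /home/e-smith/files/ibays/accdata/files
read only = no
force group = accounts

[restricted]
path = /srv/example
force group = +staff
"""

TRUE = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {section: {param: value}}. Samba ignores case and whitespace
    in parameter names, so 'force group' is stored as 'forcegroup'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def audit(text):
    """List findings worth a manual look; none of them proves a fault."""
    conf = parse_smb_conf(text)
    findings = []
    if not any(name.lower() == "global" for name in conf):
        findings.append("no [global] section")
    for name, p in conf.items():
        group = p.get("forcegroup", "")
        if group and not group.startswith("+") and "validusers" not in p:
            findings.append(f"[{name}] force group = {group}, no valid users")
        if p.get("guestok", "").lower() in TRUE and p.get("writable", "").lower() in TRUE:
            findings.append(f"[{name}] guest ok and writable")
    return findings
```

Run `audit(open("/etc/samba/smb.conf").read())` against the real file; each finding is a prompt to check the share by hand, not a diagnosis.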


janet
Re: Ibay permission issue
« Reply #20 on: September 25, 2009, 09:23:19 AM »
Tejaswini

Quote
I got same result.

I was wondering whether access ability changed after doing the ibay modify & save.


janet
Re: Ibay permission issue
« Reply #21 on: September 25, 2009, 09:31:08 AM »
Tejaswini

What version of SME are you running?
Your smb.conf is missing a whole Global section (compared to my sme7.4).
Did you install the Shared Folders contrib referred to earlier in this thread?

I think this problem should be moved to bugzilla, it's getting out of hand here.
Please open a bug there and put a link to that bug in this thread, and please summarise what has already happened in this thread, with a link back to this thread.

Also attach the output of the following commands to your bug report

/sbin/e-smith/audittools/newrpms
/sbin/e-smith/audittools/templates

Please do not post any more answers here.

Stefano
Re: Ibay permission issue
« Reply #22 on: September 25, 2009, 09:35:09 AM »
I'll ask the moderator to lock this thread after the OP has posted the bugzilla reference.
« Last Edit: September 25, 2009, 09:51:00 AM by Stefano »