Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: brentonv on December 03, 2007, 10:00:14 PM
-
Hi guys. I have been struggling with this for a while and I need some help. I am trying to create a particular IBAY with three levels of access. Group 1 can write, Group 2 can read and Group 3 has no access. No group can be a member of admin, so the ibay access rules can only be group-write group-read, because we can't use admin and we don't want everyone to read. I need to achieve something like group1-write group2-read everyone-noaccess.
I have been messing with smb.conf/ibays; however, it seems that samba won't accept group configuration, i.e.:
valid users = @group1 @group2
expand-template generates errors when using the @ symbol, which from what I understand is supposed to be used to represent groups?
Confused. If you can share any ideas, please help.
regards,
brenton
-
I need to achieve something like group1-write group2-read everyone-noaccess
I think you mean deny access to everyone, except read access to group2 and write access to group2; unfortunately this is hard to do with ibays... Perhaps copy the template fragment and create two copies of the same ibay (as a samba share), allowing read access to one of them for group2 and write access to the other one.
You will need to modify the /etc/samba/smb.conf templates sections for that. How the template system works is explained in the SME Server's Development Guide which is linked in the wiki.
-
I think this could help:
http://wiki.contribs.org/Htaccess
Allows you specify levels of access in ibays.
cheers,
shelley
-
Thanks cactus. This is the ibay in question. I assume you mean the smb.conf 90ibay template. I know about templates, but I can't see where I can assign different groups here. Can you please explain?
[forms]
comment = NTV Forms
path = /home/e-smith/files/ibays/forms/files
read only = no
writable = yes
printable = no
inherit permissions = yes
create mode = 0640
-
Thanks cactus. This is the ibay in question. I assume you mean the smb.conf 90ibay template. I know about templates, but I can't see where I can assign different groups here. Can you please explain?
AFAIK you can not specify both for one ibay... my guess is that your best bet is to share the same file system location under two names in the samba configuration, one for read and one for write access, each with its own group.
-
In this thread a few links are mentioned that might help you http://forums.fedoraforum.org/showthread.php?t=138521
-
Thanks cactus, I will give your idea a try. How about shell's HTaccess advice? Maybe it can all be done from there. Any thoughts?
-
Thanks cactus, I will give your idea a try. How about shell's HTaccess advice? Maybe it can all be done from there. Any thoughts?
htaccess does not work for samba, only for a httpd server such as apache.
-
Hey there cactus, I worked it out. We are not limited to the Ibay options 'Admin|Group|Everyone'. We can add or remove as many groups or users to Ibays as we want by modifying the smb.conf. Create an Ibay and make the permissions 'Write:Group|Read:Everyone' and expand the following template in /etc/e-smith/templates-custom/etc/smb.conf/ibays/:
{
    # custom fragment for /etc/e-smith/templates-custom/etc/smb.conf/ibays/
    # $key holds the name of the ibay currently being expanded
    if ($key eq 'name of ibay')
    {
        $OUT .= "writable = no\n";                    # share is read-only by default
        $OUT .= "write list = \@group1\n";            # except for members of group1
        $OUT .= "valid users = \@group1 \@group2\n";  # only these may connect at all
    }
}
Multiple groups and users would be written like:
$OUT .= "write list = \@group1 \@group2 userA userB\n";
$OUT .= "valid users = \@group1 \@group2 \@group3 userA userB userC\n";
Edit the 'write list =' to include any group or user who should have Write access to the Ibay. Edit the 'valid users =' to include any group or user who should have Read access to the Ibay. It is important to include the Ibay owner in this list. Any user who is not in the 'valid users =' list will NOT have access to the Ibay. As the default template includes 'inherit permissions = yes', all files and folders will maintain the Ibay group permissions (this is good).
COMMENT:
# perl < 5.6.1, error : In string, @group now must be written as \@group. This is why I could not get groups working initially.
REFERENCES:
http://www.comptechdoc.org/os/linux/manual4/smbconf.html
http://perl.active-venture.com/pod/perltrap-interpolationtraps.html
regards,
brenton
-
Hi cactus. I have reviewed my previous post and modified it significantly as it was not fully tested. The above how-to works perfectly.
-
Hi cactus. I have reviewed my previous post and modified it significantly as it was not fully tested. The above how-to works perfectly.
Cheers, I was not sure if this was possible and had no time to test it, but you discovered the solution already! Good luck with it.
If your users make use of web/ftp access to the ibay you might have to make analogous changes in the configuration templates of the httpd.conf file, as there are multiple ways of accessing the ibays.
-
I think I would approach this a different way.
I would create a symlink using Midnight Commander that links one existing ibay folder structure into a second ibay. Then I would assign different group permissions to both ibays using server-manager in the "normal" way.
Hope this helps. David
-
Hi brentonv
I stumbled upon your thread - you have no idea how pleased I am!
I need to do exactly the same thing. Only, I'm not as advanced with template manipulation as you are.
Would you please explain, step for step, (sorry), where I put your segment:
{
if ($key eq 'name of ibay')
{
$OUT .= "writable = no\n";
$OUT .= "write list = \@group1\n";
$OUT .= "valid users = \@group1 \@group2\n";
}
}
Multiple groups and users would be written like:
$OUT .= "write list = \@group1 \@group2 userA userB\n";
$OUT .= "valid users = \@group3 userC\n";
This is for a school, which I am assisting during end-of-year vac.
Thanks
-
SME Server uses templates (/etc/e-smith/templates/) for default configuration, and these templates can be customised by copying the original template file and path from /etc/e-smith/templates/ into /etc/e-smith/templates-custom/ and then modifying the relevant files. So if we wanted to modify the samba "Server Name" we would create /etc/e-smith/templates-custom/etc/smb.conf/11serverString and edit '11serverString'. If you take a close look at the original templates you will soon learn how the developers have broken everything down.
To modify the Ibays part of smb.conf we would create /etc/e-smith/templates-custom/etc/smb.conf/ibays/ and in here we would create a file which we'll call '20writable' to remain consistent with the original templates. We then edit the file '20writable' to our specific needs, and when this template is expanded it overrides the original '20writable' template with our new settings. NEVER modify the original templates, because if we ever mess anything up we rely on them to restore the default configuration.
So if we create '20writable' and enter this text (change whatever is in bold):
{
    # $key is the name of the ibay being expanded; change the names below
    if ($key eq 'name of ibay')
    {
        $OUT .= "writable = no\n";                               # read-only unless in write list
        $OUT .= "write list = \@staff \@students1\n";            # these groups may write
        $OUT .= "valid users = \@staff \@students1 \@students2\n";  # everyone else is denied
    }
}
into /etc/e-smith/templates-custom/etc/smb.conf/ibays/20writable and as root do 'expand-template /etc/smb.conf' and then 'service smb restart', and we will have updated samba with our new settings. You can confirm your changes by comparing your /etc/samba/smb.conf file before and after. If you mess anything up, just delete your custom template and do 'expand-template /etc/smb.conf' and 'service smb restart' again, and everything will be back to normal.
The above example gives Write access to groups staff and students1 and Read access to group students2. I hope that was simple enough?
regards,
brenton
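The fragments above (this post and brentonv's earlier one) hard-code a single ibay name. What follows is an added example, not brentonv's code and not a fragment shipped with SME Server, that keeps one map of ibay names to write and read lists and emits the same three Samba lines for each entry. The ibay and group names (forms, ged-files, staff, students1, students2, teachers, ged, brenton) are illustrative. Because a custom fragment named 20writable replaces the stock 20writable for every ibay, not only the ones you target, the else branch emits the normal settings for the others; that the stock fragment emits 'read only = no' and 'writable = yes' is an assumption based on the [forms] section quoted earlier in the thread, so compare /etc/samba/smb.conf before and after expanding.

```perl
{
    # Added example fragment (not brentonv's, not part of SME Server):
    # /etc/e-smith/templates-custom/etc/smb.conf/ibays/20writable
    # One map of ibay name => who may write, who may only read.
    # Names beginning with '@' are SME groups (Unix groups on the server);
    # bare names are users. All names here are illustrative.
    my %acl = (
        'forms'     => { write => [qw(@staff @students1 brenton)], read => [qw(@students2)] },
        'ged-files' => { write => [qw(@teachers)],                 read => [qw(@ged)]       },
    );

    # $key is the name of the ibay being expanded (set by 90ibays)
    if (my $entry = $acl{$key}) {
        # Everyone who may write is also listed in valid users: a write list
        # entry that is missing from valid users cannot connect at all.
        my $writers = join ' ', @{ $entry->{write} };
        my $readers = join ' ', @{ $entry->{write} }, @{ $entry->{read} };
        $OUT .= "    writable = no\n";            # read-only for valid users ...
        $OUT .= "    write list = $writers\n";    # ... except these
        $OUT .= "    valid users = $readers\n";   # nobody else may connect
    }
    else {
        # This custom fragment replaces the stock 20writable for every ibay,
        # so ibays not in the map must still get their normal settings here.
        # Assumption: the stock fragment emits these two lines.
        $OUT .= "    read only = no\n";
        $OUT .= "    writable = yes\n";
    }
}
```

Save the file with a trailing newline, then run 'expand-template /etc/smb.conf' and 'service smb restart' as described in the post, and check the result with 'testparm -s' rather than by eye. Note what this does and does not cover: 'valid users' only gates SMB connections, the Unix permissions on the ibay directory still apply underneath, and web and FTP access to the same files are governed by the httpd and ftp templates, not by this fragment.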
-
Thanks, brentonv
The above example gives Write access to groups staff and students1 and Read access to group students2. I hope that was simple enough?
Yes, simple enough so that even I can figure out what's potting :grin:
You actually have no idea just how useful this will be in our case - many fail to realize how complicated rights & permissions can be in a school environment, if the admin really cares to get things right.
As I understand it (anyone please correct me if I'm wrong), rsync, tar, etc. cannot back up extended ACLs (at the moment); therefore a redundant AFFA server would not have the extended ACLs. I'm under correction.
Although I've installed the extended ACL rpm, I'm not utilizing its functionality just yet. Your custom templating of smb.conf ensures extra control without extended ACLs. Thus a redundant AFFA server can be "instantly" available without fiddling first with extended ACLs.
Have a good one.
-
Has anyone thought of opening a NFR for this code ? Thanks.
-
Since I think that this is a very common scenario and we are affected I have opened Bug 4398 (http://bugs.contribs.org/show_bug.cgi?id=4398)
-
I think I would approach this a different way.
I would create a symlink using Midnight Commander that links one existing ibay folder structure into a second ibay. Then I would assign different group permissions to both ibays using server-manager in the "normal" way.
Hope this helps. David
I've tried this every way I can think of, but all I get is "Access denied". So I changed the permissions on the directories, but that makes them world readable. The answer is probably in this bug comment:
"The POSIX permission model does not allow for two such groups. Each file and directory in the filesystem only has one group associated with it."
-
So if we create '20writable' and enter this text (change what ever is in BOLD):
Ok, thanks. I created the file in MidnightCommander:
{
if ($key eq 'ged-files')
{
$OUT .= "writable = no\n";
$OUT .= "write list = \@teachers\n";
$OUT .= "valid users = \@teachers \@ged\n";
}
}
Edit: I just found out the hard way that you have to have an LF at the end of the file. Without it the result is:
[root@mef-server ibays]# expand-template /etc/smb.conf
WARNING in /etc/e-smith/templates-custom//etc/smb.conf/ibays/writable: Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/esmith/templates.pm line 579.
WARNING in /etc/e-smith/templates-custom//etc/smb.conf/ibays/writable: ERROR: Cannot process template /etc/e-smith/templates-custom//etc/smb.conf/ibays/writable:
at /etc/e-smith/templates//etc/smb.conf/90ibays line 9
WARNING in /etc/e-smith/templates//etc/smb.conf/90ibays: Use of uninitialized value in concatenation (.) or string at /etc/e-smith/templates//etc/smb.conf/90ibays line 9.
[the same three warnings repeated for each of the remaining five ibays]
WARNING: Template processing succeeded for //etc/samba/smb.conf: 6 fragments generated warnings
at /sbin/e-smith/expand-template line 45
It's now working the way it should. Thanks again to all who helped.
I still believe that this is a common scenario. Best security practice is to keep the admin password in a safe place. As it is now it seems impossible to delegate authority to users to maintain non-public shares. (I think most of the target audience of SME would not be capable of implementing templates like this.)
Perhaps we could have an option in server manager to modify samba access to shares?
Should I do something about the bug I raised?
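Brenton suggests confirming the change by comparing smb.conf before and after. The following is an added example, not part of this thread, that does the comparison mechanically: it parses the share sections of an smb.conf, reports who can read and write each share, flags shares that have no valid users line (any authenticated user can connect) and flags write list entries that are missing from valid users (they cannot connect, so they cannot write, which is the "include the Ibay owner" trap from the how-to). The configuration text embedded below is constructed for the example; on a real server feed it /etc/samba/smb.conf or the output of 'testparm -s' instead.

```perl
#!/usr/bin/perl
# Added example (not part of the original thread): audit who can read and
# write each share in an smb.conf. The configuration text is constructed
# for this example; ibay, group and user names are illustrative.
use strict;
use warnings;

my $sample_conf = <<'END_CONF';
[global]
    workgroup = SCHOOL
    security = user

[forms]
    comment = NTV Forms
    path = /home/e-smith/files/ibays/forms/files
    writable = no
    write list = @staff @students1 brenton
    valid users = @staff @students1 @students2
    inherit permissions = yes

[public]
    comment = Public documents
    path = /home/e-smith/files/ibays/public/files
    read only = no
    writable = yes
    inherit permissions = yes
END_CONF

# Parse smb.conf text into { share name => { parameter => value } }.
# Parameter names are lower-cased with whitespace removed (Samba compares
# them that way); 'writable'/'writeable' are folded into 'read only', their
# inverse, so that the last setting in a section wins as it does in Samba.
sub parse_smb_conf {
    my ($text) = @_;
    my (%shares, $current);
    for my $line (split /\n/, $text) {
        $line =~ s/^\s+|\s+$//g;
        next if $line eq '' || $line =~ /^[;#]/;
        if ($line =~ /^\[(.+)\]$/) {
            $current = $1;
            $shares{$current} ||= {};
            next;
        }
        next unless defined $current;
        my ($param, $value) = split /\s*=\s*/, $line, 2;
        next unless defined $value;
        ($param = lc $param) =~ s/\s+//g;
        if ($param eq 'writable' || $param eq 'writeable') {
            $param = 'readonly';
            $value = (lc $value eq 'yes') ? 'no' : 'yes';
        }
        $shares{$current}{$param} = $value;
    }
    return \%shares;
}

# Effective access for one share, for the parameters used in the thread.
# 'valid users' is the allow-list for connecting (absent = any authenticated
# user; guest access via 'guest ok' is not considered here). Writing is
# share-wide when 'read only = no', otherwise limited to 'write list'.
# Names starting with '@' (or '+', '&') denote groups.
sub share_access {
    my ($p) = @_;
    my @valid = defined $p->{validusers} ? split(' ', $p->{validusers}) : ();
    my @wlist = defined $p->{writelist}  ? split(' ', $p->{writelist})  : ();
    my $read_only = !(defined $p->{readonly} && lc $p->{readonly} eq 'no');  # Samba default: read only = yes
    my $anyone = '(any authenticated user)';

    my $readers = @valid ? join(' ', @valid) : $anyone;
    my $writers = $read_only ? (@wlist ? join(' ', @wlist) : '(nobody)') : $readers;

    # write list entries absent from valid users cannot connect, so cannot write
    my %may_connect = map { $_ => 1 } @valid;
    my @unreachable = @valid ? grep { !$may_connect{$_} } @wlist : ();

    return { readers => $readers, writers => $writers,
             open => (@valid ? 0 : 1), unreachable => \@unreachable };
}

# One report entry per share; [global] carries no share access.
sub audit {
    my ($shares) = @_;
    my @report;
    for my $name (sort keys %$shares) {
        next if $name eq 'global';
        my $acc = share_access($shares->{$name});
        my @flags;
        push @flags, 'OPEN: no valid users line, every authenticated user may connect' if $acc->{open};
        push @flags, 'write list entries not in valid users: ' . join(' ', @{ $acc->{unreachable} })
            if @{ $acc->{unreachable} };
        push @report, sprintf("[%s]\n  read:  %s\n  write: %s%s", $name,
            $acc->{readers}, $acc->{writers},
            @flags ? "\n  !! " . join("\n  !! ", @flags) : '');
    }
    return @report;
}

print "$_\n" for audit(parse_smb_conf($sample_conf));
```

Run against the constructed input, the [public] share is flagged as open and [forms] is flagged because the user brenton appears in write list but not in valid users; once every share you consider private carries a valid users line and no such flags remain, the SMB side of the access model matches what the template was meant to express.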
-
How about adding this to the wiki as a "how-to"