CIFS on VMS, multi-user share per user security setup question
- From: Rich Jordan <jordan@xxxxxxxxxxx>
- Date: Wed, 30 Jan 2008 15:03:44 -0800 (PST)
We're working with a test installation of CIFS on an Alpha V8.3 test
box. It's turning out to be quite difficult getting what seems like
basic security going. Samba is in PDC mode running its own domain
using local authentication (local UAF accounts with an associated tdbsam
password database). The PC client logging in is in a separate Windows
AD domain, and 'connects as another user' to log in to the Samba
provided shares. We are not using "home" shares per user; these are
common shares, though some users have full access while others should
be read/write with no delete/control ability.
We create a shared directory and share. Several test accounts (user1,
user2, user3, user4, user5) are set up and entered into the password
database. user5 is in the 'administrators' group (so defined by
creating a resource identifier called 'administrators' and using
NET RPC GROUP ADDMEM to stick user5 in it).
The VMS directory is owned by a UIC group different from any of the
user UICs, so access should be controlled by the ACL on the directory
and its subsidiary files.
The initial ACEs set IDENTIFIER=administrator, access=read+write
+execute+delete+control (and an option=default ACE to force that on any
subsidiary files/directories).
user5 was able to connect, and create a file, but was then unable to
rename or delete it. Without the ACL in place, user5 was not even
able to connect to the share, so I know it's being read and having
effect.
When I added new sets of ACEs for the CIFS identifiers of each of the
other users, (CIFS$U_username) some read+write+execute, others with
full access, both access and option=default with the same access, the
same symptom appeared. The other accounts could now connect to the
share, and create files, but could not rename or delete files they or
any other account had created. It doesn't seem to matter if the ACEs
are specifying the delete+control options or not.
Another item is attempting to modify the security profile from the
peecee side. I can bring up security properties but (so far, with any
account) the attempt to modify anything fails saying I don't have the
required access. That's even with a file owned by the account, in a
directory owned by the account, with both UIC and ACE granting full
(and control) access, or just UIC or ACE based full access. Nothing
works.
Finally, are the security properties of a file or directory accessed
through Samba supposed to show numeric IDs instead of names for
access? The owner of the file shows up as a name "user3 (DOMAIN
\user3)" but all other ACE provided access rules show up as
"-2147418078 (Unix User\-2147418078)" with the numbers depending on
the CIFS$U_username identifiers in the ACEs.
I've only plowed through about 1/3 of the Samba docs so far. The ACLs
on the share should provide full access to the owner of a file, but
it's obviously not working as expected. The VMS specific docs for
Samba are very incomplete and honestly pretty disorganized; I haven't
found any detailed security setup info that translates well from the
unixy docs to VMS yet.
I'm going to go through real diagnostics with file audits enabled,
samba logging turned up higher, etc, but in the meantime I'm hoping
someone else might have had to set up reasonable per-user access
security in CIFS or Samba before and maybe has some wisdom to share on
the best way to do it.
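An added illustration, not the poster's own commands: the DCL sequence that builds the kind of common-share directory described above, applies identifier ACEs with matching OPTIONS=DEFAULT entries, checks what VMS actually recorded, and turns on per-file audit ACEs so that failed rename/delete attempts land in the audit journal. It goes a little beyond the post by also covering files that already existed before the default ACEs were added. The device DKA100:, the [SHARES.COMMON] directory, the owner UIC [SHARES,SHAREOWN] and the identifier names ADMINISTRATORS and CIFS$U_USER1/CIFS$U_USER3 are assumed placeholders.

```dcl
$! Constructed example (not from the post). Assumed names: DKA100:,
$! [SHARES.COMMON], owner UIC [SHARES,SHAREOWN], identifiers
$! ADMINISTRATORS, CIFS$U_USER1 and CIFS$U_USER3.
$!
$! 1. Directory owned by a UIC in a group none of the share users belong to,
$!    with GROUP and WORLD given nothing by the UIC mask, so every grant
$!    has to come from the ACL.
$ CREATE/DIRECTORY DKA100:[SHARES.COMMON] -
      /OWNER_UIC=[SHARES,SHAREOWN] -
      /PROTECTION=(S:RWED,O:RWED,G,W)
$!
$! 2. ACL on the directory file. VMS grants or denies on the FIRST identifier
$!    ACE that matches the accessor, so each identifier appears once as a
$!    plain ACE (access to the directory) and once with OPTIONS=DEFAULT
$!    (inherited by files created in it). Renaming or deleting a file needs
$!    DELETE on the file plus WRITE on its directory; CONTROL is what lets a
$!    user change the file's protection/ACL from the security properties
$!    dialog.
$ SET SECURITY DKA100:[SHARES]COMMON.DIR -
      /ACL=( -
        (IDENTIFIER=ADMINISTRATORS,ACCESS=READ+WRITE+EXECUTE+DELETE+CONTROL), -
        (IDENTIFIER=ADMINISTRATORS,OPTIONS=DEFAULT, -
                    ACCESS=READ+WRITE+EXECUTE+DELETE+CONTROL), -
        (IDENTIFIER=CIFS$U_USER1,ACCESS=READ+WRITE+EXECUTE), -
        (IDENTIFIER=CIFS$U_USER1,OPTIONS=DEFAULT,ACCESS=READ+WRITE+EXECUTE), -
        (IDENTIFIER=CIFS$U_USER3,ACCESS=READ+WRITE+EXECUTE+DELETE+CONTROL), -
        (IDENTIFIER=CIFS$U_USER3,OPTIONS=DEFAULT, -
                    ACCESS=READ+WRITE+EXECUTE+DELETE+CONTROL) )
$!
$! 3. DEFAULT ACEs only apply to files created afterwards. Files that were
$!    already in the directory keep their old profile; regenerate them from
$!    the parent directory's default ACEs.
$ SET SECURITY/DEFAULT DKA100:[SHARES.COMMON]*.*;*
$!
$! 4. Verify what was stored rather than trusting the dialog on the PC side:
$!    DIRECTORY/SECURITY shows owner, protection and ACL for each file, and
$!    AUTHORIZE shows who actually holds the identifier you granted.
$ DIRECTORY/SECURITY DKA100:[SHARES]COMMON.DIR
$ DIRECTORY/SECURITY DKA100:[SHARES.COMMON]*.*;*
$ MCR AUTHORIZE SHOW/IDENTIFIER/FULL ADMINISTRATORS
$!
$! 5. Audit failed DELETE and CONTROL attempts on the files themselves
$!    (setting AUDIT ACEs needs the SECURITY privilege), enable ACL-driven
$!    auditing, then read the journal after reproducing the failed rename.
$ SET SECURITY DKA100:[SHARES.COMMON]*.*;* -
      /ACL=((AUDIT=SECURITY,ACCESS=DELETE+CONTROL+FAILURE))
$ SET AUDIT/AUDIT/ENABLE=ACL
$ ANALYZE/AUDIT/SINCE=TODAY/FULL SYS$MANAGER:SECURITY.AUDIT$JOURNAL
```

The audit records name the object, the accessor's UIC and identifiers, and the access that was refused, which tells you whether the refusal came from the file's ACL, the directory's WRITE check, or a missing identifier on the CIFS process; that is usually quicker than raising the Samba log level first.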