Erik Enge
2002-Jul-18 14:01 UTC
[Samba] Samba + OpenLDAP + ACL patch on Linux 2.4.18 problems.
Hi, all.
I compiled Samba 2.2.5 (on Linux) with these options:
--with-smbmount --with-acl-support --with-ldapsam
The compilation went fine and everything seems to be working except for
the ACL part.
I've applied the ACL patch for Linux 2.4.18 (from acl.bestbits.at) and
installed all the tools to go with it. That part works:
root@madrid# getfacl /tmp
getfacl: Removing leading '/' from absolute path names
# file: tmp
# owner: root
# group: root
user::rwx
group::rwx
other::rwx
Now, when starting Samba and logging in with a user that owns
/tmp/file-a, I would expect to be able to add groups and users to that
file's ACL as I would do in NT normally.
However, when I try to add users and/or groups, I get an error dialog
that says "Access Denied" (this is Windows NT Workstation, SP6).
After some looking into, it seems that Samba is still only honoring the
traditional owner-group-other Unix permissions, and is not aware of the
ACLs. I draw this conclusion from the fact that this file:
root@madrid# getfacl /tmp/testing-acls/b-file
getfacl: Removing leading '/' from absolute path names
# file: tmp/testing-acls/b-file
# owner: administrator
# group: tty
user::rw-
group::r-x
group:tty:r-x
group:pri:r-x
mask::rwx
other::---
in the NT Security Tab window shows only "administrator", "Everybody"
and "tty" as having permissions to the file. The group "pri" isn't even
mentioned.
Guenther Deschner
2002-Jul-18 14:22 UTC
[Samba] Samba + OpenLDAP + ACL patch on Linux 2.4.18 problems.
hi,
have you checked that your smbd is properly linked against libacl?
ldd /usr/sbin/smbd should show you something like:
ldd /usr/sbin/smbd
libacl.so.1 => /lib/libacl.so.1 (0x40017000)
...
libldap.so.2 => /usr/lib/libldap.so.2 (0x40180000)
liblber.so.2 => /usr/lib/liblber.so.2 (0x401af000)
...
libattr.so.1 => /lib/libattr.so.1 (0x402de000)
...
and maybe you should check again if configure finds your acl-environment
thus config.log should contain
...
checking sys/acl.h usability... yes
checking sys/acl.h presence... yes
checking for sys/acl.h... yes
...
checking whether to support ACLs... checking for acl_get_file in -lacl... yes
checking for ACL support... yes
Using posix ACLs
...
hth,
guenther
On Thu, Jul 18, 2002 at 04:59:06PM -0400, Erik Enge wrote:
> Hi, all.
>
> I compiled Samba 2.2.5 (on Linux) with these options:
>
> --with-smbmount --with-acl-support --with-ldapsam
>
> The compilation went fine and everything seems to be working except for
> the ACL part.
>
> I've applied the ACL patch for Linux 2.4.18 (from acl.bestbits.at) and
> installed all the tools to go with it. That part works:
>
> root@madrid# getfacl /tmp
> getfacl: Removing leading '/' from absolute path names
> # file: tmp
> # owner: root
> # group: root
> user::rwx
> group::rwx
> other::rwx
>
> Now, when starting Samba and logging in with a user that owns
> /tmp/file-a, I would expect to be able to add groups and users to that
> file's ACL as I would do in NT normally.
>
> However, when I try to add users and/or groups, I get an error dialog
> that says "Access Denied" (this is Windows NT Workstation, SP6).
>
> After some looking into, it seems that Samba is still only honoring the
> traditional owner-group-other Unix permissions, and is not aware of the
> ACLs. I draw this conclusion from the fact that this file:
>
> root@madrid# getfacl /tmp/testing-acls/b-file
> getfacl: Removing leading '/' from absolute path names
> # file: tmp/testing-acls/b-file
> # owner: administrator
> # group: tty
> user::rw-
> group::r-x
> group:tty:r-x
> group:pri:r-x
> mask::rwx
> other::---
>
> in the NT Security Tab window shows only "administrator", "Everybody"
> and "tty" as having permissions to the file. The group "pri" isn't even
> mentioned.
>
> From a post earlier on this list?, I gather that it's my setup that
> there is something wrong with (since that person indicates being able to
> "add the domain user "aps" to the file's ACL from a WinXP box" - I can't
> add or remove anything). And here is my question - after a long
> explanation - what's wrong with my config that makes Samba not honor the
> ACLs? Or, have I gone wrong somewhere else?
>
> I include here my smb.conf:
>
> # [start smb.conf]
> [global]
> encrypt passwords = yes
> security = user
>
> netbios name = smbserver
> comment = Red Hat Samba Server
> workgroup = smbgroup
>
> ldap admin dn = "cn=Manager,dc=a,dc=b"
> ldap suffix = "dc=a,dc=b"
> ldap ssl = off
>
> logon drive = U:
> logon path = \\%N\profiles\%g
>
> domain master = yes
> domain logons = yes
> preferred master = yes
> os level = 255
>
> wins support = yes
>
> public = yes
> browsable = yes
> writeable = no
>
> map hidden = no
> map archive = no
> map system = no
>
> [netlogon]
> path = /share/sys/samba/samba-2.2.5/netlogon
> locking = no
> read only = yes
>
> [profiles]
> path = /share/sys/samba/samba-2.2.5/profiles
> read only = no
> writeable = yes
> create mask = 0600
> directory mask = 0700
>
> [homes]
> guest ok = no
> read only = no
>
> [tmp]
> comment = temporary files
> path = /tmp
> read only = no
> admin users = administrator
> # [end smb.conf]
>
> As an apropos, would it be useful - when I get this up and running - if
> I wrote an Howto or something similar on how to set up a Linux Samba box
> with OpenLDAP and ACLs? Unless, of course, I have missed some
> documentation out there explaining exactly this.
>
> Thanks in advance,
>
> Erik Enge,
> Software Engineer,
> Professional Reviews Inc.
>
> ? <URL:http://lists.samba.org/pipermail/samba/2002-July/075900.html>
--
Guenther Deschner guenther.deschner@suse.de
SuSE Linux Solutions AG GnuPG: 8EE11688
Berliner Str. 27 phone: +49 (0) 30 / 430944778
D-13507 Berlin fax: +49 (0) 30 / 43732804
Thomas Klettke
2002-Jul-18 15:26 UTC
[Samba] Samba + OpenLDAP + ACL patch on Linux 2.4.18 problems.
On Thu, 2002-07-18 at 17:22, Thomas Klettke wrote:
> On Thu, 2002-07-18 at 15:59, Erik Enge wrote:
> > Hi, all.
> >
> > I compiled Samba 2.2.5 (on Linux) with these options:
> >
> > --with-smbmount --with-acl-support --with-ldapsam
> >
> > The compilation went fine and everything seems to be working except for
> > the ACL part.
> >
> > I've applied the ACL patch for Linux 2.4.18 (from acl.bestbits.at) and
> > installed all the tools to go with it. That part works:
> >
>
> Erik, you have to tell samba to use the acls, add this to your smb.conf:
>
> nt acl support = yes
>
>
> Thomas
>
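
The three checks suggested in the replies above (libacl linkage, the configure ACL results, and the "nt acl support" setting), combined into one script. This is an added example, not code from any poster or from the Samba project; the function names and sample inputs are constructed, and the config.log wording is assumed to match the lines quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Each check reads its input on stdin.

# Succeeds if ldd output resolves libacl to a path ("=> not found" fails).
smbd_links_libacl() {
    grep -Eq '^[[:space:]]*libacl\.so[.0-9]*[[:space:]]*=>[[:space:]]*/'
}

# Succeeds if config.log holds both ACL result lines quoted in the thread.
configure_found_acls() {
    awk '/checking for acl_get_file in -lacl\.\.\. yes/ { lib = 1 }
         /checking for ACL support\.\.\. yes/           { sup = 1 }
         END { exit !(lib && sup) }'
}

# Prints the last "nt acl support" value in smb.conf, or "unset".
# Simplification: sections are ignored; comment lines (# or ;) are skipped.
nt_acl_support_value() {
    awk -F= '/^[[:space:]]*[#;]/ { next }
        { key = tolower($1); gsub(/[[:space:]]/, "", key)
          if (key == "ntaclsupport") { val = tolower($2); gsub(/[[:space:]]/, "", val) } }
        END { print (val == "" ? "unset" : val) }'
}

# Constructed sample inputs (shaped like the output quoted in the thread).
SAMPLE_LDD_OK='        libacl.so.1 => /lib/libacl.so.1 (0x40017000)
        libldap.so.2 => /usr/lib/libldap.so.2 (0x40180000)'
SAMPLE_LDD_MISSING='        libldap.so.2 => /usr/lib/libldap.so.2 (0x40180000)'
SAMPLE_CONFIG_LOG='checking for sys/acl.h... yes
checking whether to support ACLs... checking for acl_get_file in -lacl... yes
checking for ACL support... yes'
SAMPLE_CONF='[global]
   security = user
   ; nt acl support = yes
   NT ACL Support = No'

# diagnose LDD_TEXT CONFIG_LOG_TEXT SMB_CONF_TEXT: one result line per check.
diagnose() {
    if printf '%s\n' "$1" | smbd_links_libacl
    then echo "libacl: linked into smbd"
    else echo "libacl: not linked into smbd"; fi
    if printf '%s\n' "$2" | configure_found_acls
    then echo "configure: POSIX ACLs detected"
    else echo "configure: ACL checks did not pass"; fi
    echo "smb.conf: nt acl support = $(printf '%s\n' "$3" | nt_acl_support_value)"
}

diagnose "$SAMPLE_LDD_OK" "$SAMPLE_CONFIG_LOG" "$SAMPLE_CONF"
```

On a real system the three arguments would be `"$(ldd /usr/sbin/smbd)"`, the contents of config.log from the build directory, and the contents of the smb.conf in use.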