Hi all,

The two problems I'm having with ACLs on a W2k domain are still no closer to a solution. To wit, they were:

(a) Users accessing the ACL properties dialog on W2k can modify and remove existing ACLs on a given file, but they cannot add new ones (that can only be done with setfacl on the cmdline; the changes are then recognised);

(b) In said ACL properties dialog, the usernames displayed are the UNIX ones, not the ones converted with the username map option.

Does anyone have any more suggestions on these? I would have thought that the first problem particularly was quite critical. Should I take it to the samba-technical list?

Any thoughts much appreciated.

--
ANDREW FUREY <andrew@terminus.net.au> - Sysadmin/developer for Terminus.
>(b) In said ACL properties dialog, the usernames displayed
>are the UNIX ones, not the ones converted with the username
>map option.

Why not use original Windows names and take users map out of the loop? While a blank in user's name is strictly a no-no and all lower case is preferable, most *nices can deal with names longer than 8 chars, although "ls -l"-listings may appear messy.

As for your (a) question, should we chase back your previous mails to find out exactly what samba version on which platform you are using, or can you discreetly include that info in a mail?
On Fri, 06 Dec 2002 15:24:17 Andrew Furey wrote:
>>>(b) In said ACL properties dialog, the usernames displayed
>>>are the UNIX ones, not the ones converted with the username
>>>map option.
>>
>> Why not use original Windows names and take users map out of
>> the loop?
...................................................
>However, I have just this morning worked out both of those problems.
>For all the future Googlers out there who are banging their heads
>against the wall as much as I have been:
>  IF IN DOUBT, USE WINBIND.
>Setting up winbind with the nsswitch.conf stuff works perfectly
>(as far as those two problems go).
>
>Only problem I have now is working out how to preserve the ACLs on
>files I copy from the W2k to the Samba machine. xcopy /o seems to
>be it, but it comes up with "access denied" and the file is empty,
>as well as having the default permissions (copying person is owner,
>etc). More Googling needed...

I've banged my head over it, trying to

a) get the full listing of ACLs with tools in support pack
b) build some Perl scripts to produce something like the output of "getfacl -R"
c) apply "setfacl --restore=old.acls"

The tools in support pack were too flakey to begin with. Perhaps I should have tricked the system to let me execute it as SYS in a service shell but didn't have the time to bother so much.

So I distributed and delegated. Home shares are easy to assign proper ACLs, projects usually have a discernible permission pattern which can be reconstructed wholesale and when in doubt ask someone who knows or else your migration won't be done until Xmas.

It would be a tremendous help for all newbies and other migrants if someone lurking on this maillist went a step further than I did and were willing to share the experience.
> -----Original Message-----
> From: Dragan Krnic [mailto:dkrnic@lycos.com]
> Home shares are easy to assign proper
> ACLs, projects usually have a discernible permission pattern which
> can be reconstructed wholesale and when in doubt ask someone who knows
> or else your migration won't be done until Xmas.

That's pretty much what I did. It was just as well, since the original permissions turned out to have no relation to reality anyway. ;)

Default ACLs are your friend, by the way. If you set the default folder ACLs to reasonable values the file ACLs pretty much take care of themselves from then on. This has been the best thing that ever happened to my company as far as data integrity goes -- departments can't inadvertently screw up each others' files anymore.
>I'm currently looking at exactly this setup in order to migrate
>some shares off an NT box. I see two basic problems here:
>
>1. smbclient and smbmnt/smbmount don't, apparently,
>   have any support for ACLs
>2. smbcacls is not format-compatible with getfacl.
>
>I would presume the first is on the (eventual) todo list for
>the samba team, but the second seems to be a short-term
>solution that would work nicely.

When I moved shares I used Veritas BackupExec to restore a regular NT backup to a *nix. This gave all rights to smbnull:smbnull. Since I was frustrated with NT acl commands I never came around to format conversions. A one-time manual adjustment wasn't nearly as hard as I thought it would be.
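Added example, not code from any poster in this thread: a converter from smbcacls-style ACL text to the getfacl format that "setfacl --restore" reads, which also turns inheritable ACEs into the default ACL entries recommended earlier in the thread. The sample dump, the path and the NAMES/GROUPS maps are constructed assumptions; the mapping is lossy, so DENIED ACEs and numeric masks are returned for manual review instead of being converted.

```python
KEYWORDS = {"READ": "RX", "CHANGE": "RXWD", "FULL": "RWXDPO"}  # per smbcacls(1)
OI, CI, IO = 0x1, 0x2, 0x8  # NT ACE flags: object/container inherit, inherit-only

def convert(path, dump, names, groups):
    """names: NT trustee -> UNIX name; groups: UNIX names that are groups (both assumed)."""
    meta, default, skipped = {}, {}, []
    access = {("user", ""): "---", ("group", ""): "---", ("other", ""): "---"}
    for line in dump.strip().splitlines():
        key, _, value = line.strip().partition(":")
        if key in ("OWNER", "GROUP"):
            meta[key] = names[value]
        elif key == "ACL":
            trustee, spec = value.rsplit(":", 1)
            kind, flags, mask = spec.split("/")
            letters = KEYWORDS.get(mask, mask)
            if kind != "ALLOWED" or not set(letters) <= set("RWXDPO"):
                skipped.append(line.strip())  # POSIX ACLs cannot deny; numeric mask unparsed
                continue
            perms = "".join(c if c.upper() in letters else "-" for c in "rwx")
            if trustee == "Everyone":
                slot = ("other", "")
            else:
                unix = names[trustee]
                tag = "group" if unix in groups else "user"
                slot = (tag, "" if unix == meta.get("GROUP" if tag == "group" else "OWNER") else unix)
            if not int(flags, 0) & IO:       # inherit-only ACEs do not apply to the object itself
                access[slot] = perms
            if int(flags, 0) & (OI | CI):    # inheritable ACE -> POSIX default ACL entry
                default[slot] = perms
    out = [f"# file: {path}", f"# owner: {meta.get('OWNER')}", f"# group: {meta.get('GROUP')}"]
    out += [f"{t}:{q}:{p}" for (t, q), p in access.items()]
    out += [f"default:{t}:{q}:{p}" for (t, q), p in default.items()]
    return "\n".join(out) + "\n", skipped

# Constructed sample in the layout smbcacls prints; not taken from the thread.
SAMPLE = r"""
OWNER:CORP\alice
GROUP:CORP\sales
ACL:CORP\alice:ALLOWED/0/FULL
ACL:CORP\sales:ALLOWED/3/CHANGE
ACL:CORP\bob:ALLOWED/0/READ
ACL:CORP\temps:DENIED/0/FULL
ACL:Everyone:ALLOWED/0/R
"""
NAMES = {r"CORP\alice": "alice", r"CORP\sales": "sales", r"CORP\bob": "bob"}
GROUPS = {"sales"}

if __name__ == "__main__":
    print(convert("projects/sales", SAMPLE, NAMES, GROUPS)[0])
```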