Hi there,
I have been trying to set up Samba 2.2.8 to connect to our Windows 2000
domain, and provide shares that support file permissions as a Win2K box
would, under Red Hat 8.0. To that end I recompiled the kernel (2.4.20)
with patches from acl.bestbits.org, enabling ext2 and ext3 EA and ACL
support. I set up winbind, joined the domain OK, and got name resolution
working pretty well. Everything seemed perfect until I tried to
seriously edit the file permissions from a Windows 2000 machine. I could
add other users to a folder/file and set the permissions for them
without any problems, but I did have trouble with the following:
1) If I delete Everyone, Domain Users, or Administrator from a folder's
permissions, they reappear when the settings are applied.
2) Changing settings on the Everyone, Domain Users, or Administrator
that include "subfolders and files" does not seem to work - these
permissions are removed (leaving it with "this folder only") when
applied.
After doing a bit of digging I noticed two other problems:
3) Some groups, including "Authenticated Users" and "Administrators" did
not seem to be available on the Linux machine, either in the list
produced from wbinfo -g or to be set on a file on a share from Windows
2000.
4) Group name resolution doesn't seem to be fully working under Linux.
wbinfo will translate between a gid, a SID, and the name just fine, but
if I use ls -l on a directory that has been created via a share, the
owner is looked up correctly but not the group ("10002" instead of
"CJNTECH\whatever"). getfacl produces similar results, returning a
number for the group instead of the name. I checked, and winbind is in
the "group:" line in /etc/nsswitch.conf.
In the hope that these problems would be fixed in the latest version, I
made a backup and then upgraded to 3.0 alpha 23. After a bit of
tweaking, setting up Kerberos etc. I managed to get it back to the state
that 2.2.8 was in (joined to domain, resolving user/group names, etc.)
Problem #2 seems to have gone away, but the others are still present.
I have searched the net, but not found anything conclusive regarding
these issues. Any ideas? (Please let me know if I can provide any
further details.)
Cheers,
Paul
---------------------------------------------------------
Paul Eggleton                  Ph:    +64-9-4154790
Software Developer             Fax:   +64-9-4154791
CJN Technologies Ltd.          DDI:   +64-9-4154795
http://www.cjntech.co.nz       Email: paule@cjntech.co.nz
---------------------------------------------------------
Comments below:

> 1) If I delete Everyone, Domain Users, or Administrator from a folder's
> permissions, they reappear when the settings are applied.

These are the Unix Owner/Group/Everyone permissions, and cannot be
removed. You can get the same effect as removing Everyone by denying
Everyone full control. The error message Windows gives you doesn't apply.

> 4) Group name resolution doesn't seem to be fully working under Linux.
> wbinfo will translate between a gid, a SID, and the name just fine, but
> if I use ls -l on a directory that has been created via a share, the
> owner is looked up correctly but not the group ("10002" instead of
> "CJNTECH\whatever"). getfacl produces similar results, returning a
> number for the group instead of the name. I checked, and winbind is in
> the "group:" line in /etc/nsswitch.conf.

That's strange, on my config it works OK - does the winbind lookup work
manually? wbinfo -G 10002 then wbinfo -Y SID?

There should be an ACL faq somewhere for all of us ACL users! :)

-Tom Dickson

Tom Dickson wrote on Wednesday, 9 April 2003 7:09 a.m.:
> Comments below:
>
>> 1) If I delete Everyone, Domain Users, or Administrator from a
>> folder's permissions, they reappear when the settings are applied.
>
> These are the Unix Owner/Group/Everyone permissions, and cannot be
> removed. You can get the same effect as removing Everyone by denying
> Everyone full control. The error message Windows gives you doesn't
> apply.

I see. The only problem being that Windows users will find this a bit
confusing. It would be useful to be able to turn this off somehow.

>> 4) Group name resolution doesn't seem to be fully working under
>> Linux. wbinfo will translate between a gid, a SID, and the name just
>> fine, but if I use ls -l on a directory that has been created via a
>> share, the owner is looked up correctly but not the group ("10002"
>> instead of "CJNTECH\whatever"). getfacl produces similar results,
>> returning a number for the group instead of the name. I checked, and
>> winbind is in the "group:" line in /etc/nsswitch.conf.
>
> That's strange, on my config it works OK - does the winbind lookup
> work manually? wbinfo -G 10002 then wbinfo -Y SID?

Yep, that works, which is the odd thing. I can only assume that
something is preventing the nsswitch group setting from being used, but
what that is I have no idea.

> There should be an ACL faq somewhere for all of us ACL users! :)

I agree. Shall I start one? :)

Cheers,
Paul

> > There should be an ACL faq somewhere for all of us ACL users! :)
>
> I agree. Shall I start one? :)

Sure!

-- Honza Houstek

OH PLEASE, PLEASE!!

--
Christopher Barry
Manager of Information Systems
InfiniCon Systems
http://www.infiniconsys.com

-----Original Message-----
From: Jan Houstek [mailto:houstek@karlin.mff.cuni.cz]
Sent: Tuesday, April 08, 2003 4:52 PM
To: samba mailing list
Subject: Re: [Samba] RE: Win2k domain, ACLs and permissions

> > There should be an ACL faq somewhere for all of us ACL users! :)
>
> I agree. Shall I start one? :)

Sure!

-- Honza Houstek
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba

OK :) I've got a few ideas to get me started, but feel free to send me
suggestions.

Cheers,
Paul

Barry, Christopher wrote on Wednesday, 9 April 2003 9:11 a.m.:
> OH PLEASE, PLEASE!!
>
> --
> Christopher Barry
> Manager of Information Systems
> InfiniCon Systems
> http://www.infiniconsys.com
>
> -----Original Message-----
> From: Jan Houstek [mailto:houstek@karlin.mff.cuni.cz]
> Sent: Tuesday, April 08, 2003 4:52 PM
> To: samba mailing list
> Subject: Re: [Samba] RE: Win2k domain, ACLs and permissions
>
>>> There should be an ACL faq somewhere for all of us ACL users! :)
>>
>> I agree. Shall I start one? :)
>
> Sure!
>
> -- Honza Houstek
bgforum2002@yahoo.co.uk
2003-Apr-09  14:29 UTC
[Samba] RE: Win2k domain, ACLs and permissions
I had this problem with RedHat 8, it disappeared after updating glibc. It
seems it was a problem with glibc and not Samba.

>> 4) Group name resolution doesn't seem to be fully working under
>> Linux. wbinfo will translate between a gid, a SID, and the name just
>> fine, but if I use ls -l on a directory that has been created via a
>> share, the owner is looked up correctly but not the group ("10002"
>> instead of "CJNTECH\whatever"). getfacl produces similar results,
>> returning a number for the group instead of the name. I checked, and
>> winbind is in the "group:" line in /etc/nsswitch.conf.

> That's strange, on my config it works OK - does the winbind lookup
> work manually? wbinfo -G 10002 then wbinfo -Y SID?
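
The symptom discussed in this thread (wbinfo maps gid 10002, yet ls -l and getfacl print the number) involves two separate lookup paths: wbinfo asks winbindd directly, while ls and getfacl resolve groups through glibc's NSS as configured in /etc/nsswitch.conf. The script below is an added example, not code from any poster or from Samba; its function names are hypothetical, and it only reports which layer fails to resolve the gid.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# nss_sources FILE DB: print the sources configured for DB, e.g. "files winbind".
nss_sources() {
    sed -e 's/#.*//' "$1" | awk -F: -v db="$2" '
        { key = $1; gsub(/[ \t]/, "", key) }
        key == db { sub(/^[^:]*:/, ""); gsub(/[ \t]+/, " ")
                    sub(/^ /, ""); sub(/ $/, ""); print; exit }'
}

# nss_has_winbind FILE DB: succeed only if winbind is an active source for DB
# (a "winbind" that only appears after a '#' does not count).
nss_has_winbind() {
    case " $(nss_sources "$1" "$2") " in
        *" winbind "*) return 0 ;;
        *) return 1 ;;
    esac
}

# verdict CONFIGURED NSS_NAME WINBINDD_OK: name the layer that is failing.
verdict() {
    if [ "$1" != yes ]; then echo nsswitch-missing-winbind  # NSS never asks winbind
    elif [ -n "$2" ]; then echo ok                           # ls -l would show a name
    elif [ "$3" = yes ]; then echo nss-path-broken           # winbindd maps it, libc path does not
    else echo winbindd-cannot-map                            # no mapping, or wbinfo unavailable
    fi
}

# check_gid GID [NSSWITCH_FILE]: gather the three facts on a live system.
check_gid() {
    gid=$1; conf=${2:-/etc/nsswitch.conf}
    configured=no; mapped=no
    if nss_has_winbind "$conf" group; then configured=yes; fi
    name=$(getent group "$gid" 2>/dev/null | cut -d: -f1)   # same path as ls -l / getfacl
    if command -v wbinfo >/dev/null 2>&1 && wbinfo -G "$gid" >/dev/null 2>&1; then
        mapped=yes                                          # direct winbindd lookup
    fi
    echo "gid $gid: $(verdict "$configured" "$name" "$mapped")"
}

if [ $# -gt 0 ]; then check_gid "$@"; fi
```

Run as `sh script.sh 10002`; a result of `nss-path-broken` matches the case reported in the thread, where winbindd answers but the libc lookup does not.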