Hi everybody,

I'm getting mad configuring samba to join an ADS, resolve domain users and groups and set ACLs via windows explorer on a share mounted with POSIX ACL and extended attributes.

At the point where I am, I've managed to get Samba to join the domain correctly with the idmap_rid backend working fine.

I can correctly set (add, remove, modify) file acls and extended attributes via bash, but when I try to simply add a user permission on a file or directory via the windows explorer security settings I get in the log (level 3):

[2005/11/17 23:12:22, 3] smbd/process.c:switch_message(900)
  switch message SMBntcreateX (pid 2339) conn 0x8353068
[2005/11/17 23:12:22, 3] smbd/dosmode.c:unix_mode(121)
  unix_mode(WINDOWSRegDefrag.dat) returning 0744
[2005/11/17 23:12:22, 2] smbd/open.c:open_file(372)
  albe opened file WINDOWSRegDefrag.dat read=No write=No (numopen=1)
[2005/11/17 23:12:22, 3] smbd/process.c:process_smb(1114)
  Transaction 9 of length 244
[2005/11/17 23:12:22, 3] smbd/process.c:switch_message(900)
  switch message SMBnttrans (pid 2339) conn 0x8353068
[2005/11/17 23:12:22, 3] smbd/nttrans.c:call_nt_transact_set_security_desc(2081)
  call_nt_transact_set_security_desc: file = WINDOWSRegDefrag.dat, sent 0x4
[2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_sid_from_uid_cache(158)
  fetch sid from uid cache 11334 -> S-1-5-21-2707684321-3739850521-1540700870-1334
[2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_sid_from_gid_cache(232)
  fetch sid from gid cache 10512 -> S-1-5-21-2707684321-3739850521-1540700870-512
[2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_uid_from_cache(179)
  fetch uid from cache 11334 -> S-1-5-21-2707684321-3739850521-1540700870-1334
[2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_uid_from_cache(179)
  fetch uid from cache 11369 -> S-1-5-21-2707684321-3739850521-1540700870-1369
[2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_gid_from_cache(253)
  fetch gid from cache 10512 -> S-1-5-21-2707684321-3739850521-1540700870-512
[2005/11/17 23:12:22, 3] smbd/dosmode.c:unix_mode(121)
  unix_mode(WINDOWSRegDefrag.dat) returning 0744
[2005/11/17 23:12:22, 3] smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2585)
  convert_canon_ace_to_posix_perms: Too many ACE entries for file WINDOWSRegDefrag.dat to convert to posix perms.
[2005/11/17 23:12:22, 3] smbd/posix_acls.c:set_nt_acl(3265)
  set_nt_acl: failed to convert file acl to posix permissions for file WINDOWSRegDefrag.dat.
[2005/11/17 23:12:22, 3] smbd/error.c:error_packet(147)
  error packet at smbd/nttrans.c(2088) cmd=160 (SMBnttrans) NT_STATUS_ACCESS_DENIED
[2005/11/17 23:12:22, 3] smbd/process.c:process_smb(1114)
  Transaction 10 of length 45
[2005/11/17 23:12:22, 3] smbd/process.c:switch_message(900)
  switch message SMBclose (pid 2339) conn 0x8353068
[2005/11/17 23:12:22, 3] smbd/reply.c:reply_close(3247)
  close fd=-1 fnum=11974 (numopen=1)
[2005/11/17 23:12:22, 2] smbd/close.c:close_normal_file(270)
  AGBSOFT\albe closed file WINDOWSRegDefrag.dat (numopen=0)

I can correctly set file permission of the classical posix elements: user, group and others.

My smb.conf

[global]
        workgroup = AGBSOFT
        realm = AGBSOFT.CH
        server string = CVS Server
        security = ADS
        client schannel = No
        allow trusted domains = No
        password server = agbsoft-nt1.agbsoft.ch
        log level = 3
        log file = /var/log/samba/%m.log
        max log size = 0
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        load printers = No
        os level = 18
        preferred master = No
        domain master = No
        wins server = 10.100.0.2
        idmap backend = idmap_rid:AGBSOFT=10000-200000000
        idmap uid = 10000-200000000
        idmap gid = 10000-200000000
        template shell = /bin/bash
        winbind use default domain = Yes
        winbind nested groups = Yes

[prova]
        comment = prova
        path = /home/ftp
        valid users = "@AGBSOFT\Domain Admins"
        read only = No

My samba 3.0.20b is compiled with ads and acl support. Kernel is a 2.6.14.2, compiled with acl and extended attributes for used filesystems. The system is running a slackware 10.2. I had to rebuild from source attr, acl, libattr, libacl to get it to compile with acl support.

What am I doing wrong?

Thanks in advance for any help.

I remain at your disposal for any further information.

Alberto

This is in my original message:

> I can correctly set (add, remove, modify) file acls and extended
> attributes via bash

and this is my mount:

/dev/hda1 on / type reiserfs (rw,acl,user_xattr)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
usbfs on /proc/bus/usb type usbfs (rw)

Alberto

On 19 Nov 05, at 19:06, Jeremy Allison wrote:
> On Thu, Nov 17, 2005 at 11:45:16PM +0100, Albe wrote:
>> Hi everybody,
>>
>> I'm getting mad configuring samba to join an ADS, resolve domain
>> users and groups and set ACLs via windows explorer on a share mounted
>> with POSIX ACL and extended attributes.
>> S-1-5-21-2707684321-3739850521-1540700870-512
>> [2005/11/17 23:12:22, 3] smbd/dosmode.c:unix_mode(121)
>> unix_mode(WINDOWSRegDefrag.dat) returning 0744
>> [2005/11/17 23:12:22, 3] smbd/
>> posix_acls.c:convert_canon_ace_to_posix_perms(2585)
>> convert_canon_ace_to_posix_perms: Too many ACE entries for file
>> WINDOWSRegDefrag.dat to convert to posix perms.
>
> This means your underlying file system doesn't support POSIX acls.
> Check your mount flags.
>
> Jeremy.

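The mount-flag check suggested in the reply above, written out as an added example (not code from the thread or from Samba): it picks the mount that backs a share path out of `mount` output and reports whether the acl option is listed for it. The function names are assumptions, and the sample listing is constructed apart from its first two lines.

```sh
#!/bin/sh
# Added example, not from the thread: find the mount that backs a share path
# in `mount` output and report whether the acl option is listed for it.

# Constructed sample: the first two lines match the listing posted above,
# the last two are invented to exercise mount-point prefix matching.
SAMPLE_MOUNTS='/dev/hda1 on / type reiserfs (rw,acl,user_xattr)
proc on /proc type proc (rw)
/dev/hdb1 on /srv type ext3 (rw,noatime)
/dev/hdc1 on /home/ftp-old type ext3 (rw)'

# mount_for_path PATH < mount-output   (hypothetical helper name)
# Prints "mountpoint fstype options" for the longest mount point that is a
# prefix of PATH on a path-component boundary. The ( ) body scopes variables.
mount_for_path() (
    path=${1%/}; [ -n "$path" ] || path=/
    best=""; best_line=""
    while read -r dev on mp ty fstype opts; do
        [ "$on" = on ] && [ "$ty" = type ] || continue
        case "$path/" in
            "${mp%/}/"*) ;;        # /home/ftp-old must not claim /home/ftp
            *) continue ;;
        esac
        if [ "${#mp}" -gt "${#best}" ]; then
            best=$mp
            opts=${opts#\(}; opts=${opts%\)}
            best_line="$mp $fstype $opts"
        fi
    done
    [ -n "$best_line" ] && printf '%s\n' "$best_line"
)

# share_acl_status PATH < mount-output   (hypothetical helper name)
# acl-listed: option present. acl-not-listed: option absent, which is
# inconclusive on filesystems that enable ACLs by default; confirm there
# with setfacl/getfacl on a file inside the share.
share_acl_status() (
    info=$(mount_for_path "$1") || { echo "no-mount $1"; exit 2; }
    opts=${info##* }
    case ",$opts," in
        *,noacl,*) echo "acl-disabled ${info% *}"; exit 1 ;;
        *,acl,*)   echo "acl-listed ${info% *}" ;;
        *)         echo "acl-not-listed ${info% *}"; exit 1 ;;
    esac
)

# Live use: ./check_share_acl.sh /home/ftp
if [ $# -gt 0 ]; then mount | share_acl_status "$1"; fi
```

For the share path in the posted smb.conf (/home/ftp) and the posted root mount, the result is acl-listed, which matches the poster's statement that ACLs can be set from bash.
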
My samba 3.0.20b is compiled with ads and acl support. Kernel is a 2.6.14.2, compiled with acl and extended attributes for used filesystems. The system is running a slackware 10.2. I had to rebuild from source attr, acl, libattr, libacl to get it to compile with acl support.

plus

[root@ariannadb EHD]# smbd -b | grep ACL
   HAVE_SYS_ACL_H
   HAVE_POSIX_ACLS
[root@ariannadb EHD]#

I doublechecked that.

I also found out that the groups created by the idmap_rid backend do not reflect entirely the real groups in the Active Directory domain.

Thanks for the help.

Regards,
Alberto

updatemyself . wrote:
> hai...
>
> Look like that u need to rebuild samba...
> with "--with-acl-support" option
> download src rpm ...... install it..
> then edit it... before building ur samba RPM
>
> if u want more.. help.. feel free to contact...
>
> regards
> jerrrynikki
>
> On 11/18/05, *Albe* <k3rmit@libero.it> wrote:
>
>     Hi everybody,
>
>     i'm getting mad configuring samba to join an ADS, resolve domain
>     users and groups and set ACLs via windows explorer on a share mounted
>     with POSIX ACL and extended attributes.
>
>     At the point where i am, i've managed to get Samba join correctly the
>     domain with idmap_rid backend working fine.