Wilkinson, Alex
2007-Aug-06 09:40 UTC
[Samba] setfacl(1) - Can FreeBSD's ACLs contain groups from NT/AD domains ?
Hi all, I have "FreeBSD 7.0-CURRENT #1: Wed Jul 25" authenticating successfully against active directory via samba's winbindd(8). I need to manage samba shares via FreeBSD ACLs and CIFS ACLs. From my reading of setfacl(1) I should be able to set group permissions using the syntax of DOMAIN\group-name. For example: #setfacl -d -m g:"MYDOMAIN\mygroupname":rwx test However, when I do this on FreeBSD -CURRENT I get the following error: #setfacl -d -m g:"MYDOMAIN\mygroupname":rwx test setfacl: g:MYDOMAIN\mygroupname: Invalid argument>From a quick Google it looks like Linux ACLs can do the aforementioned[http://www.techtutorials.net/blogs/index.php?mode=viewuser&user_id=7]. Is anyone successfully managing there Samba shares via NT/AD groups using FreeBSD ACLs ? -aW IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email.
Greg Byshenk
2007-Aug-06 14:10 UTC
[Samba] setfacl(1) - Can FreeBSD's ACLs contain groups from NT/AD domains ?
On Mon, Aug 06, 2007 at 05:27:50PM +0800, Wilkinson, Alex wrote:> I have "FreeBSD 7.0-CURRENT #1: Wed Jul 25" authenticating successfully against > active directory via samba's winbindd(8). I need to manage samba shares via > FreeBSD ACLs and CIFS ACLs. From my reading of setfacl(1) I should be able to > set group permissions using the syntax of DOMAIN\group-name. For example: > > #setfacl -d -m g:"MYDOMAIN\mygroupname":rwx test > > However, when I do this on FreeBSD -CURRENT I get the following error: > > #setfacl -d -m g:"MYDOMAIN\mygroupname":rwx test > setfacl: g:MYDOMAIN\mygroupname: Invalid argument > > >From a quick Google it looks like Linux ACLs can do the aforementioned > [http://www.techtutorials.net/blogs/index.php?mode=viewuser&user_id=7]. > > Is anyone successfully managing there Samba shares via NT/AD groups using > FreeBSD ACLs ?FreeBSD ACLs work, as well. sambaserver# mkdir z-test sambaserver# chown gbytest:users z-test/ sambaserver# getfacl z-test/ #file:z-test/ #owner:1361 #group:100 user::rwx group::r-x mask::r-x other::r-x sambaserver# setfacl -m u:ADDOMAIN\\gbytest:rwx,g:ADDOMAIN\\domain\ users:rx z-test/ sambaserver# getfacl z-test/ #file:z-test/ #owner:1361 #group:100 user::rwx user:gbytest:rwx group::r-x group:domain users:r-x mask::rwx other::r-x sambaserver# This is on 6-STABLE, but it has worked on CURRENT also (though I don't have a machine running now), configured using idmap_rid (and 'winbind use default domain = yes'). At some point in the past when I was testing, I saw the same sort of errors as above. This was before I set idmap_rid (and configured samba with experimental modules), so it may have been related to this change. Do the domain users/groups show up using 'id' and 'wbinfo'? -- greg byshenk - gbyshenk@byshenk.net - Leiden, NL
Seemingly Similar Threads
- Unable to connect to Samba server, but it shows on the network
- Bizarre - How did windows user setfacl for a file??
- can I configure smb.conf to always publish share files with -rw-rw-rw- permission ?
- (no subject)
- Samba 3.0.25a - FreeBSD - permissions problem?