Hi, I set up a samba 3.0.26a as an ads-member of a windows 2003 Small Business Server. Every windows user in the domain can read and write their files, everyone's happy. My Problem is, that I cannot set up security groups in the AD. When I try, I do not get an error message, but my changes are being silently ignored. I cannot set rights exceeding read,write, execute and owner. E.g. I cannot remove the group 'everyone' from the file access list. When I do and confirm I do not get an error message, but when I review the settings, nothing has changed, 'everyone' is still in the list. It is the same when I try to set or unset full access to files - no error message, but no success. I tried different settings concerning heritage, but that did not help. There are some other postings in the mailing list that sound quite similar, related to versions >3.0.25. Maybe there is a bug in these versions? My smb.conf: http://www.pastebin.ca/753491 Regards Martin
This problem is really annoying, I cannot use security groups but I need to do that. Please tell me if you need more information. I am using Samba since 2001 and never had that kind of trouble. The system is an ubuntu 7.10 server with an amd64-kernel. I am ready to offer any available information, including log (I do not see error/failure/warning-messages when using log level 4) and any configurations. Thank you in advance! Martin Martin Hauptmann schrieb:> Hi, > > I set up a samba 3.0.26a as an ads-member of a windows 2003 Small > Business Server. > Every windows user in the domain can read and write their files, > everyone's happy. > My Problem is, that I cannot set up security groups in the AD. When I > try, I do not get an error message, but my changes are being silently > ignored. > I cannot set rights exceeding read,write, execute and owner. > E.g. I cannot remove the group 'everyone' from the file access list. > When I do and confirm I do not get an error message, but when I review > the settings, nothing has changed, 'everyone' is still in the list. > It is the same when I try to set or unset full access to files - no > error message, but no success. > I tried different settings concerning heritage, but that did not help. > > There are some other postings in the mailing list that sound quite > similar, related to versions >3.0.25. Maybe there is a bug in these > versions? > > My smb.conf: http://www.pastebin.ca/753491 > > Regards > > Martin >
Martin Hauptmann wrote:> Hi, > > I set up a samba 3.0.26a as an ads-member of a windows 2003 Small > Business Server. > Every windows user in the domain can read and write their files, > everyone's happy. > My Problem is, that I cannot set up security groups in the AD. When I > try, I do not get an error message, but my changes are being silently > ignored. > I cannot set rights exceeding read,write, execute and owner. > E.g. I cannot remove the group 'everyone' from the file access list. > When I do and confirm I do not get an error message, but when I review > the settings, nothing has changed, 'everyone' is still in the list. > It is the same when I try to set or unset full access to files - no > error message, but no success. > I tried different settings concerning heritage, but that did not help. > > There are some other postings in the mailing list that sound quite > similar, related to versions >3.0.25. Maybe there is a bug in these > versions? > > My smb.conf: http://www.pastebin.ca/753491 > > Regards > > Martin >Did you perhaps change anything in ADS? I have found that one should NEVER change the spelling of a record, or drag a user or group somewhere else. Doing so totally screws up winbind. To fix it, I suggest that you create a new OU with groups and users in the OU, ensure everything works, then set the security policy of the OU and finally delete the old dud users and groups. Only delete the users and groups afterwards, to ensure that the GUIDs won't get re-used for the new records. I actually never delete records - I have a special OU called 'trash' and I drag and drop trashed users and groups there - to prevent GUID re-use and consequent side effects. I don't know whether that is strictly necessary, but I was losing a lot of hair at one point so I became paranoid about never changing *anything* in ADS once created, and it really seems to work better this way. Cheers, Herman
I can see, change and set any permissions with getfacl/setfacl. I can see these permissions in Windows but cannot change some of the properties. For example I cannot set full access rights for other groups even if I am the owner of the directory/file. The changes are being silently ignored. I can (un)check the properties and accept the changes, but these changes do not take place when I review the properties in windows or getfacl. Martin Jordan Keyes schrieb:> Martin, > > What command exactly are you trying to run to remove the permissions for the > group "Everyone"? > > > Jordan > > -----Original Message----- > From: samba-bounces+jordan.keyes=foamdesign.com@lists.samba.org > [mailto:samba-bounces+jordan.keyes=foamdesign.com@lists.samba.org] On Behalf > Of Martin Hauptmann > Sent: Tuesday, October 30, 2007 12:03 PM > To: samba@lists.samba.org > Subject: Re: [Samba] can't remove groups in AD > > This problem is really annoying, I cannot use security groups but I need > to do that. > > Please tell me if you need more information. I am using Samba since 2001 > and never had that kind of trouble. > > The system is an ubuntu 7.10 server with an amd64-kernel. > > I am ready to offer any available information, including log (I do not > see error/failure/warning-messages when using log level 4) and any > configurations. > > Thank you in advance! > > Martin > > > Martin Hauptmann schrieb: > >> Hi, >> >> I set up a samba 3.0.26a as an ads-member of a windows 2003 Small >> Business Server. >> Every windows user in the domain can read and write their files, >> everyone's happy. >> My Problem is, that I cannot set up security groups in the AD. When I >> try, I do not get an error message, but my changes are being silently >> ignored. >> I cannot set rights exceeding read,write, execute and owner. >> E.g. I cannot remove the group 'everyone' from the file access list. >> When I do and confirm I do not get an error message, but when I review >> the settings, nothing has changed, 'everyone' is still in the list. >> It is the same when I try to set or unset full access to files - no >> error message, but no success. >> I tried different settings concerning heritage, but that did not help. >> >> There are some other postings in the mailing list that sound quite >> similar, related to versions >3.0.25. Maybe there is a bug in these >> versions? >> >> My smb.conf: http://www.pastebin.ca/753491 >> >> Regards >> >> Martin >> >> > >
Seemingly Similar Threads
- any tricks re using " eql(5.5)", but where 5.5 is a decimal not float?
- when will "TODO" comment/rake support come out?
- Cheapest Rails Hosting where they give you full access to Apache (to load modules etc)???
- Why does ActiveRecord allow perception of success when updating an ID, however it doesn't really work(i.e. no change in database)?
- how does Mocha compare in terms of classical vs mock-based testing, and stubbing???