Blotto
2009-Jul-27 08:00 UTC
[Samba] Samba using Server 2k3 DC for auth and ACL permissions
Hi, I have a Samba server set up on Debian to use a Server 2k3 AD for auth. This works perfectly fine; what doesn't work is ACL permissions. I have the drives mounted with acl, and the ACL is settable and readable on both Windows and Debian:

    # getfacl web/
    # file: web/
    # owner: root
    # group: root
    user::rwx
    user:600:rwx
    user:602:r-x
    group::r-x
    group:605:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:user:600:rwx
    default:user:602:r-x
    default:group::r-x
    default:group:605:rwx
    default:mask::rwx
    default:other::---

These values were set using the permissions editor in Windows.

The problem I have is that the permissions do nothing. If I set a user from the domain to have full control of a folder, they still can't access it; only users listed in the smb.conf file for that share have access, regardless of the ACL permissions set, so I'm thinking I'm missing something config-wise.

smb.conf:

    [global]
    security = ADS
    encrypt passwords = yes
    wins support = yes
    workgroup = MY
    realm = MY.DOMAIN
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind separator = +
    idmap uid = 10000-30000
    idmap gid = 10000-30000
    template shell = /bin/bash
    log level = 3
    log file = /var/log/samba.log
    password server = wencodc
    map acl inherit = yes
    acl group inherit = yes
    acls group control = yes

    [Admin]
    path = /media/Shared/
    read only = no
    create mode = 0700
    directory mode = 0700
    nt acl support = yes
    acl map full control = yes
    admin users = @MY+fileserveradmin
    valid users = @"MY+Domain Users"
    browseable = true

Any help greatly appreciated; I've exhausted Google on this to no avail.

-Pete

--
View this message in context: http://www.nabble.com/Samba-using-Server-2k3-DC-for-auth-and-ACL-permissions-tp24675249p24675249.html
Sent from the Samba - General mailing list archive at Nabble.com.
Michael Heydon
2009-Jul-27 08:15 UTC
[Samba] Samba using Server 2k3 DC for auth and ACL permissions
Blotto wrote:
> only users listed in the smb.conf file for that share
> have access regardless of the ACL permissions set

Maybe I'm not reading this right, but I think that is how it is supposed to work. When you define which users can access a share, that is checked when they attempt to connect; file system ACLs will only come into play after the user has been granted access to the share.

> [Admin]
> path = /media/Shared/
> read only = no
> create mode = 0700
> directory mode = 0700
> nt acl support = yes
> acl map full control = yes
> admin users = @MY+fileserveradmin
> valid users = @"MY+Domain Users"
> browseable = true

So are you trying to grant Fred (for example) access to the files, even though he isn't a member of "MY\Domain Users" (probably a bad example, since all users are likely to be in that group)?

*Michael Heydon - IT Administrator*
michaelh at jaswin.com.au
Christian Rost
2009-Jul-27 08:34 UTC
[Samba] Samba using Server 2k3 DC for auth and ACL permissions
> These values were set using the permissions editor in Windows
>
> the problem I have is that the permissions do nothing
>
> if I set a user from the domain to have full control of a folder, they
> still can't access it, only users listed in the smb.conf file for that
> share have access regardless of the ACL permissions set, so I'm thinking I'm
> missing something config-wise

Hi,

it's the same as with Windows: you need two different sets of ACLs, one to access the share and one for the filesystem the share refers to.

If you look at the filesystem ACLs closely, the "web/" directory is owned by user "root" and group "root". In addition, user "600" and group "605" have full access and user "602" only read access. Do any of these IDs match your "@MY+fileserveradmin" and @"MY+Domain Users"?

But perhaps it's only because you missed the Samba share option "write list", which grants read/write access to users/groups per share.

If it doesn't help, increase the "debug level" to 2 or 3 and check the logfiles.

Cheers,
Christian

==========================================================
Christian Rost
roCon - Informationstechnologie
Glatzer Weg 4
44534 Lünen
fon: +49 (0) 2306 910 658
fax: +49 (0) 2306 910 664
url: http://www.rocon-it.de
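The two-layer model that both replies describe (share-level options checked at connect time, then the POSIX ACL on the filesystem, with `mask::` limiting named-user and group entries) and Christian's question about whether the numeric IDs in the ACL correspond to anything winbind could have produced can be made concrete. The following is an added example, not code from the thread or from the Samba project: it models the posted `[Admin]` share options and the posted `getfacl web/` output as constructed data, walks both layers for a few invented principals, and lists ACL IDs that fall outside the configured `idmap uid`/`idmap gid` range (IDs winbind could not have allocated for domain accounts). The principal names, uids and gids are assumptions; the treatment of `admin users` as operating as root follows smb.conf(5).

```python
"""Two-layer Samba access check: share options first, then the POSIX ACL.
Added example, not code from the thread; share options, idmap ranges and
getfacl text are constructed to mirror the posted config, principals are invented."""

# [Admin] options as they appear in the posted smb.conf ('@' marks a group).
ADMIN_SHARE = {"admin users": ["@MY+fileserveradmin"],
               "valid users": ["@MY+Domain Users"],
               "write list": [], "read only": False}
IDMAP = {"user": (10000, 30000), "group": (10000, 30000)}  # idmap uid / idmap gid

GETFACL_WEB = """\
# file: web/
# owner: root
# group: root
user::rwx
user:600:rwx
user:602:r-x
group::r-x
group:605:rwx
mask::rwx
other::---
default:user::rwx
"""

def parse_getfacl(text):
    """Access ACL only; default: entries only shape newly created children."""
    acl = {"owner": None, "group": None, "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("# owner:", "# group:")):
            acl[line[2:].split(":")[0]] = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            tag, qual, perms = line.split(":")
            acl["entries"].append((tag, qual, perms))
    return acl

def has_perms(granted, wanted):
    """Every bit requested in wanted ('r--', 'rw-', ...) must be in granted."""
    return all(w == "-" or g == w for g, w in zip(granted, wanted))

def masked(perms, mask):
    """Named-user and group entries are effective only where mask:: allows."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def _in_list(entries, principal):
    """smb.conf name lists: '@', '+' or '&' prefix means a group, else a user."""
    return any(e.lstrip("@+&") in principal["groups"] if e[:1] in "@+&"
               else e == principal["name"] for e in entries)

def share_layer(share, principal, wanted):
    """'admin users' connect and then operate as root; everyone else must match
    'valid users' (empty = anyone) and, on a read-only share, 'write list'."""
    if _in_list(share["admin users"], principal):
        return "admin"
    if share["valid users"] and not _in_list(share["valid users"], principal):
        return "denied at share level (not in valid users)"
    if "w" in wanted and share["read only"] and not _in_list(share["write list"], principal):
        return "denied at share level (read only, not in write list)"
    return "connected"

def acl_layer(acl, principal, wanted):
    """acl(5) order: owner entry; else matching named user; else the union of
    matching group entries; else other. Only owner and other escape mask::."""
    ents = acl["entries"]
    mask = next((p for t, q, p in ents if t == "mask"), "rwx")
    my_uids = {str(principal["uid"]), principal["unix_name"]}
    my_gids = {str(g) for g in principal["gids"]} | set(principal["unix_groups"])
    if acl["owner"] in my_uids:
        return has_perms(next(p for t, q, p in ents if t == "user" and not q), wanted)
    for t, q, p in ents:
        if t == "user" and q and q in my_uids:
            return has_perms(masked(p, mask), wanted)
    group_perms = [masked(p, mask) for t, q, p in ents if t == "group"
                   and (acl["group"] in my_gids if not q else q in my_gids)]
    if group_perms:
        return any(has_perms(p, wanted) for p in group_perms)
    return has_perms(next(p for t, q, p in ents if t == "other"), wanted)

def check_access(share, acl, principal, wanted="r--"):
    """Walk both layers and report which one stopped the user."""
    verdict = share_layer(share, principal, wanted)
    if verdict == "admin":
        return "allowed (admin users: file operations run as root)"
    if verdict != "connected":
        return verdict
    return "allowed" if acl_layer(acl, principal, wanted) else \
        "connected to share, denied by filesystem ACL"

def ids_outside_idmap(acl, idmap=IDMAP):
    """Numeric ACL qualifiers outside the idmap range cannot be winbind-allocated."""
    return [(t, int(q)) for t, q, _ in acl["entries"] if t in idmap and q.isdigit()
            and not idmap[t][0] <= int(q) <= idmap[t][1]]

ACL = parse_getfacl(GETFACL_WEB)
# Constructed principals; winbind-mapped ids fall inside 10000-30000.
PETE = {"name": "MY+pete", "unix_name": "MY+pete", "uid": 10042, "gids": {10001},
        "unix_groups": {"MY+domain users"}, "groups": {"MY+Domain Users"}}
BOB = dict(PETE, name="MY+bob", unix_name="MY+bob", groups={"MY+Guests"})
LOCAL600 = dict(PETE, name="web600", unix_name="web600", uid=600)
```

Run as written, `check_access(ADMIN_SHARE, ACL, PETE, "rw-")` reports that a Domain Users member gets through the share but is stopped by the filesystem ACL (he matches none of the named entries and falls through to `other::---`), while `ids_outside_idmap(ACL)` shows that 600, 602 and 605 all lie outside the posted `idmap` range of 10000-30000, so they are not the IDs winbind would have assigned to AD users or groups.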