Hello,

A little question about ACLs; my test server is set up with XFS and has support for ACLs. I have built the latest samba cvs source with acl support and as far as I can see from the configure results, acls were detected and were compiled.

Note: I am using winbind to authenticate the users.

Can I set the acls permissions from a windows 2000 client? I am trying to do this for a while without success... After I set the folder's permission in windows (add any user/group from the domain), looking again from the client does not show the change I have just made in the permissions... Anyone with similar problems?

The folder is chmoded 01777 and I am trying to make this change using a domain account declared as an admin user in smb.conf.

Here are the results of getfacl:

    [root@splus001 files]# getfacl departments/
    # file: departments/
    # owner: root
    # group: root
    user::rwx
    group::rwx
    other::rwx

I also tried reading the manpages of setfacl but without any visible success.

Can anyone help me or tell me where I can find more detailed documentation on setting ACLs for Samba?

Cheers
Gustavo
I've been having the same problem with Windows NT 4 clients, Samba 2.2.1a, and ext2fs with the ACL patches. I can set the ACLs just fine with setfacl, and the clients honor them, but I can't set them from NT. It just silently fails. I've asked about this a few times on the list and gotten basically no response, but I'm hoping maybe it'll be fixed in 2.2.2 because it's a major annoyance. I'm running Samba 2.2.1a with winbindd from an older HEAD CVS.

Setting ACLs with setfacl isn't too hard, though it's a bit of a pain. You can do things like:

    setfacl -m "g:DOMAIN+Programmers:rwx" foo

to add a group to the ACL list for a file or directory. To set a default ACL on a directory, just add a -d before the -m. You can make changes recursively with the -R switch. Removing an entry is similar:

    setfacl -x "g:DOMAIN+Programmers" foo

The only gotcha is that if you set UNIX permissions with chmod, they're combined with the ACL permissions to create the most restrictive interpretation. So most of the time it's best to avoid chmod and use setfacl to set those permissions, too. (For example, 'setfacl -m g::rx foo'.)

Interestingly enough, I have "map hidden = yes", and my NT clients can turn the hidden bit on and off just fine, as long as they're the owner of the file they're working on, but setting ACLs doesn't work.

-----Original Message-----
From: Michels, Gustavo [EES/BR] [mailto:gustavo.michels@emersonenergy.com]
Sent: Monday, September 17, 2001 4:29 PM
To: samba@lists.samba.org
Subject: Setting ACLs via Windows client

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Hi David,

Thanks for your prompt reply! Could you put here a result of a getfacl of one of your shares? Now that I have messed with chmod, I would like to know how you left all the permissions set.

cheers
Gustavo

-----Original Message-----
From: David Brodbeck [mailto:DavidB@mail.interclean.com]
Sent: Monday, 17 September 2001 17:46
To: Michels, Gustavo [EES/BR]; samba@lists.samba.org
Subject: RE: Setting ACLs via Windows client
I've been having this problem for a while as well. Using Redhat 7.1, kernel 2.4.7, ext2fs with posix ACLs, fileutils with posix ACLs, winbind. Configured PAM, copied over the necessary nsswitch files, etc. Just updated to newest CVS, branch SAMBA_2_2.

I try to add an object to the ACL for a share, and when I hit Apply or OK I see this in the logs for the machine I'm trying it from:

    [2001/09/18 11:56:19, 0] smbd/posix_acls.c:create_canon_ace_lists(750)
    create_canon_ace_lists: unable to map SID S-1-5-21-4054839845-3177800500-4173657015-21004 to uid or gid.

Over and over... I ended up killing the smb daemon to stop it.

Thoughts?

Mack

-----Original Message-----
From: kill -9 [mailto:kill-9@warbeast.com]
Sent: Tuesday, September 18, 2001 12:12 AM
To: Michels, Gustavo [EES/BR]
Cc: David Brodbeck; samba@lists.samba.org
Subject: RE: Setting ACLs via Windows client

I had problems with this also using ext2fs, posix acls, and any client, 2.2.1a. The permissions would fail with access denied. I did a cvs update today, and all the sudden it worked. I did however do something this time that I had never done before. I actually removed everything from the old samba install dirs and installed fresh, then copied over the relevant config files, lmhosts, etc. I have not tried from nt yet, but I did try from win98 nexus tools, which never even came close to working before.

Later,
Alex

On Mon, 17 Sep 2001, Michels, Gustavo [EES/BR] wrote:

> Date: Mon, 17 Sep 2001 21:57:47 +0100
> From: "Michels, Gustavo [EES/BR]" <gustavo.michels@emersonenergy.com>
> To: David Brodbeck <DavidB@mail.interclean.com>, samba@lists.samba.org
> Subject: RE: Setting ACLs via Windows client

Alex West
A&M Communications - Tech Guru
BioControl Technology Inc., MIS Administrator
kill-9@warbeast.com | kill-9@ipost.net
On Mon, 17 Sep 2001, Michels, Gustavo [EES/BR] wrote:

> A little question about ACLs; my test server is set up with XFS and has
> support for ACLs. I have built the latest samba cvs source with acl support
> and as far as I can see from the configure results, acls were detected and
> were compiled.

<snip>

> Can anyone help me or tell me where I can find more detailed documentation
> on setting ACLs for Samba?

Okay, I'm not certain I understand your environment completely BUT I am fully able to set the ACL's on files (and dirs) from NT4.0/Win2k from the owner account. ie it isn't enough to have write access to the file, you must be the owner.

Try this: share /tmp via samba (only temporarily, this is generally a bad idea).

    [root@router /tmp]# touch acledfile
    [root@router /tmp]# chown DOMAIN+USER1:DOMAIN+Domain\ Admins acledfile
    [root@router /tmp]# chmod 0660 acledfile
    [root@router /tmp]# getfacl acledfile
    # file: acledfile
    # owner: DOMAIN+USER1
    # group: DOMAIN+Domain Admins
    user::rw-
    group::rw-
    group:DOMAIN+Domain Admins:rw-
    mask::rw-
    other::---

Then from the NT4.0/Win2k machine (logged in as USER) try to modify the ACL's. It DOES work.

View the ACL,

    [root@router /tmp]# getfacl acledfile
    # file: acledfile
    # owner: DOMAIN+USER1
    # group: DOMAIN+Domain Admins
    user::rw-
    user:DOMAIN+USER3:rwx
    group::rw-
    group:DOMAIN+Domain Admins:rw-
    mask::rw-
    other::---

Then just change the owner to a different user; note this is the _only_ change you make

    [root@router /tmp]# chown DOMAIN+USER2:DOMAIN+Domain\ Admins acledfile
    [root@router /tmp]# getfacl acledfile
    # file: acledfile
    # owner: DOMAIN+USER2
    # group: DOMAIN+Domain Admins
    user::rw-
    user:DOMAIN+USER3:rwx
    group::rw-
    group:DOMAIN+Domain Admins:rw-
    mask::rw-
    other::---

Now again on the NT4.0/Win2k workstation try to modify the ACL, it will fail. This is to be expected.

Does that kinda clarify what you can do with ACL's ???

Yours Tony.
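The chmod gotcha David describes and the mask:: line in Tony's getfacl output follow from the same POSIX ACL rule, worked through here as an added example that is not part of any message in the thread: on a file with an extended ACL, the group bits of chmod rewrite mask::, and the mask caps every named user, named group and owning-group entry. The function names are this example's own; the sample ACL is the getfacl output Tony posted.

```python
# Added example: POSIX ACL evaluation over getfacl text (not code from the thread).
PERM = {"r": 4, "w": 2, "x": 1}

# getfacl output posted in the thread, after the Windows client added USER3.
SAMPLE = """\
# file: acledfile
# owner: DOMAIN+USER1
# group: DOMAIN+Domain Admins
user::rw-
user:DOMAIN+USER3:rwx
group::rw-
group:DOMAIN+Domain Admins:rw-
mask::rw-
other::---
"""

def to_bits(perms):
    """'rw-' or 'rw' -> 6."""
    return sum(v for k, v in PERM.items() if k in perms)

def parse_getfacl(text):
    """Return (owner, owning group, entries); an entry is [tag, qualifier, bits]."""
    owner = group = None
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":", 2)
            entries.append([tag, qualifier, to_bits(perms[:3])])
    return owner, group, entries

def chmod(entries, mode):
    """chmod on a file with an ACL: the group bits replace mask::, not group::."""
    has_mask = any(tag == "mask" for tag, _, _ in entries)
    out = []
    for tag, qual, bits in entries:
        if tag == "user" and not qual:
            bits = (mode >> 6) & 7
        elif tag == "other":
            bits = mode & 7
        elif tag == "mask" or (tag == "group" and not qual and not has_mask):
            bits = (mode >> 3) & 7
        out.append([tag, qual, bits])
    return out

def allowed(owner, group, entries, user, groups, want):
    """acl(5) check: the first matching class decides; mask caps all but owner/other."""
    need = to_bits(want)
    find = lambda tag, qual: next(
        (b for t, q, b in entries if t == tag and q == qual), None)
    mask = find("mask", "")
    mask = 7 if mask is None else mask
    if user == owner:
        return (find("user", "") & need) == need
    if find("user", user) is not None:
        return (find("user", user) & mask & need) == need
    hits = [b for t, q, b in entries
            if t == "group" and (q in groups or (not q and group in groups))]
    if hits:  # member of a listed group: "other" is never consulted
        return any((b & mask & need) == need for b in hits)
    return (find("other", "") & need) == need
```

After `chmod(acl, 0o640)` the stored entries for USER3 and Domain Admins still read rwx and rw-, but the mask is r--, so neither can write; that is the "most restrictive interpretation" seen from the client.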
What version of Samba are you using? It doesn't work for me from NT4, with Samba 2.2.1a, even on files I own. No error message appears, but when you check the permissions again they're unchanged. I get the following error in the log:

    [2001/09/19 09:33:22, 0] smbd/posix_acls.c:create_canon_ace_lists(747)
    create_canon_ace_lists: unable to map SID S-1-5-21-86195882-1589917278-758854815-1203 to uid or gid.

I'm wondering if this is a problem with my winbindd configuration, since I'm using Samba and winbindd from different branches. If it is, it'll probably correct itself when I upgrade to 2.2.2.

-----Original Message-----
From: Anthony J. Breeds-Taurima [mailto:tony@cantech.net.au]
Sent: Tuesday, September 18, 2001 11:38 PM
To: Michels, Gustavo [EES/BR]
Cc: samba@lists.samba.org
Subject: Re: Setting ACLs via Windows client
Hi,

> > [2001/09/19 09:33:22, 0] smbd/posix_acls.c:create_canon_ace_lists(747)
> > create_canon_ace_lists: unable to map SID
> > S-1-5-21-86195882-1589917278-758854815-1203 to uid or gid.
>
> The set_nt_acl call bails out if smbd finds a SID in the security
> descriptor it is unable to resolve to a uid/gid.
>
> > I'm wondering if this is a problem with my winbindd configuration,
> > since I'm using Samba and winbindd from different branches. If it is,
> > it'll probably correct itself when I upgrade to 2.2.2.
>
> That would be me first guess.

Same problem here:

    [2001/09/20 09:29:31, 0] smbd/posix_acls.c:create_canon_ace_lists(750)
    create_canon_ace_lists: unable to map SID S-1-5-21-1251350007-2636732721-412050243-1000 to uid or gid.

I am using smbd and winbind from the same source, SAMBA_2_2 tag. Is there any tool so I can test looking up SIDs? I can send you a higher debug level, if needed.

cheers
Gustavo
On Thu, 20 Sep 2001, Michels, Gustavo [EES/BR] wrote:

> [2001/09/20 09:29:31, 0] smbd/posix_acls.c:create_canon_ace_lists(750)
> create_canon_ace_lists: unable to map SID
> S-1-5-21-1251350007-2636732721-412050243-1000 to uid or gid.
>
> I am using smbd and winbind from the same source, SAMBA_2_2 tag. Is there
> any tool so I can test looking up SIDs?

wbinfo -h will tell you what you need to know.

cheers, jerry
---------------------------------------------------------------------
www.samba.org SAMBA Team jerry_at_samba.org
www.plainjoe.org jerry_at_plainjoe.org
--"I never saved anything for the swim back." Ethan Hawk in Gattaca--
Hi, :-)

> On Thu, 20 Sep 2001, Michels, Gustavo [EES/BR] wrote:
>
> > [2001/09/20 09:29:31, 0] smbd/posix_acls.c:create_canon_ace_lists(750)
> > create_canon_ace_lists: unable to map SID
> > S-1-5-21-1251350007-2636732721-412050243-1000 to uid or gid.
> >
> > I am using smbd and winbind from the same source, SAMBA_2_2 tag. Is there
> > any tool so I can test looking up SIDs?
>
> wbinfo -h will tell you what you need to know.

Take a look:

    [root@splus001 var]# wbinfo -s S-1-5-21-1751526032-1943025958-924725345-500
    EERDBR001+Administrator 1
    [root@splus001 var]# wbinfo -s S-1-5-21-1251350007-2636732721-412050243-1000
    8
    [root@splus001 var]#

Weird, huh? I wonder why smbd is complaining about this SID when setting ACLs...

cheers
Gustavo
Hi,

> On Thu, 20 Sep 2001, Michels, Gustavo [EES/BR] wrote:
>
> > [root@splus001 var]# wbinfo -s S-1-5-21-1251350007-2636732721-412050243-1000
> > 8
>
> This should report a username. Any chance of running this on the DC?
> There's a sid2name tool for NT somewhere (maybe at nbugtraq.com).

Results for sid2user:

    C:\Temp\sid>sid2user \\eebrspnt001 5 21 1751526032 1943025958 924725345 500

    Name is Administrator
    Domain is EERDBR001
    Type of SID is SidTypeUser

    C:\Temp\sid>sid2user \\eebrspnt001 5 21 1251350007 2636732721 412050243 1000

    LookupSidName failed - no such account

Weird... :-)

cheers
Gustavo
On Thu, 20 Sep 2001, Michels, Gustavo [EES/BR] wrote:

> C:\Temp\sid>sid2user \\eebrspnt001 5 21 1251350007 2636732721 412050243 1000
>
> LookupSidName failed - no such account

Probably an account that was deleted and left in an ACL.

cheers, jerry
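An added example (not from the thread and not Samba code) that pulls the "unable to map SID" errors out of an smbd log, counts them, and checks whether each SID's domain part matches a domain SID that is known to resolve. The log excerpt is constructed from the lines quoted in the thread, the record with RID 1104 is made up, and KNOWN_DOMAIN_SID is the Administrator SID from the wbinfo output with its RID 500 removed.

```python
# Added example: triage of "unable to map SID" errors in an smbd log.
import re
from collections import Counter

# Domain SID of EERDBR001, taken from the Administrator SID in the thread.
KNOWN_DOMAIN_SID = "S-1-5-21-1751526032-1943025958-924725345"

# Constructed excerpt: header line, then the message on the following line.
SAMPLE_LOG = """\
[2001/09/20 09:29:31, 0] smbd/posix_acls.c:create_canon_ace_lists(750)
  create_canon_ace_lists: unable to map SID S-1-5-21-1251350007-2636732721-412050243-1000 to uid or gid.
[2001/09/20 09:29:33, 0] smbd/posix_acls.c:create_canon_ace_lists(750)
  create_canon_ace_lists: unable to map SID S-1-5-21-1251350007-2636732721-412050243-1000 to uid or gid.
[2001/09/20 09:30:02, 0] smbd/posix_acls.c:create_canon_ace_lists(750)
  create_canon_ace_lists: unable to map SID S-1-5-21-1751526032-1943025958-924725345-1104 to uid or gid.
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+)$")
UNMAPPED = re.compile(r"unable to map SID (S-1-\d+(?:-\d+)+) to uid or gid")


def records(log):
    """Yield (timestamp, source, message), joining the lines under each header."""
    current = None
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m["ts"], m["src"], ""]
        elif current:
            current[2] = (current[2] + " " + line.strip()).strip()
    if current:
        yield tuple(current)


def split_sid(sid):
    """Split S-1-5-21-a-b-c-RID into (domain SID, RID); (None, None) otherwise."""
    parts = sid.split("-")
    if parts[:4] == ["S", "1", "5", "21"] and len(parts) == 8:
        return "-".join(parts[:7]), int(parts[7])
    return None, None


def triage(log, known_domain_sid=KNOWN_DOMAIN_SID):
    """Return one row per unmapped SID, most frequent first."""
    seen, first = Counter(), {}
    for ts, _src, msg in records(log):
        m = UNMAPPED.search(msg)
        if m:
            seen[m[1]] += 1
            first.setdefault(m[1], ts)
    rows = []
    for sid, count in seen.most_common():
        domain, rid = split_sid(sid)
        if domain is None:
            origin = "not-domain-relative"   # e.g. a well-known SID
        elif domain == known_domain_sid:
            origin = "known-domain"          # deleted or unmapped domain account
        else:
            origin = "other-authority"       # issued by a different domain or machine
        rows.append({"sid": sid, "rid": rid, "count": count,
                     "first_seen": first[sid], "origin": origin})
    return rows
```

Each SID in the result can then be passed to `wbinfo -s` as in the thread; the SID Gustavo reports comes out as "other-authority" because its domain part differs from the one Administrator resolves under.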
Hi,

> On Thu, 20 Sep 2001, Michels, Gustavo [EES/BR] wrote:
>
> > C:\Temp\sid>sid2user \\eebrspnt001 5 21 1251350007 2636732721 412050243 1000
> >
> > LookupSidName failed - no such account
>
> Probably an account that was deleted and left in an ACL.

Maybe this?

    [root@splus001 var]# wbinfo -s S-1-5-21-1251350007-2636732721-412050243-1000
    8
    [root@splus001 printers]# wbinfo -n Everyone
    S-0-0 8

What do you think?

cheers
Gustavo
On Thu, 20 Sep 2001, Michels, Gustavo [EES/BR] wrote:

> Maybe this?
>
> [root@splus001 var]# wbinfo -s S-1-5-21-1251350007-2636732721-412050243-1000
> 8
> [root@splus001 printers]# wbinfo -n Everyone
> S-0-0 8
>
> What do you think?

Nope. Everyone is a BUILTIN account. Do any of the ACL entries show up as "Unknown Account" in the security dialog on the NT client?
Hi,

> > [root@splus001 var]# wbinfo -s S-1-5-21-1251350007-2636732721-412050243-1000
> > 8
> > [root@splus001 printers]# wbinfo -n Everyone
> > S-0-0 8
> >
> > What do you think?
>
> Nope. Everyone is a BUILTIN account. Do any of the ACL entries show up
> as "Unknown Account" in the security dialog on the NT client.

No... The entries in the security tab are the Administrator, the Domain Admin group and Everyone. Before doing any acl settings, I first chown admin:domain admin group for that folder, that's why they appear in the security tab.

Any changes I make (with the folder owner, the administrator) in the list are saved but not reflected as I try to access the share with an allowed user (by the acl).

cheers
Gustavo