Ken D'Ambrosio
2002-Jul-24 13:51 UTC
[Samba] ACLs on client Samba machines with Samba PDC.
I've got a Samba box (2.2.5a) as a member of a Samba domain. Both the PDC and client are running 2.4.18 with XFS and ACLs compiled in. Problem: on the client, I can -NOT- modify the ACLs for files from Windows. (Note that I can modify the stock Unix permissions, but not the extended users/permissions that ACL support offers.) If I try, they just vanish when I click "OK". However, if I remove the client from the domain, and set it up by itself with "security = user", it works fine.

Am I doing something dumb, or is this an oversight/glitch/bug?

Thanks!

Ken D'Ambrosio
Sr. SysAdmin, Xanoptix, Inc.
As no one has replied I'll give my two cents worth. I have two questions:

1. Did you compile Samba using --with-acl-support?
2. Do you have nt acl support = yes in your smb.conf?

Josh
| Message: 3
| Date: Wed, 24 Jul 2002 13:49:09 -0700 (PDT)
| From: "Ken D'Ambrosio" <kend@employees.org>
| To: samba@lists.samba.org
| Subject: [Samba] ACLs on client Samba machines with Samba PDC.
|
| I've got a Samba box (2.2.5a) as a member of a Samba domain. Both the PDC
| and client are running 2.4.18 with XFS and ACLs compiled in. Problem: on
| the client, I can -NOT- modify the ACLs for files from Windows. (Note
| that I can modify the stock Unix permissions, but not the extended
| users/permissions that ACL support offers.) If I try, they just vanish
| when I click "OK". However, if I remove the client from the domain, and
| set it up by itself with "security = user", it works fine.
|

I've been banging my head against this one for a while, since I was trying to test ACLs on my member server (my desktop) before putting 2.2.5 on our production server. As it turns out, they work fine on the production server, but not on my desktop member server ...

It turns out that on member servers, you can apply ACLs using the "machine domain" (but for some reason, I only get groups, and not users here?), but not the domain it is a member of. You will probably notice that the permissions visible in the security properties box list the users/groups on the "machine domain" instead of the domain (in my case, BGMILNE-MDK83\bgmilne instead of CAE\bgmilne).

In the logs you will see that when you try and add ACLs with users from the domain, samba fails to map the SID+RID from the domain to a uid. This may require winbind-type functionality, or it may just be a bug (and one worth fixing soon!).

| Am I doing something dumb, or is this an oversight/glitch/bug?

Seems like a bug, but I'm not sure it can work without winbind (and thus a Windows DC) or with 2.2. Hopefully it works in HEAD, and hopefully 3.0 will be out soon.

Just FYI, I am running 2.2.5 with LDAP on the DC, and 2.2.5 without LDAP on the member server.

I hope ACLs work on an LDAP BDC, since we'll be putting one in next week ...

Buchan

--
|----------------Registered Linux User #182071-----------------|
Buchan Milne Mechanical Engineer, Network Manager
Cellphone * Work +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
Jim McDonough
2002-Jul-25 07:00 UTC
[Samba] Re: ACLs on client Samba machines with Samba PDC.
Buchan Milne wrote:

>In the logs you will see that when you try and add ACLs with users from
>the domain, samba fails to map the SID+RID from the domain to a uid.
>This may require winbind-type functionality, or it may just be a bug
>(and one worth fixing soon!).

That's the key...you need winbind. And you need HEAD as the PDC. So the answer is that it will work in 3.0...

----------------------------
Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074
USA

jmcd@us.ibm.com
jmcd@samba.org

Phone: (207) 885-5565
IBM tie-line: 776-9984
Jim McDonough
2002-Jul-25 07:18 UTC
[Samba] Re: ACLs on client Samba machines with Samba PDC.
Buchan Milne wrote:

>So is head stable enough for production? And will there be a new alpha
>sometime soon?

No, I'd not say it's stable enough for production...but alpha 18 was just released within the last week or so.

----------------------------
Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074
USA

jmcd@us.ibm.com
jmcd@samba.org

Phone: (207) 885-5565
IBM tie-line: 776-9984