Hello,

I have winbind set up and working with Linux 2.2.20acl, as far as
I can tell everything works except for "Taking Ownership" and
modification of permissions by group members.

I have a user ( we'll call him "user" ) who is in the DOMAIN+Employees group
( this group has full control over FILE.doc ).

If I try to change permissions from a Windows 2k client, I get an error on
the windows side :

--
Unable to save permission changes on FILE.doc
Access is denied.
--

and this is in the log.smbd :

--
[2002/07/24 19:13:49, 2] smbd/open.c:open_file(217)
  user opened file FILE.doc read=Yes write=No (numopen=1)
[2002/07/24 19:13:49, 2] smbd/posix_acls.c:set_canon_ace_list(1731)
  set_canon_ace_list: sys_acl_set_file failed for file FILE.doc (Operation not permitted).
[2002/07/24 19:13:49, 2] smbd/close.c:close_normal_file(208)
  domain+user closed file FILE.doc (numopen=0)
--

If I try to "Take Ownership" of the file, I get an equally generic error
on the windows side, and this in the log.smbd :

--
[2002/07/24 19:17:36, 2] smbd/open.c:open_file(217)
  dkelley opened file Engineering/Database/GIS CONFIGURATION ISSUES.doc read=Yes write=No (numopen=1)
[2002/07/24 19:17:36, 2] smbd/close.c:close_normal_file(208)
  vectiv+dkelley closed file Engineering/Database/GIS CONFIGURATION ISSUES.doc (numopen=0)
--

Any help would be much appreciated :)

Thanks,
Rob
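Added example (not part of the original post, and not Samba code): a small parser that pairs each failed ACL write in log.smbd with the user who last opened the same file, so an admin can see who is hitting this error. It assumes smbd's two-line record layout (header, then message); the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample in smbd's two-line layout (header, then indented message),
# reusing the entries quoted in the post above.
SAMPLE_LOG = """\
[2002/07/24 19:13:49, 2] smbd/open.c:open_file(217)
  user opened file FILE.doc read=Yes write=No (numopen=1)
[2002/07/24 19:13:49, 2] smbd/posix_acls.c:set_canon_ace_list(1731)
  set_canon_ace_list: sys_acl_set_file failed for file FILE.doc (Operation not permitted).
[2002/07/24 19:13:49, 2] smbd/close.c:close_normal_file(208)
  domain+user closed file FILE.doc (numopen=0)
"""

HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*\d+\]\s+\S+:(?P<func>\w+)\(\d+\)\s*$")
OPENED = re.compile(r"^(?P<user>\S+) opened file (?P<file>.+) read=(?:Yes|No) write=(?:Yes|No) ")
ACL_FAIL = re.compile(r"^set_canon_ace_list: sys_acl_set_file failed for file (?P<file>.+) \((?P<err>[^()]+)\)\.?$")

def records(text):
    """Yield (timestamp, function, message) for each header + message pair."""
    current, body = None, []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            if current:
                yield current["ts"], current["func"], " ".join(body)
            current, body = m.groupdict(), []
        elif current and raw.strip():
            body.append(raw.strip())
    if current:
        yield current["ts"], current["func"], " ".join(body)

def failed_acl_changes(text):
    """Pair each failed ACL write with the most recent open of the same file."""
    last_open, findings = {}, []
    for ts, func, msg in records(text):
        o = OPENED.match(msg) if func == "open_file" else None
        if o:
            last_open[o["file"]] = o["user"]
            continue
        f = ACL_FAIL.match(msg) if func == "set_canon_ace_list" else None
        if f:
            findings.append({"time": ts, "file": f["file"], "error": f["err"],
                             "user": last_open.get(f["file"], "unknown")})
    return findings

if __name__ == "__main__":
    for hit in failed_acl_changes(SAMPLE_LOG):
        print(hit)
```

The "Take Ownership" attempt in the post leaves only open/close records, so this parser reports nothing for it.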

> I have winbind set up and working with Linux 2.2.20acl, as far as
> I can tell everything works except for "Taking Ownership" and
> modification of permissions by group members.

same problem here with 2.4.18+xfs+acl

> I have a user ( we'll call him "user" ) who is in the DOMAIN+Employees group
> ( this group has full control over FILE.doc ).

i think only the owner of a file can change permissions - or am i wrong?
samba will show "full access" if rwx

> If I try to change permissions from a Windows 2k client, I get an error on
> the windows side :
>
> --
> Unable to save permission changes on FILE.doc
> Access is denied.
> --
>
> and this is in the log.smbd :
>
> --
> [2002/07/24 19:13:49, 2] smbd/open.c:open_file(217)
>   user opened file FILE.doc read=Yes write=No (numopen=1)
> [2002/07/24 19:13:49, 2] smbd/posix_acls.c:set_canon_ace_list(1731)
>   set_canon_ace_list: sys_acl_set_file failed for file FILE.doc (Operation not permitted).
> [2002/07/24 19:13:49, 2] smbd/close.c:close_normal_file(208)
>   domain+user closed file FILE.doc (numopen=0)
> --
>
> If I try to "Take Ownership" of the file, I get an equally generic error
> on the windows side, and this in the log.smbd :
>
> --
> [2002/07/24 19:17:36, 2] smbd/open.c:open_file(217)
>   dkelley opened file Engineering/Database/GIS CONFIGURATION ISSUES.doc read=Yes write=No (numopen=1)
> [2002/07/24 19:17:36, 2] smbd/close.c:close_normal_file(208)
>   vectiv+dkelley closed file Engineering/Database/GIS CONFIGURATION ISSUES.doc (numopen=0)
> --
>
> Any help would be much appreciated :)

i wonder if this is possible?
i think the right of "changing ACLs" is dependent on who created the
file which might lead to chaos within a directory many users do access.

I'm confused, what does taking ownership really gain us here?

Most cases where more than one person needs access to a folder, you use
groups. When one person leaves, if permissions are set up correctly, the
other members of the group still have access to the file/folders.

The only case where I think you might have a folder where only ONE person
has rights is in their home folder, but I think the admin _should_ be
involved with handing out access to those files.

I guess if you're using quotas you would need to keep accurate track of who
owns what file/folder. Don't know anything about them so I can't help much
here.

The only purpose for take ownership in the M$ NT world is because there is
no root account which always has rights.

Am I totally off base here ??

Josh

-----Original Message-----
From: Rob Helmer [mailto:robert@namodn.com]
Sent: Wednesday, July 24, 2002 10:14 PM
To: samba@lists.samba.org
Subject: Re: [Samba] taking ownership

Hi Sven,

On Thu, Jul 25, 2002 at 04:31:57AM +0200, Sven K?hler wrote:
> i wonder if this is possible?
> i think the right of "changing ACLs" is dependent on who created the
> file which might lead to chaos within a directory many users do access.
>

I did some reading on it ( howtos, archives from the -devel list ) and
it appears that this feature is not implemented in Samba.

Changing ownership is something only root can do on Unix systems, whereas
NT systems allow this kind of behavior ( the "Take Ownership" bit doesn't
seem to mean anything in Posix ACLs either ).

So, I guess people will have to go through the administrator to make these
changes ( "for reasons of security" sounds good :) ).

If anyone has any additional info that'd be great, it actually would be
a nice feature to have because it allows people to take ownership when
users leave the company without having to get the administrator involved,
and I'm sure some of them expect it to be there. It's not really a
showstopper for me.

However, I am not sure if an Administrator logged onto a Windows box
can change ownership of files ( maybe if they are mapped to the root user ? ),
I could see that being an issue. I'll have to test that :)

Thanks,
Rob

| Message: 1
| From: Samba <Samba@guidemail.com>
| To: 'Rob Helmer' <robert@namodn.com>, samba@lists.samba.org
| Subject: RE: [Samba] taking ownership
| Date: Thu, 25 Jul 2002 06:46:53 -0500
|
| I'm confused, what does taking ownership really gain us here?
|
| Most cases where more than one person needs access to a folder, you use
| groups. When one person leaves, if permissions are set up correctly, the
| other members of the group still have access to the file/folders.
|
| The only case where I think you might have a folder where only ONE person
| has rights is in their home folder, but I think the admin _should_ be
| involved with handing out access to those files.
|
| I guess if you're using quotas you would need to keep accurate track of who
| owns what file/folder. Don't know anything about them so I can't help much
| here.
|
| The only purpose for take ownership in the M$ NT world is because there is
| no root account which always has rights.
|
| Am I totally off base here ??
|

There is one thing that is currently not possible, and that is to allow
more than one person (but not everyone, and only on selected files) to
change the permissions on the files.

Say you have one project, with two members who should be able to decide
who sees what files. There is no way to allow for this. You either have
to set them as "admin users", thus giving them full control to all files
in the share.

Samba and ACLs still puts a bit more overhead on the real admin (the one
with root, or at least "admin user"), since he has to spend time
changing ACLs or ownership of files.

Most (all?) other features of ACLs can be handled with complex groups
and standard unix permissions (though it's not fun), but this one can't,
and it can't be done with Posix ACLs AFAIK.

Buchan

--
|----------------Registered Linux User #182071-----------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
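
Added example (not from any poster in this thread, and not Samba code): a simplified model of the Unix rule the thread converges on, showing which NT-style rights a group member with rwx actually holds. It assumes plain owner/group/other mode bits with no extra ACL entries and treats uid 0 as the only privileged caller; the function names and ids are constructed for illustration.

```python
def posix_rights(mode, owner_uid, group_gid, uid, gids):
    """Rights a process with (uid, gids) has on a file, in the thread's NT terms.

    Simplified model (assumption): only owner/group/other mode bits, no extra
    ACL entries, and uid 0 stands in for CAP_FOWNER and CAP_CHOWN.
    """
    root = uid == 0
    if uid == owner_uid:
        bits = (mode >> 6) & 0o7      # owner class
    elif group_gid in gids:
        bits = (mode >> 3) & 0o7      # group class
    else:
        bits = mode & 0o7             # other class
    return {
        "read": root or bool(bits & 4),
        "write": root or bool(bits & 2),
        # root still needs at least one execute bit set somewhere
        "execute": bool(bits & 1) or (root and bool(mode & 0o111)),
        # chmod()/ACL updates: file owner or privileged caller only
        "change_permissions": root or uid == owner_uid,
        # chown() to a new owner: privileged caller only
        "take_ownership": root,
    }

def delegation_gap(mode, owner_uid, group_gid, uid, gids):
    """NT rights a user would expect from rwx ("full control") but lacks."""
    r = posix_rights(mode, owner_uid, group_gid, uid, gids)
    if not (r["read"] and r["write"] and r["execute"]):
        return []
    return [k for k in ("change_permissions", "take_ownership") if not r[k]]

# Constructed ids: 1000 owns the file, 1001 is a member of group 500 (rwx).
if __name__ == "__main__":
    print(delegation_gap(0o770, 1000, 500, uid=1001, gids={500}))
```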