samba - Oct 2002 - How do I permit NT Administrator to manage ACL's on s amba file server

It has been my experience that only the owner of the file and root change
change ACLS on that file.  Since you've stated that Administrator IS the
owner, maybe there's something else.  Are you getting any errors ?  Who is
the owner of the diretory that the folder resides in.  Is the Administrator
given write permissions at the share level?

My work-around for modifying ACL's was to create a hidden share that only
Domain Admins were allowed to access, then for that share I used force user
= root.  That enabled all of my domain admins to modify ACL's on all files
under that share.

I know I've asked more questions than given answers, but sometimes it helps.

Josh

-----Original Message-----
From: Bart [mailto:bartspam@aia-itp.com]
Sent: Wednesday, October 23, 2002 3:30 AM
To: samba@lists.samba.org
Subject: [Samba] How do I permit NT Administrator to manage ACL's on
samba file server


How to manage my Samba ACLs from NT ?
My administrator seemingly doesn't have the rights to change ACLs
(ownership).

And even though my administrator owns the fiels on the Samba machine it has
no rights to change ACLs or ownership.
The files are owned by "DOMAIN+Administrator" and group is
"DOMAIN+Domain
Admins".

I have added the user to smbpasswd I think (how can I check this ? And is
this needed ?).
Or di I have to give this user 'root' rights and how can I do that ?

Bart
----------------------------------------------------------------------
Aia Software B.V.                     Phone :  +31 24 371 02 30
PO Box 38025                          Fax   :  +31 24 371 02 31
6503 AA Nijmegen                      URL   :  http://www.aia-itp.com
The Netherlands
----------------------------------------------------------------------
This E-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this E-mail in error please notify
the postmaster (postmaster@aia-itp.com). The authenticity of this
message cannot, at this moment, be guaranteed by ourselves. For this
reason no legal rights may be granted should the contents differ to
the original sent message. The Aia log-file of sent messages is deemed
to be the sole, true transcript of communication unless the contrary,
other than the received message, can be proven.
----------------------------------------------------------------------

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

----- Original Message -----
From: "Konkol, Josh" <JKonkol@guidemail.com>
To: "'Bart'" <bartspam@aia-itp.com>;
<samba@lists.samba.org>
Sent: Wednesday, October 23, 2002 2:02 PM
Subject: RE: [Samba] How do I permit NT Administrator to manage ACL's on
samba file server

> It has been my experience that only the owner of the file and root change
> change ACLS on that file.  Since you've stated that Administrator IS
the
> owner, maybe there's something else.  Are you getting any errors ?  Who
is
> the owner of the diretory that the folder resides in.  Is the
Administrator
> given write permissions at the share level?
>
> My work-around for modifying ACL's was to create a hidden share that
only
> Domain Admins were allowed to access, then for that share I used force
user
> = root.  That enabled all of my domain admins to modify ACL's on all
files
> under that share.
>
> I know I've asked more questions than given answers, but sometimes it
helps.
>
><snip>
I have this same problem, I can change read/write permissions but I can't
change ownership or add a new group to the file/folder access list.

Even if I am the owner of the file I get the same message:

"Unable to save permission changes on xxx, access denied"

Is there any solution for this?

             Shaolin - IT Systems
                     WB Ltd.
.: http://www.security-forums.com

> It has been my experience that only the owner of the file and root change
> change ACLS on that file.  Since you've stated that Administrator IS
the
> owner, maybe there's something else.  Are you getting any errors ?  Who
is
> the owner of the diretory that the folder resides in.  Is the
Administrator
> given write permissions at the share level?
The file and directory are owned by DOMAIN+Administrator
I currently have the following in my share :
force user = root

Group is DOMAIN+ADMINS, user DOMAIN+Domain Admins
But, alas, this doesn't help either. Something I probably going totally
wrong down here. =/
I can create files, ownerships are set ok. But I want to use my user
"administrator" to modify ACLs.
So I can 'scopy' my files with apropriate ACLs on my Samba Ext3+ACL
share.

But alas, I can only set it from my root account. Sniff .....

So I thought, I'll try to add user DOMAIN+Administrator to the root users.
But, well that didn't work (didn't think it would, but well, wild
guesses
never hurt anyone .. except for my users .. hehe)

Help .... it even scared me, level 10 debug.

[2002/10/20 05:27:08, 0] nmbd/nmbd.c:terminate(59)
Got SIGTERM: going down...
standard input is not a socket, assuming -D option
[2002/10/22 08:46:09, 2] nmbd/nmbd.c:main(832)
Becoming a daemon.
[2002/10/22 08:46:09, 8] lib/util.c:fcntl_lock(1304)
fcntl_lock 4 13 0 1 0
[2002/10/22 08:46:10, 3] lib/util.c:fcntl_lock(1315)
fcntl_lock: fcntl lock gave errno 11 (Resource temporarily unavailable)
[2002/10/22 08:46:10, 3] lib/util.c:fcntl_lock(1336)
fcntl_lock: lock failed at offset 0 count 1 op 13 type 0 (Resource
temporarily unavailable)
[2002/10/22 08:46:10, 0] lib/pidfile.c:pidfile_create(85)
ERROR: nmbd is already running. File /usr/local/samba/var/locks/nmbd.pid
exists and process id 31816 is running.

Seems sometinhg is wrong with nmbd ..... hmm .....

Bart
>
> My work-around for modifying ACL's was to create a hidden share that
only
> Domain Admins were allowed to access, then for that share I used force
user
> = root.  That enabled all of my domain admins to modify ACL's on all
files
> under that share.
>
> I know I've asked more questions than given answers, but sometimes it
helps.
>
> Josh
>
> -----Original Message-----
> From: Bart [mailto:bartspam@aia-itp.com]
> Sent: Wednesday, October 23, 2002 3:30 AM
> To: samba@lists.samba.org
> Subject: [Samba] How do I permit NT Administrator to manage ACL's on
> samba file server
>
>
> How to manage my Samba ACLs from NT ?
> My administrator seemingly doesn't have the rights to change ACLs
> (ownership).
>
> And even though my administrator owns the fiels on the Samba machine it
has
> no rights to change ACLs or ownership.
> The files are owned by "DOMAIN+Administrator" and group is
"DOMAIN+Domain
> Admins".
>
> I have added the user to smbpasswd I think (how can I check this ? And is
> this needed ?).
> Or di I have to give this user 'root' rights and how can I do that
?
>
> Bart
> ----------------------------------------------------------------------
> Aia Software B.V.                     Phone :  +31 24 371 02 30
> PO Box 38025                          Fax   :  +31 24 371 02 31
> 6503 AA Nijmegen                      URL   :  http://www.aia-itp.com
> The Netherlands
> ----------------------------------------------------------------------
> This E-mail and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this E-mail in error please notify
> the postmaster (postmaster@aia-itp.com). The authenticity of this
> message cannot, at this moment, be guaranteed by ourselves. For this
> reason no legal rights may be granted should the contents differ to
> the original sent message. The Aia log-file of sent messages is deemed
> to be the sole, true transcript of communication unless the contrary,
> other than the received message, can be proven.
> ----------------------------------------------------------------------
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
>

When you're connected to the share does it show you connected as root?
Try running smbstatus to find out.  

Also, you say that new files are created with the correct permissions, if
you are using force user = root, then all new files should belong to root
NOT domain+administrator.

Do you have nt acl support = yes in your Global Section?

Just throwing out ideas to help

Josh

-----Original Message-----
From: Bart Fest [mailto:b.fest@aia-itp.com]
Sent: Wednesday, October 23, 2002 9:42 AM
To: Konkol, Josh; samba@lists.samba.org
Subject: Re: [Samba] How do I permit NT Administrator to manage ACL's on
samba file server

> It has been my experience that only the owner of the file and root change
> change ACLS on that file.  Since you've stated that Administrator IS
the
> owner, maybe there's something else.  Are you getting any errors ?  Who
is
> the owner of the diretory that the folder resides in.  Is the
Administrator
> given write permissions at the share level?
The file and directory are owned by DOMAIN+Administrator
I currently have the following in my share :
force user = root

Group is DOMAIN+ADMINS, user DOMAIN+Domain Admins
But, alas, this doesn't help either. Something I probably going totally
wrong down here. =/
I can create files, ownerships are set ok. But I want to use my user
"administrator" to modify ACLs.
So I can 'scopy' my files with apropriate ACLs on my Samba Ext3+ACL
share.

But alas, I can only set it from my root account. Sniff .....

So I thought, I'll try to add user DOMAIN+Administrator to the root users.
But, well that didn't work (didn't think it would, but well, wild
guesses
never hurt anyone .. except for my users .. hehe)

Help .... it even scared me, level 10 debug.

[2002/10/20 05:27:08, 0] nmbd/nmbd.c:terminate(59)
Got SIGTERM: going down...
standard input is not a socket, assuming -D option
[2002/10/22 08:46:09, 2] nmbd/nmbd.c:main(832)
Becoming a daemon.
[2002/10/22 08:46:09, 8] lib/util.c:fcntl_lock(1304)
fcntl_lock 4 13 0 1 0
[2002/10/22 08:46:10, 3] lib/util.c:fcntl_lock(1315)
fcntl_lock: fcntl lock gave errno 11 (Resource temporarily unavailable)
[2002/10/22 08:46:10, 3] lib/util.c:fcntl_lock(1336)
fcntl_lock: lock failed at offset 0 count 1 op 13 type 0 (Resource
temporarily unavailable)
[2002/10/22 08:46:10, 0] lib/pidfile.c:pidfile_create(85)
ERROR: nmbd is already running. File /usr/local/samba/var/locks/nmbd.pid
exists and process id 31816 is running.

Seems sometinhg is wrong with nmbd ..... hmm .....

Bart
>
> My work-around for modifying ACL's was to create a hidden share that
only
> Domain Admins were allowed to access, then for that share I used force
user
> = root.  That enabled all of my domain admins to modify ACL's on all
files
> under that share.
>
> I know I've asked more questions than given answers, but sometimes it
helps.
>
> Josh
>
> -----Original Message-----
> From: Bart [mailto:bartspam@aia-itp.com]
> Sent: Wednesday, October 23, 2002 3:30 AM
> To: samba@lists.samba.org
> Subject: [Samba] How do I permit NT Administrator to manage ACL's on
> samba file server
>
>
> How to manage my Samba ACLs from NT ?
> My administrator seemingly doesn't have the rights to change ACLs
> (ownership).
>
> And even though my administrator owns the fiels on the Samba machine it
has
> no rights to change ACLs or ownership.
> The files are owned by "DOMAIN+Administrator" and group is
"DOMAIN+Domain
> Admins".
>
> I have added the user to smbpasswd I think (how can I check this ? And is
> this needed ?).
> Or di I have to give this user 'root' rights and how can I do that
?
>
> Bart
> ----------------------------------------------------------------------
> Aia Software B.V.                     Phone :  +31 24 371 02 30
> PO Box 38025                          Fax   :  +31 24 371 02 31
> 6503 AA Nijmegen                      URL   :  http://www.aia-itp.com
> The Netherlands
> ----------------------------------------------------------------------
> This E-mail and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this E-mail in error please notify
> the postmaster (postmaster@aia-itp.com). The authenticity of this
> message cannot, at this moment, be guaranteed by ourselves. For this
> reason no legal rights may be granted should the contents differ to
> the original sent message. The Aia log-file of sent messages is deemed
> to be the sole, true transcript of communication unless the contrary,
> other than the received message, can be proven.
> ----------------------------------------------------------------------
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
>