Konkol, Josh
2002-Oct-23 13:04 UTC
[Samba] How do I permit NT Administrator to manage ACL's on s amba file server
It has been my experience that only the owner of the file and root change change ACLS on that file. Since you've stated that Administrator IS the owner, maybe there's something else. Are you getting any errors ? Who is the owner of the diretory that the folder resides in. Is the Administrator given write permissions at the share level? My work-around for modifying ACL's was to create a hidden share that only Domain Admins were allowed to access, then for that share I used force user = root. That enabled all of my domain admins to modify ACL's on all files under that share. I know I've asked more questions than given answers, but sometimes it helps. Josh -----Original Message----- From: Bart [mailto:bartspam@aia-itp.com] Sent: Wednesday, October 23, 2002 3:30 AM To: samba@lists.samba.org Subject: [Samba] How do I permit NT Administrator to manage ACL's on samba file server How to manage my Samba ACLs from NT ? My administrator seemingly doesn't have the rights to change ACLs (ownership). And even though my administrator owns the fiels on the Samba machine it has no rights to change ACLs or ownership. The files are owned by "DOMAIN+Administrator" and group is "DOMAIN+Domain Admins". I have added the user to smbpasswd I think (how can I check this ? And is this needed ?). Or di I have to give this user 'root' rights and how can I do that ? Bart ---------------------------------------------------------------------- Aia Software B.V. Phone : +31 24 371 02 30 PO Box 38025 Fax : +31 24 371 02 31 6503 AA Nijmegen URL : http://www.aia-itp.com The Netherlands ---------------------------------------------------------------------- This E-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this E-mail in error please notify the postmaster (postmaster@aia-itp.com). The authenticity of this message cannot, at this moment, be guaranteed by ourselves. For this reason no legal rights may be granted should the contents differ to the original sent message. The Aia log-file of sent messages is deemed to be the sole, true transcript of communication unless the contrary, other than the received message, can be proven. ---------------------------------------------------------------------- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Gareth Davies
2002-Oct-23 13:34 UTC
[Samba] How do I permit NT Administrator to manage ACL's on samba file server
----- Original Message ----- From: "Konkol, Josh" <JKonkol@guidemail.com> To: "'Bart'" <bartspam@aia-itp.com>; <samba@lists.samba.org> Sent: Wednesday, October 23, 2002 2:02 PM Subject: RE: [Samba] How do I permit NT Administrator to manage ACL's on samba file server> It has been my experience that only the owner of the file and root change > change ACLS on that file. Since you've stated that Administrator IS the > owner, maybe there's something else. Are you getting any errors ? Who is > the owner of the diretory that the folder resides in. Is theAdministrator> given write permissions at the share level? > > My work-around for modifying ACL's was to create a hidden share that only > Domain Admins were allowed to access, then for that share I used forceuser> = root. That enabled all of my domain admins to modify ACL's on all files > under that share. > > I know I've asked more questions than given answers, but sometimes ithelps.> ><snip>I have this same problem, I can change read/write permissions but I can't change ownership or add a new group to the file/folder access list. Even if I am the owner of the file I get the same message: "Unable to save permission changes on xxx, access denied" Is there any solution for this? Shaolin - IT Systems WB Ltd. .: http://www.security-forums.com
Bart Fest
2002-Oct-23 14:43 UTC
[Samba] How do I permit NT Administrator to manage ACL's on samba file server
> It has been my experience that only the owner of the file and root change > change ACLS on that file. Since you've stated that Administrator IS the > owner, maybe there's something else. Are you getting any errors ? Who is > the owner of the diretory that the folder resides in. Is theAdministrator> given write permissions at the share level?The file and directory are owned by DOMAIN+Administrator I currently have the following in my share : force user = root Group is DOMAIN+ADMINS, user DOMAIN+Domain Admins But, alas, this doesn't help either. Something I probably going totally wrong down here. =/ I can create files, ownerships are set ok. But I want to use my user "administrator" to modify ACLs. So I can 'scopy' my files with apropriate ACLs on my Samba Ext3+ACL share. But alas, I can only set it from my root account. Sniff ..... So I thought, I'll try to add user DOMAIN+Administrator to the root users. But, well that didn't work (didn't think it would, but well, wild guesses never hurt anyone .. except for my users .. hehe) Help .... it even scared me, level 10 debug. [2002/10/20 05:27:08, 0] nmbd/nmbd.c:terminate(59) Got SIGTERM: going down... standard input is not a socket, assuming -D option [2002/10/22 08:46:09, 2] nmbd/nmbd.c:main(832) Becoming a daemon. [2002/10/22 08:46:09, 8] lib/util.c:fcntl_lock(1304) fcntl_lock 4 13 0 1 0 [2002/10/22 08:46:10, 3] lib/util.c:fcntl_lock(1315) fcntl_lock: fcntl lock gave errno 11 (Resource temporarily unavailable) [2002/10/22 08:46:10, 3] lib/util.c:fcntl_lock(1336) fcntl_lock: lock failed at offset 0 count 1 op 13 type 0 (Resource temporarily unavailable) [2002/10/22 08:46:10, 0] lib/pidfile.c:pidfile_create(85) ERROR: nmbd is already running. File /usr/local/samba/var/locks/nmbd.pid exists and process id 31816 is running. Seems sometinhg is wrong with nmbd ..... hmm ..... Bart> > My work-around for modifying ACL's was to create a hidden share that only > Domain Admins were allowed to access, then for that share I used forceuser> = root. That enabled all of my domain admins to modify ACL's on all files > under that share. > > I know I've asked more questions than given answers, but sometimes ithelps.> > Josh > > -----Original Message----- > From: Bart [mailto:bartspam@aia-itp.com] > Sent: Wednesday, October 23, 2002 3:30 AM > To: samba@lists.samba.org > Subject: [Samba] How do I permit NT Administrator to manage ACL's on > samba file server > > > How to manage my Samba ACLs from NT ? > My administrator seemingly doesn't have the rights to change ACLs > (ownership). > > And even though my administrator owns the fiels on the Samba machine ithas> no rights to change ACLs or ownership. > The files are owned by "DOMAIN+Administrator" and group is "DOMAIN+Domain > Admins". > > I have added the user to smbpasswd I think (how can I check this ? And is > this needed ?). > Or di I have to give this user 'root' rights and how can I do that ? > > Bart > ---------------------------------------------------------------------- > Aia Software B.V. Phone : +31 24 371 02 30 > PO Box 38025 Fax : +31 24 371 02 31 > 6503 AA Nijmegen URL : http://www.aia-itp.com > The Netherlands > ---------------------------------------------------------------------- > This E-mail and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this E-mail in error please notify > the postmaster (postmaster@aia-itp.com). The authenticity of this > message cannot, at this moment, be guaranteed by ourselves. For this > reason no legal rights may be granted should the contents differ to > the original sent message. The Aia log-file of sent messages is deemed > to be the sole, true transcript of communication unless the contrary, > other than the received message, can be proven. > ---------------------------------------------------------------------- > > -- > To unsubscribe from this list go to the following URL and read the > instructions: http://lists.samba.org/mailman/listinfo/samba > -- > To unsubscribe from this list go to the following URL and read the > instructions: http://lists.samba.org/mailman/listinfo/samba >
Konkol, Josh
2002-Oct-23 14:51 UTC
[Samba] How do I permit NT Administrator to manage ACL's on s amba file server
When you're connected to the share does it show you connected as root? Try running smbstatus to find out. Also, you say that new files are created with the correct permissions, if you are using force user = root, then all new files should belong to root NOT domain+administrator. Do you have nt acl support = yes in your Global Section? Just throwing out ideas to help Josh -----Original Message----- From: Bart Fest [mailto:b.fest@aia-itp.com] Sent: Wednesday, October 23, 2002 9:42 AM To: Konkol, Josh; samba@lists.samba.org Subject: Re: [Samba] How do I permit NT Administrator to manage ACL's on samba file server> It has been my experience that only the owner of the file and root change > change ACLS on that file. Since you've stated that Administrator IS the > owner, maybe there's something else. Are you getting any errors ? Who is > the owner of the diretory that the folder resides in. Is theAdministrator> given write permissions at the share level?The file and directory are owned by DOMAIN+Administrator I currently have the following in my share : force user = root Group is DOMAIN+ADMINS, user DOMAIN+Domain Admins But, alas, this doesn't help either. Something I probably going totally wrong down here. =/ I can create files, ownerships are set ok. But I want to use my user "administrator" to modify ACLs. So I can 'scopy' my files with apropriate ACLs on my Samba Ext3+ACL share. But alas, I can only set it from my root account. Sniff ..... So I thought, I'll try to add user DOMAIN+Administrator to the root users. But, well that didn't work (didn't think it would, but well, wild guesses never hurt anyone .. except for my users .. hehe) Help .... it even scared me, level 10 debug. [2002/10/20 05:27:08, 0] nmbd/nmbd.c:terminate(59) Got SIGTERM: going down... standard input is not a socket, assuming -D option [2002/10/22 08:46:09, 2] nmbd/nmbd.c:main(832) Becoming a daemon. [2002/10/22 08:46:09, 8] lib/util.c:fcntl_lock(1304) fcntl_lock 4 13 0 1 0 [2002/10/22 08:46:10, 3] lib/util.c:fcntl_lock(1315) fcntl_lock: fcntl lock gave errno 11 (Resource temporarily unavailable) [2002/10/22 08:46:10, 3] lib/util.c:fcntl_lock(1336) fcntl_lock: lock failed at offset 0 count 1 op 13 type 0 (Resource temporarily unavailable) [2002/10/22 08:46:10, 0] lib/pidfile.c:pidfile_create(85) ERROR: nmbd is already running. File /usr/local/samba/var/locks/nmbd.pid exists and process id 31816 is running. Seems sometinhg is wrong with nmbd ..... hmm ..... Bart> > My work-around for modifying ACL's was to create a hidden share that only > Domain Admins were allowed to access, then for that share I used forceuser> = root. That enabled all of my domain admins to modify ACL's on all files > under that share. > > I know I've asked more questions than given answers, but sometimes ithelps.> > Josh > > -----Original Message----- > From: Bart [mailto:bartspam@aia-itp.com] > Sent: Wednesday, October 23, 2002 3:30 AM > To: samba@lists.samba.org > Subject: [Samba] How do I permit NT Administrator to manage ACL's on > samba file server > > > How to manage my Samba ACLs from NT ? > My administrator seemingly doesn't have the rights to change ACLs > (ownership). > > And even though my administrator owns the fiels on the Samba machine ithas> no rights to change ACLs or ownership. > The files are owned by "DOMAIN+Administrator" and group is "DOMAIN+Domain > Admins". > > I have added the user to smbpasswd I think (how can I check this ? And is > this needed ?). > Or di I have to give this user 'root' rights and how can I do that ? > > Bart > ---------------------------------------------------------------------- > Aia Software B.V. Phone : +31 24 371 02 30 > PO Box 38025 Fax : +31 24 371 02 31 > 6503 AA Nijmegen URL : http://www.aia-itp.com > The Netherlands > ---------------------------------------------------------------------- > This E-mail and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this E-mail in error please notify > the postmaster (postmaster@aia-itp.com). The authenticity of this > message cannot, at this moment, be guaranteed by ourselves. For this > reason no legal rights may be granted should the contents differ to > the original sent message. The Aia log-file of sent messages is deemed > to be the sole, true transcript of communication unless the contrary, > other than the received message, can be proven. > ---------------------------------------------------------------------- > > -- > To unsubscribe from this list go to the following URL and read the > instructions: http://lists.samba.org/mailman/listinfo/samba > -- > To unsubscribe from this list go to the following URL and read the > instructions: http://lists.samba.org/mailman/listinfo/samba >