Rick Segeberg
2003-Feb-20 00:29 UTC
[Samba] managing acl's via windows in samba 3.0 alpha 21
I've been trying to get the acl functionality (from windows) to work now for several days and have not found a solution. I've spent many hours Googling the web, and searching the samba list archives. If someone else has this working (in the 3.0 alpha code), I would appreciate seeing your config files, if you wouldn't mind.

Goal: to be able to add user/group permissions to files and/or directories using windows.

Environment:
Red Hat 8.0 (kernel version 2.4.19 w/ acl support built in)
File system: ext3 mounted default,acl from fstab
Samba 3.0 alpha 21 (compiled: --with-ads --with-acl-support --with-winbind --with-smbmount)
Windows 2000 ADS (native)

I've successfully joined the ads domain and can access files etc. with no problems from my windows workstation logged into the domain. I've got acl's working on the linux side (meaning I can successfully add multiple user and group permissions to a file or directory using setfacl). However, when I try to add a user to a file or directory from windows, I get the following error:

"Unable to save permission changes on file <name>. Access denied."

log.winbindd shows:

[2003/02/19 16:50:53, 1] nsswitch/winbindd_sid.c:winbindd_sid_to_uid(140)
  Could not get uid for sid ..........

Also, users that I've added from the linux side (using setfacl) do not show up on the list when I view the file's security properties. I'm at a loss and can't seem to find anything to point me in the right direction.
****** smb.conf ********
[global]
workgroup = MYDMN
netbios name = LINTEST
realm = MYDOMAIN.ORG
ads server = 10.1.30.39
server string = %L running Samba %v
security = ADS
password server = postoffice
passwd program = /usr/bin/passwd %u
encrypt passwords = yes
unix password sync = Yes
log file = /var/log/samba/log.%m
preferred master = No
local master = No
#added 1/31/03
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain master = No
dns proxy = no
ldap ssl = no

# Winbind stuff
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = No
template homedir = /home/%U
template shell = /bin/bash

#Extras
time server = yes

[homes]
guest ok = no
read only = no

[users]
path=/users
guest ok = no
read only = no
###ACL stuff
# admin users = rick
# security mask = 0777
nt acl support = yes
# inherit acls = yes
# force user = root
**************************************************

The items in the [users] section that are rem'd out are things I've tried, but didn't seem to make a difference.

BTW: I've tried making the file owned by root and by the user trying to make the change.

Thanks for any help you can offer.

Rick Segeberg
Provo Site Manager, IT Department
The Waterford Institute
rick.segeberg@waterford.org

*************************************
This email may contain privileged or confidential material intended for the named recipient only. If you are not the named recipient, delete this message and all attachments. Any review, copying, printing, disclosure or other use is prohibited. We reserve the right to monitor email sent through our network.
*************************************
On Wed, Feb 19, 2003 at 05:29:43PM -0700, Rick Segeberg said:
>
> I've successfully joined the ads domain and can access files etc. with
> no problems from my windows workstation logged into the domain. I've
> got acl's working on the linux side (meaning I can successfully add
> multiple user and group permissions to a file or directory using
> setfacl. However, when I try to add a user to a file or directory from
> windows, I get the following error:
>
> "Unable to save permission changes on file <name>. Access denied."

Does the account you are trying to change the ACLs from have sufficient permission to do so? Log in as root on the desktop and see what error you get, if any.

--
Adam Smith
Information Technology Officer
SAGE Automation Ltd.
adam.smith@sageautomation.com
http://www.sageautomation.com
Rick Segeberg
2003-Feb-20 16:56 UTC
[Samba] managing acl's via windows in samba 3.0 alpha 21
I tried your suggestion, but that didn't work either.

Yes, the account I've been using has sufficient rights to make the changes. Just to make sure, I performed the same operation on the ads server itself with no problems.

Also, I tried using the force user = root option which theoretically would allow me to do anything on the linux box - also didn't work.

Rick Segeberg
Provo Site Manager, IT Department
The Waterford Institute
rick.segeberg@waterford.org

-----Original Message-----
From: Adam Smith [mailto:adam.smith@sageautomation.com]
Sent: Thursday, February 20, 2003 5:02 AM
Cc: samba@lists.samba.org
Subject: Re: [Samba] managing acl's via windows in samba 3.0 alpha 21

On Wed, Feb 19, 2003 at 05:29:43PM -0700, Rick Segeberg said:
>
> I've successfully joined the ads domain and can access files etc. with
> no problems from my windows workstation logged into the domain. I've
> got acl's working on the linux side (meaning I can successfully add
> multiple user and group permissions to a file or directory using
> setfacl. However, when I try to add a user to a file or directory from
> windows, I get the following error:
>
> "Unable to save permission changes on file <name>. Access denied."

Does the account you are trying to change the ACLs from have sufficient permission to do so? Log in as root on the desktop and see what error you get, if any.

--
Adam Smith
Information Technology Officer
SAGE Automation Ltd.
adam.smith@sageautomation.com
http://www.sageautomation.com