samba - Feb 2004 - Problems with changing security setting on shared folders via Win2k

Hi List,

I'm using Samba 3.0.1 as PDC and Openldap 2.1.23 as backend on a Suse 8.2 
System, both are build from scratch.
Nearly everything is fine, expect I'm not able to change the security 
setting of subfolders on my shares via my Win2k box.

More details:
Changing the security setting of my top level shares (created in smb.conf) 
works fine with the SRVMGR, but everytime I try to change (e.g. add a 
Domain User to a share) the security setting of a subfolder, with my Win2K 
box I get an Error: "The security settings of folder <name> could not
be
saved. Access denied". Maybe it's not the exact error message because I
use
a german Windows 2k.
I tried it as Administrator and as normal Domain User. Creating and 
deleting a folder  works fine. Another strange thing is that I get no 
information about the actual settings. No checkbox (full control, change, 
execte and so on) is selected. If someone wants to take a look at it I can 
send a screenshot of the settings.

Has anyone a clue for me how to fix this?

---------------------
Some settings of my smb.conf
[global]
	workgroup = ZBH
	netbios name =VESUVIO
	server string = ZBH_Master
	map to guest = Bad User
	passdb backend = ldapsam:ldap://ldap:389 (changed the real FQDN)
	pam password change = Yes
	passwd program = /usr/bin/smbpasswd %u
	encrypt passwords = yes
	security = users
	lanman auth = Yes
	ntlm auth = Yes
	domain logons = Yes
	os level = 65
	preferred master = Yes
	domain master = Yes
	wins support = Yes
	veto files = /*.eml/*.nws/riched20.dll/msblast.exe/*.{*}/
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE 
IPTOS_LOWDELAY TCP_NODELAY
	[...]

[public]
       comment ="place for usefull things"
       path = /samba/public
       force group = users
       read only = no
       guest ok = yes
       browseable = yes

------------------

Best regards,

Erik Pagel

I'm assuming you're running w/o ACL support.  Samba tries as best as
possible to map UNIX owner/group/other permissions to Windows ACL's,
however, the only way to have multiple users assigned permissions to a
file or folder is to have ACL support on your filesystem.  I don't know
if SuSE 8.2 comes with ACL support by default in the kernel, but you
might try to see first if 'which getfacl' returns anything (meaning you
at least have the tools installed) and then mount -o remount,acl
<whateverfilesystem> and see whether you can use setfacl to set ACL
permissions on the filesystem.  If so, make sure you add acl to the list
of options for that filesystem in /etc/fstab.  If that's the case, grab
the samba3 source RPM and add --with-acl-support to the SPEC file and
rebuild the RPM with rpmbuild.  What you're wanting to do works great if
you've got ACL support on the filesystem.

Clint
 
--
Clint Sharp
Systems Administrator, AT&T Wireless International IT
Desk: 425-580-1900    Mobile: 206-369-7394

> -----Original Message-----
> From: samba-bounces+clint=typhoon.org@lists.samba.org 
> [mailto:samba-bounces+clint=typhoon.org@lists.samba.org] On 
> Behalf Of newssysman@zbh.uni-hamburg.de
> Sent: Tuesday, February 24, 2004 1:30 AM
> To: Samba
> Subject: [Samba] Problems with changing security setting on 
> shared foldersvia Win2k
> 
> 
> Hi List,
> 
> I'm using Samba 3.0.1 as PDC and Openldap 2.1.23 as backend 
> on a Suse 8.2 
> System, both are build from scratch.
> Nearly everything is fine, expect I'm not able to change the security 
> setting of subfolders on my shares via my Win2k box.
> 
> More details:
> Changing the security setting of my top level shares (created 
> in smb.conf) 
> works fine with the SRVMGR, but everytime I try to change (e.g. add a 
> Domain User to a share) the security setting of a subfolder, 
> with my Win2K 
> box I get an Error: "The security settings of folder <name> 
> could not be 
> saved. Access denied". Maybe it's not the exact error message 
> because I use 
> a german Windows 2k.
> I tried it as Administrator and as normal Domain User. Creating and 
> deleting a folder  works fine. Another strange thing is that I get no 
> information about the actual settings. No checkbox (full 
> control, change, 
> execte and so on) is selected. If someone wants to take a 
> look at it I can 
> send a screenshot of the settings.
> 
> Has anyone a clue for me how to fix this?
> 
> ---------------------
> Some settings of my smb.conf
> [global]
> 	workgroup = ZBH
> 	netbios name =VESUVIO
> 	server string = ZBH_Master
> 	map to guest = Bad User
> 	passdb backend = ldapsam:ldap://ldap:389 (changed the real FQDN)
> 	pam password change = Yes
> 	passwd program = /usr/bin/smbpasswd %u
> 	encrypt passwords = yes
> 	security = users
> 	lanman auth = Yes
> 	ntlm auth = Yes
> 	domain logons = Yes
> 	os level = 65
> 	preferred master = Yes
> 	domain master = Yes
> 	wins support = Yes
> 	veto files = /*.eml/*.nws/riched20.dll/msblast.exe/*.{*}/
> 	socket options = TCP_NODELAY SO_RCVBUF=8192 
> SO_SNDBUF=8192 SO_KEEPALIVE 
> IPTOS_LOWDELAY TCP_NODELAY
> 	[...]
> 
> [public]
>        comment ="place for usefull things"
>        path = /samba/public
>        force group = users
>        read only = no
>        guest ok = yes
>        browseable = yes
> 
> ------------------
> 
> Best regards,
> 
> Erik Pagel
> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
>