Hi list,

I have a strange problem with my Samba 3.04 server running on Red Hat 9 with a 2.4.24 kernel (with the ACL patch from acl.bestbits.at applied to it). ACLs are working fine on my system, and my server is working fine as a Samba PDC (or so it seems). I can view and modify any permissions on the existing files that are being shared. If setfacl has been used to grant additional users permissions, then those users are also displayed, and their permissions can also be set.

However, if I try to add any new users to the ACL, a dialog box pops up asking me to provide it with the username and password of a user with permission to modify my domain, and when I supply the username and password, the dialog responds that multiple connections to the shared resource are not allowed, and asks me to close all other connections before trying again. I've been baffled by the problem for quite a while and have been googling for an answer, but I haven't found a solution yet.

The strange thing is that when the user list is displayed in the ACL select dialog, I get several weird lines in my Samba machine log file. I'm including the log lines with this letter. I hope you can help me.

Thanks,
Prajjwal Devkota

------------------------------------------------------------------------------------------------
Strange log lines (%m.log):

A. Domain SID conflicts? Log lines:

    rpc_parse/parse_samr.c:init_sam_user_info21A(5988)
      init_sam_user_info_21A: User root has Primary Group SID S-1-5-32-544, which conflicts with the domain sid S-1-5-21-2006529868-80066561-100632871. Failing operation.

B. Strange gid problem. Log lines:

    rpc_server/srv_util.c:get_alias_user_groups(219)
      get_alias_user_groups: gid of user sam doesn't exist. Check your /etc/passwd and /etc/group files

But when I type the following command at the shell, I get normal output:

    id sam
    uid=501(sam) gid=100(users) groups=100(users)

C. Additional information:

    net groupmap list
    System Operators (S-1-5-32-549) -> daemon
    Replicators (S-1-5-32-552) -> kmem
    Guests (S-1-5-32-546) -> nobody
    Domain Guests (S-1-5-21-2006529868-80066561-100632871-514) -> nobody
    Domain Admins (S-1-5-21-2006529868-80066561-100632871-512) -> root
    Power Users (S-1-5-32-547) -> -1
    Print Operators (S-1-5-32-550) -> -1
    Administrators (S-1-5-32-544) -> wheel
    Account Operators (S-1-5-32-548) -> wheel
    Domain Users (S-1-5-21-2006529868-80066561-100632871-513) -> users
    Backup Operators (S-1-5-32-551) -> bin
    Users (S-1-5-32-545) -> users
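The two log lines above correspond to two per-user checks: that the user's primary GID resolves to an entry in /etc/group (the get_alias_user_groups message), and that the SID the primary group is mapped to belongs to the server's own domain rather than to BUILTIN (the init_sam_user_info_21A message, where root's primary group maps to S-1-5-32-544). The script below is an added example, not code from the original post or from the Samba project; it runs both checks over constructed /etc/passwd, /etc/group and "net groupmap list" excerpts. Only the domain SID is taken from the post; the user and group entries are made up, and root is deliberately given wheel (mapped to BUILTIN\Administrators) as primary group to reproduce the conflict.

```shell
#!/bin/sh
# Added example: classify each user's primary group the way the two Samba
# log messages in the post suggest. All data below is constructed for the
# example; only DOMAIN_SID is taken from the post.

DOMAIN_SID='S-1-5-21-2006529868-80066561-100632871'

# Constructed /etc/passwd, /etc/group and "net groupmap list" excerpts.
# root's primary gid 10 (wheel) is mapped to BUILTIN\Administrators, which
# reproduces the "conflicts with the domain sid" condition; jokic has a
# primary gid with no group entry at all.
PASSWD='root:x:0:10:root:/root:/bin/bash
sam:x:501:100:Sam:/home/sam:/bin/bash
jokic:x:502:600:Jokic:/home/jokic:/bin/bash'

GROUP='wheel:x:10:root
users:x:100:sam
informatique:x:500:drif,jokic'

GROUPMAP='Administrators (S-1-5-32-544) -> wheel
Domain Users (S-1-5-21-2006529868-80066561-100632871-513) -> users
Domain Admins (S-1-5-21-2006529868-80066561-100632871-512) -> root'

# Primary GID of a user, or nothing if the user is unknown.
primary_gid() {
    printf '%s\n' "$PASSWD" | awk -F: -v u="$1" '$1 == u { print $4 }'
}

# Group name for a GID, or nothing if /etc/group has no such entry
# (the get_alias_user_groups "gid ... doesn't exist" case).
group_name() {
    printf '%s\n' "$GROUP" | awk -F: -v g="$1" '$3 == g { print $1 }'
}

# SID mapped to a unix group in "net groupmap list" output; the SID is the
# parenthesised token two fields before the trailing group name.
group_sid() {
    printf '%s\n' "$GROUPMAP" | awk -v g="$1" '
        $NF == g { s = $(NF-2); gsub(/[()]/, "", s); print s }'
}

# Classify a user's primary group:
#   OK        mapped to a SID inside DOMAIN_SID
#   BUILTIN   mapped to S-1-5-32-*, the init_sam_user_info_21A failure
#   FOREIGN   mapped to a SID from some other domain
#   UNMAPPED  group exists but has no groupmap entry
#   NOGROUP   gid has no /etc/group entry
#   NOUSER    user not in /etc/passwd
check_primary_group() {
    gid=$(primary_gid "$1")
    [ -n "$gid" ] || { echo "NOUSER"; return 0; }
    name=$(group_name "$gid")
    [ -n "$name" ] || { echo "NOGROUP gid=$gid"; return 0; }
    sid=$(group_sid "$name")
    case $sid in
        "$DOMAIN_SID"-*) echo "OK $name $sid" ;;
        S-1-5-32-*)      echo "BUILTIN $name $sid" ;;
        '')              echo "UNMAPPED $name" ;;
        *)               echo "FOREIGN $name $sid" ;;
    esac
}

for u in root sam jokic; do
    printf '%-6s %s\n' "$u" "$(check_primary_group "$u")"
done
```

On a real server, replace the three embedded strings with `getent passwd`, `getent group` and `net groupmap list` output. A BUILTIN result for a user is exactly what the first log line complains about: the fix is a primary group that is mapped to a domain SID (for example Domain Admins or Domain Users), not to an S-1-5-32 alias.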
Prajjwal wrote:
| I can view and modify any permissions on the existing
| files that are being shared. If setfacl has been used
| to grant additional users permissions, then those users
| are also displayed, and their permissions can also be set.
|
| However, if I try to add any new users to the acl, a
| dialog box pops up, asking me to provide it with the
| username and password of a user with permissions to modify on
| my domain, and when I supply the username and password, the
| dialog responds that multiple connections to the shared
| resource are not allowed, and it asks me to close all
| other connections before trying again.

This is a 2k -> NT interoperability bug. We spent a good bit of time on this before 3.0.0 was released. Don't remember the bug number right now. You can recreate the exact same behavior between 2k and an NT4 standalone file server. There was no workaround except to use Samba as a PDC instead of a standalone server. Or possibly to connect to the share using the IP of the Samba server instead (this causing the user enumeration to the netbios name).

Hope this helps.

cheers, jerry
----------------------------------------------------------------------
Hewlett-Packard            ------------------------- http://www.hp.com
SAMBA Team                 ---------------------- http://www.samba.org
GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
"...a hundred billion castaways looking for a home."  ----------- Sting
Hi,

I have done a migration from Samba 2 to 3.0.4, and I have a very big problem with ACLs.

I have a file owned by user "drif" and group "informatique" with ACL attributes and unix attributes rwxrwx---:

    -rwxrwx---+ 1 drif informatique 68096 2004-07-13 11:01 fiche de migration.xls

When another user who is in the "informatique" group modifies this file, the new file is owned by this user, but the unix attributes for the user are set to read-only:

    -r--rwx---+ 1 jokic informatique 68096 2004-07-13 11:01 fiche de migration.xls

This problem appears only with files that have ACL attributes. In my smb.conf I have set "create mask = 0770" and "force create mode = 0770" for the shares, and with Samba 2 it was working!!

Please help me with this very big problem; after modification users can only read their files!!

Thanks a lot for your help.

Regards,
--
Christophe Suire <christophe.suire@adelux.fr>
Hi again,

I have just seen that the problem is not linked to the modification of the file. In fact this problem appears when Windows changes the ACL attributes, and I have found another strange thing:

User "jokic" creates a new text file. On the server I have:

    -rwxrwx---+ 1 root informatique 62 2004-07-13 14:13 Nouveau Texte seulement.txt

This file has no ACL, but the first strange thing is that it is owned by root!!!

Then user "jokic" modifies the attributes of the file and adds a new user "delestre" to read it. Now I have:

    -r--rwx---+ 1 root informatique 62 2004-07-13 14:13 Nouveau Texte seulement.txt

    # file: Nouveau\040Texte\040seulement.txt
    # owner: root
    # group: informatique
    user::r--
    user:delestre:r-x
    group::---
    mask::rwx
    other::---

So the modification of the ACL attributes adds the new user with the correct rights, but removes the write attribute from the primary user, and removes write and read from the primary group of the file!!!

Please help me!

> Hi,
>
> I have done a migration from Samba 2 to 3.0.4, and I have a very big
> problem with ACLs.
>
> I have a file owned by user "drif" and group "informatique" with ACL
> attributes and unix attributes rwxrwx---:
> -rwxrwx---+ 1 drif informatique 68096 2004-07-13 11:01 fiche de migration.xls
>
> When another user who is in the "informatique" group modifies this file,
> the new file is owned by this user, but the unix attributes for the user are
> set to read-only:
> -r--rwx---+ 1 jokic informatique 68096 2004-07-13 11:01 fiche de migration.xls
>
> This problem appears only with files that have ACL attributes.
> In my smb.conf I have set "create mask = 0770" and "force create mode = 0770"
> for the shares, and with Samba 2 it was working!!
>
> Please help me with this very big problem; after modification users
> can only read their files!!
> Thanks a lot for your help.
>
> Regards,
>
> --
> Christophe Suire <christophe.suire@adelux.fr>
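The getfacl listing in the message above is the symptom in a nutshell: the owner entry (user::) is down to r--, the owning group (group::) is ---, while the named entry for delestre is r-x under a mask of rwx, so the added user ends up with more access than the owner. The script below is an added example, not code from the poster or from the Samba project; it parses getfacl output and reports each file's owner permissions and the owning group's effective permissions (group:: and named entries are limited by mask::, user:: and other:: are not, per acl(5)), warning where the owner has lost write or the owning group has lost all access. The sample listing is constructed: its first entry is the one from the post, the other two files are made up to show a healthy ACL and one where the mask narrows the group.

```shell
#!/bin/sh
# Added example: audit getfacl(1) output for files whose owner or owning
# group has lost access. SAMPLE is constructed; its first entry reproduces
# the listing from the post, the other two files are made up.

SAMPLE='# file: Nouveau\040Texte\040seulement.txt
# owner: root
# group: informatique
user::r--
user:delestre:r-x
group::---
mask::rwx
other::---

# file: ok.txt
# owner: drif
# group: informatique
user::rwx
user:delestre:r-x
group::rwx
mask::rwx
other::---

# file: report.xls
# owner: drif
# group: informatique
user::rwx
user:jokic:rwx
group::rwx
mask::r-x
other::---'

# Read getfacl text on stdin and print one line per file:
#   <file> owner=<rwx> group=<effective rwx> [WARN:...]
# Per acl(5) the mask limits group:: and all named entries but never
# user:: (the owner) or other::, so only the group entry is masked here.
audit_acl() {
    awk '
    # Effective permission: keep a bit only if both entry and mask have it.
    function eff(p, m,  r, i, c) {
        r = ""
        for (i = 1; i <= 3; i++) {
            c = substr(p, i, 1)
            r = r ((c != "-" && substr(m, i, 1) == c) ? c : "-")
        }
        return r
    }
    # Emit the report line for the file collected so far and reset state.
    function flush(  g, line) {
        if (file == "") return
        g = (mask == "") ? group : eff(group, mask)
        line = file " owner=" owner " group=" g
        if (owner !~ /w/) line = line " WARN:owner-not-writable"
        if (g == "---")   line = line " WARN:group-no-access"
        print line
        file = owner = group = mask = ""
    }
    /^# file: / { flush(); file = substr($0, 9) }
    /^user::/   { owner = substr($0, 7) }
    /^group::/  { group = substr($0, 8) }
    /^mask::/   { mask  = substr($0, 7) }
    END { flush() }'
}

# Run the audit over the constructed sample.
run_sample() {
    printf '%s\n' "$SAMPLE" | audit_acl
}

run_sample
```

On a real share, run `getfacl -R /path/to/share | audit_acl`; getfacl prints file names with octal escapes (the `\040` above), which the report keeps as-is. For files the audit flags, `setfacl -m u::rwx,g::rwx file` restores the owner and owning-group entries without touching the named entries.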
You should set profile acls = no in smb.conf.

Here is a typical share:

    [FOO]
            profile acls = no
            path = /opt/foo
            write list = @aaaa, @bbb, @Administrators
            create mask = 660
            directory mask = 770
            comment = Foo share
            valid users = @aaa, @bbb, @Administrators
            inherit acls = yes
            map acl inherit = yes

You have to launch winbind if the PDC is another Samba or Windows server, and do the right configuration in /etc/nsswitch.conf.

    smb.conf
            winbind trusted domains only = yes
            idmap uid = 10000-20000
            idmap gid = 10000-20000
            winbind enum users = yes
            winbind enum groups = yes

On Tue, 2004-07-13 at 14:22, Christophe SUIRE wrote:
> Hi again,
>
> I have just seen that the problem is not linked to the modification of
> the file. In fact this problem appears when Windows changes the ACL
> attributes, and I have found another strange thing:
>
> User "jokic" creates a new text file. On the server I have:
> -rwxrwx---+ 1 root informatique 62 2004-07-13 14:13 Nouveau Texte seulement.txt
> This file has no ACL, but the first strange thing is that it is owned by root!!!
>
> Then user "jokic" modifies the attributes of the file and adds
> a new user "delestre" to read it. Now I have:
> -r--rwx---+ 1 root informatique 62 2004-07-13 14:13 Nouveau Texte seulement.txt
>
> # file: Nouveau\040Texte\040seulement.txt
> # owner: root
> # group: informatique
> user::r--
> user:delestre:r-x
> group::---
> mask::rwx
> other::---
>
> So the modification of the ACL attributes adds the new user with the
> correct rights, but removes the write attribute from the primary user, and
> removes write and read from the primary group of the file!!!
>
> Please help me!

_______________________
Umberto Zanatta
linuxDidattica
tel: +39 (335) 54 71 385
email: umberto.z@tin.it
web: http://linuxdidattica.org
_______________________
The file server is the same as the PDC: linux / samba 3.0.4. So why do I need to use winbind?

I need to use roaming profiles, so do I need to have profile acls = yes? no?

Thanks a lot.
--
Christophe Suire <christophe.suire@adelux.fr>

On 13 Jul 2004, at 14:39, Umberto Zanatta wrote:
> You should set profile acls = no in smb.conf.
>
> Here is a typical share:
>
> [FOO]
>         profile acls = no
>         path = /opt/foo
>         write list = @aaaa, @bbb, @Administrators
>         create mask = 660
>         directory mask = 770
>         comment = Foo share
>         valid users = @aaa, @bbb, @Administrators
>         inherit acls = yes
>         map acl inherit = yes
>
> You have to launch winbind if the PDC is another Samba or Windows
> server, and do the right configuration in /etc/nsswitch.conf.
>
> smb.conf
>         winbind trusted domains only = yes
>         idmap uid = 10000-20000
>         idmap gid = 10000-20000
>         winbind enum users = yes
>         winbind enum groups = yes
OK, it works!! Thanks a lot!

Permissions are set correctly, but I still have a strange thing: when users who are "Domain Admins", like root, create a new file, it's owned by root.
--
Christophe Suire <christophe.suire@adelux.fr>

On 13 Jul 2004, at 14:56, Umberto Zanatta wrote:
> On Tue, 2004-07-13 at 14:46, Christophe SUIRE wrote:
> > The file server is the same as the PDC: linux / samba 3.0.4
> > So why do I need to use winbind?
>
> You don't.
>
> > I need to use roaming profiles, so do I need to have profile acls = yes? no?
>
> Actually, you're working in domain mode; I had the same problem, and now
> the permissions are working.
>
> > Thanks a lot.