Hi all, got a bit of an odd problem with ACL. I've read up on a few bits in the samba howto and read some threads on here about it.

I'm not sure if this is a bug, something I've not done, doing wrong etc so anyone that could shed some light on it that would be great.

Basically the windows box handles all user account processing and during creating a script for all this it will attempt to change the permissions on the HOME directory to the user in question

(i.e C:\>cacls Z:\Students\2005\sb05 /G sb05:F /T /E)

But I always get Access is denied. Even though it's currently owned by administrator.

Trying the "manual" way, and the ways listed in the official samba howto guide produces similar results.

The only way I can change the owner is to go into linux and use the chown command.

After that it's set to the correct user and all is well... Except by doing it by hand kinda rains on my lovely automatic user creation script!

Samba.log file shows me no errors, as do any of the others. Is there a switch/option I need to enable?

Below is smb.conf

I'm running RHES3, Samba 3.0.14a and Windows 2k3 AD in mixed Mode.

Many thanks

Ross

    [global]
    netbios name = DEV1
    socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind gid = 10000-20000
    workgroup = DEV-DOMAIN
    log file = /var/log/samba/samba.log
    os level = 20
    ldap idmap suffix = ou=auth1,dc=dev-domain,dc=stvincent,dc=ac,dc=uk
    winbind enum groups = yes
    # socket address = 1.2.3.4 <- Change this to match the IP address or remove it to listen to all addresses.
    password server = auth1.DEV-DOMAIN.STVINCENT.AC.UK
    preferred master = no
    winbind separator = +
    winbind use default domain = yes
    max log size = 500 <- In K
    encrypt passwords = yes
    dns proxy = no
    realm = DEV-DOMAIN.STVINCENT.AC.UK
    security = ADS
    wins server = 172.16.2.254
    wins proxy = no
    # nt acl support = No

    # Shares section
    [adminshare]
    comment = testshare
    browseable = no
    writeable = yes
    guest ok = no
    # valid users = Administrator
    create mode = 0750
    path = /home

    [homes]
    comment = Personal Storage Area
    browseable = no
    guest ok = no
    writable = yes
    create mode = 0750
    path = /home/DEV-DOMAIN/%U
    vfs object = recycle:repository=.recycle
    recycle:versions=True
    recycle:touch=True
    recycle:keeptree=True
    recycle:exclude=*.tmp|*.temp|*.o|*.obj|~$*|t*.1|t*.2|t*.3|t*.4|t*.5|t*.6|t$
    recycle:exclude_dir=/tmp|/temp
    recycle:noversions=*.doc|*.xls|*.ppt
Fri, 27.05.2005 at 15.20, Ross McInnes wrote:

> Hi all, got a bit of an odd problem with ACL. I've read up on a few bits in
> the samba howto and read some threads on here about it.
>
> I'm not sure if this is a bug, something I've not done, doing wrong etc so
> anyone that could shed some light on it that would be great.
>
> Basically the windows box handles all user account processing and during
> creating a script for all this it will attempt to change the permissions on
> the HOME directory to the user in question
>
> (i.e C:\>cacls Z:\Students\2005\sb05 /G sb05:F /T /E)
>
> But I always get Access is denied. Even though it's currently owned by
> administrator.
>
> Trying the "manual" way, and the ways listed in the official samba howto
> guide produces similar results.

Sounds as though you don't have POSIX ACLs enabled on the Samba share mount.

> The only way I can change the owner is to go into linux and use the chown
> command.
>
> After that it's set to the correct user and all is well... Except by doing it
> by hand kinda rains on my lovely automatic user creation script!
>
> Samba.log file shows me no errors, as do any of the others. Is there a
> switch/option I need to enable?
>
> Below is smb.conf
>
> I'm running RHES3, Samba 3.0.14a and Windows 2k3 AD in mixed Mode.

[...]

The OS has ACL support as standard, but it's not enabled by default. What does /etc/fstab look like for the share mount?

--Tonni

--
mail: tonye@billy.demon.nl
http://www.billy.demon.nl

I'm from Bergen too, I am, but, Trondheim mayor Marvin Wiseth: "The people of Bergen are good at making a lot out of a little" (he was speaking about this year's 17 May celebrations, but it probably applies to this mail of mine as well).
Heh ok I'm now very very confused. I'll restate my problem, and then can someone tell me if it's an ACL issue or not :)

Basically I have a w2k3 domain, and samba 3.0.14a Member service. Samba is basically a FileStore. It's all configured fine (i.e I can log onto the w2k3 domain, and map my home drive to samba nps)

User accounts have to be managed/created on windows (since doing it on the *nix machine just doesn't work, can't set homedir, if it's enabled etc)

Problem is that the script that does the user account creation needs to change the permissions on the home directory it just created. That's when I get a permission denied error. That's using cacls.exe or using the GUI.

Even though administrator is the owner, he cannot change the grp or add another user etc.

getfacl/setfacl

    -rw-r--r--    1 root     root            0 May 27 13:23 crap
    [root@dev1 2005]# getfacl crap
    # file: crap
    # owner: root
    # group: root
    user::rw-
    group::r--
    other::r--

    [root@dev1 2005]# setfacl -m crap -R group:students:rwx
    setfacl: Option -m: Invalid argument near character 1

If I chown Administrator:"Domain Users" crap I can see the file, but as stated before, cannot change the permissions.

Is this an ACL/FileSystem issue? Or something else?

Many thanks

Ross

-----Original Message-----
From: samba-bounces+sysrm=stvincent.ac.uk@lists.samba.org [mailto:samba-bounces+sysrm=stvincent.ac.uk@lists.samba.org] On Behalf Of Tony Earnshaw
Sent: 27 May 2005 21:37
To: samba@lists.samba.org
Subject: Re: [Samba] Samba and Windows ACL Issue

Fri, 27.05.2005 at 17.46, John H Terpstra wrote:

> The fstab below shows that your file systems are NOT mounted with ACL support.
> To gain ACL support you need:
> 1. The ACL and EA functionality in the Linux kernel
> 2. To mount the file systems with ACL and XATTR support
> 3. Samba compiled and linked with the ACL and XATTR libraries
>
> An example fstab entry to mount a file system with ACL and XATTR
> support is given here:
>
> LABEL=/export/1 /export/1 ext3 defaults,acl,user_xattr 1 2

Yea! Furthermore, Ross will have to reboot the server after using vi, since an unmount/mount will not be possible.

--Tonni

--
mail: tonye@billy.demon.nl
http://www.billy.demon.nl
Hi,

No reboot required. Just a mount -o remount /export/1

Best regards,
Bruno Guerreiro

-----Original Message-----
From: Ross McInnes [mailto:sysrm@stvincent.ac.uk]
Sent: Tuesday, 31 May 2005 11:47
To: samba@lists.samba.org
Subject: RE: [Samba] Samba and Windows ACL Issue

[...]
Hi all again.

Thanks for the replies etc but the issue isn't actually an ACL one. (of sorts)

I can change permissions on the users/group already assigned to the directory/file, i.e if it's already owned by Administrator and Domain Admins, but I cannot replace them. i.e as Administrator I cannot remove the user administrator and put in ross instead, which is what I need to do. Or even add ross to it.

I've tried doing the

    net -S Server -UAdministrator rpc rights grant 'DEV-DOMAIN\Administrator' SeTakeOwnershipPrivilege

to no avail.

Is this a support function? As John had pointed out on a *nix system root can do anything. To prove this, on my current production system I logged on to a share as root, I could change permissions etc nps. This system however uses standard passwd/smbpasswd and not the AD I'm trying to implement.

Any more thoughts or suggestions gratefully received, else it may be that I have to look at a pure windows environment :/

Cheers

Ross
Thu, 02.06.2005 at 11.08, Ross McInnes wrote:

> I think acl's are working. But it doesn't work from windows. I also get an
> error message with setfacl.
>
> Is there an easy way to tell if ACL is enabled in the kernel? I know I've put
> in the right syntax in /etc/fstab

You're running RHEL3. RHAS3 has native POSIX ACL support, so RHEL3 should have, too.

> And samba is compiled with acl support.

Do 'ldd /path/to/smbd-binary'. You should see both:

    libattr.so.1 => /lib/libattr.so.1 (0x00387000)

and

    libacl.so.1 => /lib/libacl.so.1 (0x00716000)

or suchlike.

What does 'mount' show you for the partition for which you think you have ACL support? E.g., on my test rig:

    /dev/hda10 on /m type ext3 (rw,acl,user_xattr)

--Tonni

--
mail: tonye@billy.demon.nl
http://www.billy.demon.nl
Thu, 02.06.2005 at 12.34, Ross McInnes wrote:

> [root@dev1 FixUserPerms]# ldd /usr/local/samba/sbin/smbd | grep attr
>         libattr.so.1 => /lib/libattr.so.1 (0xb74ec000)
> [root@dev1 FixUserPerms]# ldd /usr/local/samba/sbin/smbd | grep acl
>         libacl.so.1 => /lib/libacl.so.1 (0xb74e6000)
>
>
> /dev/sdb1 on /export/1 type ext3 (rw,acl,user_xattr)
> /dev/sdc1 on /export/2 type ext3 (rw,acl,user_xattr)
>
>
> Is what I get :/ Still cannot add another user to a file/directory

    cd /lib/modules/2.4.21-20.EL/kernel/fs/ext3
    grep -i acl ext3.o
    Binary file ext3.o matches

or

    strings ext3.o | less

search for acl:

    system.posix_acl_access
    system.posix_acl_default
    ext3_xattr_set_acl

Please do at least CC the samba list. I'd far rather answer there, and others can help you - not just me.

--Tonni

--
mail: tonye@billy.demon.nl
http://www.billy.demon.nl
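
An added example, not part of the original thread: a small shell check for two of the prerequisites listed in the replies (the filesystem is mounted with acl,user_xattr; smbd links libacl and libattr). It goes one step further than the replies by first resolving which mount point actually holds the share path. The function names, the `/` mount line and the share paths are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Both functions read command output on stdin.

# share_fs_has_acl PATH   (stdin: output of `mount`)
# Prints the mount point holding PATH (longest prefix match) and succeeds
# only if that filesystem is mounted with both acl and user_xattr.
share_fs_has_acl() {
    awk -v p="$1" '
        $2 == "on" {
            mp = $3
            pre = (mp == "/") ? "/" : mp "/"
            if (index(p "/", pre) == 1 && length(mp) > length(best)) {
                best = mp; opts = $NF
            }
        }
        END {
            gsub(/[()]/, "", opts)
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) seen[o[i]] = 1
            print best
            exit !(("acl" in seen) && ("user_xattr" in seen))
        }'
}

# smbd_links_acl   (stdin: output of `ldd /path/to/smbd-binary`)
# Succeeds only if smbd is linked against both libacl and libattr.
smbd_links_acl() {
    awk '$1 ~ /^libacl\.so/  { acl = 1 }
         $1 ~ /^libattr\.so/ { attr = 1 }
         END { exit !(acl && attr) }'
}

# Sample data: the /export and ldd lines are the ones posted in the thread;
# the "/" line and the share paths below are constructed.
MOUNT_SAMPLE='/dev/sda1 on / type ext3 (rw)
/dev/sdb1 on /export/1 type ext3 (rw,acl,user_xattr)
/dev/sdc1 on /export/2 type ext3 (rw,acl,user_xattr)'
LDD_SAMPLE='libattr.so.1 => /lib/libattr.so.1 (0xb74ec000)
libacl.so.1 => /lib/libacl.so.1 (0xb74e6000)'

for path in /export/1/Students/2005 /home/DEV-DOMAIN/sb05; do
    if mp=$(printf '%s\n' "$MOUNT_SAMPLE" | share_fs_has_acl "$path"); then
        echo "ok:   $path is on $mp (acl,user_xattr)"
    else
        echo "FAIL: $path is on $mp, mounted without acl,user_xattr"
    fi
done
printf '%s\n' "$LDD_SAMPLE" | smbd_links_acl && echo "ok:   smbd links libacl and libattr"
```

On a live server, feed the functions real output: `mount | share_fs_has_acl /path/to/share` and `ldd /path/to/smbd-binary | smbd_links_acl`.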