samba - Jun 2005 - permissions change from windows doesn't work

Hi, 

After three days of googling, searching in this list, reading parts of the 
pdf, and testing, I  surrender: please help ! 

Summary: 
I'm running 3.0.10a (binary from www.sunfreeware.com) on Solaris 
2.6 in standalone  mode (security=user). I use ACLs on files. I cannot, 
from windows (w2k, wxp pro), add  a user to the permissions of a file. 


Details: 
- The binary was compiled --with-acl-support as "smbd -b|grep ACL" 
and the  sunfreeware site confirm. 

- Solaris UFS supports ACLs. 

- I don't use winbindd 

- This is my smb.conf: 
[global] 
    workgroup = UNIX 
    server string = Samba Server 3.0 
    interfaces = x.x.x.x 
    map to guest = Bad User 
    username map = /usr/local/samba/private/users.map 
    log level = 4 
    log file = /usr/local/samba/var/log.%m 
    max log size = 500 
    deadtime = 30 
    keepalive = 0 
    dns proxy = No 
    ldap ssl = no 
    idmap uid = 10000-20000 
    idmap gid = 10000-20000 

- The users.map did not exist at the beginning, but, as the PDF 
examples have one, I  created it with: 
    root = Administrator 

- My users do exist on Solaris and are the same as the Windows users. 

- The users were added on Samba with smbpasswd -a. 

- My groups are mapped: 
    # net groupmap list | sort 
    Account Operators (S-1-5-32-548) -> -1 
    Administrators (S-1-5-32-544) -> -1 
    Backup Operators (S-1-5-32-551) -> -1 
    Domain Admins (S-1-5-21-3464024308-2102256894-3995807409-512) -> root 
    Domain Guests (S-1-5-21-3464024308-2102256894-3995807409-514) -> nobody 
    Domain Users (S-1-5-21-3464024308-2102256894-3995807409-513) -> staff 
    Engineer (S-1-5-21-3464024308-2102256894-3995807409-1305) -> engineer 
    Guests (S-1-5-32-546) -> -1 
    Inter (S-1-5-21-3464024308-2102256894-3995807409-1323) -> inter 
    Power Users (S-1-5-32-547) -> -1 
    Print Operators (S-1-5-32-550) -> -1 
    Replicators (S-1-5-32-552) -> -1 
    System Operators (S-1-5-32-549) -> -1 
    Users (S-1-5-32-545) -> -1 

- A share is defined: 
[home1] 
        path = /export/home1 
        read only = No 
        guest ok = Yes 

- A file is created on the share: 
    # touch /export/home1/test 
    # chown vincent:engineer /export/home1/test 
    # ls -l /export/home1/test 
    -rw-rw-r--   1 vincent   engineer       0 Jun 28 15:50 /export/home1/test 

- From Windows 2K, when I right-click properties, Security, I can see 
the current  permissions: 
    Engineer (SERVER_NAME\Engineer) 
    Everyone 
    Vincent Xxxxx (SERVER_NAME\Vincent) 

- Clicking on Advanced shows the permissions (respectively Special, 
Read, Special).  Click Cancel to come back to the Security tab. 

- But when I click on Add, I receive a window saying "You are logged 
with an account  that does not have access to: SERVER_NAME. Enter 
the name and password of an  account with permissions for this 
domain and click ok." 

- The equivalent test on WinNT4 (Properties, Security, Permissions, 
Add, Show users  works, Click on a user, Add, Read, Ok) works very 
well: an acl is created on the file. 


What's going on ??? I raised the debug level to 3, 4, even 10 but I
can't
catch anything  useful (to me). 

TIA for any help, 
Pierre 


I hope this is not too long but a level 4 log gives (at the moment I click 
on the Add  button): 
[2005/06/28 16:16:02, 3] smbd/process.c:process_smb(1091) 
  Transaction 2072 of length 88 
[2005/06/28 16:16:02, 3] smbd/process.c:switch_message(886) 
  switch message SMBtconX (pid 2572) conn 0x0 
[2005/06/28 16:16:02, 3] smbd/sec_ctx.c:set_sec_ctx(288) 
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 
[2005/06/28 16:16:02, 4] smbd/reply.c:reply_tcon_and_X(408) 
  Client requested device type [?????] for share [IPC$] 
[2005/06/28 16:16:02, 3] smbd/service.c:make_connection_snum(472) 
  Connect path is '/tmp' for service [IPC$] 
[2005/06/28 16:16:02, 4] rpc_server/srv_srvsvc_nt.c:get_share_security(217) 
  get_share_security: using default secdesc for IPC$ 
[2005/06/28 16:16:02, 3] lib/util_seaccess.c:se_access_check(251) 
[2005/06/28 16:16:02, 3] lib/util_seaccess.c:se_access_check(252) 
  se_access_check: user sid is S-1-5-21-3464024308-2102256894-3995807409-1310 
  se_access_check: also S-1-5-21-3464024308-2102256894-3995807409-1305 
  se_access_check: also S-1-1-0 
  se_access_check: also S-1-5-2 
  se_access_check: also S-1-5-11 
[2005/06/28 16:16:02, 3] smbd/vfs.c:vfs_init_default(203) 
  Initialising default vfs hooks 
[2005/06/28 16:16:02, 4] rpc_server/srv_srvsvc_nt.c:get_share_security(217) 
  get_share_security: using default secdesc for IPC$ 
[2005/06/28 16:16:02, 3] lib/util_seaccess.c:se_access_check(251) 
[2005/06/28 16:16:02, 3] lib/util_seaccess.c:se_access_check(252) 
  se_access_check: user sid is S-1-5-21-3464024308-2102256894-3995807409-1310 
  se_access_check: also S-1-5-21-3464024308-2102256894-3995807409-1305 
  se_access_check: also S-1-1-0 
  se_access_check: also S-1-5-2 
  se_access_check: also S-1-5-11 
[2005/06/28 16:16:02, 3] smbd/sec_ctx.c:set_sec_ctx(288) 
  setting sec ctx (155, 152) - sec_ctx_stack_ndx = 0 
[2005/06/28 16:16:02, 3] smbd/service.c:make_connection_snum(648) 
  temp (xxx.xxx.xxx.xxx) connect to service IPC$ initially as user vincent
(uid=155,
gid=152) (pid 2572) 
[2005/06/28 16:16:02, 3] smbd/sec_ctx.c:set_sec_ctx(288) 
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 
[2005/06/28 16:16:02, 3] smbd/reply.c:reply_tcon_and_X(456) 
  tconX service=IPC$  
[2005/06/28 16:16:02, 3] smbd/process.c:process_smb(1091) 
  Transaction 2073 of length 104 
[2005/06/28 16:16:02, 3] smbd/process.c:switch_message(886) 
  switch message SMBntcreateX (pid 2572) conn 0x2ecf70 
[2005/06/28 16:16:02, 3] smbd/sec_ctx.c:set_sec_ctx(288) 
  setting sec ctx (155, 152) - sec_ctx_stack_ndx = 0 
[2005/06/28 16:16:02, 4] smbd/vfs.c:vfs_ChDir(654) 
  vfs_ChDir to /tmp 
[2005/06/28 16:16:02, 4] smbd/nttrans.c:nt_open_pipe(497) 
  nt_open_pipe: Opening pipe \lsarpc. 
[2005/06/28 16:16:02, 3] smbd/nttrans.c:nt_open_pipe(514) 
  nt_open_pipe: Known pipe lsarpc opening. 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe_hnd.c:open_rpc_pipe_p(178) 
  Open pipe requested lsarpc (pipes_open=0) 
[2005/06/28 16:16:02, 4] 
rpc_server/srv_pipe_hnd.c:make_internal_rpc_pipe_p(278) 
  Create pipe requested lsarpc 
[2005/06/28 16:16:02, 4] 
rpc_server/srv_pipe_hnd.c:make_internal_rpc_pipe_p(370) 
  Created internal pipe lsarpc (pipes_open=0) 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe_hnd.c:open_rpc_pipe_p(257) 
  Opened pipe lsarpc with handle 7151 (pipes_open=1) 
[2005/06/28 16:16:02, 3] smbd/process.c:process_smb(1091) 
  Transaction 2074 of length 160 
[2005/06/28 16:16:02, 3] smbd/process.c:switch_message(886) 
  switch message SMBtrans (pid 2572) conn 0x2ecf70 
[2005/06/28 16:16:02, 4] smbd/uid.c:change_to_user(194) 
  change_to_user: Skipping user change - already user 
[2005/06/28 16:16:02, 3] smbd/ipc.c:reply_trans(538) 
  trans <\PIPE\> data=72 params=0 setup=2 
[2005/06/28 16:16:02, 3] smbd/ipc.c:named_pipe(334) 
  named pipe command on <> name 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1168) 
  search for pipe pnum=7151 
[2005/06/28 16:16:02, 3] smbd/ipc.c:api_fd_reply(296) 
  Got API command 0x26 on pipe "lsarpc" (pnum 7151) 
[2005/06/28 16:16:02, 3] rpc_server/srv_pipe.c:api_pipe_bind_req(887) 
  api_pipe_bind_req: \PIPE\lsarpc -> \PIPE\lsass 
[2005/06/28 16:16:02, 3] rpc_server/srv_pipe.c:check_bind_req(762) 
  check_bind_req for \PIPE\lsarpc 
[2005/06/28 16:16:02, 3] smbd/process.c:process_smb(1091) 
  Transaction 2075 of length 114 
[2005/06/28 16:16:02, 3] smbd/process.c:switch_message(886) 
  switch message SMBtrans (pid 2572) conn 0x2ecf70 
[2005/06/28 16:16:02, 4] smbd/uid.c:change_to_user(194) 
  change_to_user: Skipping user change - already user 
[2005/06/28 16:16:02, 3] smbd/ipc.c:reply_trans(538) 
  trans <\PIPE\> data=26 params=0 setup=2 
[2005/06/28 16:16:02, 3] smbd/ipc.c:named_pipe(334) 
  named pipe command on <> name 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1168) 
  search for pipe pnum=7151 
[2005/06/28 16:16:02, 3] smbd/ipc.c:api_fd_reply(296) 
  Got API command 0x26 on pipe "lsarpc" (pnum 7151) 
[2005/06/28 16:16:02, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(542) 
  free_pipe_context: destroying talloc pool of size 0 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe.c:api_rpcTNP(1531) 
  api_rpcTNP: lsarpc op 0x0 - unknown 
[2005/06/28 16:16:02, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(542) 
  free_pipe_context: destroying talloc pool of size 0 
[2005/06/28 16:16:02, 3] smbd/process.c:process_smb(1091) 
  Transaction 2076 of length 45 
[2005/06/28 16:16:02, 3] smbd/process.c:switch_message(886) 
  switch message SMBclose (pid 2572) conn 0x2ecf70 
[2005/06/28 16:16:02, 4] smbd/uid.c:change_to_user(194) 
  change_to_user: Skipping user change - already user 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1168) 
  search for pipe pnum=7151 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe_hnd.c:close_rpc_pipe_hnd(1081) 
  closed pipe name lsarpc pnum=7151 (pipes_open=0) 
[2005/06/28 16:16:02, 3] smbd/process.c:process_smb(1091) 
  Transaction 2077 of length 104 
[2005/06/28 16:16:02, 3] smbd/process.c:switch_message(886) 
  switch message SMBntcreateX (pid 2572) conn 0x2ecf70 
[2005/06/28 16:16:02, 4] smbd/uid.c:change_to_user(194) 
  change_to_user: Skipping user change - already user 
[2005/06/28 16:16:02, 4] smbd/nttrans.c:nt_open_pipe(497) 
  nt_open_pipe: Opening pipe \winreg. 
[2005/06/28 16:16:02, 3] smbd/nttrans.c:nt_open_pipe(514) 
  nt_open_pipe: Known pipe winreg opening. 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe_hnd.c:open_rpc_pipe_p(178) 
  Open pipe requested winreg (pipes_open=0) 
[2005/06/28 16:16:02, 4] 
rpc_server/srv_pipe_hnd.c:make_internal_rpc_pipe_p(278) 
  Create pipe requested winreg 
[2005/06/28 16:16:02, 4] 
rpc_server/srv_pipe_hnd.c:make_internal_rpc_pipe_p(370) 
  Created internal pipe winreg (pipes_open=0) 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe_hnd.c:open_rpc_pipe_p(257) 
  Opened pipe winreg with handle 7152 (pipes_open=1) 
[2005/06/28 16:16:02, 3] smbd/process.c:process_smb(1091) 
  Transaction 2078 of length 160 
[2005/06/28 16:16:02, 3] smbd/process.c:switch_message(886) 
  switch message SMBtrans (pid 2572) conn 0x2ecf70 
[2005/06/28 16:16:02, 4] smbd/uid.c:change_to_user(194) 
  change_to_user: Skipping user change - already user 
[2005/06/28 16:16:02, 3] smbd/ipc.c:reply_trans(538) 
  trans <\PIPE\> data=72 params=0 setup=2 
[2005/06/28 16:16:02, 3] smbd/ipc.c:named_pipe(334) 
  named pipe command on <> name 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1168) 
  search for pipe pnum=7152 
[2005/06/28 16:16:02, 3] smbd/ipc.c:api_fd_reply(296) 
  Got API command 0x26 on pipe "winreg" (pnum 7152) 
[2005/06/28 16:16:02, 3] rpc_server/srv_pipe.c:api_pipe_bind_req(887) 
  api_pipe_bind_req: \PIPE\winreg -> \PIPE\winreg 
[2005/06/28 16:16:02, 3] rpc_server/srv_pipe.c:check_bind_req(762) 
  check_bind_req for \PIPE\winreg 
[2005/06/28 16:16:02, 3] smbd/process.c:process_smb(1091) 
  Transaction 2079 of length 124 
[2005/06/28 16:16:02, 3] smbd/process.c:switch_message(886) 
  switch message SMBtrans (pid 2572) conn 0x2ecf70 
[2005/06/28 16:16:02, 4] smbd/uid.c:change_to_user(194) 
  change_to_user: Skipping user change - already user 
[2005/06/28 16:16:02, 3] smbd/ipc.c:reply_trans(538) 
  trans <\PIPE\> data=36 params=0 setup=2 
[2005/06/28 16:16:02, 3] smbd/ipc.c:named_pipe(334) 
  named pipe command on <> name 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1168) 
  search for pipe pnum=7152 
[2005/06/28 16:16:02, 3] smbd/ipc.c:api_fd_reply(296) 
  Got API command 0x26 on pipe "winreg" (pnum 7152) 
[2005/06/28 16:16:02, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(542) 
  free_pipe_context: destroying talloc pool of size 0 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe.c:api_rpcTNP(1531) 
  api_rpcTNP: winreg op 0x2 - api_rpcTNP: rpc command: REG_OPEN_HKLM 
[2005/06/28 16:16:02, 4] rpc_server/srv_lsa_hnd.c:create_policy_hnd(142) 
  Opened policy hnd[1] [000] 00 00 00 00 61 00 00 00  00 00 00 00 A2 5B C1 42  
....a... .....[.B 
  [010] 0C 0A 00 00                                       ....  
[2005/06/28 16:16:02, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(542) 
  free_pipe_context: destroying talloc pool of size 0 
[2005/06/28 16:16:02, 3] smbd/process.c:process_smb(1091) 
  Transaction 2080 of length 256 
[2005/06/28 16:16:02, 3] smbd/process.c:switch_message(886) 
  switch message SMBtrans (pid 2572) conn 0x2ecf70 
[2005/06/28 16:16:02, 4] smbd/uid.c:change_to_user(194) 
  change_to_user: Skipping user change - already user 
[2005/06/28 16:16:02, 3] smbd/ipc.c:reply_trans(538) 
  trans <\PIPE\> data=168 params=0 setup=2 
[2005/06/28 16:16:02, 3] smbd/ipc.c:named_pipe(334) 
  named pipe command on <> name 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1168) 
  search for pipe pnum=7152 
[2005/06/28 16:16:02, 3] smbd/ipc.c:api_fd_reply(296) 
  Got API command 0x26 on pipe "winreg" (pnum 7152) 
[2005/06/28 16:16:02, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(542) 
  free_pipe_context: destroying talloc pool of size 0 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe.c:api_rpcTNP(1531) 
  api_rpcTNP: winreg op 0xf - api_rpcTNP: rpc command: REG_OPEN_ENTRY 
[2005/06/28 16:16:02, 4] 
rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162) 
  Found policy hnd[0] [000] 00 00 00 00 61 00 00 00  00 00 00 00 A2 5B C1 42  
....a... .....[.B 
  [010] 0C 0A 00 00                                       ....  
[2005/06/28 16:16:02, 4] rpc_server/srv_lsa_hnd.c:create_policy_hnd(142) 
  Opened policy hnd[2] [000] 00 00 00 00 62 00 00 00  00 00 00 00 A2 5B C1 42  
....b... .....[.B 
  [010] 0C 0A 00 00                                       ....  
[2005/06/28 16:16:02, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(542) 
  free_pipe_context: destroying talloc pool of size 96 
[2005/06/28 16:16:02, 3] smbd/process.c:process_smb(1091) 
  Transaction 2081 of length 204 
[2005/06/28 16:16:02, 3] smbd/process.c:switch_message(886) 
  switch message SMBtrans (pid 2572) conn 0x2ecf70 
[2005/06/28 16:16:02, 4] smbd/uid.c:change_to_user(194) 
  change_to_user: Skipping user change - already user 
[2005/06/28 16:16:02, 3] smbd/ipc.c:reply_trans(538) 
  trans <\PIPE\> data=116 params=0 setup=2 
[2005/06/28 16:16:02, 3] smbd/ipc.c:named_pipe(334) 
  named pipe command on <> name 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1168) 
  search for pipe pnum=7152 
[2005/06/28 16:16:02, 3] smbd/ipc.c:api_fd_reply(296) 
  Got API command 0x26 on pipe "winreg" (pnum 7152) 
[2005/06/28 16:16:02, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(542) 
  free_pipe_context: destroying talloc pool of size 0 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe.c:api_rpcTNP(1531) 
  api_rpcTNP: winreg op 0x11 - api_rpcTNP: rpc command: REG_INFO 
[2005/06/28 16:16:02, 4] 
rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162) 
  Found policy hnd[0] [000] 00 00 00 00 62 00 00 00  00 00 00 00 A2 5B C1 42  
....b... .....[.B 
  [010] 0C 0A 00 00                                       ....  
[2005/06/28 16:16:02, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(542) 
  free_pipe_context: destroying talloc pool of size 536 
[2005/06/28 16:16:02, 3] smbd/process.c:process_smb(1091) 
  Transaction 2082 of length 216 
[2005/06/28 16:16:02, 3] smbd/process.c:switch_message(886) 
  switch message SMBtrans (pid 2572) conn 0x2ecf70 
[2005/06/28 16:16:02, 4] smbd/uid.c:change_to_user(194) 
  change_to_user: Skipping user change - already user 
[2005/06/28 16:16:02, 3] smbd/ipc.c:reply_trans(538) 
  trans <\PIPE\> data=128 params=0 setup=2 
[2005/06/28 16:16:02, 3] smbd/ipc.c:named_pipe(334) 
  named pipe command on <> name 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1168) 
  search for pipe pnum=7152 
[2005/06/28 16:16:02, 3] smbd/ipc.c:api_fd_reply(296) 
  Got API command 0x26 on pipe "winreg" (pnum 7152) 
[2005/06/28 16:16:02, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(542) 
  free_pipe_context: destroying talloc pool of size 0 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe.c:api_rpcTNP(1531) 
  api_rpcTNP: winreg op 0x11 - api_rpcTNP: rpc command: REG_INFO 
[2005/06/28 16:16:02, 4] 
rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162) 
  Found policy hnd[0] [000] 00 00 00 00 62 00 00 00  00 00 00 00 A2 5B C1 42  
....b... .....[.B 
  [010] 0C 0A 00 00                                       ....  
[2005/06/28 16:16:02, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(542) 
  free_pipe_context: destroying talloc pool of size 536 
[2005/06/28 16:16:02, 3] smbd/process.c:process_smb(1091) 
  Transaction 2083 of length 132 
[2005/06/28 16:16:02, 3] smbd/process.c:switch_message(886) 
  switch message SMBtrans (pid 2572) conn 0x2ecf70 
[2005/06/28 16:16:02, 4] smbd/uid.c:change_to_user(194) 
  change_to_user: Skipping user change - already user 
[2005/06/28 16:16:02, 3] smbd/ipc.c:reply_trans(538) 
  trans <\PIPE\> data=44 params=0 setup=2 
[2005/06/28 16:16:02, 3] smbd/ipc.c:named_pipe(334) 
  named pipe command on <> name 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1168) 
  search for pipe pnum=7152 
[2005/06/28 16:16:02, 3] smbd/ipc.c:api_fd_reply(296) 
  Got API command 0x26 on pipe "winreg" (pnum 7152) 
[2005/06/28 16:16:02, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(542) 
  free_pipe_context: destroying talloc pool of size 0 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe.c:api_rpcTNP(1531) 
  api_rpcTNP: winreg op 0x5 - api_rpcTNP: rpc command: REG_CLOSE 
[2005/06/28 16:16:02, 4] 
rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162) 
  Found policy hnd[0] [000] 00 00 00 00 62 00 00 00  00 00 00 00 A2 5B C1 42  
....b... .....[.B 
  [010] 0C 0A 00 00                                       ....  
[2005/06/28 16:16:02, 4] 
rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162) 
  Found policy hnd[0] [000] 00 00 00 00 62 00 00 00  00 00 00 00 A2 5B C1 42  
....b... .....[.B 
  [010] 0C 0A 00 00                                       ....  
[2005/06/28 16:16:02, 3] rpc_server/srv_lsa_hnd.c:close_policy_hnd(200) 
  Closed policy 
[2005/06/28 16:16:02, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(542) 
  free_pipe_context: destroying talloc pool of size 0 
[2005/06/28 16:16:02, 3] smbd/process.c:process_smb(1091) 
  Transaction 2084 of length 132 
[2005/06/28 16:16:02, 3] smbd/process.c:switch_message(886) 
  switch message SMBtrans (pid 2572) conn 0x2ecf70 
[2005/06/28 16:16:02, 4] smbd/uid.c:change_to_user(194) 
  change_to_user: Skipping user change - already user 
[2005/06/28 16:16:02, 3] smbd/ipc.c:reply_trans(538) 
  trans <\PIPE\> data=44 params=0 setup=2 
[2005/06/28 16:16:02, 3] smbd/ipc.c:named_pipe(334) 
  named pipe command on <> name 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1168) 
  search for pipe pnum=7152 
[2005/06/28 16:16:02, 3] smbd/ipc.c:api_fd_reply(296) 
  Got API command 0x26 on pipe "winreg" (pnum 7152) 
[2005/06/28 16:16:02, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(542) 
  free_pipe_context: destroying talloc pool of size 0 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe.c:api_rpcTNP(1531) 
  api_rpcTNP: winreg op 0x5 - api_rpcTNP: rpc command: REG_CLOSE 
[2005/06/28 16:16:02, 4] 
rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162) 
  Found policy hnd[0] [000] 00 00 00 00 61 00 00 00  00 00 00 00 A2 5B C1 42  
....a... .....[.B 
  [010] 0C 0A 00 00                                       ....  
[2005/06/28 16:16:02, 4] 
rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162) 
  Found policy hnd[0] [000] 00 00 00 00 61 00 00 00  00 00 00 00 A2 5B C1 42  
....a... .....[.B 
  [010] 0C 0A 00 00                                       ....  
[2005/06/28 16:16:02, 3] rpc_server/srv_lsa_hnd.c:close_policy_hnd(200) 
  Closed policy 
[2005/06/28 16:16:02, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(542) 
  free_pipe_context: destroying talloc pool of size 0 
[2005/06/28 16:16:02, 3] smbd/process.c:process_smb(1091) 
  Transaction 2085 of length 45 
[2005/06/28 16:16:02, 3] smbd/process.c:switch_message(886) 
  switch message SMBclose (pid 2572) conn 0x2ecf70 
[2005/06/28 16:16:02, 4] smbd/uid.c:change_to_user(194) 
  change_to_user: Skipping user change - already user 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1168) 
  search for pipe pnum=7152 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe_hnd.c:close_rpc_pipe_hnd(1081) 
  closed pipe name winreg pnum=7152 (pipes_open=0) 
[2005/06/28 16:16:02, 3] smbd/process.c:process_smb(1091) 
  Transaction 2086 of length 104 
[2005/06/28 16:16:02, 3] smbd/process.c:switch_message(886) 
  switch message SMBntcreateX (pid 2572) conn 0x2ecf70 
[2005/06/28 16:16:02, 4] smbd/uid.c:change_to_user(194) 
  change_to_user: Skipping user change - already user 
[2005/06/28 16:16:02, 4] smbd/nttrans.c:nt_open_pipe(497) 
  nt_open_pipe: Opening pipe \lsarpc. 
[2005/06/28 16:16:02, 3] smbd/nttrans.c:nt_open_pipe(514) 
  nt_open_pipe: Known pipe lsarpc opening. 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe_hnd.c:open_rpc_pipe_p(178) 
  Open pipe requested lsarpc (pipes_open=0) 
[2005/06/28 16:16:02, 4] 
rpc_server/srv_pipe_hnd.c:make_internal_rpc_pipe_p(278) 
  Create pipe requested lsarpc 
[2005/06/28 16:16:02, 4] 
rpc_server/srv_pipe_hnd.c:make_internal_rpc_pipe_p(370) 
  Created internal pipe lsarpc (pipes_open=0) 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe_hnd.c:open_rpc_pipe_p(257) 
  Opened pipe lsarpc with handle 7153 (pipes_open=1) 
[2005/06/28 16:16:02, 3] smbd/process.c:process_smb(1091) 
  Transaction 2087 of length 160 
[2005/06/28 16:16:02, 3] smbd/process.c:switch_message(886) 
  switch message SMBtrans (pid 2572) conn 0x2ecf70 
[2005/06/28 16:16:02, 4] smbd/uid.c:change_to_user(194) 
  change_to_user: Skipping user change - already user 
[2005/06/28 16:16:02, 3] smbd/ipc.c:reply_trans(538) 
  trans <\PIPE\> data=72 params=0 setup=2 
[2005/06/28 16:16:02, 3] smbd/ipc.c:named_pipe(334) 
  named pipe command on <> name 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1168) 
  search for pipe pnum=7153 
[2005/06/28 16:16:02, 3] smbd/ipc.c:api_fd_reply(296) 
  Got API command 0x26 on pipe "lsarpc" (pnum 7153) 
[2005/06/28 16:16:02, 3] rpc_server/srv_pipe.c:api_pipe_bind_req(887) 
  api_pipe_bind_req: \PIPE\lsarpc -> \PIPE\lsass 
[2005/06/28 16:16:02, 3] rpc_server/srv_pipe.c:check_bind_req(762) 
  check_bind_req for \PIPE\lsarpc 
[2005/06/28 16:16:02, 3] smbd/process.c:process_smb(1091) 
  Transaction 2088 of length 176 
[2005/06/28 16:16:02, 3] smbd/process.c:switch_message(886) 
  switch message SMBtrans (pid 2572) conn 0x2ecf70 
[2005/06/28 16:16:02, 4] smbd/uid.c:change_to_user(194) 
  change_to_user: Skipping user change - already user 
[2005/06/28 16:16:02, 3] smbd/ipc.c:reply_trans(538) 
  trans <\PIPE\> data=88 params=0 setup=2 
[2005/06/28 16:16:02, 3] smbd/ipc.c:named_pipe(334) 
  named pipe command on <> name 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1168) 
  search for pipe pnum=7153 
[2005/06/28 16:16:02, 3] smbd/ipc.c:api_fd_reply(296) 
  Got API command 0x26 on pipe "lsarpc" (pnum 7153) 
[2005/06/28 16:16:02, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(542) 
  free_pipe_context: destroying talloc pool of size 0 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe.c:api_rpcTNP(1531) 
  api_rpcTNP: lsarpc op 0x2c - api_rpcTNP: rpc command: LSA_OPENPOLICY2 
[2005/06/28 16:16:02, 3] lib/util_seaccess.c:se_access_check(251) 
[2005/06/28 16:16:02, 3] lib/util_seaccess.c:se_access_check(252) 
  se_access_check: user sid is S-1-5-21-3464024308-2102256894-3995807409-1310 
  se_access_check: also S-1-5-21-3464024308-2102256894-3995807409-1305 
  se_access_check: also S-1-1-0 
  se_access_check: also S-1-5-2 
  se_access_check: also S-1-5-11 
[2005/06/28 16:16:02, 4] rpc_server/srv_lsa_hnd.c:create_policy_hnd(142) 
  Opened policy hnd[1] [000] 00 00 00 00 63 00 00 00  00 00 00 00 A2 5B C1 42  
....c... .....[.B 
  [010] 0C 0A 00 00                                       ....  
[2005/06/28 16:16:02, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(542) 
  free_pipe_context: destroying talloc pool of size 820 
[2005/06/28 16:16:02, 3] smbd/process.c:process_smb(1091) 
  Transaction 2089 of length 134 
[2005/06/28 16:16:02, 3] smbd/process.c:switch_message(886) 
  switch message SMBtrans (pid 2572) conn 0x2ecf70 
[2005/06/28 16:16:02, 4] smbd/uid.c:change_to_user(194) 
  change_to_user: Skipping user change - already user 
[2005/06/28 16:16:02, 3] smbd/ipc.c:reply_trans(538) 
  trans <\PIPE\> data=46 params=0 setup=2 
[2005/06/28 16:16:02, 3] smbd/ipc.c:named_pipe(334) 
  named pipe command on <> name 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1168) 
  search for pipe pnum=7153 
[2005/06/28 16:16:02, 3] smbd/ipc.c:api_fd_reply(296) 
  Got API command 0x26 on pipe "lsarpc" (pnum 7153) 
[2005/06/28 16:16:02, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(542) 
  free_pipe_context: destroying talloc pool of size 0 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe.c:api_rpcTNP(1531) 
  api_rpcTNP: lsarpc op 0x7 - api_rpcTNP: rpc command: 
LSA_QUERYINFOPOLICY 
[2005/06/28 16:16:02, 4] 
rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162) 
  Found policy hnd[0] [000] 00 00 00 00 63 00 00 00  00 00 00 00 A2 5B C1 42  
....c... .....[.B 
  [010] 0C 0A 00 00                                       ....  
[2005/06/28 16:16:02, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(542) 
  free_pipe_context: destroying talloc pool of size 512 
[2005/06/28 16:16:02, 3] smbd/process.c:process_smb(1091) 
  Transaction 2090 of length 132 
[2005/06/28 16:16:02, 3] smbd/process.c:switch_message(886) 
  switch message SMBtrans (pid 2572) conn 0x2ecf70 
[2005/06/28 16:16:02, 4] smbd/uid.c:change_to_user(194) 
  change_to_user: Skipping user change - already user 
[2005/06/28 16:16:02, 3] smbd/ipc.c:reply_trans(538) 
  trans <\PIPE\> data=44 params=0 setup=2 
[2005/06/28 16:16:02, 3] smbd/ipc.c:named_pipe(334) 
  named pipe command on <> name 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1168) 
  search for pipe pnum=7153 
[2005/06/28 16:16:02, 3] smbd/ipc.c:api_fd_reply(296) 
  Got API command 0x26 on pipe "lsarpc" (pnum 7153) 
[2005/06/28 16:16:02, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(542) 
  free_pipe_context: destroying talloc pool of size 0 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe.c:api_rpcTNP(1531) 
  api_rpcTNP: lsarpc op 0x0 - api_rpcTNP: rpc command: LSA_CLOSE 
[2005/06/28 16:16:02, 4] 
rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162) 
  Found policy hnd[0] [000] 00 00 00 00 63 00 00 00  00 00 00 00 A2 5B C1 42  
....c... .....[.B 
  [010] 0C 0A 00 00                                       ....  
[2005/06/28 16:16:02, 4] 
rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162) 
  Found policy hnd[0] [000] 00 00 00 00 63 00 00 00  00 00 00 00 A2 5B C1 42  
....c... .....[.B 
  [010] 0C 0A 00 00                                       ....  
[2005/06/28 16:16:02, 3] rpc_server/srv_lsa_hnd.c:close_policy_hnd(200) 
  Closed policy 
[2005/06/28 16:16:02, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(542) 
  free_pipe_context: destroying talloc pool of size 0 
[2005/06/28 16:16:02, 3] smbd/process.c:process_smb(1091) 
  Transaction 2091 of length 45 
[2005/06/28 16:16:02, 3] smbd/process.c:switch_message(886) 
  switch message SMBclose (pid 2572) conn 0x2ecf70 
[2005/06/28 16:16:02, 4] smbd/uid.c:change_to_user(194) 
  change_to_user: Skipping user change - already user 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1168) 
  search for pipe pnum=7153 
[2005/06/28 16:16:02, 4] rpc_server/srv_pipe_hnd.c:close_rpc_pipe_hnd(1081) 
  closed pipe name lsarpc pnum=7153 (pipes_open=0)

Hi again,

FYI here are some links talking about the same problem (but no answer):
<http://lists.samba.org/archive/samba/2003-October/075334.html>
<http://lists.samba.org/archive/samba/2003-November/002488.html>
<http://www.mcse.ms/message436146.html>

Note that on WinNT4 I can partially add permissions to a file: I see the users 
when I click on "Show users" and I can use them but I cannot see the
groups
that are available on the Samba server.

Note also that I see exactly the same when I try to connect a W2K to another 
W2K (both standalone computers): although I'm connected to the share with 
a username of the server, from the client I cannot change the permissions on 
any file of the server !!!

So I have a basic question now: Is it simply possible, from a W2K/XP, to 
change the permissions of a file on a share of a standalone server, i.e. 
without both computers being member of a domain ? I can see a possible 
commercial reason (from who you know) for this not being allowed, but is 
there also a technical reason ? Note that some of the above links show the 
same behavior within a domain... so I'm lost.

Thanks for any help,
Pierre

On 28 Jun 2005 at 17:35, Pierre Dehaen wrote:
> Hi, 
> 
> After three days of googling, searching in this list, reading parts of the 
> pdf, and testing, I  surrender: please help ! 
> 
> Summary: 
> I'm running 3.0.10a (binary from www.sunfreeware.com) on Solaris 
> 2.6 in standalone  mode (security=user). I use ACLs on files. I cannot, 
> from windows (w2k, wxp pro), add  a user to the permissions of a file. 
> 
> 
> Details: 
> - The binary was compiled --with-acl-support as "smbd -b|grep
ACL"
> and the  sunfreeware site confirm. 
> 
> - Solaris UFS supports ACLs. 
> 
> - I don't use winbindd 
> 
> - This is my smb.conf: 
> [global] 
>     workgroup = UNIX 
>     server string = Samba Server 3.0 
>     interfaces = x.x.x.x 
>     map to guest = Bad User 
>     username map = /usr/local/samba/private/users.map 
>     log level = 4 
>     log file = /usr/local/samba/var/log.%m 
>     max log size = 500 
>     deadtime = 30 
>     keepalive = 0 
>     dns proxy = No 
>     ldap ssl = no 
>     idmap uid = 10000-20000 
>     idmap gid = 10000-20000 
> 
> - The users.map did not exist at the beginning, but, as the PDF 
> examples have one, I  created it with: 
>     root = Administrator 
> 
> - My users do exist on Solaris and are the same as the Windows users. 
> 
> - The users were added on Samba with smbpasswd -a. 
> 
> - My groups are mapped: 
>     # net groupmap list | sort 
>     Account Operators (S-1-5-32-548) -> -1 
>     Administrators (S-1-5-32-544) -> -1 
>     Backup Operators (S-1-5-32-551) -> -1 
>     Domain Admins (S-1-5-21-3464024308-2102256894-3995807409-512) ->
root
>     Domain Guests (S-1-5-21-3464024308-2102256894-3995807409-514) ->
nobody
>     Domain Users (S-1-5-21-3464024308-2102256894-3995807409-513) ->
staff
>     Engineer (S-1-5-21-3464024308-2102256894-3995807409-1305) ->
engineer
>     Guests (S-1-5-32-546) -> -1 
>     Inter (S-1-5-21-3464024308-2102256894-3995807409-1323) -> inter 
>     Power Users (S-1-5-32-547) -> -1 
>     Print Operators (S-1-5-32-550) -> -1 
>     Replicators (S-1-5-32-552) -> -1 
>     System Operators (S-1-5-32-549) -> -1 
>     Users (S-1-5-32-545) -> -1 
> 
> - A share is defined: 
> [home1] 
>         path = /export/home1 
>         read only = No 
>         guest ok = Yes 
> 
> - A file is created on the share: 
>     # touch /export/home1/test 
>     # chown vincent:engineer /export/home1/test 
>     # ls -l /export/home1/test 
>     -rw-rw-r--   1 vincent   engineer       0 Jun 28 15:50
/export/home1/test
> 
> - From Windows 2K, when I right-click properties, Security, I can see 
> the current  permissions: 
>     Engineer (SERVER_NAME\Engineer) 
>     Everyone 
>     Vincent Xxxxx (SERVER_NAME\Vincent) 
> 
> - Clicking on Advanced shows the permissions (respectively Special, 
> Read, Special).  Click Cancel to come back to the Security tab. 
> 
> - But when I click on Add, I receive a window saying "You are logged 
> with an account  that does not have access to: SERVER_NAME. Enter 
> the name and password of an  account with permissions for this 
> domain and click ok." 
> 
> - The equivalent test on WinNT4 (Properties, Security, Permissions, 
> Add, Show users  works, Click on a user, Add, Read, Ok) works very 
> well: an acl is created on the file. 
> 
> 
> What's going on ??? I raised the debug level to 3, 4, even 10 but I
can't
> catch anything  useful (to me). 
> 
> TIA for any help, 
> Pierre 
> 
> 
> I hope this is not too long but a level 4 log gives (at the moment I click 
> on the Add  button): 
> [2005/06/28 16:16:02, 3] smbd/process.c:process_smb(1091) 
>   Transaction 2072 of length 88 
> [cut - see original message for details]

Hi,

I make a second try with my problem. Maybe this time I'll be more lucky ?

You'll find hereafter my two previous unanswered mails about the problem.

Regards,
Pierre

On 28 Jun 2005 at 17:35, Pierre Dehaen wrote:
> Hi, 
> 
> After three days of googling, searching in this list, reading parts of the 
> pdf, and testing, I  surrender: please help ! 
> 
> Summary: 
> I'm running 3.0.10a (binary from www.sunfreeware.com) on Solaris 
> 2.6 in standalone  mode (security=user). I use ACLs on files. I cannot, 
> from windows (w2k, wxp pro), add  a user to the permissions of a file. 
> 
> 
> Details: 
> - The binary was compiled --with-acl-support as "smbd -b|grep
ACL"
> and the  sunfreeware site confirm. 
> 
> - Solaris UFS supports ACLs. 
> 
> - I don't use winbindd 
> 
> - This is my smb.conf: 
> [global] 
>     workgroup = UNIX 
>     server string = Samba Server 3.0 
>     interfaces = x.x.x.x 
>     map to guest = Bad User 
>     username map = /usr/local/samba/private/users.map 
>     log level = 4 
>     log file = /usr/local/samba/var/log.%m 
>     max log size = 500 
>     deadtime = 30 
>     keepalive = 0 
>     dns proxy = No 
>     ldap ssl = no 
>     idmap uid = 10000-20000 
>     idmap gid = 10000-20000 
> 
> - The users.map did not exist at the beginning, but, as the PDF 
> examples have one, I  created it with: 
>     root = Administrator 
> 
> - My users do exist on Solaris and are the same as the Windows users. 
> 
> - The users were added on Samba with smbpasswd -a. 
> 
> - My groups are mapped: 
>     # net groupmap list | sort 
>     Account Operators (S-1-5-32-548) -> -1 
>     Administrators (S-1-5-32-544) -> -1 
>     Backup Operators (S-1-5-32-551) -> -1 
>     Domain Admins (S-1-5-21-3464024308-2102256894-3995807409-512) ->
root
>     Domain Guests (S-1-5-21-3464024308-2102256894-3995807409-514) ->
nobody
>     Domain Users (S-1-5-21-3464024308-2102256894-3995807409-513) ->
staff
>     Engineer (S-1-5-21-3464024308-2102256894-3995807409-1305) ->
engineer
>     Guests (S-1-5-32-546) -> -1 
>     Inter (S-1-5-21-3464024308-2102256894-3995807409-1323) -> inter 
>     Power Users (S-1-5-32-547) -> -1 
>     Print Operators (S-1-5-32-550) -> -1 
>     Replicators (S-1-5-32-552) -> -1 
>     System Operators (S-1-5-32-549) -> -1 
>     Users (S-1-5-32-545) -> -1 
> 
> - A share is defined: 
> [home1] 
>         path = /export/home1 
>         read only = No 
>         guest ok = Yes 
> 
> - A file is created on the share: 
>     # touch /export/home1/test 
>     # chown vincent:engineer /export/home1/test 
>     # ls -l /export/home1/test 
>     -rw-rw-r--   1 vincent   engineer       0 Jun 28 15:50
/export/home1/test
> 
> - From Windows 2K, when I right-click properties, Security, I can see 
> the current  permissions: 
>     Engineer (SERVER_NAME\Engineer) 
>     Everyone 
>     Vincent Xxxxx (SERVER_NAME\Vincent) 
> 
> - Clicking on Advanced shows the permissions (respectively Special, 
> Read, Special).  Click Cancel to come back to the Security tab. 
> 
> - But when I click on Add, I receive a window saying "You are logged 
> with an account  that does not have access to: SERVER_NAME. Enter 
> the name and password of an  account with permissions for this 
> domain and click ok." 
> 
> - The equivalent test on WinNT4 (Properties, Security, Permissions, 
> Add, Show users  works, Click on a user, Add, Read, Ok) works very 
> well: an acl is created on the file. 
> 
> 
> What's going on ??? I raised the debug level to 3, 4, even 10 but I
can't
> catch anything  useful (to me). 
> 
> TIA for any help, 
> Pierre 
> 
> 
> I hope this is not too long but a level 4 log gives (at the moment I click 
> on the Add  button): 
> [2005/06/28 16:16:02, 3] smbd/process.c:process_smb(1091) 
>   Transaction 2072 of length 88 
> [cut - see original message of June 28th for details]


On 29 Jun 2005 at 10:49, Pierre Dehaen wrote:
> Hi again,
> 
> FYI here are some links talking about the same problem (but no answer):
> <http://lists.samba.org/archive/samba/2003-October/075334.html>
> <http://lists.samba.org/archive/samba/2003-November/002488.html>
> <http://www.mcse.ms/message436146.html>
> 
> Note that on WinNT4 I can partially add permissions to a file: I see the
users
> when I click on "Show users" and I can use them but I cannot see
the groups
> that are available on the Samba server.
> 
> Note also that I see exactly the same when I try to connect a W2K to
another
> W2K (both standalone computers): although I'm connected to the share
with
> a username of the server, from the client I cannot change the permissions
on
> any file of the server !!!
> 
> So I have a basic question now: Is it simply possible, from a W2K/XP, to 
> change the permissions of a file on a share of a standalone server, i.e. 
> without both computers being member of a domain ? I can see a possible 
> commercial reason (from who you know) for this not being allowed, but is 
> there also a technical reason ? Note that some of the above links show the 
> same behavior within a domain... so I'm lost.
> 
> Thanks for any help,
> Pierre
>