samba - Jan 2006 - Windows ACL modify ability?

I have posted several questions now and have ben unsuccessful in getting any
responses, so i thought i would take a different tack.

I know adjusting permissions on Samba shares, through the Microsoft MMC is
possible when you have POSIX ACL support compiled in your kernel. I don't
think that level of control is necessary for me and short of recompiling the
kernel for that support i have been unable to adjust permissions on Samba
shares through the MMC, i keep getting "Access is denied".

Could someone just toss out a couple ideas about whether adjustments to
ACL's ar possible without kernel POSIX ACL support and if so, what some
causes of the "Access is denied" could be?

TIA,

-MIKE

Hi, 

first which version of samba are you running? 
are you running pdc or AD Member ? 

etc etc. 
need more input ;-) 

Louis

 
>-----Oorspronkelijk bericht-----
>Van: samba-bounces+louis=van-belle.nl@lists.samba.org 
>[mailto:samba-bounces+louis=van-belle.nl@lists.samba.org] 
>Namens Mike Partyka
>Verzonden: maandag 2 januari 2006 23:50
>Aan: samba@lists.samba.org
>Onderwerp: [Samba] Windows ACL modify ability?
>
>I have posted several questions now and have ben unsuccessful 
>in getting any
>responses, so i thought i would take a different tack.
>
>I know adjusting permissions on Samba shares, through the 
>Microsoft MMC is
>possible when you have POSIX ACL support compiled in your 
>kernel. I don't
>think that level of control is necessary for me and short of 
>recompiling the
>kernel for that support i have been unable to adjust 
>permissions on Samba
>shares through the MMC, i keep getting "Access is denied".
>
>Could someone just toss out a couple ideas about whether adjustments to
>ACL's ar possible without kernel POSIX ACL support and if so, what some
>causes of the "Access is denied" could be?
>
>TIA,
>
>-MIKE
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/listinfo/samba
>

I added the attributes acl,user_xattr to the /etc/fstab and then raised the
log level to 10. and attempted once more the MMC, "Connect to another
computer", and used the Samba hostname to connect to it, then i went into a
share, and on the security tab, i hit the advanced button and modified the
write permissions for the group "Domain users" and i got a the message
"changes could not be saved, access is denied". I looked at the
logging and
i have to say i can't make much of it:

[2006/01/03 16:15:27, 5] smbd/uid.c:change_to_root_user(296)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2006/01/03 16:15:27, 5] auth/auth_util.c:free_server_info(1406)
  attempting to free (and zero) a server_info structure
[2006/01/03 16:15:27, 3] smbd/reply.c:reply_ulogoffX(1264)
  ulogoffX vuid=100
[2006/01/03 16:15:27, 5] lib/util.c:show_msg(486)
[2006/01/03 16:15:27, 5] lib/util.c:show_msg(496)
  size=39
  smb_com=0x74
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=136
  smb_flg2=51201
  smb_tid=0
  smb_pid=65279
  smb_uid=100
  smb_mid=1216
  smt_wct=2
  smb_vwv[ 0]=  255 (0xFF)
  smb_vwv[ 1]=    0 (0x0)
  smb_bcc=0
[2006/01/03 16:15:27, 6] lib/util_sock.c:write_socket(449)
  write_socket(25,43)
[2006/01/03 16:15:27, 6] lib/util_sock.c:write_socket(452)
  write_socket(25,43) wrote 43
[2006/01/03 16:15:27, 10]
lib/util_sock.c:read_smb_length_return_keepalive(505)
  got smb length of 35
[2006/01/03 16:15:27, 6] smbd/process.c:process_smb(1090)
  got message type 0x0 of len 0x23
[2006/01/03 16:15:27, 3] smbd/process.c:process_smb(1091)
  Transaction 20 of length 39
[2006/01/03 16:15:27, 5] lib/util.c:show_msg(486)
[2006/01/03 16:15:27, 5] lib/util.c:show_msg(496)
  size=35
  smb_com=0x71
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=24
  smb_flg2=51207
  smb_tid=1
  smb_pid=65279
  smb_uid=100
  smb_mid=1280
  smt_wct=0
  smb_bcc=0
[2006/01/03 16:15:27, 3] smbd/process.c:switch_message(886)
  switch message SMBtdis (pid 2699) conn 0x880d9c0
[2006/01/03 16:15:27, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/01/03 16:15:27, 5] auth/auth_util.c:debug_nt_user_token(485)
  NT user token: (NULL)
[2006/01/03 16:15:27, 5] auth/auth_util.c:debug_unix_user_token(506)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/01/03 16:15:27, 5] smbd/uid.c:change_to_root_user(296)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2006/01/03 16:15:27, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/01/03 16:15:27, 5] auth/auth_util.c:debug_nt_user_token(485)
  NT user token: (NULL)
[2006/01/03 16:15:27, 5] auth/auth_util.c:debug_unix_user_token(506)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/01/03 16:15:27, 5] smbd/uid.c:change_to_root_user(296)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2006/01/03 16:15:27, 1] smbd/service.c:close_cnum(830)
  192.168.0.7 (192.168.0.7) closed connection to service ftp
[2006/01/03 16:15:27, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to ftp
[2006/01/03 16:15:27, 4] smbd/vfs.c:vfs_ChDir(660)
  vfs_ChDir to /
[2006/01/03 16:15:27, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/01/03 16:15:27, 5] auth/auth_util.c:debug_nt_user_token(485)
  NT user token: (NULL)
[2006/01/03 16:15:27, 5] auth/auth_util.c:debug_unix_user_token(506)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/01/03 16:15:27, 5] smbd/uid.c:change_to_root_user(296)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2006/01/03 16:15:27, 5] lib/util.c:show_msg(486)
[2006/01/03 16:15:27, 5] lib/util.c:show_msg(496)
  size=35
  smb_com=0x71
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=136
  smb_flg2=51201
  smb_tid=1
  smb_pid=65279
  smb_uid=100
  smb_mid=1280
  smt_wct=0
  smb_bcc=0
[2006/01/03 16:15:27, 6] lib/util_sock.c:write_socket(449)
  write_socket(25,39)
[2006/01/03 16:15:27, 6] lib/util_sock.c:write_socket(452)
  write_socket(25,39) wrote 39
[2006/01/03 16:15:27, 10] lib/util_sock.c:read_socket_data(378)
  read_socket_data: recv of 4 returned 0. Error = Success
[2006/01/03 16:15:27, 10] lib/util_sock.c:receive_smb_raw(556)
  receive_smb_raw: length < 0!
[2006/01/03 16:15:27, 3] smbd/process.c:timeout_processing(1334)
  timeout_processing: End of file from client (client has disconnected).
[2006/01/03 16:15:27, 5] lib/gencache.c:gencache_shutdown(88)
  Closing cache file
[2006/01/03 16:15:27, 5] libsmb/namecache.c:namecache_shutdown(79)
  namecache_shutdown: netbios namecache closed successfully.
[2006/01/03 16:15:27, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/01/03 16:15:27, 5] auth/auth_util.c:debug_nt_user_token(485)
  NT user token: (NULL)
[2006/01/03 16:15:27, 5] auth/auth_util.c:debug_unix_user_token(506)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/01/03 16:15:27, 5] smbd/uid.c:change_to_root_user(296)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2006/01/03 16:15:27, 2] smbd/server.c:exit_server(609)
  Closing connections
[2006/01/03 16:15:27, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2006/01/03 16:15:27, 5] smbd/oplock.c:receive_local_message(107)
  receive_local_message: doing select with timeout of 1 ms
[2006/01/03 16:15:27, 3] smbd/server.c:exit_server(652)
  Server exit (normal exit)

Could someone briefly translate? BTW, i do have the usermap file entry like
this:

root     "MRPARTYKA/Administrator"

Do others here have similar entries that equivalate root to the domain
administrator account?

Here is my smb.conf file:

# Global parameters, created by Mike Partyka, Agostoinc, 12302005:1230
[global]
        unix charset = LOCALE
        workgroup = mrpartyka
        realm = MRPARTYKA.DOMAIN
        server string = SMBv3.0.14a/MS ADS/winbindd
        security = ads
        log level = 10
        syslog = 0
        log file = /var/log/samba/%m
        max log size = 50
        printcap name = CUPS
        idmap uid = 10000-40000000
        idmap gid = 10000-40000000
        template primary group = "MRPARTYKA/Domain Users"
        template shell = /bin/bash
        printing = cups
        # winbind trusted domains only = Yes
        winbind separator = /

[ftp]
        comment = All users share
        path = /ftproot
        valid users = @"MRPARTYKA/Domain Users"
        writeable = Yes
        browseable = Yes
        nt acl support = Yes
        inherit acls = Yes
        map hidden = No
        map system = No
        map archive = No
        store dos attributes = Yes
        ea support = Yes

>
>
> On 1/3/06, Louis van Belle <louis@van-belle.nl> wrote:
> >
> > Your welkom, its my bosses time ;-)
> >
> > Louis
> >
> >
> > >-----Oorspronkelijk bericht-----
> > >Van: Mike Partyka [mailto:mpartyka@gmail.com]
> > >Verzonden: dinsdag 3 januari 2006 16:15
> > >Aan: Louis van Belle
> > >CC: samba@lists.samba.org
> > >Onderwerp: Re: [Samba] Windows ACL modify ability?
> > >
> > >Interesting, i was not aware of that, the kernel does have the
> > >necessary support in it for POSIX ACL's and Extended
> > >attributes, but i was lacking the entry in /etc/fstab i added
> > >it and will test it this afternoon and report back.
> > >
> > >Thanks for taking the time to respond, Louis!
> > >
> > >
> > >On 1/3/06, Louis van Belle <louis@van-belle.nl> wrote:
> > >
> > >       wel, is there in  /boot a config-xxxx file
> > >
> > >       open it with you favorite editor,
> > >       search for XATTR or POSIX_CAL
> > >
> > >       if set M its possible you still have to load the modules
> > >       if set Y its in kernel, then kernel is ok.
> > >
> > >       check you fstab
> > >       i added for /home only the acl and EA.
> > >       like this.
> > >
> > >       dev/sda12      /home   ext3    defaults,acl,user_xattr
> > >       0       2
> > >
> > >       if there is no acl,user_xattr
> > >       then there is no windows rights management.
> > >
> > >       i set right with the explorer and this is working ok on
> > >       my samba. ( als 3.0.14a debian)
> > >
> > >       Louis
> > >
> > >
> > >
> > >
> > >       >-----Oorspronkelijk bericht-----
> > >       >Van: Mike Partyka [mailto:mpartyka@gmail.com]
> > >       >Verzonden: dinsdag 3 januari 2006 15:00
> > >       >Aan: Louis van Belle
> > >       >CC: samba@lists.samba.org
> > >       >Onderwerp: Re: [Samba] Windows ACL modify ability?
> > >       >
> > >       >Your referring to POSIX ACL support in the kernel? I am
not
> > >       >entirely sure how to check for this in the standard
> > >       >precompliled kernel, and i believe that support not to
be
> > >       >common in most linux distro's so i would guess
that, POSIX ACL
> > >       >support is not enabled.
> > >       >
> > >       >My understanding is that POSIX ACL support will get you
a
> > >       >closer approximation to windows ACL's,that is,
finer grained
> > >       >control over the UNIX permissions, but i think standard
UNIX
> > >       >perms should be adequet.
> > >       >
> > >       >That was my original question though, "Is POSIX
ACL kernel
> > >       >support necessary to perform ACL adjustments through a
windows
> > >       >MMC?". It does not seem to be from the
documentation i have
> > >       >read but i was not certain which was why i thought i
would
> > >       >toss the question out to the mailing list.
> > >       >
> > >       >Thanks again, Louis
> > >       >
> > >       >
> > >       >On 1/3/06, Louis van Belle < louis@van-belle.nl
> > ><mailto: louis@van-belle.nl> > wrote:
> > >       >
> > >       >       does your kernel support ACL and Extended
Attributes.
> > >       >
> > >       >
> > >       >
> > >       >
> > >       >
> > >       >
> > >
> > >       --
> > >       To unsubscribe from this list go to the following URL
> > >and read the
> > >       instructions:  
https://lists.samba.org/mailman/listinfo/samba
> > >
> > >
> > >
> > >
> >
> >
>