I have a samba server joined to a domain that I'm trying to use ads security and acls on. I can set acls on the Unix file system, and access from a windows client seems to honor them. I can't view the acls under the security tab, all I see are the standard Unix permissions instead. If I try to add an entry to the acl, I get an access denied error, even if the user is on the list of admin users.

Samba version is 3.0.24, OS is Solaris 10. Winbind works smoothly, I can set an entry in an ACL to a domain user or group using setfacl on the unix side, and I see it correctly with getfacl.

Any ideas please?

~Eric

I've tested this on CentOS 4.3 and am seeing the same issue. It seems like it's probably a configuration problem, but I'll be damned if I can figure it out.

~Eric

-----Original Message-----
From: samba-bounces+eric.diven=edsiohio.com@lists.samba.org [mailto:samba-bounces+eric.diven=edsiohio.com@lists.samba.org] On Behalf Of Eric Diven
Sent: Wednesday, October 17, 2007 4:30 PM
To: samba@lists.samba.org
Subject: [Samba] Can't see or change ACLs on Windows

I have a samba server joined to a domain that I'm trying to use ads security and acls on. I can set acls on the Unix file system, and access from a windows client seems to honor them. I can't view the acls under the security tab, all I see are the standard Unix permissions instead. If I try to add an entry to the acl, I get an access denied error, even if the user is on the list of admin users.

Samba version is 3.0.24, OS is Solaris 10. Winbind works smoothly, I can set an entry in an ACL to a domain user or group using setfacl on the unix side, and I see it correctly with getfacl.

Any ideas please?

~Eric

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba

make sure that user logged in to windows box is an owner of files. as I know, only owner can change permissions. try

# chown "administrator/DOMAIN" /samba/test.txt

after that try to set permissions on this file from windows.

On 10/18/07, Eric Diven <eric.diven@edsiohio.com> wrote:
> None when I open the security tab, but when I try to add an entry to the
> ACL, I get:
>
> "Unable to save permission changes on directory on 'croesus running
> samba (ipaddress)' (driveletter:).
>
> Access is denied."
>
> The smb.conf file is set up to allow admin access to both an AD user and
> group:
>
> the relevant sections of the smb.conf file:
>
> [global]
> workgroup = W2K3TEST
> realm = W2K3TEST.LOCAL
> server string = croesus running samba
> security = ADS
> log file = /var/log/samba/log.%m
> max log size = 50
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> printcap name = /etc/printcap
> preferred master = No
> dns proxy = No
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind separator = +
>
> [afiles]
> path = /foo/afiles
> admin users = W2K3TEST+bobadmin, @W2K3TEST+admins
> read only = No
>
> I've logged in both as another member of the W2K3TEST+admins group, and
> as W2K3TEST+bobadmin, and that doesn't seem to have any effect on
> whether or not it works. I've also tried adding a non-domain user and
> group to the ACL on the Solaris side to see if that would make an entry
> other than the standard permissions appear on Windows, but to no avail.
>
> ~Eric
>
> -----Original Message-----
> From: Stas [mailto:narezatel@gmail.com]
> Sent: Thursday, October 18, 2007 3:39 PM
> To: Volker.Lendecke@sernet.de
> Cc: Eric Diven; samba@lists.samba.org
> Subject: Re: [Samba] Can't see or change ACLs on Windows
>
> any errors on windows side when you try to set permissions?
>
> On 10/18/07, Volker Lendecke <Volker.Lendecke@sernet.de> wrote:
> > On Thu, Oct 18, 2007 at 09:11:59AM -0400, Eric Diven wrote:
> > > Here you go:
> > >
> > > bash-3.00# /usr/local/samba/sbin/smbd -b | grep ACL
> > > HAVE_SYS_ACL_H
> > > HAVE_SOLARIS_ACLS
> > > HAVE__ACL
> > > HAVE__FACL
> > >
> > > It looks plausible to me, but I'm assuming you know better than I
> > > what
> >
> > That indeed looks right. No idea then, sorry. Maybe you want to look
> > in a debug level 10 log of smbd, search for
> > call_nt_transact_query_security_desc, maybe you find something
> > obvious.
> >
> > Volker

On Thursday 18 October 2007 03:29:59 Eric Diven wrote:
> I have a samba server joined to a domain that I'm trying to use ads
> security and acls on. I can set acls on the Unix file system, and
> access from a windows client seems to honor them. I can't view the acls
> under the security tab, all I see are the standard Unix permissions
> instead. If I try to add an entry to the acl, I get an access denied
> error, even if the user is on the list of admin users. Samba version is
> 3.0.24, OS is Solaris 10. Winbind works smoothly, I can set an entry in
> an ACL to a domain user or group using setfacl on the unix side, and I
> see it correctly with getfacl. Any ideas please?

Hi Eric,

Isn't it normal that Windows cannot see Unix ACL? As far as I know, since it cannot see it, it will then just translate the ACL into more general ones.

--
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org

Whoops, these were both supposed to go to the list.

If I log on as the owner of the file, I still can't add another entry to the ACL. I can change the permissions set on the user, group and world permissions, but that's it. I do see that the owner is identified as the user I'm logged in as.

~Eric

-----Original Message-----
From: Stas [mailto:narezatel@gmail.com]
Sent: Friday, October 19, 2007 12:13 AM
To: Eric Diven
Cc: samba@lists.samba.org
Subject: Re: [Samba] Can't see or change ACLs on Windows

make sure that user logged in to windows box is an owner of files. as I know, only owner can change permissions. try

# chown "administrator/DOMAIN" /samba/test.txt

after that try to set permissions on this file from windows.

On 10/18/07, Eric Diven <eric.diven@edsiohio.com> wrote:
> None when I open the security tab, but when I try to add an entry to
> the ACL, I get:
>
> "Unable to save permission changes on directory on 'croesus running
> samba (ipaddress)' (driveletter:).
>
> Access is denied."
>
> The smb.conf file is set up to allow admin access to both an AD user
> and group:
>
> the relevant sections of the smb.conf file:
>
> [global]
> workgroup = W2K3TEST
> realm = W2K3TEST.LOCAL
> server string = croesus running samba
> security = ADS
> log file = /var/log/samba/log.%m
> max log size = 50
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> printcap name = /etc/printcap
> preferred master = No
> dns proxy = No
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind separator = +
>
> [afiles]
> path = /foo/afiles
> admin users = W2K3TEST+bobadmin, @W2K3TEST+admins
> read only = No
>
> I've logged in both as another member of the W2K3TEST+admins group,
> and as W2K3TEST+bobadmin, and that doesn't seem to have any effect on
> whether or not it works. I've also tried adding a non-domain user and
> group to the ACL on the Solaris side to see if that would make an
> entry other than the standard permissions appear on Windows, but to no
> avail.
>
> ~Eric
>
> -----Original Message-----
> From: Stas [mailto:narezatel@gmail.com]
> Sent: Thursday, October 18, 2007 3:39 PM
> To: Volker.Lendecke@sernet.de
> Cc: Eric Diven; samba@lists.samba.org
> Subject: Re: [Samba] Can't see or change ACLs on Windows
>
> any errors on windows side when you try to set permissions?
>
> On 10/18/07, Volker Lendecke <Volker.Lendecke@sernet.de> wrote:
> > On Thu, Oct 18, 2007 at 09:11:59AM -0400, Eric Diven wrote:
> > > Here you go:
> > >
> > > bash-3.00# /usr/local/samba/sbin/smbd -b | grep ACL
> > > HAVE_SYS_ACL_H
> > > HAVE_SOLARIS_ACLS
> > > HAVE__ACL
> > > HAVE__FACL
> > >
> > > It looks plausible to me, but I'm assuming you know better than I
> > > what
> >
> > That indeed looks right. No idea then, sorry. Maybe you want to look
> > in a debug level 10 log of smbd, search for
> > call_nt_transact_query_security_desc, maybe you find something
> > obvious.
> >
> > Volker

-----Original Message-----
From: Stas [mailto:narezatel@gmail.com]
Sent: Monday, October 29, 2007 1:37 PM
To: Eric Diven
Subject: Re: [Samba] Can't see or change ACLs on Windows

well, let's try again..
create test directory "/samba/testdir"
run # chmod 777 -R /samba/testdir
create share in smb.conf that points to /samba/test
create some file in new share from windows box.
open file properties and check permissions and owner (you should see "everyone - full control, CREATOR OWNER - full control, etc", and owner of created file should be user that logged in)
now try to set permissions, it should work.
if you want to restrict users - remove "everyone" from ACL list, this will just reset "Everyone" permission to "none", so no one will be able to modify files until you add specific users or groups to ACL list.
looking strange but it worked for me..

Still no luck. Our new directory:

drwxrwxrwx 2 W2K3TEST+bobadmin W2K3TEST+awriters 512 Oct 29 13:41 stastest

[stastest]
path = /foo/stastest
writeable = yes
inherit owner = yes
inherit permissions = yes
inherit acls = yes
nt acl support = yes

I've tried this with various inherit options on and off (including the dir sticky bit for inheriting group ownership) and still can't get it to go. I've also tried with varying ownerships on the directory with no change.

Also, when I try to remove Everyone (or for that matter, the unix group or owner) from the ACL, it pops right back up. Everyone doesn't have Full Control set either. Nor for that matter does the group that owns the file. Both Everyone and the group get rw permissions.

~Eric

On 10/29/07, Eric Diven <eric.diven@edsiohio.com> wrote:
>
> -----Original Message-----
> From: Stas [mailto:narezatel@gmail.com]
> Sent: Friday, October 26, 2007 6:56 PM
> To: Eric Diven
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Can't see or change ACLs on Windows
>
> any errors in samba's log?
> what error exactly you get at windows box when you try to set
> permissions?
>
> Annoyingly, I'm not getting any logging for clients. Why, I don't know.
> I see start-up messages correctly in the log.smbd file, including
> those at log level 10, but not ones from clients.
>
> Here are the logging-related lines from smbd.conf
>
> # this tells Samba to use a separate log file for each machine
> # that connects
> log file = /var/log/samba/log.%m
>
> # Put a capping on the size of the log files (in Kb).
> max log size = 50
>
> The exact text of the error I get in Windows is:
>
> "Unable to save permission changes on hjkl.txt.
>
> Access is denied
> [OK]"
>
> As usual, I'm logged in as the owner of the file.
>
> Sigh.
>
> Thanks for your continuing help on this, by the way. This is driving
> me nuts.
>
> ~Eric

Whoops, meant to go to the list, sorry.

~Eric

-----Original Message-----
From: Eric Diven
Sent: Tuesday, October 30, 2007 11:29 AM
To: 'Volker.Lendecke@SerNet.DE'
Subject: RE: [Samba] Can't see or change ACLs on Windows

On Tue, Oct 30, 2007 at 10:59:41AM -0400, Eric Diven wrote:
> Okay, here's what I've figured out from trying to do what you suggested:

Well, so far we haven't seen any debug logs.

Volker

So far, neither have I. I'm getting nothing in the logs on either CentOS or Solaris when I do anything from the windows client. Neither the mtimes nor the file sizes on the logs that get generated at startup are changing, and I'm not getting any new logfiles for client machines that log on:

"Annoyingly, I'm not getting any logging for clients. Why, I don't know. I see start-up messages correctly in the log.smbd file, including those at log level 10, but not ones from clients.

Here are the logging-related lines from smbd.conf

# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
max log size = 50"

^ From yesterday ^

If I could trouble you with a really stupid question: Do I need to jack the logging up on nmbd to 10 as well? I'm working under the assumption that this is an smbd problem, so that's where I've turned up the logging. We all know of course what happens when you assume ;-)

~Eric