Hans-Wilhelm Heisinger
2007-Nov-01 15:43 UTC
[Samba] ACL changes on Samba NT 4.0 Member Server
I have a Samba 3.0.24-7 on Fedora 6 as a member of a Windows NT 4.0 domain, with a simple share setup with ACLs. The permissions on the share from Windows XP Pro Security tab show Everyone, and root (Unix Group\root) without any Permissions. When trying to add permissions from XP while logged on as CPDOM+admin the error is displayed "Unable to save permission changes on "share name" on "server name" Access is denied." Files can be copied to the share but can't be opened. Below is the smb.conf. I believe ACLs would work if I add access. I tried setting the ACLs using setfacl and then the permissions show full control from XP, but I'm still unable to change permissions or open files.

[global]

winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = no

security = domain
workgroup = CPDOM
netbios name = FILE_SRV
password server = XSERVER
server string


[data]
comment = FILES
path = /files
guest ok = yes
create mask = 0777
writeable = yes
nt acl support = yes
oplocks = no
browseable = yes
dos filemode = yes
admin users = CPDOM+admin

Hans

On 11/1/07, Hans-Wilhelm Heisinger <wheisinger@semcowindows.com> wrote:
> I have a Samba 3.0.24-7 on Fedora 6 as a member of a Windows NT 4.0
> domain, with a simple share setup with ACLs. The permissions on the
> share from Windows XP Pro Security tab show Everyone, and root (Unix
> Group\root) without any Permissions. When trying to add permissions
> from XP while logged on as CPDOM+admin the error is displayed "Unable to
> save permission changes on "share name" on "server name" Access is
> denied." Files can be copied to the share but can't be opened. Below is
> the smb.conf. I believe ACLs would work if I add access. I tried
> setting the ACLs using setfacl and then the permissions show full
> control from XP, but I'm still unable to change permissions or open files.
>
> [global]
>
> winbind separator = +
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = no
>
> security = domain
> workgroup = CPDOM
> netbios name = FILE_SRV
> password server = XSERVER
> server string
>
>
> [data]
> comment = FILES
> path = /files
> guest ok = yes
> create mask = 0777
> writeable = yes
> nt acl support = yes
> oplocks = no
> browseable = yes
> dos filemode = yes
> admin users
>

Your smb.conf file looks fine. Can CPDOM+admin log into the unix system and create files? You are mounting your unix filesystem with acls enabled? Also can you post an ls -al on /files?

On 11/1/07, Hans-Wilhelm Heisinger <wheisinger@semcowindows.com> wrote:
>
> John,
>
> Thank you for the reply. Below is the output from mount and ls -al.
> Yes I can login as CPDOM+admin and create files, but connecting to the share
> as CPDOM+admin doesn't work.
>
> Hans
>
> [root@localhost ~]# mount
> /dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
> proc on /proc type proc (rw)
> sysfs on /sys type sysfs (rw)
> devpts on /dev/pts type devpts (rw,gid=5,mode=620)
> /dev/hda1 on /boot type ext3 (rw,acl)
> tmpfs on /dev/shm type tmpfs (rw)
> none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
> sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
>
> [root@localhost ~]# ls -al /files
> total 5196
> drwxrwxrwx  3 root root    4096 Nov  1 10:17 .
> drwxr-xr-x 26 root root    4096 Nov  1 05:25 ..
> -rwxrw-rw-  1 root root     413 Feb 24  2006 AS400.WS
> -rwxrw-rw-  1 root root     398 Jul 27 14:13 dnsb.txt
> -rwxrw-rw-  1 root root 3100432 May 22  2006 Dsclient.exe
> drwxrwxrwx  2 root root    4096 Apr  7  2005 Fonts
> -rwxrw-rw-  1 root root    1411 Aug 15 08:09 hans.txt
> -rwxrw-rw-  1 root root   61440 Sep 14 08:57 IDTag.exe
> -rwxrw-rw-  1 root root  262727 Apr 21  2003 keyfinder.exe
> -rwxrw-rw-  1 root root   25088 Mar 22  2007 Label6x4 layout with text.doc
> -rwxrw-rw-  1 root root   60416 Jun  6 09:41 Label proposal II.xls
> -rwxrw-rw-  1 root root   90112 May  9  2006 OfficeTime.exe
> -rwxrw-rw-  1 root root     317 Jul  3 07:51 OutputsLisec.txt
> -rwxrw-rw-  1 root root  173231 May  4  1999 REPLICA.HLP
> -rwxrw-rw-  1 root root    1101 Apr 25  2005 Salesreport.dtf
> -rw-rw-rw-  1 root root     481 Nov  1 08:42 smb.conf
> -rwxrw-rw-  1 root root   69632 Mar  4  2004 system.mdw
> -rwxrw-rw-  1 root root  491008 May 10 13:20 TSClient.doc
> -rwxrw-rw-  1 root root  782848 Jun 30  2006 WIP LOCATIONS.xls
> -rwxrw-rw-  1 root root    5632 Aug  4  2004 wmi.dll
> -rwxrw-rw-  1 root root   16930 May 31  1994 XCOPY.EXE
>

It is possible the problem is that the owner and group of the share are both root. I never do that for any of my working samba shares. The owner can be a user or possibly root but the group is always a group that the users I want to change acls. I see from the docs that dos filemode is supposed to fix that so maybe this is not the case. Can you set a log level of 10 and see if there are any errors caused when you try to change the acls?

John
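
Added example, not part of the thread: a shell check for the question raised above about whether the filesystem holding the share is mounted with ACLs enabled. The function names are hypothetical, the sample input is the first lines of the mount output posted in the thread, and /boot/grub is a constructed path used only for contrast.

```shell
#!/bin/sh
# Added example: which mount serves a share path, and is "acl" among its options?
# MOUNT_SAMPLE is the `mount` output posted in the thread (first lines).
MOUNT_SAMPLE='/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/hda1 on /boot type ext3 (rw,acl)
tmpfs on /dev/shm type tmpfs (rw)'

# mount_for_path MOUNT_TEXT PATH
# Prints "mountpoint fstype options" for the longest mount point that is a
# prefix of PATH; prints nothing if no line matches.
mount_for_path() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $2 == "on" && $4 == "type" {
            mp = $3
            pre = (mp == "/") ? "/" : mp "/"
            if ((p == mp || index(p "/", pre) == 1) && length(mp) > best) {
                best = length(mp); hit = mp; fs = $5; opts = $6
            }
        }
        END { if (hit != "") { gsub(/[()]/, "", opts); print hit, fs, opts } }'
}

# acl_mount_status MOUNT_TEXT PATH
# Prints "acl", "no-acl-option" or "unknown" (no mount matched).
# "no-acl-option" is not proof that ACLs are off: ext3 can also enable them
# through default mount options stored in the superblock (see the
# "Default mount options" line of tune2fs -l), so check there next.
acl_mount_status() {
    line=$(mount_for_path "$1" "$2")
    if [ -z "$line" ]; then
        echo unknown
    else
        case ",${line##* }," in
            *,acl,*) echo acl ;;
            *)       echo no-acl-option ;;
        esac
    fi
}

# On a live host, pass "$(mount)" instead of the sample.
acl_mount_status "$MOUNT_SAMPLE" /files        # share path from the thread
acl_mount_status "$MOUNT_SAMPLE" /boot/grub    # constructed path for contrast
```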