Hello,

I have joined the Linux server (Suse 11.2) to the Windows domain (win2003) and users can login to the server using their Windows domain credentials. Also can view all of the domain groups using 'wbinfo -g', however when I try to set the acls on a local dir' I get the following error;

#setfacl -m g:DOMAIN\\groupname:r /tmp/testacl
setfacl: Option -m: Invalid argument near character 3

The same error occurs if I use a domain user, although I can add a local Linux user or group. What am I overlooking?

Many thanks in advance.

James
On November 3, 2010, "James D. Parra" <jamesp at musicreports.com> wrote:
> Hello,
>
> I have joined the Linux server (Suse 11.2) to the Windows domain
> (win2003) and users can login to the server using their Windows domain
> credentials. Also can view all of the domain groups using 'wbinfo -g',
> however when I try to set the acls on a local dir' I get the following
> error;
>
> #setfacl -m g:DOMAIN\\groupname:r /tmp/testacl
> setfacl: Option -m: Invalid argument near character 3
>
> The same error occurs if I use a domain user, although I can add a local
> Linux user or group. What am I overlooking?
>

setfacl has no idea about smb group or user names. You probably need to set up winbindd/nsswitch to map domain groups and users to local groups and users before you can assign acls.
> I have joined the Linux server (Suse 11.2) to the Windows domain (win2003) and users can login to the server using their Windows domain credentials. Also can view all of the domain groups using 'wbinfo -g', however when I try to set the acls on a local dir' I get the following error;
>
> #setfacl -m g:DOMAIN\\groupname:r /tmp/testacl
> setfacl: Option -m: Invalid argument near character 3

The setfacl tool knows nothing about Windows domains, hence the error you see. You can also use the user or group number as given by "getent passwd" and "getent group". In this case, setfacl does work. You can also try smbcacls which comes with Samba or set the ACLs from a Windows client.
The key tool is nsswitch. Winbind may or may not be necessary, depending on your precise setup. It's the nsswitch libraries and configuration file which tell Linux where to fetch user and group information.

~~~~~~~~~~~~~~~~~~~~~~~~~

Hello Bruce,

Still can't get setfacl to get group or user info from the AD (Windows 2003). I have the following in nsswitch.conf;

passwd: compat ldap
group: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files dns
services: files ldap
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files ldap
publickey: files
bootparams: files
automount: files nis
aliases: files ldap
passwd_compat: ldap

<snip>

And the linux box is joined to the domain;

# net ads testjoin
Join is OK

<snip>

I can get details from 'wbinfo'

fmt-mwr:~ # wbinfo -g
DOMAIN+pg_out_test

<snip>

Somewhere is the magic to get setfacl to see the AD groups and users.

Many thanks,

James
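Added example, not part of the thread: the replies above turn on whether NSS can resolve the domain name, so this Python code checks the posted passwd/group lines for a winbind source and resolves a group through NSS (the lookup `getent group` performs) before building a numeric-gid setfacl call. The sample text is constructed from the excerpt posted above, and the function names are hypothetical.

```python
import grp
import re

# Constructed sample: lines taken from the nsswitch.conf excerpt posted above.
POSTED_NSSWITCH = """\
passwd: compat ldap
group:  files ldap
hosts:  files mdns4_minimal [NOTFOUND=return] dns
passwd_compat: ldap
"""


def nss_sources(text):
    """Map each nsswitch database to its ordered list of source names."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        # Drop action items such as [NOTFOUND=return]; keep the sources only.
        table[db.strip()] = re.sub(r"\[[^\]]*\]", " ", rest).split()
    return table


def missing_winbind(text, databases=("passwd", "group")):
    """Databases whose lookups never consult winbind."""
    table = nss_sources(text)
    return [db for db in databases if "winbind" not in table.get(db, [])]


def resolve_gid(name):
    """Resolve a group name through NSS; None when no source knows it."""
    try:
        return grp.getgrnam(name).gr_gid
    except KeyError:
        return None


def setfacl_command(group, perms, path):
    """Build a setfacl call using the numeric gid, or None if unresolved."""
    gid = resolve_gid(group)
    if gid is None:
        return None
    return ["setfacl", "-m", f"g:{gid}:{perms}", path]


if __name__ == "__main__":
    print("no winbind source for:", missing_winbind(POSTED_NSSWITCH))
    # Name as wbinfo -g printed it; resolves only once NSS can see it.
    print(setfacl_command("DOMAIN+pg_out_test", "r", "/tmp/testacl"))
```
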
On Fri, Nov 05, 2010 at 11:13:39AM -0700, Shuaib Ilyas (shilyas) wrote:
> I am running samba server version samba (3.0.33-3.7.el5_3.1) on Fedora
> core. This is working fine and I can access the server share from the
> clients. I need to do some tests using this samba server with SMB
> signing enabled. How can I enable smb signing on my samba server?
>
> I have searched over web but have not found the procedure to do it.
>
> Any pointers will be helpful.

server signing = mandatory

Volker
Thanks, Volker.

After making this change, when client is sending Negotiate protocol Request, server is not responding to this request.

Is it something to do with workgroup/domain? In my setup, this samba server is in a workgroup not part of the domain.

Shuaib

[global]
workgroup = wrkgrp
netbios name = smbserver
security = SHARE
load printers = No
default service = global
path = /home
available = yes
encrypt passwords = yes
server signing = mandatory

-----Original Message-----
From: Volker Lendecke [mailto:Volker.Lendecke at SerNet.DE]
Sent: Friday, November 05, 2010 12:01 PM
To: Shuaib Ilyas (shilyas)
Cc: samba at lists.samba.org
Subject: Re: [Samba] How to enable smb signing on samba

On Fri, Nov 05, 2010 at 11:13:39AM -0700, Shuaib Ilyas (shilyas) wrote:
> I am running samba server version samba (3.0.33-3.7.el5_3.1) on Fedora
> core. This is working fine and I can access the server share from the
> clients. I need to do some tests using this samba server with SMB
> signing enabled. How can I enable smb signing on my samba server?
>
> I have searched over web but have not found the procedure to do it.
>
> Any pointers will be helpful.

server signing = mandatory

Volker
On Fri, 2010-11-05 at 12:52 -0700, Shuaib Ilyas (shilyas) wrote:
> Thanks, Volker.
>
> After making this change, when client is sending Negotiate protocol
> Request, server is not responding to this request.
>
> Is it something to do with workgroup/domain?
> In my setup, this samba server is in a workgroup not part of the domain.
>
> Shuaib
>
> [global]
> workgroup = wrkgrp
> netbios name = smbserver
> security = SHARE
> load printers = No
> default service = global
> path = /home
> available = yes
> encrypt passwords = yes
> server signing = mandatory

You cannot use security=share and smb signing at the same time.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
Hi Andrew,

Many thanks, I changed security = user and got it working.

Best Regards,
Shuaib

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Friday, November 05, 2010 9:15 PM
To: Shuaib Ilyas (shilyas)
Cc: Volker.Lendecke at SerNet.DE; samba at lists.samba.org
Subject: Re: [Samba] How to enable smb signing on samba

On Fri, 2010-11-05 at 12:52 -0700, Shuaib Ilyas (shilyas) wrote:
> Thanks, Volker.
>
> After making this change, when client is sending Negotiate protocol
> Request, server is not responding to this request.
>
> Is it something to do with workgroup/domain?
> In my setup, this samba server is in a workgroup not part of the domain.
>
> Shuaib
>
> [global]
> workgroup = wrkgrp
> netbios name = smbserver
> security = SHARE
> load printers = No
> default service = global
> path = /home
> available = yes
> encrypt passwords = yes
> server signing = mandatory

You cannot use security=share and smb signing at the same time.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
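Added example, not part of the thread: a Python check that reads the [global] section of an smb.conf and flags the combination this thread ran into, `server signing = mandatory` together with `security = share`, as well as a config where signing is not enforced at all. The sample text is constructed from the configuration posted above, the function names are hypothetical, and only the value `mandatory` shown in the thread is treated as enforcing.

```python
import re

# Constructed sample: the [global] section as posted in the thread.
POSTED_SMB_CONF = """\
[global]
    workgroup = wrkgrp
    netbios name = smbserver
    security = SHARE
    load printers = No
    default service = global
    path = /home
    available = yes
    encrypt passwords = yes
    server signing = mandatory
"""


def global_params(text):
    """Return [global] parameters keyed the way smb.conf compares names:
    case-insensitive, with whitespace inside the name ignored."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = re.sub(r"\s+", "", header.group(1)).lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)  # only the first '=' separates
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params


def signing_findings(text):
    """List problems with the signing setup; an empty list means none found."""
    params = global_params(text)
    security = params.get("security", "").lower()
    signing = params.get("serversigning", "").lower()
    if signing != "mandatory":
        return ["server signing is not mandatory, so signing is not enforced"]
    if security == "share":
        return ["server signing = mandatory cannot be combined with security = share"]
    return []


if __name__ == "__main__":
    print(signing_findings(POSTED_SMB_CONF))
    fixed = POSTED_SMB_CONF.replace("security = SHARE", "security = user")
    print(signing_findings(fixed))
```
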