Rowland Penny
2014-Dec-19 14:02 UTC
[Samba] setfacl: Option -m: Invalid argument near character 3
On 19/12/14 13:40, Rich Webb wrote:> Running CentOS 6.6 > Using the Sernet Enterprise packages - sernet-samba-ad. > > Just tried: > > getent group "Domain Users" > getent group DOMAIN\\Domain\ Users > > and neither command returned any entries. > > Rich > > -----Original Message----- > From: samba-bounces at lists.samba.org > [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny > Sent: Friday, December 19, 2014 8:37 AM > To: samba at lists.samba.org > Subject: Re: [Samba] setfacl: Option -m: Invalid argument near character > 3 > > On 19/12/14 13:22, Rich Webb wrote: >> Matt, >> >> Thanks for the reply. I'm not trying to add the "users" group. I'm >> trying to add the "Domain Users" group. That is the reason for the \ >> in front of the space. It's translated as a literal. I think I could >> also put quotes around it and not have to use the \ and the space. >> >> The problem is getent group only is listing local unix groups. I >> think that is why setfacl is not able to add active directory groups >> to the acl. > That may be your problem, 'getent group' will not show any domain group, > but 'getent group <a domain group>' should show the domain group. > > If you are running samba4 in AD mode, then you are running winbind, > though you may not be **using** it. > > Can you post what OS & samba packages you are using. > > Rowland >> Rich. >> >> -----Original Message----- >> From: Mattias Zhabinskiy [mailto:mattiasz at thinklogical.com] >> Sent: Friday, December 19, 2014 12:15 AM >> To: Rich Webb >> Subject: Re: [Samba] setfacl: Option -m: Invalid argument near >> character >> 3 >> >> Hello Rich, >> >> First of all remove space in front of the group name "users": >> >> setfacl -R -m g:MYDOM\\domain\users:rwx ./shared >> >> For example, following command works for me: >> >> [root at vmtest007 tmp]# ls -ld test4 >> drwxrwsr-x. 2 root g-sales 4096 Dec 19 00:10 test4 >> >> [root at vmtest007 tmp]# setfacl -Rm g:MYDOMAIN\\g-admin:rwx test4 >> >> [root at vmtest007 tmp]# getfacl test4 >> # file: test4 >> # owner: root >> # group: g-sales >> # flags: -s- >> user::rwx >> group::rwx >> group:g-admin:rwx >> mask::rwx >> other::r-x >> >> [root at vmtest007 tmp]# ls -ld test4 >> drwxrwsr-x+ 2 root g-sales 4096 Dec 19 00:10 test4 >> >> where MYDOMAIN is windows domain name and g-admin is a group name in >> MYDOMAIN. >> Make sure that group "users" exists by running "getent group users" >> command, for e.g. in my case: >> [root at vmtest007 tmp]# getent group g-admin >> g-admin:x:91608:alex,bill,joe,kevin >> >> Regards, >> Matt >> >> ________________________________________ >> From: samba-bounces at lists.samba.org <samba-bounces at lists.samba.org> on >> behalf of Rich Webb <rwebb at zylatech.com> >> Sent: Thursday, December 18, 2014 8:33 PM >> To: samba at lists.samba.org >> Subject: Re: [Samba] setfacl: Option -m: Invalid argument near >> character >> 3 >> >> Please is there anyone who has an answer on why this might be > happening? >> Do I need some sort of sssd support or winbind or something? In the >> wiki about setting up acl's it doesn't say anything about any other >> requirements, only that you have to have acl support and xattr support >> in your filesystem which I do. >> >> I'm trying to deploy this server and I need a working solution >> tomorrow >> - kind of in a bind.. I hope someone can help. >> >> Thanks, >> Rich >> >> -----Original Message----- >> From: samba-bounces at lists.samba.org >> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rich Webb >> Sent: Thursday, December 18, 2014 6:29 PM >> To: samba at lists.samba.org >> Subject: Re: [Samba] setfacl: Option -m: Invalid argument near >> character >> 3 >> >> I just tried that and I got the same error. I think there is some >> extended acl support that I'm missing somewhere. >> >> It's like the setfacl command is not recognizing the AD groups as >> valid groups. >> >> I should also add the following information: >> >> This server is built up on CentOS 6.6 Minimal using the Sernet-Samba >> Enterprise packages. >> >> It looks like the binary that is running is /usr/sbin/samba and that >> is started with /etc/rc.d/init.d/sernet-samba-ad start >> >> Rich >> >> -----Original Message----- >> From: samba-bounces at lists.samba.org >> [mailto:samba-bounces at lists.samba.org] On Behalf Of Miguel Medalha >> Sent: Thursday, December 18, 2014 4:42 PM >> To: Rich Webb; samba at lists.samba.org >> Subject: Re: [Samba] setfacl: Option -m: Invalid argument near >> character >> 3 >> >> >>> I tried setting the permissions from the command line using: >>> >>> setfacl -R -m g:MYDOM\\domain\ users:rwx ./shared >>> >>> and it gives me: >>> >>> setfacl: Option -m: Invalid argument near character 3 >>> >> You should enter: >> >> setfacl -Rm g:MYDOM\\domain\ users:rwx ./shared >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/sambaOK, do you have 'libnss_winbind.so' on your system ? it would normal be in /usr/lib or similar. If you have, then it probably just needs 'winbind' adding to the 'passwd' & 'groups' lines in /etc/nsswitch.conf. If you cannot find it then it needs to be installed, anybody know which Sernet package provides it ?? Rowland
Rich Webb
2014-Dec-19 14:05 UTC
[Samba] setfacl: Option -m: Invalid argument near character 3
find . -name libnss_winbind.so -print ./lib64/libnss_winbind.so It's there so just add winbind to the nsswitch.conf? Restart anything? Thanks, Rich -----Original Message----- From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny Sent: Friday, December 19, 2014 9:03 AM To: samba at lists.samba.org Subject: Re: [Samba] setfacl: Option -m: Invalid argument near character 3 OK, do you have 'libnss_winbind.so' on your system ? it would normal be in /usr/lib or similar. If you have, then it probably just needs 'winbind' adding to the 'passwd' & 'groups' lines in /etc/nsswitch.conf. If you cannot find it then it needs to be installed, anybody know which Sernet package provides it ?? Rowland -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rich Webb
2014-Dec-19 14:06 UTC
[Samba] setfacl: Option -m: Invalid argument near character 3
Looks like that worked but the UIDs probably need to be mapped more appropriately - how do I take care of that? getent group "domain users" DOMAIN\Domain Users:*:100: Rich -----Original Message----- From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Rich Webb Sent: Friday, December 19, 2014 9:05 AM To: samba at lists.samba.org Subject: Re: [Samba] setfacl: Option -m: Invalid argument near character 3 find . -name libnss_winbind.so -print ./lib64/libnss_winbind.so It's there so just add winbind to the nsswitch.conf? Restart anything? Thanks, Rich -----Original Message----- From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny Sent: Friday, December 19, 2014 9:03 AM To: samba at lists.samba.org Subject: Re: [Samba] setfacl: Option -m: Invalid argument near character 3 OK, do you have 'libnss_winbind.so' on your system ? it would normal be in /usr/lib or similar. If you have, then it probably just needs 'winbind' adding to the 'passwd' & 'groups' lines in /etc/nsswitch.conf. If you cannot find it then it needs to be installed, anybody know which Sernet package provides it ?? Rowland -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
It should be sernet-samba-winbind. It's automatically installed by sernet-samba package as far as I know. For me it was enough to add winbind to passwd and group in nsswitch.conf Am 19. Dezember 2014 15:02:42 MEZ, schrieb Rowland Penny <rowlandpenny at googlemail.com>:>On 19/12/14 13:40, Rich Webb wrote: >> Running CentOS 6.6 >> Using the Sernet Enterprise packages - sernet-samba-ad. >> >> Just tried: >> >> getent group "Domain Users" >> getent group DOMAIN\\Domain\ Users >> >> and neither command returned any entries. >> >> Rich >> >> -----Original Message----- >> From: samba-bounces at lists.samba.org >> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny >> Sent: Friday, December 19, 2014 8:37 AM >> To: samba at lists.samba.org >> Subject: Re: [Samba] setfacl: Option -m: Invalid argument near >character >> 3 >> >> On 19/12/14 13:22, Rich Webb wrote: >>> Matt, >>> >>> Thanks for the reply. I'm not trying to add the "users" group. I'm >>> trying to add the "Domain Users" group. That is the reason for the >\ >>> in front of the space. It's translated as a literal. I think I >could >>> also put quotes around it and not have to use the \ and the space. >>> >>> The problem is getent group only is listing local unix groups. I >>> think that is why setfacl is not able to add active directory groups >>> to the acl. >> That may be your problem, 'getent group' will not show any domain >group, >> but 'getent group <a domain group>' should show the domain group. >> >> If you are running samba4 in AD mode, then you are running winbind, >> though you may not be **using** it. >> >> Can you post what OS & samba packages you are using. >> >> Rowland >>> Rich. >>> >>> -----Original Message----- >>> From: Mattias Zhabinskiy [mailto:mattiasz at thinklogical.com] >>> Sent: Friday, December 19, 2014 12:15 AM >>> To: Rich Webb >>> Subject: Re: [Samba] setfacl: Option -m: Invalid argument near >>> character >>> 3 >>> >>> Hello Rich, >>> >>> First of all remove space in front of the group name "users": >>> >>> setfacl -R -m g:MYDOM\\domain\users:rwx ./shared >>> >>> For example, following command works for me: >>> >>> [root at vmtest007 tmp]# ls -ld test4 >>> drwxrwsr-x. 2 root g-sales 4096 Dec 19 00:10 test4 >>> >>> [root at vmtest007 tmp]# setfacl -Rm g:MYDOMAIN\\g-admin:rwx test4 >>> >>> [root at vmtest007 tmp]# getfacl test4 >>> # file: test4 >>> # owner: root >>> # group: g-sales >>> # flags: -s- >>> user::rwx >>> group::rwx >>> group:g-admin:rwx >>> mask::rwx >>> other::r-x >>> >>> [root at vmtest007 tmp]# ls -ld test4 >>> drwxrwsr-x+ 2 root g-sales 4096 Dec 19 00:10 test4 >>> >>> where MYDOMAIN is windows domain name and g-admin is a group name in >>> MYDOMAIN. >>> Make sure that group "users" exists by running "getent group users" >>> command, for e.g. in my case: >>> [root at vmtest007 tmp]# getent group g-admin >>> g-admin:x:91608:alex,bill,joe,kevin >>> >>> Regards, >>> Matt >>> >>> ________________________________________ >>> From: samba-bounces at lists.samba.org <samba-bounces at lists.samba.org> >on >>> behalf of Rich Webb <rwebb at zylatech.com> >>> Sent: Thursday, December 18, 2014 8:33 PM >>> To: samba at lists.samba.org >>> Subject: Re: [Samba] setfacl: Option -m: Invalid argument near >>> character >>> 3 >>> >>> Please is there anyone who has an answer on why this might be >> happening? >>> Do I need some sort of sssd support or winbind or something? In the >>> wiki about setting up acl's it doesn't say anything about any other >>> requirements, only that you have to have acl support and xattr >support >>> in your filesystem which I do. >>> >>> I'm trying to deploy this server and I need a working solution >>> tomorrow >>> - kind of in a bind.. I hope someone can help. >>> >>> Thanks, >>> Rich >>> >>> -----Original Message----- >>> From: samba-bounces at lists.samba.org >>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rich Webb >>> Sent: Thursday, December 18, 2014 6:29 PM >>> To: samba at lists.samba.org >>> Subject: Re: [Samba] setfacl: Option -m: Invalid argument near >>> character >>> 3 >>> >>> I just tried that and I got the same error. I think there is some >>> extended acl support that I'm missing somewhere. >>> >>> It's like the setfacl command is not recognizing the AD groups as >>> valid groups. >>> >>> I should also add the following information: >>> >>> This server is built up on CentOS 6.6 Minimal using the Sernet-Samba >>> Enterprise packages. >>> >>> It looks like the binary that is running is /usr/sbin/samba and that >>> is started with /etc/rc.d/init.d/sernet-samba-ad start >>> >>> Rich >>> >>> -----Original Message----- >>> From: samba-bounces at lists.samba.org >>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Miguel Medalha >>> Sent: Thursday, December 18, 2014 4:42 PM >>> To: Rich Webb; samba at lists.samba.org >>> Subject: Re: [Samba] setfacl: Option -m: Invalid argument near >>> character >>> 3 >>> >>> >>>> I tried setting the permissions from the command line using: >>>> >>>> setfacl -R -m g:MYDOM\\domain\ users:rwx ./shared >>>> >>>> and it gives me: >>>> >>>> setfacl: Option -m: Invalid argument near character 3 >>>> >>> You should enter: >>> >>> setfacl -Rm g:MYDOM\\domain\ users:rwx ./shared >>> >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba > >OK, do you have 'libnss_winbind.so' on your system ? it would normal be > >in /usr/lib or similar. If you have, then it probably just needs >'winbind' adding to the 'passwd' & 'groups' lines in >/etc/nsswitch.conf. >If you cannot find it then it needs to be installed, anybody know which > >Sernet package provides it ?? > >Rowland >-- >To unsubscribe from this list go to the following URL and read the >instructions: https://lists.samba.org/mailman/options/samba