samba - Dec 2014 - setfacl: Option -m: Invalid argument near character 3

I just tried that and I got the same error.  I think there is some
extended acl support that I'm missing somewhere.  

It's like the setfacl command is not recognizing the AD groups as valid
groups. 

I should also add the following information:

This server is built up on CentOS 6.6 Minimal using the Sernet-Samba
Enterprise packages.  

It looks like the binary that is running is /usr/sbin/samba and that is
started with /etc/rc.d/init.d/sernet-samba-ad start

Rich

-----Original Message-----
From: samba-bounces at lists.samba.org
[mailto:samba-bounces at lists.samba.org] On Behalf Of Miguel Medalha
Sent: Thursday, December 18, 2014 4:42 PM
To: Rich Webb; samba at lists.samba.org
Subject: Re: [Samba] setfacl: Option -m: Invalid argument near character
3

> I tried setting the permissions from the command line using:
> 
> setfacl -R -m g:MYDOM\\domain\ users:rwx ./shared
> 
> and it gives me:
>
> setfacl: Option -m: Invalid argument near character 3
> 
You should enter:

setfacl -Rm g:MYDOM\\domain\ users:rwx ./shared

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Please is there anyone who has an answer on why this might be happening?
Do I need some sort of sssd support or winbind or something?  In the
wiki about setting up acl's it doesn't say anything about any other
requirements, only that you have to have acl support and xattr support
in your filesystem which I do.

I'm trying to deploy this server and I need a working solution tomorrow
- kind of in a bind.. I hope someone can help.

Thanks,
Rich

-----Original Message-----
From: samba-bounces at lists.samba.org
[mailto:samba-bounces at lists.samba.org] On Behalf Of Rich Webb
Sent: Thursday, December 18, 2014 6:29 PM
To: samba at lists.samba.org
Subject: Re: [Samba] setfacl: Option -m: Invalid argument near character
3

I just tried that and I got the same error.  I think there is some
extended acl support that I'm missing somewhere.  

It's like the setfacl command is not recognizing the AD groups as valid
groups. 

I should also add the following information:

This server is built up on CentOS 6.6 Minimal using the Sernet-Samba
Enterprise packages.  

It looks like the binary that is running is /usr/sbin/samba and that is
started with /etc/rc.d/init.d/sernet-samba-ad start

Rich

-----Original Message-----
From: samba-bounces at lists.samba.org
[mailto:samba-bounces at lists.samba.org] On Behalf Of Miguel Medalha
Sent: Thursday, December 18, 2014 4:42 PM
To: Rich Webb; samba at lists.samba.org
Subject: Re: [Samba] setfacl: Option -m: Invalid argument near character
3

> I tried setting the permissions from the command line using:
> 
> setfacl -R -m g:MYDOM\\domain\ users:rwx ./shared
> 
> and it gives me:
>
> setfacl: Option -m: Invalid argument near character 3
> 
You should enter:

setfacl -Rm g:MYDOM\\domain\ users:rwx ./shared

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Am 19.12.2014 02:33, schrieb Rich Webb:
> Please is there anyone who has an answer on why this might be happening?
> Do I need some sort of sssd support or winbind or something?  In the
> wiki about setting up acl's it doesn't say anything about any other
> requirements, only that you have to have acl support and xattr support
> in your filesystem which I do.
>
> I'm trying to deploy this server and I need a working solution tomorrow
> - kind of in a bind.. I hope someone can help.
>
> Thanks,
> Rich
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org
> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rich Webb
> Sent: Thursday, December 18, 2014 6:29 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] setfacl: Option -m: Invalid argument near character
> 3
>
> I just tried that and I got the same error.  I think there is some
> extended acl support that I'm missing somewhere.
>
> It's like the setfacl command is not recognizing the AD groups as valid
> groups.
>
> I should also add the following information:
>
> This server is built up on CentOS 6.6 Minimal using the Sernet-Samba
> Enterprise packages.
>
> It looks like the binary that is running is /usr/sbin/samba and that is
> started with /etc/rc.d/init.d/sernet-samba-ad start
>
> Rich
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org
> [mailto:samba-bounces at lists.samba.org] On Behalf Of Miguel Medalha
> Sent: Thursday, December 18, 2014 4:42 PM
> To: Rich Webb; samba at lists.samba.org
> Subject: Re: [Samba] setfacl: Option -m: Invalid argument near character
> 3
>
>
>> I tried setting the permissions from the command line using:
>>
>> setfacl -R -m g:MYDOM\\domain\ users:rwx ./shared
>>
>> and it gives me:
>>
>> setfacl: Option -m: Invalid argument near character 3
>>
> You should enter:
>
> setfacl -Rm g:MYDOM\\domain\ users:rwx ./shared
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
I set the ACL with the following Line:

setfacl -R -m d:g:"<Domain>\domain
admins":rwx,g:root:rwx<Directory>
I used this on a SAMBA 3 Memberserver with winbind for SAMBA3 and PAM. The
Membererver is to a SAMBA 4 DC connected.

greetings

On 19/12/14 01:33, Rich Webb wrote:
> Please is there anyone who has an answer on why this might be happening?
> Do I need some sort of sssd support or winbind or something?  In the
> wiki about setting up acl's it doesn't say anything about any other
> requirements, only that you have to have acl support and xattr support
> in your filesystem which I do.
>
> I'm trying to deploy this server and I need a working solution tomorrow
> - kind of in a bind.. I hope someone can help.
>
> Thanks,
> Rich
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org
> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rich Webb
> Sent: Thursday, December 18, 2014 6:29 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] setfacl: Option -m: Invalid argument near character
> 3
>
> I just tried that and I got the same error.  I think there is some
> extended acl support that I'm missing somewhere.
>
> It's like the setfacl command is not recognizing the AD groups as valid
> groups.
>
> I should also add the following information:
>
> This server is built up on CentOS 6.6 Minimal using the Sernet-Samba
> Enterprise packages.
>
> It looks like the binary that is running is /usr/sbin/samba and that is
> started with /etc/rc.d/init.d/sernet-samba-ad start
>
> Rich
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org
> [mailto:samba-bounces at lists.samba.org] On Behalf Of Miguel Medalha
> Sent: Thursday, December 18, 2014 4:42 PM
> To: Rich Webb; samba at lists.samba.org
> Subject: Re: [Samba] setfacl: Option -m: Invalid argument near character
> 3
>
>
>> I tried setting the permissions from the command line using:
>>
>> setfacl -R -m g:MYDOM\\domain\ users:rwx ./shared
>>
>> and it gives me:
>>
>> setfacl: Option -m: Invalid argument near character 3
>>
> You should enter:
>
> setfacl -Rm g:MYDOM\\domain\ users:rwx ./shared
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
Hi, if I create a dir on one of my DC's and then set an ACL on it:

root at dc01:~# mkdir testdir
root at dc01:~# setfacl -m d:g:'domain admins':rwx ./testdir
root at dc01:~# getfacl ./testdir
# file: testdir
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:EXAMPLE\134Domain\040Admins:rwx
default:mask::rwx
default:other::r-x

So you can see it works, Don't know why others have suggested using 
'-R', all it does is make setfacl recurse into directories.

I think your problem is this: '--use-ntvfs'

Try turning it off, see here, under the heading 'Starting s3fs': 
https://wiki.samba.org/index.php/Samba4/s3fs

Rowland

Matt,

Thanks for the reply.  I'm not trying to add the "users" group. 
I'm
trying to add the "Domain Users" group.  That is the reason for the \
in
front of the space.  It's translated as a literal.  I think I could also
put quotes around it and not have to use the \ and the space.  

The problem is getent group only is listing local unix groups.  I think
that is why setfacl is not able to add active directory groups to the
acl.

Rich. 

-----Original Message-----
From: Mattias Zhabinskiy [mailto:mattiasz at thinklogical.com] 
Sent: Friday, December 19, 2014 12:15 AM
To: Rich Webb
Subject: Re: [Samba] setfacl: Option -m: Invalid argument near character
3

Hello Rich,

First of all remove space in front of the group name "users":

setfacl -R -m g:MYDOM\\domain\users:rwx ./shared

For example, following command works for me:

[root at vmtest007 tmp]# ls -ld test4
drwxrwsr-x. 2 root g-sales       4096 Dec 19 00:10 test4

[root at vmtest007 tmp]# setfacl -Rm g:MYDOMAIN\\g-admin:rwx test4

[root at vmtest007 tmp]# getfacl test4
# file: test4
# owner: root
# group: g-sales
# flags: -s-
user::rwx
group::rwx
group:g-admin:rwx
mask::rwx
other::r-x

[root at vmtest007 tmp]# ls -ld test4
drwxrwsr-x+ 2 root g-sales 4096 Dec 19 00:10 test4

where MYDOMAIN is windows domain name and g-admin is a group name in
MYDOMAIN.
Make sure that group "users" exists by running "getent group
users"
command, for e.g. in my case:
[root at vmtest007 tmp]# getent group g-admin
g-admin:x:91608:alex,bill,joe,kevin

Regards,
Matt

________________________________________
From: samba-bounces at lists.samba.org <samba-bounces at lists.samba.org>
on
behalf of Rich Webb <rwebb at zylatech.com>
Sent: Thursday, December 18, 2014 8:33 PM
To: samba at lists.samba.org
Subject: Re: [Samba] setfacl: Option -m: Invalid argument near character
3

Please is there anyone who has an answer on why this might be happening?
Do I need some sort of sssd support or winbind or something?  In the
wiki about setting up acl's it doesn't say anything about any other
requirements, only that you have to have acl support and xattr support
in your filesystem which I do.

I'm trying to deploy this server and I need a working solution tomorrow
- kind of in a bind.. I hope someone can help.

Thanks,
Rich

-----Original Message-----
From: samba-bounces at lists.samba.org
[mailto:samba-bounces at lists.samba.org] On Behalf Of Rich Webb
Sent: Thursday, December 18, 2014 6:29 PM
To: samba at lists.samba.org
Subject: Re: [Samba] setfacl: Option -m: Invalid argument near character
3

I just tried that and I got the same error.  I think there is some
extended acl support that I'm missing somewhere.

It's like the setfacl command is not recognizing the AD groups as valid
groups.

I should also add the following information:

This server is built up on CentOS 6.6 Minimal using the Sernet-Samba
Enterprise packages.

It looks like the binary that is running is /usr/sbin/samba and that is
started with /etc/rc.d/init.d/sernet-samba-ad start

Rich

-----Original Message-----
From: samba-bounces at lists.samba.org
[mailto:samba-bounces at lists.samba.org] On Behalf Of Miguel Medalha
Sent: Thursday, December 18, 2014 4:42 PM
To: Rich Webb; samba at lists.samba.org
Subject: Re: [Samba] setfacl: Option -m: Invalid argument near character
3

> I tried setting the permissions from the command line using:
>
> setfacl -R -m g:MYDOM\\domain\ users:rwx ./shared
>
> and it gives me:
>
> setfacl: Option -m: Invalid argument near character 3
>
You should enter:

setfacl -Rm g:MYDOM\\domain\ users:rwx ./shared

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

On 19/12/14 13:22, Rich Webb wrote:
> Matt,
>
> Thanks for the reply.  I'm not trying to add the "users"
group.  I'm
> trying to add the "Domain Users" group.  That is the reason for
the \ in
> front of the space.  It's translated as a literal.  I think I could
also
> put quotes around it and not have to use the \ and the space.
>
> The problem is getent group only is listing local unix groups.  I think
> that is why setfacl is not able to add active directory groups to the
> acl.
That may be your problem, 'getent group' will not show any domain group,
but 'getent group <a domain group>' should show the domain group.

If you are running samba4 in AD mode, then you are running winbind, 
though you may not be **using** it.

Can you post what OS & samba packages you are using.

Rowland
>
> Rich.
>
> -----Original Message-----
> From: Mattias Zhabinskiy [mailto:mattiasz at thinklogical.com]
> Sent: Friday, December 19, 2014 12:15 AM
> To: Rich Webb
> Subject: Re: [Samba] setfacl: Option -m: Invalid argument near character
> 3
>
> Hello Rich,
>
> First of all remove space in front of the group name "users":
>
> setfacl -R -m g:MYDOM\\domain\users:rwx ./shared
>
> For example, following command works for me:
>
> [root at vmtest007 tmp]# ls -ld test4
> drwxrwsr-x. 2 root g-sales       4096 Dec 19 00:10 test4
>
> [root at vmtest007 tmp]# setfacl -Rm g:MYDOMAIN\\g-admin:rwx test4
>
> [root at vmtest007 tmp]# getfacl test4
> # file: test4
> # owner: root
> # group: g-sales
> # flags: -s-
> user::rwx
> group::rwx
> group:g-admin:rwx
> mask::rwx
> other::r-x
>
> [root at vmtest007 tmp]# ls -ld test4
> drwxrwsr-x+ 2 root g-sales 4096 Dec 19 00:10 test4
>
> where MYDOMAIN is windows domain name and g-admin is a group name in
> MYDOMAIN.
> Make sure that group "users" exists by running "getent group
users"
> command, for e.g. in my case:
> [root at vmtest007 tmp]# getent group g-admin
> g-admin:x:91608:alex,bill,joe,kevin
>
> Regards,
> Matt
>
> ________________________________________
> From: samba-bounces at lists.samba.org <samba-bounces at
lists.samba.org> on
> behalf of Rich Webb <rwebb at zylatech.com>
> Sent: Thursday, December 18, 2014 8:33 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] setfacl: Option -m: Invalid argument near character
> 3
>
> Please is there anyone who has an answer on why this might be happening?
> Do I need some sort of sssd support or winbind or something?  In the
> wiki about setting up acl's it doesn't say anything about any other
> requirements, only that you have to have acl support and xattr support
> in your filesystem which I do.
>
> I'm trying to deploy this server and I need a working solution tomorrow
> - kind of in a bind.. I hope someone can help.
>
> Thanks,
> Rich
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org
> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rich Webb
> Sent: Thursday, December 18, 2014 6:29 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] setfacl: Option -m: Invalid argument near character
> 3
>
> I just tried that and I got the same error.  I think there is some
> extended acl support that I'm missing somewhere.
>
> It's like the setfacl command is not recognizing the AD groups as valid
> groups.
>
> I should also add the following information:
>
> This server is built up on CentOS 6.6 Minimal using the Sernet-Samba
> Enterprise packages.
>
> It looks like the binary that is running is /usr/sbin/samba and that is
> started with /etc/rc.d/init.d/sernet-samba-ad start
>
> Rich
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org
> [mailto:samba-bounces at lists.samba.org] On Behalf Of Miguel Medalha
> Sent: Thursday, December 18, 2014 4:42 PM
> To: Rich Webb; samba at lists.samba.org
> Subject: Re: [Samba] setfacl: Option -m: Invalid argument near character
> 3
>
>
>> I tried setting the permissions from the command line using:
>>
>> setfacl -R -m g:MYDOM\\domain\ users:rwx ./shared
>>
>> and it gives me:
>>
>> setfacl: Option -m: Invalid argument near character 3
>>
> You should enter:
>
> setfacl -Rm g:MYDOM\\domain\ users:rwx ./shared
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

What's the content of your /etc/nsswitch.conf?

Am 19. Dezember 2014 14:22:56 MEZ, schrieb Rich Webb <rwebb at
zylatech.com>:
>Matt,
>
>Thanks for the reply.  I'm not trying to add the "users"
group.  I'm
>trying to add the "Domain Users" group.  That is the reason for
the \
>in
>front of the space.  It's translated as a literal.  I think I could
>also
>put quotes around it and not have to use the \ and the space.  
>
>The problem is getent group only is listing local unix groups.  I think
>that is why setfacl is not able to add active directory groups to the
>acl.
>
>Rich. 
>
>-----Original Message-----
>From: Mattias Zhabinskiy [mailto:mattiasz at thinklogical.com] 
>Sent: Friday, December 19, 2014 12:15 AM
>To: Rich Webb
>Subject: Re: [Samba] setfacl: Option -m: Invalid argument near
>character
>3
>
>Hello Rich,
>
>First of all remove space in front of the group name "users":
>
>setfacl -R -m g:MYDOM\\domain\users:rwx ./shared
>
>For example, following command works for me:
>
>[root at vmtest007 tmp]# ls -ld test4
>drwxrwsr-x. 2 root g-sales       4096 Dec 19 00:10 test4
>
>[root at vmtest007 tmp]# setfacl -Rm g:MYDOMAIN\\g-admin:rwx test4
>
>[root at vmtest007 tmp]# getfacl test4
># file: test4
># owner: root
># group: g-sales
># flags: -s-
>user::rwx
>group::rwx
>group:g-admin:rwx
>mask::rwx
>other::r-x
>
>[root at vmtest007 tmp]# ls -ld test4
>drwxrwsr-x+ 2 root g-sales 4096 Dec 19 00:10 test4
>
>where MYDOMAIN is windows domain name and g-admin is a group name in
>MYDOMAIN.
>Make sure that group "users" exists by running "getent group
users"
>command, for e.g. in my case:
>[root at vmtest007 tmp]# getent group g-admin
>g-admin:x:91608:alex,bill,joe,kevin
>
>Regards,
>Matt
>
>________________________________________
>From: samba-bounces at lists.samba.org <samba-bounces at
lists.samba.org> on
>behalf of Rich Webb <rwebb at zylatech.com>
>Sent: Thursday, December 18, 2014 8:33 PM
>To: samba at lists.samba.org
>Subject: Re: [Samba] setfacl: Option -m: Invalid argument near
>character
>3
>
>Please is there anyone who has an answer on why this might be
>happening?
>Do I need some sort of sssd support or winbind or something?  In the
>wiki about setting up acl's it doesn't say anything about any other
>requirements, only that you have to have acl support and xattr support
>in your filesystem which I do.
>
>I'm trying to deploy this server and I need a working solution tomorrow
>- kind of in a bind.. I hope someone can help.
>
>Thanks,
>Rich
>
>-----Original Message-----
>From: samba-bounces at lists.samba.org
>[mailto:samba-bounces at lists.samba.org] On Behalf Of Rich Webb
>Sent: Thursday, December 18, 2014 6:29 PM
>To: samba at lists.samba.org
>Subject: Re: [Samba] setfacl: Option -m: Invalid argument near
>character
>3
>
>I just tried that and I got the same error.  I think there is some
>extended acl support that I'm missing somewhere.
>
>It's like the setfacl command is not recognizing the AD groups as valid
>groups.
>
>I should also add the following information:
>
>This server is built up on CentOS 6.6 Minimal using the Sernet-Samba
>Enterprise packages.
>
>It looks like the binary that is running is /usr/sbin/samba and that is
>started with /etc/rc.d/init.d/sernet-samba-ad start
>
>Rich
>
>-----Original Message-----
>From: samba-bounces at lists.samba.org
>[mailto:samba-bounces at lists.samba.org] On Behalf Of Miguel Medalha
>Sent: Thursday, December 18, 2014 4:42 PM
>To: Rich Webb; samba at lists.samba.org
>Subject: Re: [Samba] setfacl: Option -m: Invalid argument near
>character
>3
>
>
>> I tried setting the permissions from the command line using:
>>
>> setfacl -R -m g:MYDOM\\domain\ users:rwx ./shared
>>
>> and it gives me:
>>
>> setfacl: Option -m: Invalid argument near character 3
>>
>
>You should enter:
>
>setfacl -Rm g:MYDOM\\domain\ users:rwx ./shared
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>--
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>--
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba