samba - Dec 2014 - setfacl: Option -m: Invalid argument near character 3

What's the content of your /etc/nsswitch.conf?

Am 19. Dezember 2014 14:22:56 MEZ, schrieb Rich Webb <rwebb at
zylatech.com>:
>Matt,
>
>Thanks for the reply.  I'm not trying to add the "users"
group.  I'm
>trying to add the "Domain Users" group.  That is the reason for
the \
>in
>front of the space.  It's translated as a literal.  I think I could
>also
>put quotes around it and not have to use the \ and the space.  
>
>The problem is getent group only is listing local unix groups.  I think
>that is why setfacl is not able to add active directory groups to the
>acl.
>
>Rich. 
>
>-----Original Message-----
>From: Mattias Zhabinskiy [mailto:mattiasz at thinklogical.com] 
>Sent: Friday, December 19, 2014 12:15 AM
>To: Rich Webb
>Subject: Re: [Samba] setfacl: Option -m: Invalid argument near
>character
>3
>
>Hello Rich,
>
>First of all remove space in front of the group name "users":
>
>setfacl -R -m g:MYDOM\\domain\users:rwx ./shared
>
>For example, following command works for me:
>
>[root at vmtest007 tmp]# ls -ld test4
>drwxrwsr-x. 2 root g-sales       4096 Dec 19 00:10 test4
>
>[root at vmtest007 tmp]# setfacl -Rm g:MYDOMAIN\\g-admin:rwx test4
>
>[root at vmtest007 tmp]# getfacl test4
># file: test4
># owner: root
># group: g-sales
># flags: -s-
>user::rwx
>group::rwx
>group:g-admin:rwx
>mask::rwx
>other::r-x
>
>[root at vmtest007 tmp]# ls -ld test4
>drwxrwsr-x+ 2 root g-sales 4096 Dec 19 00:10 test4
>
>where MYDOMAIN is windows domain name and g-admin is a group name in
>MYDOMAIN.
>Make sure that group "users" exists by running "getent group
users"
>command, for e.g. in my case:
>[root at vmtest007 tmp]# getent group g-admin
>g-admin:x:91608:alex,bill,joe,kevin
>
>Regards,
>Matt
>
>________________________________________
>From: samba-bounces at lists.samba.org <samba-bounces at
lists.samba.org> on
>behalf of Rich Webb <rwebb at zylatech.com>
>Sent: Thursday, December 18, 2014 8:33 PM
>To: samba at lists.samba.org
>Subject: Re: [Samba] setfacl: Option -m: Invalid argument near
>character
>3
>
>Please is there anyone who has an answer on why this might be
>happening?
>Do I need some sort of sssd support or winbind or something?  In the
>wiki about setting up acl's it doesn't say anything about any other
>requirements, only that you have to have acl support and xattr support
>in your filesystem which I do.
>
>I'm trying to deploy this server and I need a working solution tomorrow
>- kind of in a bind.. I hope someone can help.
>
>Thanks,
>Rich
>
>-----Original Message-----
>From: samba-bounces at lists.samba.org
>[mailto:samba-bounces at lists.samba.org] On Behalf Of Rich Webb
>Sent: Thursday, December 18, 2014 6:29 PM
>To: samba at lists.samba.org
>Subject: Re: [Samba] setfacl: Option -m: Invalid argument near
>character
>3
>
>I just tried that and I got the same error.  I think there is some
>extended acl support that I'm missing somewhere.
>
>It's like the setfacl command is not recognizing the AD groups as valid
>groups.
>
>I should also add the following information:
>
>This server is built up on CentOS 6.6 Minimal using the Sernet-Samba
>Enterprise packages.
>
>It looks like the binary that is running is /usr/sbin/samba and that is
>started with /etc/rc.d/init.d/sernet-samba-ad start
>
>Rich
>
>-----Original Message-----
>From: samba-bounces at lists.samba.org
>[mailto:samba-bounces at lists.samba.org] On Behalf Of Miguel Medalha
>Sent: Thursday, December 18, 2014 4:42 PM
>To: Rich Webb; samba at lists.samba.org
>Subject: Re: [Samba] setfacl: Option -m: Invalid argument near
>character
>3
>
>
>> I tried setting the permissions from the command line using:
>>
>> setfacl -R -m g:MYDOM\\domain\ users:rwx ./shared
>>
>> and it gives me:
>>
>> setfacl: Option -m: Invalid argument near character 3
>>
>
>You should enter:
>
>setfacl -Rm g:MYDOM\\domain\ users:rwx ./shared
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>--
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>--
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba

Sorry, ignore me. I didn't read the rest...

Am 19. Dezember 2014 23:29:54 MEZ, schrieb Tim <rintimtim at
gmx.net>:
>What's the content of your /etc/nsswitch.conf?
>
>Am 19. Dezember 2014 14:22:56 MEZ, schrieb Rich Webb
><rwebb at zylatech.com>:
>>Matt,
>>
>>Thanks for the reply.  I'm not trying to add the "users"
group.  I'm
>>trying to add the "Domain Users" group.  That is the reason
for the \
>>in
>>front of the space.  It's translated as a literal.  I think I could
>>also
>>put quotes around it and not have to use the \ and the space.  
>>
>>The problem is getent group only is listing local unix groups.  I
>think
>>that is why setfacl is not able to add active directory groups to the
>>acl.
>>
>>Rich. 
>>
>>-----Original Message-----
>>From: Mattias Zhabinskiy [mailto:mattiasz at thinklogical.com] 
>>Sent: Friday, December 19, 2014 12:15 AM
>>To: Rich Webb
>>Subject: Re: [Samba] setfacl: Option -m: Invalid argument near
>>character
>>3
>>
>>Hello Rich,
>>
>>First of all remove space in front of the group name "users":
>>
>>setfacl -R -m g:MYDOM\\domain\users:rwx ./shared
>>
>>For example, following command works for me:
>>
>>[root at vmtest007 tmp]# ls -ld test4
>>drwxrwsr-x. 2 root g-sales       4096 Dec 19 00:10 test4
>>
>>[root at vmtest007 tmp]# setfacl -Rm g:MYDOMAIN\\g-admin:rwx test4
>>
>>[root at vmtest007 tmp]# getfacl test4
>># file: test4
>># owner: root
>># group: g-sales
>># flags: -s-
>>user::rwx
>>group::rwx
>>group:g-admin:rwx
>>mask::rwx
>>other::r-x
>>
>>[root at vmtest007 tmp]# ls -ld test4
>>drwxrwsr-x+ 2 root g-sales 4096 Dec 19 00:10 test4
>>
>>where MYDOMAIN is windows domain name and g-admin is a group name in
>>MYDOMAIN.
>>Make sure that group "users" exists by running "getent
group users"
>>command, for e.g. in my case:
>>[root at vmtest007 tmp]# getent group g-admin
>>g-admin:x:91608:alex,bill,joe,kevin
>>
>>Regards,
>>Matt
>>
>>________________________________________
>>From: samba-bounces at lists.samba.org <samba-bounces at
lists.samba.org> on
>>behalf of Rich Webb <rwebb at zylatech.com>
>>Sent: Thursday, December 18, 2014 8:33 PM
>>To: samba at lists.samba.org
>>Subject: Re: [Samba] setfacl: Option -m: Invalid argument near
>>character
>>3
>>
>>Please is there anyone who has an answer on why this might be
>>happening?
>>Do I need some sort of sssd support or winbind or something?  In the
>>wiki about setting up acl's it doesn't say anything about any
other
>>requirements, only that you have to have acl support and xattr support
>>in your filesystem which I do.
>>
>>I'm trying to deploy this server and I need a working solution
>tomorrow
>>- kind of in a bind.. I hope someone can help.
>>
>>Thanks,
>>Rich
>>
>>-----Original Message-----
>>From: samba-bounces at lists.samba.org
>>[mailto:samba-bounces at lists.samba.org] On Behalf Of Rich Webb
>>Sent: Thursday, December 18, 2014 6:29 PM
>>To: samba at lists.samba.org
>>Subject: Re: [Samba] setfacl: Option -m: Invalid argument near
>>character
>>3
>>
>>I just tried that and I got the same error.  I think there is some
>>extended acl support that I'm missing somewhere.
>>
>>It's like the setfacl command is not recognizing the AD groups as
>valid
>>groups.
>>
>>I should also add the following information:
>>
>>This server is built up on CentOS 6.6 Minimal using the Sernet-Samba
>>Enterprise packages.
>>
>>It looks like the binary that is running is /usr/sbin/samba and that
>is
>>started with /etc/rc.d/init.d/sernet-samba-ad start
>>
>>Rich
>>
>>-----Original Message-----
>>From: samba-bounces at lists.samba.org
>>[mailto:samba-bounces at lists.samba.org] On Behalf Of Miguel Medalha
>>Sent: Thursday, December 18, 2014 4:42 PM
>>To: Rich Webb; samba at lists.samba.org
>>Subject: Re: [Samba] setfacl: Option -m: Invalid argument near
>>character
>>3
>>
>>
>>> I tried setting the permissions from the command line using:
>>>
>>> setfacl -R -m g:MYDOM\\domain\ users:rwx ./shared
>>>
>>> and it gives me:
>>>
>>> setfacl: Option -m: Invalid argument near character 3
>>>
>>
>>You should enter:
>>
>>setfacl -Rm g:MYDOM\\domain\ users:rwx ./shared
>>
>>--
>>To unsubscribe from this list go to the following URL and read the
>>instructions:  https://lists.samba.org/mailman/options/samba
>>--
>>To unsubscribe from this list go to the following URL and read the
>>instructions:  https://lists.samba.org/mailman/options/samba
>>--
>>To unsubscribe from this list go to the following URL and read the
>>instructions:  https://lists.samba.org/mailman/options/samba
>>-- 
>>To unsubscribe from this list go to the following URL and read the
>>instructions:  https://lists.samba.org/mailman/options/samba
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba

I also have two DCs and I am using them also as filers.
Built-In users and groups are normally mapped by idmap.ldb

I also got issues with mapping of built-in users. I needed the same idmap.ldb on
both of my DCs.
I also don't see these groups by hitting getent group.

I followed another stragedy: Every new group that will have filesystem access
has a name starting with GGF (Group Global File). These new GGF groups all have
rfc2307 attributes. Built-In groups are members of these GGF groups if needed.
It's just a kind of naming convention.

Users will always have rfc2307 attributes due to file system access like
profiles or home.

It's a workaround but it works fine for me.

Am 20. Dezember 2014 01:02:38 MEZ, schrieb Rich Webb <rwebb at
zylatech.com>:
>lol tim it's okay.  Thanks you nailed it right away though.  That was
>the issue.  Only thing I'm battling now is that I can't seem to use
the
>built in groups such as Authenticated Users or Network Service or
>System
>- do you know why that would be?  Maybe not supported by the internal
>winbind for samba4?  
> 
>I realize it would probably be better to have the DC be a DC and have a
>FS be a FS which is doable since I'm running a vmware platform.  
> 
>Rich
> 
>
>________________________________
>
>From: Tim [mailto:rintimtim at gmx.net] 
>Sent: Friday, December 19, 2014 5:38 PM
>To: Rich Webb; samba at lists.samba.org
>Subject: Re: [Samba] setfacl: Option -m: Invalid argument near
>character
>3
>
>
>Sorry, ignore me. I didn't read the rest...
>
>
>Am 19. Dezember 2014 23:29:54 MEZ, schrieb Tim <rintimtim at gmx.net>:
>
>	What's the content of your /etc/nsswitch.conf?
>	
>	Am 19. Dezember 2014 14:22:56 MEZ, schrieb Rich Webb
><rwebb at zylatech.com>:
>
>		Matt,
>		
>		Thanks for the reply.  I'm not trying to add the "users"
>group.  I'm
>		trying to add the "Domain Users" group.  That is the
>reason for the \
>		in
>		front of the space.  It's translated as a literal.  I
>think I could
>		also
>		put quotes around it and not have to use the \ and the
>space.  
>		
>		The problem is getent group only is listing local unix
>groups.  I think
>		that is why setfacl is not able to add active directory
>groups to the
>		acl.
>		
>		Rich. 
>		
>		-----Original Message-----
>		From: Mattias Zhabinskiy
>[mailto:mattiasz at thinklogical.com] 
>		Sent: Friday, December 19, 2014 12:15 AM
>		To: Rich Webb
>		Subject: Re: [Samba] setfacl: Option -m: Invalid
>argument near
>		character
>		3
>		
>		Hello Rich,
>		
>		First of all remove space in front of the group name
>"users":
>		
>		setfacl -R -m g:MYDOM\\domain\users:rwx ./shared
>		
>		For example, following command works for me:
>		
>		[root at vmtest007 tmp]# ls -ld test4
>		drwxrwsr-x. 2 root g-sales       4096 Dec 19 00:10 test4
>		
>		[root at vmtest007 tmp]# setfacl -Rm
>g:MYDOMAIN\\g-admin:rwx test4
>		
>		[root at vmtest007 tmp]# getfacl test4
>		# file: test4
>		# owner: root
>		# group: g-sales
>		# flags: -s-
>		user::rwx
>		group::rwx
>		group:g-admin:rwx
>		mask::rwx
>		other::r-x
>		
>		[root at vmtest007 tmp]# ls -ld test4
>		drwxrwsr-x+ 2 root g-sales 4096 Dec 19 00:10 test4
>		
>		where MYDOMAIN is windows domain name and g-admin is a
>group name in
>		MYDOMAIN.
>		Make sure that group "users" exists by running "getent
>group users"
>		command, for e.g. in my case:
>		[root at vmtest007 tmp]# getent group g-admin
>		g-admin:x:91608:alex,bill,joe,kevin
>		
>		Regards,
>		Matt
>		
>________________________________
>
>
>		From: samba-bounces at lists.samba.org
><samba-bounces at lists.samba.org> on
>		behalf of Rich Webb <rwebb at zylatech.com>
>		Sent: Thursday, December 18, 2014 8:33 PM
>		To: samba at lists.samba.org
>		Subject: Re: [Samba] setfacl: Option -m: Invalid
>argument near
>		character
>		3
>		
>		Please is there anyone who has an answer on why this
>might be
>		happening?
>		Do I need some sort of sssd support or winbind or
>something?  In the
>		wiki about setting up acl's it doesn't say anything
>about any other
>		requirements, only that you have to have acl support and
>xattr support
>		in your filesystem which I do.
>		
>		I'm trying to deploy this server and I need a working
>solution tomorrow
>		- kind of in a bind.. I hope someone can help.
>		
>		Thanks,
>		Rich
>		
>		-----Original Message-----
>		From: samba-bounces at lists.samba.org
>		[mailto:samba-bounces at lists.samba.org] On Behalf Of Rich
>Webb
>		Sent: Thursday, December 18, 2014 6:29 PM
>		To: samba at lists.samba.org
>		Subject: Re: [Samba] setfacl: Option -m: Invalid
>argument near
>		character
>		3
>		
>		I just tried that and I got the same error.  I think
>there is some
>		extended acl support that I'm missing somewhere.
>		
>		It's like the setfacl command is not recognizing the AD
>groups as valid
>		groups.
>		
>		I should also add the following information:
>		
>		This server is built up on CentOS 6.6 Minimal using the
>Sernet-Samba
>		Enterprise packages.
>		
>		It looks like the binary that is running is
>/usr/sbin/samba and that is
>		started with /etc/rc.d/init.d/sernet-samba-ad start
>		
>		Rich
>		
>		-----Original Message-----
>		From: samba-bounces at lists.samba.org
>		[mailto:samba-bounces at lists.samba.org] On Behalf Of
>Miguel Medalha
>		Sent: Thursday, December 18, 2014 4:42 PM
>		To: Rich Webb; samba at lists.samba.org
>		Subject: Re: [Samba] setfacl: Option -m: Invalid
>argument near
>		character
>		3
>		
>		
>
>			 I tried setting the permissions from the
>command line using:
>			
>			 setfacl -R -m g:MYDOM\\domain\ users:rwx
>./shared
>			
>			 and it gives me:
>			
>			 setfacl: Option -m: Invalid argument near
>character 3
>
>
>
>		You should enter:
>		
>		setfacl -Rm g:MYDOM\\domain\ users:rwx ./shared
>		
>		--
>		To unsubscribe from this list go to the following URL
>and read the
>		instructions:
>https://lists.samba.org/mailman/options/samba
>		--
>		To unsubscribe from this list go to the following URL
>and read the
>		instructions:
>https://lists.samba.org/mailman/options/samba
>		--
>		To unsubscribe from this list go to the following URL
>and read the
>		instructions:
>https://lists.samba.org/mailman/options/samba
>		-- 
>		To unsubscribe from this list go to the following URL
>and read the
>		instructions:
>https://lists.samba.org/mailman/options/samba
>
>	-- 
>	To unsubscribe from this list go to the following URL and read
>the
>	instructions:  https://lists.samba.org/mailman/options/samba