samba - Jun 2016 - Samba43 ACL's issues

Hi there,

I'm having trouble with permissions and ACL's running samba43.

I want to be able to set permissions on a folder to an specific user.

I'm having a similar issue reported here 
https://lists.samba.org/archive/samba/2010-July/156965.html

However my error message is slightly different:

When I set the permission on an specific user by creating a new folder 
inside the share, right click -> properties -> security tab I get:

An error ocurred while applying security information to:

\\servername\test

The parameter is incorrect


I have tried changing the permissions manually with "chmod a+rwx
/test/"

But this does not look like a permissions problem this looks more like 
samba or some setting in smb4.con itself


this is my smb4.conf file:

  Global parameters
[global]
         interfaces = 192.168.1.100
         bind interfaces only = yes
         workgroup = CW1
         realm = DOMAIN.NAME.COM.AU
         netbios name = SERVER1
         server role = active directory domain controller
         dns forwarder = 192.168.1.1
         printing = bsd
         server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, 
winbind, ntp_signd, kcc, dnsupdate, dns
         dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, 
netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, 
eventlog6, backupkey, dnsserver
         restrict anonymous = 1
         map acl inherit = no
         store dos attributes = yes
         unix extensions = no
         ea support = no
         idmap_ldb:use rfc2307 = yes
         browseable= yes
         writable = yes
         read only= no
         create mask = 770
         force create mode = 770
         directory mask = 770
         force directory mode = 770
         kerberos method = system keytab
         client ldap sasl wrapping = sign
         allow dns updates = nonsecure and secure

[test]
         path = /var/fileshare/test
         valid users = @DOMAIN.NAME.COM.AU\staff
         guest ok = yes
         read only = no

Not sure what am I missing, I appreciate your help.

Regards,

-- 
Juan Garcia

What about this in your global section
create mask = 770 
         force create mode = 770
         directory mask = 770
         force directory mode = 770

Greetings
Daniel


EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen 
Tel.: 07071/206-463, Fax: 07071/206-499
 Email: mueller at tropenklinik.de
 www.tropenklinik.de
 www.bauen-sie-mit.tropenklinik.de




-----Ursprüngliche Nachricht-----
Von: Juan Garcia [mailto:juan at ish.com.au] 
Gesendet: Dienstag, 21. Juni 2016 13:47
An: samba at lists.samba.org
Betreff: [Samba] Samba43 ACL's issues

Hi there,

I'm having trouble with permissions and ACL's running samba43.

I want to be able to set permissions on a folder to an specific user.

I'm having a similar issue reported here
https://lists.samba.org/archive/samba/2010-July/156965.html

However my error message is slightly different:

When I set the permission on an specific user by creating a new folder inside
the share, right click -> properties -> security tab I get:

An error ocurred while applying security information to:

\\servername\test

The parameter is incorrect


I have tried changing the permissions manually with "chmod a+rwx
/test/"

But this does not look like a permissions problem this looks more like samba or
some setting in smb4.con itself


this is my smb4.conf file:

  Global parameters
[global]
         interfaces = 192.168.1.100
         bind interfaces only = yes
         workgroup = CW1
         realm = DOMAIN.NAME.COM.AU
         netbios name = SERVER1
         server role = active directory domain controller
         dns forwarder = 192.168.1.1
         printing = bsd
         server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, 
winbind, ntp_signd, kcc, dnsupdate, dns
         dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, 
netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, 
eventlog6, backupkey, dnsserver
         restrict anonymous = 1
         map acl inherit = no
         store dos attributes = yes
         unix extensions = no
         ea support = no
         idmap_ldb:use rfc2307 = yes
         browseable= yes
         writable = yes
         read only= no
         create mask = 770
         force create mode = 770
         directory mask = 770
         force directory mode = 770
         kerberos method = system keytab
         client ldap sasl wrapping = sign
         allow dns updates = nonsecure and secure

[test]
         path = /var/fileshare/test
         valid users = @DOMAIN.NAME.COM.AU\staff
         guest ok = yes
         read only = no

Not sure what am I missing, I appreciate your help.

Regards,

-- 
Juan Garcia


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

On 21/06/2016 10:22 PM, Mueller wrote:
> What about this in your global section
> create mask = 770
>          force create mode = 770
>          directory mask = 770
>          force directory mode = 770
>
> Greetings
> Daniel
>
Hi Daniel, Thanks for your response. Those settings are already in my 
smb4.conf

  Global parameters
[global]
         interfaces = 192.168.1.100
         bind interfaces only = yes
	workgroup = CW1
	realm = DOMAIN.NAME.COM.AU
	netbios name = SERVER1
         server role = active directory domain controller
         dns forwarder = 192.168.1.1
         printing = bsd
         server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, 
winbind, ntp_signd, kcc, dnsupdate, dns
         dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, 
netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, 
eventlog6, backupkey, dnsserver
         restrict anonymous = 1
         vfs objects = acl_xattr
         map acl inherit = Yes
         store dos attributes = no
         unix extensions = no
         inherit acls = yes
         inherit permissions = yes
         ea support = no
         idmap_ldb:use rfc2307 = yes
         browseable= yes
         writable = yes
         read only= no
         create mask = 770
         force create mode = 770
         directory mask = 770
         force directory mode = 770

The problem is not about accessing folders, we want to be able to assign 
to an specific folder different permissions inside the same file share

Let's say I have this set up:

Share:
Public/

Subfloder:
Public/folder1

Required Permissions:
DM\user.one -> full access
DM\user.two -> readonly

So in windows with an administrator account I right click on the folder 
to assign this permissions on the Security tab, right after I hit 
"apply" I get:
An error occurred while applying security information to:
Public/folder1
The parameter is incorrect


Any ideas?
>
> EDV Daniel Müller
>
> Leitung EDV
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
> Tel.: 07071/206-463, Fax: 07071/206-499
>  Email: mueller at tropenklinik.de
>  www.tropenklinik.de
>  www.bauen-sie-mit.tropenklinik.de
>
>
>
>
> -----Ursprüngliche Nachricht-----
> Von: Juan Garcia [mailto:juan at ish.com.au]
> Gesendet: Dienstag, 21. Juni 2016 13:47
> An: samba at lists.samba.org
> Betreff: [Samba] Samba43 ACL's issues
>
> Hi there,
>
> I'm having trouble with permissions and ACL's running samba43.
>
> I want to be able to set permissions on a folder to an specific user.
>
> I'm having a similar issue reported here
https://lists.samba.org/archive/samba/2010-July/156965.html
>
> However my error message is slightly different:
>
> When I set the permission on an specific user by creating a new folder
inside the share, right click -> properties -> security tab I get:
>
> An error ocurred while applying security information to:
>
> \\servername\test
>
> The parameter is incorrect
>
>
> I have tried changing the permissions manually with "chmod a+rwx
/test/"
>
> But this does not look like a permissions problem this looks more like
samba or some setting in smb4.con itself
>
>
> this is my smb4.conf file:
>
>   Global parameters
> [global]
>          interfaces = 192.168.1.100
>          bind interfaces only = yes
>          workgroup = CW1
>          realm = DOMAIN.NAME.COM.AU
>          netbios name = SERVER1
>          server role = active directory domain controller
>          dns forwarder = 192.168.1.1
>          printing = bsd
>          server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl,
> winbind, ntp_signd, kcc, dnsupdate, dns
>          dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
> netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser,
> eventlog6, backupkey, dnsserver
>          restrict anonymous = 1
>          map acl inherit = no
>          store dos attributes = yes
>          unix extensions = no
>          ea support = no
>          idmap_ldb:use rfc2307 = yes
>          browseable= yes
>          writable = yes
>          read only= no
>          create mask = 770
>          force create mode = 770
>          directory mask = 770
>          force directory mode = 770
>          kerberos method = system keytab
>          client ldap sasl wrapping = sign
>          allow dns updates = nonsecure and secure
>
> [test]
>          path = /var/fileshare/test
>          valid users = @DOMAIN.NAME.COM.AU\staff
>          guest ok = yes
>          read only = no
>
> Not sure what am I missing, I appreciate your help.
>
> Regards,
>