Dear Rowland, I changed smb.conf as its tip. I had already read about the ACL's Windows and Posix. Even changing the smb.conf and using the ACL methods, I still do not write access to the folder. Example: # mkdir /mnt/data/teste1 # ls -all /mnt/data/teste1 total 12 drwxrws---+ 2 administrator domain admins 6 Out 25 10:05 . drwxrwxr-x+ 10 root domain admins 4096 Out 25 10:05 .. # chmod 2770 /mnt/data/teste1 # chown administrator:"Domain Admins" /mnt/data/teste1 Logged in as administrator / domain admin, still I get access denied error when I try to create a file in this folder.
On Tue, 25 Oct 2016 12:16:29 +0000 (UTC) Ricardo Pardim Claus via samba <samba at lists.samba.org> wrote:> Dear Rowland, > I changed smb.conf as its tip. > I had already read about the ACL's Windows and Posix. > Even changing the smb.conf and using the ACL methods, I still do not > write access to the folder. > > Example: > > > # mkdir /mnt/data/teste1 > # ls -all /mnt/data/teste1 > total 12 > drwxrws---+ 2 administrator domain admins 6 Out 25 10:05 . > drwxrwxr-x+ 10 root domain admins 4096 Out 25 10:05 .. > > # chmod 2770 /mnt/data/teste1 > # chown administrator:"Domain Admins" /mnt/data/teste1 > > Logged in as administrator / domain admin, still I get access denied > error when I try to create a file in this folder. >What ID does 'Administrator' have ? it should be '0' If you are following the windows ACLs page on the wiki, you shouldn't use the Unix tools on the share directory, do any changes from windows. Can I suggest you add this line to smb.conf: username map = /etc/samba/user.map Where '/etc/samba' is the path to smb.conf. create /etc/samba/user.map with this content: !root = DOMAIN\Administrator DOMAIN\administrator Administrator administrator Replace 'DOMAIN' with your workgroup name. This will map 'Administrator' to the Unix user 'root' Rowland
Dear Rowland, I changed smb.conf as its tip. username map = /etc/samba/user.map create /etc/samba/user.map with this content and filled the information. The above changes, I realized in DC and fileserver. Now, when I try to manipulate the permissions through Windows ACL method, the "Security" tab no longer displays the groups/permissions. Displays "You do not have permission to view or edit the permission settings of this object." I tried to remove all permissions with the command below, however, the permission is not changed: setfacl -x user: "xxxx" /mnt/data As I mixed the ACL permissions through Windows and Posix, I would like to remove all permissions and do it all again. Luckily, this server is in the testing phase. I want to work with permissions using Windows ACL method.It is possible to remove all permissions and reconfigures them again?
On Tue, 25 Oct 2016 18:15:47 +0000 (UTC) Ricardo Pardim Claus via samba <samba at lists.samba.org> wrote:> > > Dear Rowland, > I changed smb.conf as its tip. > username map = /etc/samba/user.map > create /etc/samba/user.map with this content and filled the > information. > > The above changes, I realized in DC and fileserver. > Now, when I try to manipulate the permissions through Windows ACL > method, the "Security" tab no longer displays the groups/permissions. > Displays "You do not have permission to view or edit the permission > settings of this object." > > I tried to remove all permissions with the command below, however, > the permission is not changed: > > setfacl -x user: "xxxx" /mnt/data > > As I mixed the ACL permissions through Windows and Posix, I would > like to remove all permissions and do it all again. Luckily, this > server is in the testing phase. I want to work with permissions using > Windows ACL method.It is possible to remove all permissions and > reconfigures them again? >We were discussing a domain member, you only use the 'user.map' on a domain member, remove it from the DC, it already has a way of mapping Administrator to root. As for resetting permissions, it is explained on the windows ACLs wiki page, at the bottom of the page. Rowland
I removed the vestments of the DC user.map. I had already trying to reset the permissions, following this session: https://wiki.samba.org/index.php/Shares_with_Windows_ACLs#Troubleshooting When I try to reset the permissions as shown in the bottom page of the ACL Windows page, nothing happens. # ls -l /mnt/data total 20 drwxrwxr-x+ 3 administrator domain admins 4096 Set 30 09:44 NTI drwxrwxr-x+ 3 ricardo domain admins 50 Set 14 14:36 rsync drwxrwxr-x+ 2 administrator domain admins 4096 Set 2 10:40 teste drwxr-xr-x+ 2 root domain admins 6 Out 25 15:01 teste1 # setfacl -R -b /mnt/data # setfacl -R -b /mnt/data/* # ls -l /mnt/data total 20 drwxrwxr-x 3 administrator domain admins 4096 Set 30 09:44 NTI drwxrwxr-x 3 ricardo domain admins 50 Set 14 14:36 rsync drwxrwxr-x 2 administrator domain admins 4096 Set 2 10:40 teste drwxr-xr-x 2 root domain admins 6 Out 25 15:01 teste1 # getfacl /mnt/data/ getfacl: Removing leading '/' from absolute path names # file: mnt/data/ # owner: administrator # group: root user::rwx group::r-x other::r-x # setfacl -R -m default:group:"Domain Admins":rwx /mnt/data/* # getfacl /mnt/data/ getfacl: Removing leading '/' from absolute path names # file: mnt/data/ # owner: administrator # group: root user::rwx group::r-x other::r-x default:user::rwx default:group::r-x default:group:domain\040admins:rwx default:mask::rwx default:other::r-x Have any other tips so I can check?