similar to: chown destroys ACLs

Hi, most file access rights sync between ACLs of linux and the security tab of windows file properties, but not all. Where are the other infos stored? I tried in linux 'getfattr -d' and 'samba-tool ntacl get', but neither output changed when using windows to add individual right for a user that already has rights inherited from the parent directory. Windows remembers every

Hi, I just installed a new AD-DC as described in the wiki. Administrator can log on and see the two default-shares. Then I used ADUC from RSAT to create an OU and a user. User can see the shares (and can map them to a drive letter), but is denied to look inside. Same for another share which I added. Even when administrator grants permission to everybody. I read more wiki, which made me to add a

On Fri, May 15, 2015 at 4:37 AM, Klaus Hartnegg <hartnegg at uni-freiburg.de> wrote: > Not sure which email you mean. I don't think that this can happen. If the > Linux acls are modified, the Windows ACLs are destroyed and all is based on > the Linux permissions and acls (which looks strange when viewed from > Window). If the Windows ACLs are modified, Samba automatically

Many first time users of Samba-4 seem to struggle with the same issues. I suggest the Wiki should have a Readme First similar like this: http://www.klaus-hartnegg.de/gpo/14-03-12-samba4.html It basicly says that Samba 4 can behave either like Samba 3, or as AD-DC, in which case it should do nothing else. Then it lists the main differences, limitations, and requirements. I would love to see a

Am 06.06.2018 um 12:41 schrieb Rowland Penny via samba: > I think that 'standalone' machines will continue Thank you very much for clarification. This means that SMB1 and PDC are the problems, not lack of AD. But if we later need to switch to AD, is there a method like classicupgrade to do it? Currently classicupgrade of a standalone server Samba 3 creates a standalone server Samba

Am 15.05.2015 um 16:30 schrieb Reindl Harald: > the real problem in that thread is that the ordinary chmod/chown > permissions are called repeatly "acls" which is not wrong by the > definiton of "access control list" but mixing that with "windows ACLs" > and "posix ACLs" where on the FS layer we just have ACLs set with > "setfacl" it

Hi, Following the wiki page Setting_up_a_Share_Using_Windows_ACLs windows shows me this error after clicking on Shares: Disk Management could not start the Virtual Disk Service (VDS) on 'COMPUTER'. This can happen if the remote computer does not support VDS, or if a connection cannot be established because it was blocked by Windows Firewall. Tested on a new provisioned AD-DC server.

Hi, I just upgraded in Ubuntu from the ubuntu-package samba 4.1.6 do a self-compiled version 4.1.12. If anybody else happens to have the same task (pdc, not ad), this is how it worked: # do all following as root sudo su - # remove ubuntu samba 4.1.6 aptitude remove samba # install samba 4.1.12 from source aptitude install build-essential libacl1-dev libattr1-dev \ libblkid-dev

Hi, I need to set ACLs on a samba server, and are using icacls in Win7. It takes several hours to edit an ACL with inheritance, affecting a directory tree with 300,000 files. Server cpu > 70%, client cpu < 20%. Is there a way how I can speed this up? Using "setfattr -R" in Linux does it in approximately 2 minutes, but I want real Windows ACLs. There are 300.000 files in a

> On 29.09.2017 14:32 Rowland Penny wrote: > I cannot see where it says not to use on a DC I misread the first section. > What does 'getent passwd username' actually produce ? root at dc1:~# getent passwd administrator COMPANY\administrator:*:0:100::/home/COMPANY/administrator:/bin/false root at dc1:~# getent passwd klaus

On 11/28/2014 9:23 AM, Klaus Hartnegg wrote: > > Is there anything else that I could try, > or do I just have to stay on protocol NT1 > as long as we still use this old software? > > Klaus Try in [global] acl allow execute always=true -- Regards -------------------------------------- Gerald Drouillard Technology Architect Drouillard & Associates, Inc.

Hi Rowland, Am 20.03.2015 um 15:02 schrieb Rowland Penny: >>> Try replacing the global part of your smb.conf with this: >>> >>> [global] >>> netbios name = PLATON >>> workgroup = FEE >>> security = ADS >>> realm = FEE.DE >>> dedicated keytab file = /etc/krb5.keytab >>>

On Wed, May 13, 2015 at 1:20 PM, Klaus Hartnegg <hartnegg at uni-freiburg.de> wrote: > Am 13.05.2015 um 17:30 schrieb S?bastien Le Ray: > >> No they aren't >>> >> >> Yes they are >> > > Not sure about this, but mostly irrelevant anyway, because of this effect > in the other direction: > > If you have set Windows ACLs, and then change

On Fri, 24 Apr 2015, Klaus Hartnegg wrote: > Am 24.04.2015 um 01:02 schrieb Carl G. Riches: >> I'm unable to join a Windows 7 PC >> to the Samba 4 domain when "hosts allow" is defined > >> hosts allow = 127 10.208.29. 10.108.29. > > Maybe the new version insists there must be a dot after the 127. > I put the dot in, to no avail. I also modified the

Missing features from memory from following this mailinglist: - Win7 join to AD still requires two registry changes. - SYSVOL is not replicated, use a cronjob with rsync. - Domain-Trust works only in one direction (which one?). - winbind does not work on DCs, use a separate file server. - Joining an AD requires one of its DCs in the same subnet? - Cluster filesystems destroy TDB files, use CTDB. -

Thanks for your help and replies. Yes, I meant "store dos attributes". It's pretty clear now that I need to keep the parameter 'store dos attributes=no' since 1) the server is an AD member server and 2) the map* parameters don't do the right thing under ZFS / NFSV4 ACLs. I've read that the steps Klaus Hartnegg listed resolves the issue on ZFS on Linux; however, I

Am 10.06.2015 um 03:25 schrieb Mike: > I'm learning to be very deliberate with changing posix and windows acl's so > I don't disturb users' access to files and folders. > I check acl's on a specific file/folder on the server with getfacl. > Then make one small acl modification to one file in a sub-directory of a > share. > Then record the difference reported

Hi, The group that is mapped to rid=512 cannot be used in "valid users", the users cannot map the share (error 5). Is this normal? Should I file a bug? Version 4.1.6-Ubuntu server role = classic primary domain controller smb.conf: valid users = +smbadmin command: net groupmap add ntgroup="Domain Admins" unixgroup=smbadmin rid=512 type=d As soon as I remove the group

Am 29.09.2016 um 16:26 schrieb v g via samba: > Really? Easy and useful, huh? Live sync of directories is VERY useful. So useful that I just try to kill the purchase of EMC Isilon, precisely because it cannot replicate with Windows.

Hi Klaus, I haven't used that tool for at least 13 years but I do recall that, among other things, it read from the registry. Coupled with the fact that Samba 4 AD is not a complete implementation of AD I can't imagine that it could possibly work. More to the point, I'd be seriously concerned about the results. This is not something I'm prepared to test in a production