[Samba] Permissions/ACLs change from Windows

Pierre Dehaen pi at drever.be
Tue Jul 12 15:23:19 GMT 2005


Hi,

Let's try during US office hours.    ;-)

I'm sorry to nearly spam you all with this but I can't imagine I'm the only one 
having the problem. I use the simplest config: standalone server, no domain, 
no AD, no ldap, no winbindd. You'll find hereafter my two previous 
unanswered mails describing the problem. Please help.

Regards,
Pierre

On 28 Jun 2005 at 17:35, Pierre Dehaen wrote:
> Hi, 
> 
> After three days of googling, searching in this list, reading parts of the 
> pdf, and testing, I surrender: please help! 
> 
> Summary: 
> I'm running 3.0.10a (binary from www.sunfreeware.com) on Solaris 
> 2.6 in standalone mode (security=user). I use ACLs on files. I cannot, 
> from Windows (w2k, wxp pro), add a user to the permissions of a file. 
> 
> 
> Details: 
> - The binary was compiled --with-acl-support as "smbd -b|grep ACL" 
> and the sunfreeware site confirm. 
> 
> - Solaris UFS supports ACLs. 
> 
> - I don't use winbindd 
> 
> - This is my smb.conf: 
> [global] 
>     workgroup = UNIX 
>     server string = Samba Server 3.0 
>     interfaces = x.x.x.x 
>     map to guest = Bad User 
>     username map = /usr/local/samba/private/users.map 
>     log level = 4 
>     log file = /usr/local/samba/var/log.%m 
>     max log size = 500 
>     deadtime = 30 
>     keepalive = 0 
>     dns proxy = No 
>     ldap ssl = no 
>     idmap uid = 10000-20000 
>     idmap gid = 10000-20000 
> 
> - The users.map did not exist at the beginning, but, as the PDF 
> examples have one, I created it with: 
>     root = Administrator 
> 
> - My users do exist on Solaris and are the same as the Windows users. 
> 
> - The users were added on Samba with smbpasswd -a. 
> 
> - My groups are mapped: 
>     # net groupmap list | sort 
>     Account Operators (S-1-5-32-548) -> -1 
>     Administrators (S-1-5-32-544) -> -1 
>     Backup Operators (S-1-5-32-551) -> -1 
>     Domain Admins (S-1-5-21-3464024308-2102256894-3995807409-512) -> root 
>     Domain Guests (S-1-5-21-3464024308-2102256894-3995807409-514) -> nobody 
>     Domain Users (S-1-5-21-3464024308-2102256894-3995807409-513) -> staff 
>     Engineer (S-1-5-21-3464024308-2102256894-3995807409-1305) -> engineer 
>     Guests (S-1-5-32-546) -> -1 
>     Inter (S-1-5-21-3464024308-2102256894-3995807409-1323) -> inter 
>     Power Users (S-1-5-32-547) -> -1 
>     Print Operators (S-1-5-32-550) -> -1 
>     Replicators (S-1-5-32-552) -> -1 
>     System Operators (S-1-5-32-549) -> -1 
>     Users (S-1-5-32-545) -> -1 
> 
> - A share is defined: 
> [home1] 
>         path = /export/home1 
>         read only = No 
>         guest ok = Yes 
> 
> - A file is created on the share: 
>     # touch /export/home1/test 
>     # chown vincent:engineer /export/home1/test 
>     # ls -l /export/home1/test 
>     -rw-rw-r--   1 vincent   engineer       0 Jun 28 15:50 /export/home1/test 
> 
> - From Windows 2K, when I right-click properties, Security, I can see 
> the current permissions: 
>     Engineer (SERVER_NAME\Engineer) 
>     Everyone 
>     Vincent Xxxxx (SERVER_NAME\Vincent) 
> 
> - Clicking on Advanced shows the permissions (respectively Special, 
> Read, Special). Click Cancel to come back to the Security tab. 
> 
> - But when I click on Add, I receive a window saying "You are logged 
> with an account that does not have access to: SERVER_NAME. Enter 
> the name and password of an account with permissions for this 
> domain and click ok." 
> 
> - The equivalent test on WinNT4 (Properties, Security, Permissions, 
> Add, Show users works, Click on a user, Add, Read, Ok) works very 
> well: an acl is created on the file. 
> 
> 
> What's going on ??? I raised the debug level to 3, 4, even 10 but I can't 
> catch anything useful (to me). 
> 
> TIA for any help, 
> Pierre 
> 
> 
> I hope this is not too long but a level 4 log gives (at the moment I click 
> on the Add button): 
> [2005/06/28 16:16:02, 3] smbd/process.c:process_smb(1091) 
>   Transaction 2072 of length 88 
> [cut - see original message of June 28th for details]



On 29 Jun 2005 at 10:49, Pierre Dehaen wrote:
> Hi again,
> 
> FYI here are some links talking about the same problem (but no answer):
> <http://lists.samba.org/archive/samba/2003-October/075334.html>
> <http://lists.samba.org/archive/samba/2003-November/002488.html>
> <http://www.mcse.ms/message436146.html>
> 
> Note that on WinNT4 I can partially add permissions to a file: I see the users 
> when I click on "Show users" and I can use them but I cannot see the groups 
> that are available on the Samba server.
> 
> Note also that I see exactly the same when I try to connect a W2K to another 
> W2K (both standalone computers): although I'm connected to the share with 
> a username of the server, from the client I cannot change the permissions on 
> any file of the server !!!
> 
> So I have a basic question now: Is it simply possible, from a W2K/XP, to 
> change the permissions of a file on a share of a standalone server, i.e. 
> without both computers being members of a domain ? I can see a possible 
> commercial reason (from who you know) for this not being allowed, but is 
> there also a technical reason ? Note that some of the above links show the 
> same behavior within a domain... so I'm lost.
> 
> Thanks for any help,
> Pierre
> 



