[Samba] Can't set ACL with Windows XP - why?

Cleber P. de Souza cleberps at gmail.com
Mon Nov 6 14:00:53 GMT 2006


On 11/6/06, Manuel Graumann <mgraumann at gc-heat.de> wrote:
> Hi :)
>
> Thank you for your answer!
>
> >To set a user admin rights on samba use the 'admin users' option. This can
> be set for a share or for whole shares.
>
> As you can see, I set admin users for the particular share to '@Domain
> Admins' which is the LDAP group that should be granted all rights to the
> share. The user I'm trying to set the ACLs with is member of this group.
>
> >Also remember to map samba to ldap groups.
>
> Meaning what exactly? How can I check if this is correct?
>
> >Use 'net groupmap list' to check your settings and verify if the GIDs are
> correct.
>
> # net groupmap list
> Domain Admins (S-1-5-21-3842594120-1922355106-3159979546-512) -> Domain
> Admins
>

It seems that it is correctly mapped.


> # slapcat
> dn: cn=Domain Admins,ou=Groups,dc=mydomain,dc=tld
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 512
> cn: Domain Admins
>

Oh,
You have forgotten the sambaGroupType (must be 2 for Domain Admins) and
SambaSID, which in your case must be
'S-1-5-21-3842594120-1922355106-3159979546-512'.
If users aren't defined to this group as the principal group, you must
also set memberUid for those that are needed.

Remember that another object with the SambaDomain objectclass must be set,
and your domain SID ('S-1-5-21-3842594120-1922355106-3159979546') must be
set too in the SambaSID field.
SambaDomainName is another field that must be set to your domain name.

> Seems to be correct or is this not what you meant?
>
> >Which field on LDAP 'Domain Admins' group are you using to put the username?
> (memberUid, sambaSIDList or set Domain Admins the principal group for the
> user?)
>
> It's 'memberUid'. The principal group for the user is 'Domain Users'.
>
> >Also set 'nt acl support' to yes (I think 'yes' is the default) in your
> smb.conf.
>
> As I read this is default, I did not explicitly set this one to yes to keep
> a smaller smb.conf. But even after adding this one to the share I got the
> same error. (Yes... I logged off and restarted samba before testing)
>
> >It seems a permission problem.
>
> That is exactly what I think but I can't figure it out.

Windows rights work with SID and GID. If they aren't correct,
permission errors are common.


>
> Regards
>
> Manuel
>
> On 11/5/06, Manuel Graumann <mgraumann at gc-heat.de> wrote:
> > Hi there,
> >
> > finally all seems to be working. Samba 3 as PDC with LDAP Backend.
> > Even ACLs are possible with the command line tool setfacl. These ACLs
> > work fine in Samba and are displayed correctly in the Windows
> > filemanager in the security-tab.
> >
> > But one thing remains unsolved: why can't I set those ACLs directly
> > from my Windows client machine? If I try to modify the ACL I always
> > get a message that my settings have not been saved and an "Access
> > denied".
> >
> > Share definition:
> >
> > [fsroot]
> > comment = Fileserver Root
> > path = /data/srv/samba/root
> > admin users = '@Domain Admins'
> > read only = No
> > inherit acls = Yes
> >
> > # getfacl /data/srv/samba/root
> > # file: root
> > # owner: root
> > # group: Domain\040Admins
> > user::rwx
> > group::rwx
> > other::rwx
> >
> > The group "Domain Admins" has been granted SeDiskOperatorPrivilege.
> > The user trying to change the ACLs from Windows is a member of the
> > group "Domain Admins"
> >
> > Any suggestions would be appreciated.
> >
> > Regards
> >
> > Manuel
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/listinfo/samba
> >
>
>
> --
> ***
> Cleber P. de Souza


-- 
***
Cleber P. de Souza
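
A check for the attributes the reply above lists, as an added example that is not part of the original message or of Samba's own tooling: it parses `slapcat`-style LDIF and reports `sambaGroupMapping` entries missing `sambaSID` or `sambaGroupType`, a missing `sambaDomain` SID, and a type 2 group whose SID is not under the domain SID. The sample LDIF is constructed from the thread's values; the `sambaDomain` entry's DN and the name `MYDOMAIN` are assumptions.

```python
# Constructed sample: the group entry as posted in the thread, plus an assumed
# sambaDomain entry (its DN and the name MYDOMAIN are hypothetical).
SAMPLE_LDIF = """\
dn: sambaDomainName=MYDOMAIN,dc=mydomain,dc=tld
objectClass: sambaDomain
sambaDomainName: MYDOMAIN
sambaSID: S-1-5-21-3842594120-1922355106-3159979546

dn: cn=Domain Admins,ou=Groups,dc=mydomain,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
"""

def parse_ldif(text):
    """Return entries as dicts of lowercased attribute -> list of values."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):  # unfold, then split
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            attr, value = line.split(": ", 1)
            entry.setdefault(attr.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def has_class(entry, name):
    return name.lower() in (c.lower() for c in entry.get("objectclass", []))

def audit(text):
    """Return (dn, problem) pairs for the domain object and group mappings."""
    entries = parse_ldif(text)
    domain_sids = [s for e in entries if has_class(e, "sambaDomain")
                   for s in e.get("sambasid", [])]
    problems = [] if domain_sids else [("(directory)", "no sambaDomain with sambaSID")]
    for e in (e for e in entries if has_class(e, "sambaGroupMapping")):
        dn = e.get("dn", ["?"])[0]
        for attr in ("sambaSID", "sambaGroupType"):
            if attr.lower() not in e:
                problems.append((dn, f"missing {attr}"))
        if e.get("sambagrouptype") == ["2"]:  # type 2: SID is domain SID + RID
            for sid in e.get("sambasid", []):
                if domain_sids and sid.rsplit("-", 1)[0] not in domain_sids:
                    problems.append((dn, f"sambaSID {sid} not under domain SID"))
    return problems
```

Calling `audit()` on the full text of a `slapcat` dump returns an empty list when every group mapping carries both attributes and a `sambaDomain` SID is present.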

