Local Directory ACLs

Burt Avery ba2k at virginia.edu
Thu Dec 16 18:09:47 GMT 1999


I am perplexed by what I see as a local NT Administrator when I look at the
security that has been applied to the local profiles
(%windir%\Profiles\%username%) as well as other directories of
significance. They show a username of Account Unknown in the Samba domain
named COMPLAB (COMPLAB\Account Unknown). Account Unknown is shown as having
Full Control for the directory of interest. As local Administrator, I can
change the security permissions for the directories of interest.

When logged into the domain COMPLAB as Administrator, I can only view the
security permissions of directories in question; no change is allowed.
Obviously what I think of as the domain Administrator does not have rights to
change directory permissions. Again there are entries in the Directory
Permissions table for COMPLAB\Account Unknown. My assumption is Account
Unknown means the SID for the user is invalid.

In smb.conf I have Administrator(s) listed as a domain administrator by
"domain admin = win98adm Administrator" and defined in the username map
file as win98adm = Administrator. Should not domain admins also have
rights, if given, into the local file system? ./testparm shows "nt acl
support = yes".

We are running Samba 2.0.5a under RS/6000 AIX 4.2. There are six WIN98
systems that seem very happy in the domain. The NT test systems are at issue.

My question comes to the point of asking whether this situation is normal in
the non-HEAD version. I understand domain control is incompletely
implemented in 2.0.5a. If this situation should not occur in 2.0.5a, how
should I correct it?

How well are ACLs supported in 2.0.5a?

Is this problem related to the failure of NT to download NT profiles
although it re-writes profiles in the expected location
(\\%L\profiles\%U\%a where profiles is /home/samba_profiles)? Every time a
user logs in, NT thinks it is the first.

Any help is greatly appreciated. If I can get beyond this problem, I can
get my apps installed by the domain admin and be on the way to a truly
useful administrative domain.

As an afterthought, the test system is registered in the domain (domain
login IS offered as an option). No policies have been applied.


Burt Avery
Computer Systems Engineer
Department of Biomedical Engineering
University of Virginia
Charlottesville, VA 22908
804-924-8065 (w)
804-245-5813 (h)

