AW: Problems with samba 2.2.2

Jörg Hänsel joerg.haensel at web.de
Thu Oct 25 05:42:02 GMT 2001


Hello (Hallo),
thanks for your quick help. As you wrote I tried to be more precise.

> > I rebuilt the packages acl, acl-dev from oss.sgi.com and samba as debian
> > packages.
> > The ACLs and XFS seem to work fine and pretty fast.
>
> This means that you can use 'chacl', 'getfacl', and 'setfacl' correctly
> on an XFS filesystem?
>
I have not much experience using ACLs but I tried some examples I found in
different documents and they worked. I tested the behavior of writing to
files and directories with different users.

> User manager for domains is running on the NT server.  I'm not sure how
> it is supposed to know about the groups you have assigned on the Samba
> server. Does 'getent group' show this user in your LOCAL 'smbdomadm' group?

You can run User manager for domains on an NT Workstation as well. I thought
that it is just like a frontend for specific RPC on the PDC. Since I listed
"smbdomadm" in the "domain admin group" param in smb.conf I expect smbdomadm
to be a GLOBAL group in my domain. (Sure, on the samba server it is local.)
So the user "haenseladmin" is definitely a member of the local unix group
"smbdomadm" and of the global nt-group "smbdomadm".
I hope I understood the difference between local and global groups in NT
Domains.

> > ACLs do not work:
> > -----------------
> > When I use the ACL capable versions of samba the file security dialog
> > under Windows NT does not show the correct ACLs.
> > I use Default ACLs. Perhaps this causes problems under windows NT.
>
> Please be more specific in how this is failing.  Are you setting ACLs in
> Samba that are not reflected when you try 'getfacl'?  Are you setting ACLs
> under Linux that are not reflected when you look at them through the NT
> security dialog?  What is the ACL set for your directory?  What is the
> umask set as?

An example:
I am logged in at the samba server as "haenseladm" with the following
environment:
unix umask 077
umask of samba share: create mask=0600, directory mask: 0700
groups: haenseladm (primary), smbdomadm (2nd)

1.) create a file in home

haenseladmin@reno:~$ touch test
haenseladmin@reno:~$ ls -l
total 0
-rw-------    1 haensela haensela        0 Oct 25 12:30 test
haenseladmin@reno:~$ getfacl test
# file: test
# owner: haenseladmin
# group: haenseladmin
user::rw-
group::---
other::---

2.) logged in at a Windows NT Client as haenseladm:
The Security dialog in Windows Explorer says for the file "test":
Everyone                (O) (take ownership) ???
group haenseladmin      (O) ???
haenseladmin            (RW) OK.

When I close the dialog with OK and list the file under unix I get the
following:
haenseladmin@reno:~$ ls -l test
-rw-rwx---    1 haensela haensela        0 Oct 25 12:30 test
haenseladmin@reno:~$ getfacl test
# file: test
# owner: haenseladmin
# group: haenseladmin
user::rw-
group::---
other::---
mask::rwx

So suddenly the mask appears! I am new to ACLs, so perhaps I understood
something wrong. I don't understand why the group is rwx with --- and mask
rwx. I thought that the mask is just for restricting group ownerships in the
Access Control List and its bits are ANDed to the group bits and so the
corresponding list should be:
-rw-------    1 haensela haensela        0 Oct 25 12:30 test

3.) Again open the security dialog (Windows NT) and remove everyone and
change permission of user/group "haenseladm" to full.

Result:
haenseladmin@reno:~$ ls -l
total 4
-rwxrwx---    1 haensela haensela        0 Oct 25 12:30 test
haenseladmin@reno:~$ getfacl test
# file: test
# owner: haenseladmin
# group: haenseladmin
other::---
user::rwx
group::rwx
mask::rwx

That seems to be OK.

4.) under unix:
haenseladmin@reno:~$ su
Password:
reno:/home/haenseladmin# groupadd sambatest
reno:/home/haenseladmin# usermod -G smbdomadm,sambatest haenseladmin
reno:/home/haenseladmin# exit

5.) Logging in again as haenseladmin
haenseladmin@reno:~$ groups
haenseladmin smbdomadm sambatest

6.) At the NT Client:
Add group "sambatest" with full access to the ACL of file "test"

7.) At Unix:
haenseladmin@reno:~$ getfacl test
# file: test
# owner: haenseladmin
# group: haenseladmin
group:sambatest:rwx
group::rwx
user::rwx
other::---
mask::rwx

Seems to work as well.

I will do some other tests. After the initial errors are fixed the ACLs seem
to work. But the NT ACL - Posix ACL mapping when creating a file seems to
fail.


Thanks a lot,
Joerg
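
An added example, not part of the original message and not Samba code: a short Python sketch that reads getfacl-style listings and derives, under POSIX.1e draft ACL semantics as implemented on Linux, the mode bits ls -l prints (the group field carries the mask entry when one exists) and the effective rights of each entry. The function names are illustrative assumptions; the sample ACLs are copied from steps 1, 2 and 7 of the message.

```python
"""Relate getfacl output to the mode bits shown by ls -l (POSIX.1e draft ACLs)."""

def parse_getfacl(text):
    """Map (tag, qualifier) -> 'rwx' string; comment lines are skipped."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tag, qualifier, perms = line.split(":")[:3]
            acl[(tag, qualifier)] = perms[:3]
    return acl

def and_perms(a, b):
    """Position-wise AND of two 'rwx' strings."""
    return "".join(x if x == y else "-" for x, y in zip(a, b))

def mode_bits(acl):
    """Mode string of a regular file: the group field holds the mask if one exists."""
    group_class = acl.get(("mask", ""), acl[("group", "")])
    return "-" + acl[("user", "")] + group_class + acl[("other", "")]

def effective(acl):
    """Effective rights: named users and all group entries are ANDed with the mask."""
    mask = acl.get(("mask", ""))
    result = {}
    for (tag, qualifier), perms in acl.items():
        if tag == "mask":
            continue
        masked = mask is not None and (tag == "group" or (tag == "user" and qualifier))
        result[f"{tag}:{qualifier}"] = and_perms(perms, mask) if masked else perms
    return result

# ACL listings copied from steps 1, 2 and 7 of the message above.
STEP1 = "user::rw-\ngroup::---\nother::---"
STEP2 = "user::rw-\ngroup::---\nother::---\nmask::rwx"
STEP7 = "group:sambatest:rwx\ngroup::rwx\nuser::rwx\nother::---\nmask::rwx"

if __name__ == "__main__":
    for name, text in (("step 1", STEP1), ("step 2", STEP2), ("step 7", STEP7)):
        acl = parse_getfacl(text)
        print(name, mode_bits(acl), effective(acl))
```

For the step 2 listing the sketch gives the mode string -rw-rwx--- together with an effective owning-group right of ---, which is the ls -l line shown in that step.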





More information about the samba-ntdom mailing list