Setting ACLs via Windows client

Mack Hooper MHooper at MeshNetworks.com
Tue Sep 18 10:46:05 GMT 2001 

I've been having this problem for a while as well.  Using Redhat 7.1, kernel
2.4.7, ext2fs with posix ACLs, fileutils with posix ACLs, winbind.
Configured PAM, copied over the necessary nsswitch files, etc.  Just updated
to newest CVS, branch SAMBA_2_2.

I try to add an object to the ACL for a share, and when I hit Apply or OK I
see this in the logs for the machine I'm trying it from:

[2001/09/18 11:56:19, 0] smbd/posix_acls.c:create_canon_ace_lists(750)
  create_canon_ace_lists: unable to map SID
S-1-5-21-4054839845-3177800500-41736
57015-21004 to uid or gid.

Over and over... I ended up killing the smb daemon to stop it.

Thoughts?

Mack

-----Original Message-----
From: kill -9 [mailto:kill-9 at warbeast.com]
Sent: Tuesday, September 18, 2001 12:12 AM
To: Michels, Gustavo [EES/BR]
Cc: David Brodbeck; samba at lists.samba.org
Subject: RE: Setting ACLs via Windows client


I had problems with this also using ext2fs, posix acls, and any client,
2.2.1a. The permissions would fail with access denied. I did a cvs update
today, and all the sudden it worked. I did however do something this time
that I had never done before. I actually removed everything from the old
samba install dirs and installed fresh, the copied over the relevant
config files, lmhosts, etc. I have not tried from nt yet, but I did try
from win98 nexus tools, which never even came close to working before. 
Later,
Alex


 On Mon, 17 Sep 2001, Michels, Gustavo
[EES/BR] wrote:

> Date: Mon, 17 Sep 2001 21:57:47 +0100
> From: "Michels, Gustavo [EES/BR]" <gustavo.michels at emersonenergy.com>
> To: David Brodbeck <DavidB at mail.interclean.com>, samba at lists.samba.org
> Subject: RE: Setting ACLs via Windows client
> 
> Hi David,
> 
> Thanks for your prompt reply! Could you put here a result of a getfacl of
> one of your shares? Now that I have messed with chmod, I would like to
know
> how you left all the permissions set.
> 
> cheers
> Gustavo
> 
> -----Original Message-----
> From: David Brodbeck [mailto:DavidB at mail.interclean.com]
> Sent: segunda-feira, 17 de setembro de 2001 17:46
> To: Michels, Gustavo [EES/BR]; samba at lists.samba.org
> Subject: RE: Setting ACLs via Windows client
> 
> 
> I've been having the same problem with Windows NT 4 clients, Samba 2.2.1a,
> and ext2fs with the ACL patches.  I can set the ACLs just fine with
setfacl,
> and the clients honor them, but I can't set them from NT.  It just
silently
> fails.  I've asked about this a few times on the list and gotten basically
> no response, but I'm hoping maybe it'll be fixed in 2.2.2 because it's a
> major annoyance.  I'm running Samba 2.2.1a with winbindd from an older
HEAD
> CVS.
> 
> Setting ACLs with setfacl isn't too hard, though it's a bit of a pain.
You
> can do things like:
> 
> setfacl -m "g:DOMAIN+Programmers:rwx" foo
> 
> to add a group to the ACL list for a file or directory.  To set a default
> ACL on a directory, just add a -d before the -m.  You can make changes
> recursively with the -R switch.  Removing an entry is similar:
> 
> setfacl -x "g:DOMAIN+Programmers" foo
> 
> The only gotcha is that if you set UNIX permissions with chmod, they're
> combined with the ACL permissions to create the most restrictive
> interpretation.  So most of the time it's best to avoid chmod and use
> setfacl to set those permissions, too.  (For example, 'setfacl -m g::rx
> foo'.)
> 
> Interestingly enough, I have "map hidden = yes", and my NT clients can
turn
> the hidden bit on and off just fine, as long as they're the owner of the
> file they're working on, but setting ACLs doesn't work.
> 
> -----Original Message-----
> From: Michels, Gustavo [EES/BR]
> [mailto:gustavo.michels at emersonenergy.com]
> Sent: Monday, September 17, 2001 4:29 PM
> To: samba at lists.samba.org
> Subject: Setting ACLs via Windows client
> 
> 
> Hello,
> 
> A little question about ACLs; my test server is set up with XFS and has
> support for ACLs. I have built the latest samba cvs source with acl
support
> and as far as I can see from the configure results, acls were detected and
> were compiled.
> 
> Note: I am using winbind to authenticate the users.
> 
> Can I set the acls permissions from a windows 2000 client? I am trying to
do
> this for a while without success... After I set the folder's permission in
> windows (add any user/group from the domain), looking again from the
client
> does not show the change I have just made in the permissions... Anyone
with
> similar problems?
> 
> The folder is chmoded 01777 and I am trying to make this change using a
> domain account declared as an admin user in smb.conf.
> 
> Here are the results of getfacl:
> 
> [root at splus001 files]# getfacl departments/
> # file: departments/
> # owner: root
> # group: root
> user::rwx
> group::rwx
> other::rwx
> 
> I also tried reading the manpages of setfacl but without any visible
> success.
> 
> Can anyone help me or tell me where I can find more detailed documentation
> on setting ACLs for Samba?
> 
> Cheers
> Gustavo
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
> 

----------------------------------------------------------------------------
"First, they ignore you. Then they laugh
at you. Then they fight you. Then you
win." - Mahatma Ghandi

In a world without walls and fences, who needs windows and gates?

Alex West
A&M Communications - Tech Guru
BioControl Technology Inc., MIS Administrator
kill-9 at warbeast.com | kill-9 at ipost.net
WebPage -> www.warbeast.com/~kill-9
Visit Third Eye Digital Productions - http://www.indiana-emall.com/thirdeye
Check out my band and FREE music at ***  www.mp3.com/snowpants  ***
----------------------------------------------------------------------------


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
****************************************************************************
This e-mail is intended only for the addressee named above and may contain
confidential, proprietary or privileged information. If you are not the
named addressee or the person responsible for delivering the message to the
named addressee, please inform us promptly by reply e-mail, then delete the
e-mail and destroy any printed copy. The contents should not be disclosed to
anyone and no copies should be made. We take reasonable precautions to
ensure that our emails are virus free. However we accept no responsibility
for any virus transmitted by us and recommend that you subject any incoming
e-mail to your own virus checking procedures.

More information about the samba mailing list