[Samba] Samba + OpenLDAP + ACL patch on Linux 2.4.18 problems.

Guenther Deschner guenther.deschner at suse.de
Thu Jul 18 14:22:01 GMT 2002


hi,

have you checked that your smbd is properly linked against libacl?

ldd /usr/sbin/smbd should show you something like:

ldd /usr/sbin/smbd 
        libacl.so.1 => /lib/libacl.so.1 (0x40017000)
			...
        libldap.so.2 => /usr/lib/libldap.so.2 (0x40180000)
        liblber.so.2 => /usr/lib/liblber.so.2 (0x401af000)
			...
        libattr.so.1 => /lib/libattr.so.1 (0x402de000)
			...

and maybe you should check again if configure finds your acl-environment

thus config.log should contain
	...
	checking sys/acl.h usability... yes
	checking sys/acl.h presence... yes
	checking for sys/acl.h... yes
	...
	checking whether to support ACLs... checking for acl_get_file in -lacl... yes
	checking for ACL support... yes
	Using posix ACLs
	...

hth,

guenther 


On Thu, Jul 18, 2002 at 04:59:06PM -0400, Erik Enge wrote:
> Hi, all.
> 
> I compiled Samba 2.2.5 (on Linux) with these options:
> 
>             --with-smbmount --with-acl-support --with-ldapsam 
> 
> The compilation went fine and everything seems to be working except for
> the ACL part.
> 
> I've applied the ACL patch for Linux 2.4.18 (from acl.bestbits.at) and
> installed all the tools to go with it.  That part works:
> 
>         root@madrid# getfacl /tmp
>         getfacl: Removing leading '/' from absolute path names
>         # file: tmp
>         # owner: root
>         # group: root
>         user::rwx
>         group::rwx
>         other::rwx
> 
> Now, when starting Samba and logging in with a user that owns
> /tmp/file-a, I would expect to be able to add groups and users to that
> file's ACL as I would do in NT normally.
> 
> However, when I try to add users and/or groups, I get an error dialog
> that says "Access Denied" (this is Windows NT Workstation, SP6).
> 
> After some looking into, it seems that Samba is still only honoring the
> traditional owner-group-other Unix permissions, and is not aware of the
> ACLs.  I draw this conclusion from the fact that this file:
> 
>         root@madrid# getfacl /tmp/testing-acls/b-file
>         getfacl: Removing leading '/' from absolute path names
>         # file: tmp/testing-acls/b-file
>         # owner: administrator
>         # group: tty
>         user::rw-
>         group::r-x
>         group:tty:r-x
>         group:pri:r-x
>         mask::rwx
>         other::---
> 
> in the NT Security Tab window shows only "administrator", "Everybody"
> and "tty" as having permissions to the file.  The group "pri" isn't even
> mentioned.
> 
> From a post earlier on this list¹, I gather that it's my setup that
> there is something wrong with (since that person indicates being able to
> "add the domain user "aps" to the file's ACL from a WinXP box" - I can't
> add or remove anything).  And here is my question - after a long
> explanation - what's wrong with my config that makes Samba not honor the
> ACLs?  Or, have I gone wrong somewhere else?
> 
> I include here my smb.conf:
> 
> # [start smb.conf]
> [global]
>      encrypt passwords = yes
>      security = user
> 
>      netbios name = smbserver
>      comment = Red Hat Samba Server
>      workgroup = smbgroup
> 
>      ldap admin dn = "cn=Manager,dc=a,dc=b"
>      ldap suffix = "dc=a,dc=b"
>      ldap ssl = off
>                                            
>      logon drive = U:
>      logon path = \\%N\profiles\%g
> 
>      domain master = yes
>      domain logons = yes
>      preferred master = yes
>      os level = 255
> 
>      wins support = yes
> 
>      public = yes
>      browsable = yes
>      writeable = no
>    
>      map hidden = no
>      map archive = no
>      map system = no
> 
> [netlogon]
>      path = /share/sys/samba/samba-2.2.5/netlogon
>      locking = no
>      read only = yes
> 
> [profiles]
>      path = /share/sys/samba/samba-2.2.5/profiles
>      read only = no
>      writeable = yes
>      create mask = 0600
>      directory mask = 0700
> 
> [homes]
>      guest ok = no
>      read only = no
> 
> [tmp]
>      comment = temporary files 
>      path = /tmp
>      read only = no
>      admin users = administrator
> # [end smb.conf]
> 
> As an apropos, would it be useful - when I get this up and running - if
> I wrote a Howto or something similar on how to set up a Linux Samba box
> with OpenLDAP and ACLs?  Unless, of course, I have missed some
> documentation out there explaining exactly this.
> 
> Thanks in advance,
> 
> Erik Enge,
> Software Engineer,
> Professional Reviews Inc.
> 
> ¹ <URL:http://lists.samba.org/pipermail/samba/2002-July/075900.html>
> 

-- 
Guenther Deschner                          guenther.deschner at suse.de
SuSE Linux Solutions AG                              GnuPG: 8EE11688
Berliner Str. 27                      phone:  +49 (0) 30 / 430944778
D-13507 Berlin                           fax:  +49 (0) 30 / 43732804
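
The two checks suggested in the reply above, as an added shell example that is not part of the original thread: it classifies `ldd` output and `config.log` text. The function names, the script name and the sample strings are constructed for illustration, and the `... no` configure line is assumed by analogy with the `... yes` line quoted above.

```shell
#!/bin/sh
# Added example; function names and sample text are constructed here.

# Read `ldd` output on stdin; print linked / unresolved / missing for $1.
lib_status() {
    awk -v lib="$1" '
        index($1, lib ".so") == 1 {
            seen = 1
            if ($0 ~ /not found/) bad = 1
        }
        END {
            if (!seen)    print "missing"
            else if (bad) print "unresolved"
            else          print "linked"
        }'
}

# Read config.log on stdin; print posix / none / unknown.
# The "... no" form is an assumption, by analogy with the "... yes" line.
acl_configure_result() {
    awk '
        /checking for ACL support\.\.\. yes/ { yes = 1 }
        /checking for ACL support\.\.\. no/  { no = 1 }
        /Using posix ACLs/                   { posix = 1 }
        END {
            if (yes && posix) print "posix"
            else if (no)      print "none"
            else              print "unknown"
        }'
}

# Constructed sample inputs, modelled on the output quoted in the reply.
SAMPLE_LDD_OK='        libacl.so.1 => /lib/libacl.so.1 (0x40017000)
        libldap.so.2 => /usr/lib/libldap.so.2 (0x40180000)
        libattr.so.1 => /lib/libattr.so.1 (0x402de000)'
SAMPLE_LDD_NOACL='        libldap.so.2 => /usr/lib/libldap.so.2 (0x40180000)'
SAMPLE_LOG_OK='checking for ACL support... yes
Using posix ACLs'

# Usage: sh acl-check.sh /usr/sbin/smbd [path/to/config.log]
if [ -n "${1:-}" ]; then
    echo "libacl:  $(ldd "$1" | lib_status libacl)"
    echo "libattr: $(ldd "$1" | lib_status libattr)"
    if [ -n "${2:-}" ]; then
        echo "configure: $(acl_configure_result < "$2")"
    fi
fi
```

A result of `missing` for libacl means smbd was built without ACL support even if the kernel and `getfacl` work; `unresolved` means it was built with it but the library is not on the loader path.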