[Samba] Samba + OpenLDAP + ACL patch on Linux 2.4.18 problems.
Guenther Deschner
guenther.deschner at suse.de
Thu Jul 18 14:22:01 GMT 2002
hi,
have you checked that your smbd is properly linked against libacl?
ldd /usr/sbin/smbd should show you something like:
ldd /usr/sbin/smbd
libacl.so.1 => /lib/libacl.so.1 (0x40017000)
...
libldap.so.2 => /usr/lib/libldap.so.2 (0x40180000)
liblber.so.2 => /usr/lib/liblber.so.2 (0x401af000)
...
libattr.so.1 => /lib/libattr.so.1 (0x402de000)
...
and maybe you should check again if configure finds your acl-environment
thus config.log should contain
...
checking sys/acl.h usability... yes
checking sys/acl.h presence... yes
checking for sys/acl.h... yes
...
checking whether to support ACLs... checking for acl_get_file in -lacl... yes
checking for ACL support... yes
Using posix ACLs
...
hth,
guenther
On Thu, Jul 18, 2002 at 04:59:06PM -0400, Erik Enge wrote:
> Hi, all.
>
> I compiled Samba 2.2.5 (on Linux) with these options:
>
> --with-smbmount --with-acl-support --with-ldapsam
>
> The compilation went fine and everything seems to be working except for
> the ACL part.
>
> I've applied the ACL patch for Linux 2.4.18 (from acl.bestbits.at) and
> installed all the tools to go with it. That part works:
>
> root@madrid# getfacl /tmp
> getfacl: Removing leading '/' from absolute path names
> # file: tmp
> # owner: root
> # group: root
> user::rwx
> group::rwx
> other::rwx
>
> Now, when starting Samba and logging in with a user that owns
> /tmp/file-a, I would expect to be able to add groups and users to that
> file's ACL as I would do in NT normally.
>
> However, when I try to add users and/or groups, I get an error dialog
> that says "Access Denied" (this is Windows NT Workstation, SP6).
>
> After some looking into, it seems that Samba is still only honoring the
> traditional owner-group-other Unix permissions, and is not aware of the
> ACLs. I draw this conclusion from the fact that this file:
>
> root@madrid# getfacl /tmp/testing-acls/b-file
> getfacl: Removing leading '/' from absolute path names
> # file: tmp/testing-acls/b-file
> # owner: administrator
> # group: tty
> user::rw-
> group::r-x
> group:tty:r-x
> group:pri:r-x
> mask::rwx
> other::---
>
> in the NT Security Tab window shows only "administrator", "Everybody"
> and "tty" as having permissions to the file. The group "pri" isn't even
> mentioned.
>
> From a post earlier on this list¹, I gather that it's my setup that
> there is something wrong with (since that person indicates being able to
> "add the domain user "aps" to the file's ACL from a WinXP box" - I can't
> add or remove anything). And here is my question - after a long
> explanation - what's wrong with my config that makes Samba not honor the
> ACLs? Or, have I gone wrong somewhere else?
>
> I include here my smb.conf:
>
> # [start smb.conf]
> [global]
> encrypt passwords = yes
> security = user
>
> netbios name = smbserver
> comment = Red Hat Samba Server
> workgroup = smbgroup
>
> ldap admin dn = "cn=Manager,dc=a,dc=b"
> ldap suffix = "dc=a,dc=b"
> ldap ssl = off
>
> logon drive = U:
> logon path = \\%N\profiles\%g
>
> domain master = yes
> domain logons = yes
> preferred master = yes
> os level = 255
>
> wins support = yes
>
> public = yes
> browsable = yes
> writeable = no
>
> map hidden = no
> map archive = no
> map system = no
>
> [netlogon]
> path = /share/sys/samba/samba-2.2.5/netlogon
> locking = no
> read only = yes
>
> [profiles]
> path = /share/sys/samba/samba-2.2.5/profiles
> read only = no
> writeable = yes
> create mask = 0600
> directory mask = 0700
>
> [homes]
> guest ok = no
> read only = no
>
> [tmp]
> comment = temporary files
> path = /tmp
> read only = no
> admin users = administrator
> # [end smb.conf]
>
> As an apropos, would it be useful - when I get this up and running - if
> I wrote an Howto or something similar on how to set up a Linux Samba box
> with OpenLDAP and ACLs? Unless, of course, I have missed some
> documentation out there explaining exactly this.
>
> Thanks in advance,
>
> Erik Enge,
> Software Engineer,
> Professional Reviews Inc.
>
> ¹ <URL:http://lists.samba.org/pipermail/samba/2002-July/075900.html>
--
Guenther Deschner guenther.deschner at suse.de
SuSE Linux Solutions AG GnuPG: 8EE11688
Berliner Str. 27 phone: +49 (0) 30 / 430944778
D-13507 Berlin fax: +49 (0) 30 / 43732804
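
The two checks suggested in the reply above (ldd on smbd, then the ACL lines in config.log) can be combined into one verdict. The script below is an added example, not part of the original thread or of Samba; the function names and verdict tokens are hypothetical, the match patterns are the output lines quoted in the reply, and the failure inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify smbd's ACL support from
# `ldd /usr/sbin/smbd` output and the build's config.log text.

# Reads ldd output on stdin; prints linked, unresolved ("not found") or absent.
acl_linked() {
    awk '$1 ~ /^libacl\.so/ { seen = 1; if ($0 ~ /not found/) missing = 1 }
         END { if (!seen) print "absent"
               else if (missing) print "unresolved"
               else print "linked" }'
}

# Reads config.log text on stdin; prints yes only when configure found the
# header, found acl_get_file in -lacl, and selected POSIX ACLs.
acl_configured() {
    awk '/checking for sys\/acl\.h\.\.\. yes/           { hdr = 1 }
         /checking for acl_get_file in -lacl\.\.\. yes/ { lib = 1 }
         /Using posix ACLs/                             { posix = 1 }
         END { if (hdr && lib && posix) print "yes"; else print "no" }'
}

# diagnose LDD_TEXT CONFIG_LOG_TEXT -> one verdict token (hypothetical names)
diagnose() {
    linked=$(printf '%s\n' "$1" | acl_linked)
    configured=$(printf '%s\n' "$2" | acl_configured)
    case "$configured/$linked" in
        yes/linked)   echo ok ;;              # built with ACLs and linked
        */unresolved) echo runtime-missing ;; # loader cannot find libacl
        yes/absent)   echo stale-binary ;;    # log says ACLs, this smbd has none
        no/linked)    echo log-mismatch ;;    # log does not match this binary
        *)            echo not-built ;;       # configure never enabled ACLs
    esac
}

# Sample input: lines as quoted in the reply.
SAMPLE_LDD='    libacl.so.1 => /lib/libacl.so.1 (0x40017000)
    libldap.so.2 => /usr/lib/libldap.so.2 (0x40180000)
    libattr.so.1 => /lib/libattr.so.1 (0x402de000)'
SAMPLE_LOG='checking for sys/acl.h... yes
checking whether to support ACLs... checking for acl_get_file in -lacl... yes
Using posix ACLs'
# Constructed failure cases.
NO_ACL_LDD='    libldap.so.2 => /usr/lib/libldap.so.2 (0x40180000)'
LOST_LDD='    libacl.so.1 => not found'

diagnose "$SAMPLE_LDD" "$SAMPLE_LOG"
```

On a real host, pass "$(ldd /usr/sbin/smbd)" and "$(cat config.log)" as the two arguments; a stale-binary verdict usually means the smbd being run is not the one that was just built.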