[Samba] ACLs on client Samba machines with Samba PDC.

Buchan Milne bgmilne at cae.co.za
Thu Jul 25 05:22:02 GMT 2002


| Message: 3
| Date: Wed, 24 Jul 2002 13:49:09 -0700 (PDT)
| From: "Ken D'Ambrosio" <kend at employees.org>
| To: samba at lists.samba.org
| Subject: [Samba] ACLs on client Samba machines with Samba PDC.
| I've got a Samba box (2.2.5a) as a member of a Samba domain.  Both the PDC
| and client are running 2.4.18 with XFS and ACLs compiled in.  Problem: on
| the client, I can -NOT- modify the ACLs for files from Windows.  (Note
| that I can modify the stock Unix permissions, but not the extended
| users/permissions that ACL support offers.)  If I try, they just vanish
| when I click "OK".  However, if I remove the client from the domain, and
| set it up by itself with "security = user", it works fine.

I've been banging my head against this one for a while, since I was
trying to test ACLs on my member server (my desktop) before putting
2.2.5 on our production server. As it turns out, they work fine on the
production server, but not on my desktop member server ...

It turns out that on member servers, you can apply ACLs using the
"machine domain" (but for some reason, I only get groups, and not users
here?), but not the domain it is a member of.

You will probably notice that the permissions visible in the security
properties box list the users/groups on the "machine domain" instead of
the domain (in my case, BGMILNE-MDK83\bgmilne instead of CAE\bgmilne).

In the logs you will see that when you try to add ACLs with users from
the domain, samba fails to map the SID+RID from the domain to a uid.
This may require winbind-type functionality, or it may just be a bug
(and one worth fixing soon!).

| Am I doing something dumb, or is this an oversight/glitch/bug?

Seems like a bug, but I'm not sure it can work without winbind (and thus
a Windows DC) or with 2.2. Hopefully it works in HEAD, and hopefully 3.0
will be out soon.

Just FYI, I am running 2.2.5 with LDAP on the DC, and 2.2.5 without LDAP
on the member server. I hope ACLs work on an LDAP BDC, since we'll be
putting one in next week ...


--
|----------------Registered Linux User #182071-----------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
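The thread above separates two failure points: whether a named-user POSIX ACL entry survives on the Unix side at all, and whether the member server can map a domain account (CAE\bgmilne) to a uid. The script below is an added diagnostic for that split; it is not code from the original post and not part of Samba. The share directory, and the domain/user names used as defaults (CAE and bgmilne, borrowed from the post purely as illustration), are assumptions; it relies on the getfacl/setfacl tools and, for the mapping step, on the real winbind client flags wbinfo -n (name to SID) and wbinfo -S (SID to uid).

```shell
#!/bin/sh
# Added example for the Samba member-server ACL thread (not Samba's own
# code, not from the original post). The share path, domain and user
# below are illustrative assumptions.

# acl_named_entries: read getfacl output on stdin and print only the
# named entries ("user:NAME", "group:NAME"), dropping the header
# comments, the owner/owning-group/mask/other lines (user::, group::,
# mask::, other::) and any trailing "#effective:" annotations.
acl_named_entries() {
    grep -v '^#' \
      | sed -E 's/[[:space:]]*#.*$//' \
      | grep -E '^(user|group):[^:]+:' \
      | sed -E 's/:[^:]*$//'
}

# acl_has_entry ENTRY: succeed if the getfacl output on stdin contains
# the named entry, e.g. "user:bgmilne" or "group:domain-admins".
acl_has_entry() {
    acl_named_entries | grep -qx "$1"
}

# check_acl_roundtrip DIR USER: write a named-user entry on a scratch
# file in DIR and read it back. USER must exist locally (this is the
# "machine domain" account the post says does work). Failure here
# means the filesystem/mount side, not Samba's SID mapping, is at fault.
check_acl_roundtrip() {
    dir=$1; name=$2
    f="$dir/.acltest.$$"
    : > "$f" || return 1
    if setfacl -m "u:$name:rwx" "$f" 2>/dev/null &&
       getfacl "$f" 2>/dev/null | acl_has_entry "user:$name"; then
        rm -f "$f"; return 0
    fi
    rm -f "$f"; return 1
}

# check_domain_mapping DOMAIN USER: ask winbind to resolve the domain
# account to a SID, then that SID to a uid. This is the SID+RID -> uid
# step the post's logs show failing. Prints the uid on success; fails
# when winbind is absent or either lookup does not resolve.
check_domain_mapping() {
    sid=$(wbinfo -n "$1\\$2" 2>/dev/null | awk '{print $1}') || return 1
    [ -n "$sid" ] || return 1
    wbinfo -S "$sid" 2>/dev/null
}

# Live run only when a share directory is given, e.g.:
#   sh check_member_acls.sh /srv/share CAE bgmilne
if [ $# -ge 1 ]; then
    dir=$1; dom=${2:-CAE}; user=${3:-bgmilne}
    if check_acl_roundtrip "$dir" "$user"; then
        echo "filesystem ACL round-trip OK for user $user in $dir"
    else
        echo "named ACL entry did not persist in $dir: check ACL support / mount options" >&2
    fi
    if uid=$(check_domain_mapping "$dom" "$user"); then
        echo "$dom\\$user maps to uid $uid"
    else
        echo "cannot map $dom\\$user to a uid (no winbind, or mapping failed)" >&2
    fi
fi
```

If the round-trip succeeds but the mapping step fails, the symptom matches the post: the kernel keeps the entry, and it is the missing domain-SID-to-uid mapping on the member server that makes entries for CAE\ users vanish when written from Windows.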