[Samba] Another Samba+ACLs thread

Andrew Furey andrew at terminus.net.au
Thu Nov 28 04:19:01 GMT 2002


(offlist replies discontinued due to increasingly large number of people
involved)



Gareth Davies wrote:
 > Shouldn't you be setting setfacl -m DOMAIN+andrewfu:rwx myfile ?

I tried that, but it didn't work:

setfacl: Option -m: Invalid argument near character 1

I also tried escaping/quoting the + in various ways, replacing with \ or
/, etc. No joy.



Tom Hallewell wrote:
 > You should be able to find the server in W2K's server manager and
 > confirm that it is a trusted member of the Domain. It sounds like
 > smbd isn't linking to the acl libs - have you run ldd to see if
 > you are linking to libacl.so.1? My recent problem was similar and I
 > found that I wasn't compiling against the acl libs.
[snip various deb-src specific instructions]


a) I presume I should be looking in Active Directory Users & Computers 
-> domain -> Computers -> smbserver name ?
If so, it's listed as a WinNT 4 "workstation or server", as a member of 
Domain Computers (we're in a mixed domain, not native, so that makes 
sense to me).


b) (grepped for brevity)
$ ldd /usr/local/samba/bin/smbd | grep -i acl
         libacl.so.1 => /lib/libacl.so.1 (0x40015000)

$ nm /usr/local/samba/bin/smbd | grep -i acl | wc
      88       244     2655


c) The Debian compilation instructions aren't used, since 2.2.7 isn't 
available yet so I'm compiling from the tarball. However I used the 
following configure line:

configure --disable-nls --with-acl-support=yes \
    --with-configdir=/etc/samba --with-logfilebase=/var/log/samba

That way I can have the Debian 2.2.3a-12 (or whatever it is) and the 
2.2.7 compiled ones use the same logfiles and config files.



David Pullman wrote:
 > A thought that occurs to me when looking at the two ways of
 > displaying the name above is that I've heard that a W2K domain will
 > record machine name more like a dns domain (with its emphasis on ddns
 > and all that).  So it makes me wonder if you have a W2K PDC.
 >
 > We're using an NT PDC still with a mix of W2K and NT 40 clients (we
 > have a half dozen BDCs and about 500 windows clients, and a couple of
 >  hundred mixed UNIX platform clients).  All of our file servers are
 > samba on solaris.  So we only see something like andrewfu
 > (SMBSERVERNAME\andrewfu) on a NT security dialog acl.  On a setfacl
 > on the UNIX side it is strictly username, the UNIX systems have no
 > idea about the NT domain.  This is of course excepting the samba
 > server itself, which has security = domain.  This lets a user map a
 > drive using their NT passwd, which might be different than their NIS
 > passwd.

The test machine here is a fairly standard / minimal install of W2k 
server, which seems to be working as expected otherwise (although I 
haven't had much experience with W2k, and I don't have any other W2k 
machines around to test).

Your thoughts about the usernames seem to make sense, except, does that 
mean that the Windows ACL dialog will _always_ show the UNIX username? I 
would have thought that the username mapping would apply to that part 
also. Although admittedly, if one UNIX name maps to more than one 
Windows name, there would be problems... although it won't, in my case.

Hopefully the mapping can be worked out in some way... the system will 
have ~500 users, and given that 50% - 75% of them are 
username-map-required style names, it would get mighty annoying mighty 
fast, trying to map them in your head...


(phew!)

-- 
ANDREW FUREY <andrew at terminus.net.au> - Sysadmin/developer for Terminus.
Providing online networks of Australian lawyers (http://www.ilaw.com.au)
and Linux experts (http://www.linuxconsultants.com.au) for instant help!
Disclaimer: http://www.terminus.net.au/disclaimer.html. GCS L+++ P++ t++
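
An added example (not part of the original post, and not Samba's own code): a small Python helper for the reverse lookup discussed above, reading text in smb.conf "username map" syntax and annotating named user: ACL entries with the Windows names that map to them. The map entries and getfacl-style lines are constructed samples, and the function names are hypothetical.

```python
import shlex

# Constructed sample in smb.conf "username map" syntax: unix_name = windows names
SAMPLE_MAP = '''\
andrewfu = "Andrew Furey"
!root = administrator admin
staff = @sales *
'''
# Constructed getfacl-style entries for a file on the share
SAMPLE_ACL = '''\
user::rw-
user:andrewfu:rwx
user:root:r--
group::r--
'''

def split_names(text):
    """Split the right-hand side on whitespace, honouring double quotes."""
    lex = shlex.shlex(text, posix=True)
    lex.whitespace_split = True
    lex.quotes = '"'     # apostrophes in names are ordinary characters
    lex.escape = ""      # keep backslashes literal
    lex.commenters = ""  # '#' and ';' only start a comment at line start
    return list(lex)

def unix_to_windows(map_text):
    """Return {unix_name: [windows_names]}; '@group' and '*' entries are
    skipped because they do not name one Windows user."""
    result = {}
    for line in map_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix, right = line.split("=", 1)
        unix = unix.strip().lstrip("!").strip()  # '!' only stops further mapping
        names = [n for n in split_names(right)
                 if n and n != "*" and not n.startswith("@")]
        if unix and names:
            result.setdefault(unix, []).extend(names)
    return result

def annotate_acl(acl_text, mapping):
    """Append the mapped Windows name(s) to each named user: entry."""
    out = []
    for line in acl_text.splitlines():
        parts = line.split(":")
        if len(parts) == 3 and parts[0] == "user" and parts[1] in mapping:
            names = mapping[parts[1]]
            flag = "  (ambiguous)" if len(names) > 1 else ""
            line += "   # Windows: " + ", ".join(names) + flag
        out.append(line)
    return out
```

Entries flagged as ambiguous are the case raised above, where one UNIX name stands for more than one Windows name and the ACL entry alone cannot say which one was meant.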
