[Samba] Win2k domain, ACLs and permissions

Paul Eggleton paule at cjntech.co.nz
Tue Apr 8 05:18:14 GMT 2003

Hi there,

I have been trying to set up Samba 2.2.8 to connect to our Windows 2000
domain, and provide shares that support file permissions as a Win2K box
would, under Red Hat 8.0. To that end I recompiled the kernel (2.4.20)
with patches from acl.bestbits.org, enabling ext2 and ext3 EA and ACL
support. I set up winbind, joined the domain OK, and got name resolution
working pretty well. Everything seemed perfect until I tried to
seriously edit the file permissions from a Windows 2000 machine. I could
add other users to a folder/file and set the permissions for them
without any problems, but I did have trouble with the following:

1) If I delete Everyone, Domain Users, or Administrator from a folder's
permissions, they reappear when the settings are applied.

2) Changing settings on the Everyone, Domain Users, or Administrator
that include "subfolders and files" does not seem to work - these
permissions are removed (leaving it with "this folder only" when

After doing a bit of digging I noticed two other problems:

3) Some groups, including "Authenticated Users" and "Administrators", did
not seem to be available on the Linux machine, either in the list
produced from wbinfo -g or to be set on a file on a share from Windows

4) Group name resolution doesn't seem to be fully working under Linux.
wbinfo will translate between a gid, a SID, and the name just fine, but
if I use ls -l on a directory that has been created via a share, the
owner is looked up correctly but not the group ("10002" instead of
"CJNTECH\whatever"). getfacl produces similar results, returning a
number for the group instead of the name. I checked, and winbind is in
the "group:" line in /etc/nsswitch.conf.

In the hope that these problems would be fixed in the latest version, I
made a backup and then upgraded to 3.0 alpha 23. After a bit of
tweaking, setting up Kerberos etc. I managed to get it back to the state
that 2.2.8 was in (joined to domain, resolving user/group names, etc.).
Problem #2 seems to have gone away, but the others are still present.

I have searched the net, but not found anything conclusive regarding
these issues. Any ideas? (Please let me know if I can provide any
further details.)


Paul Eggleton                  Ph:    +64-9-4154790
Software Developer             Fax:   +64-9-4154791
CJN Technologies Ltd.          DDI:   +64-9-4154795
http://www.cjntech.co.nz       Email: paule at cjntech.co.nz
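
An added example, not part of the original post: one way to audit for the symptom in point 4 is to confirm that winbind is a source on the "group:" line of nsswitch.conf and then list every owner, group and ACL entry that getfacl prints as a bare number. The sample inputs and the function names nss_sources and unresolved_ids are constructed for illustration, and the check assumes getfacl was run without -n/--numeric.

```python
import re

# Constructed sample (not from the post): getfacl output, run without -n/--numeric,
# in which some ids appear as bare numbers because NSS could not name them.
SAMPLE_GETFACL = r"""# file: projects
# owner: CJNTECH\paule
# group: 10002
user::rwx
user:CJNTECH\paule:rwx
group::r-x
group:10005:rw-
mask::rwx
other::---
default:group:10005:rw-
"""

# Constructed nsswitch.conf fragment with winbind on the "group:" line, as in the post.
SAMPLE_NSSWITCH = """passwd: files winbind
group:  files winbind   # domain groups via winbind
"""

def nss_sources(nsswitch_text, database):
    """Return the lookup sources configured for one nsswitch.conf database."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        if line.startswith(database + ":"):
            tokens = line.split(":", 1)[1].split()
            # skip action items such as [NOTFOUND=return]
            return [t for t in tokens if not t.startswith("[")]
    return []

def unresolved_ids(getfacl_text):
    """List (kind, id) for owners, groups and ACL entries shown as bare numbers."""
    found = set()
    for line in getfacl_text.splitlines():
        header = re.match(r"# (owner|group): (\d+)$", line)
        if header:
            kind = "user" if header.group(1) == "owner" else "group"
            found.add((kind, int(header.group(2))))
            continue
        entry = re.match(r"(?:default:)?(user|group):(\d+):", line)
        if entry:
            found.add((entry.group(1), int(entry.group(2))))
    return sorted(found)

if __name__ == "__main__":
    print("group sources:", nss_sources(SAMPLE_NSSWITCH, "group"))
    for kind, num in unresolved_ids(SAMPLE_GETFACL):
        print("unresolved %s id %d" % (kind, num))
```

On the constructed input the configuration check passes while two group ids are still reported, which is the combination described in point 4.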
