[Samba] Problem with permissions/ACLs

Pierre Dehaen pi at drever.be
Mon Jul 11 13:44:26 GMT 2005


Hi,

I'm making a second try with my problem. Maybe this time I'll be luckier?

You'll find hereafter my two previous unanswered mails about the problem.

Regards,
Pierre

On 28 Jun 2005 at 17:35, Pierre Dehaen wrote:
> Hi, 
> 
> After three days of googling, searching in this list, reading parts of the 
> pdf, and testing, I surrender: please help ! 
> 
> Summary: 
> I'm running 3.0.10a (binary from www.sunfreeware.com) on Solaris 
> 2.6 in standalone mode (security=user). I use ACLs on files. I cannot, 
> from windows (w2k, wxp pro), add a user to the permissions of a file. 
> 
> 
> Details: 
> - The binary was compiled --with-acl-support as "smbd -b|grep ACL" 
> and the sunfreeware site confirm. 
> 
> - Solaris UFS supports ACLs. 
> 
> - I don't use winbindd 
> 
> - This is my smb.conf: 
> [global] 
>     workgroup = UNIX 
>     server string = Samba Server 3.0 
>     interfaces = x.x.x.x 
>     map to guest = Bad User 
>     username map = /usr/local/samba/private/users.map 
>     log level = 4 
>     log file = /usr/local/samba/var/log.%m 
>     max log size = 500 
>     deadtime = 30 
>     keepalive = 0 
>     dns proxy = No 
>     ldap ssl = no 
>     idmap uid = 10000-20000 
>     idmap gid = 10000-20000 
> 
> - The users.map did not exist at the beginning, but, as the PDF 
> examples have one, I created it with: 
>     root = Administrator 
> 
> - My users do exist on Solaris and are the same as the Windows users. 
> 
> - The users were added on Samba with smbpasswd -a. 
> 
> - My groups are mapped: 
>     # net groupmap list | sort 
>     Account Operators (S-1-5-32-548) -> -1 
>     Administrators (S-1-5-32-544) -> -1 
>     Backup Operators (S-1-5-32-551) -> -1 
>     Domain Admins (S-1-5-21-3464024308-2102256894-3995807409-512) -> root 
>     Domain Guests (S-1-5-21-3464024308-2102256894-3995807409-514) -> nobody 
>     Domain Users (S-1-5-21-3464024308-2102256894-3995807409-513) -> staff 
>     Engineer (S-1-5-21-3464024308-2102256894-3995807409-1305) -> engineer 
>     Guests (S-1-5-32-546) -> -1 
>     Inter (S-1-5-21-3464024308-2102256894-3995807409-1323) -> inter 
>     Power Users (S-1-5-32-547) -> -1 
>     Print Operators (S-1-5-32-550) -> -1 
>     Replicators (S-1-5-32-552) -> -1 
>     System Operators (S-1-5-32-549) -> -1 
>     Users (S-1-5-32-545) -> -1 
> 
> - A share is defined: 
> [home1] 
>         path = /export/home1 
>         read only = No 
>         guest ok = Yes 
> 
> - A file is created on the share: 
>     # touch /export/home1/test 
>     # chown vincent:engineer /export/home1/test 
>     # ls -l /export/home1/test 
>     -rw-rw-r--   1 vincent   engineer       0 Jun 28 15:50 /export/home1/test 
> 
> - From Windows 2K, when I right-click properties, Security, I can see 
> the current permissions: 
>     Engineer (SERVER_NAME\Engineer) 
>     Everyone 
>     Vincent Xxxxx (SERVER_NAME\Vincent) 
> 
> - Clicking on Advanced shows the permissions (respectively Special, 
> Read, Special). Click Cancel to come back to the Security tab. 
> 
> - But when I click on Add, I receive a window saying "You are logged 
> with an account that does not have access to: SERVER_NAME. Enter 
> the name and password of an account with permissions for this 
> domain and click ok." 
> 
> - The equivalent test on WinNT4 (Properties, Security, Permissions, 
> Add, Show users works, Click on a user, Add, Read, Ok) works very 
> well: an acl is created on the file. 
> 
> 
> What's going on ??? I raised the debug level to 3, 4, even 10 but I can't 
> catch anything useful (to me). 
> 
> TIA for any help, 
> Pierre 
> 
> 
> I hope this is not too long but a level 4 log gives (at the moment I click 
> on the Add button): 
> [2005/06/28 16:16:02, 3] smbd/process.c:process_smb(1091) 
>   Transaction 2072 of length 88 
> [cut - see original message of June 28th for details]



On 29 Jun 2005 at 10:49, Pierre Dehaen wrote:
> Hi again,
> 
> FYI here are some links talking about the same problem (but no answer):
> <http://lists.samba.org/archive/samba/2003-October/075334.html>
> <http://lists.samba.org/archive/samba/2003-November/002488.html>
> <http://www.mcse.ms/message436146.html>
> 
> Note that on WinNT4 I can partially add permissions to a file: I see the users 
> when I click on "Show users" and I can use them but I cannot see the groups 
> that are available on the Samba server.
> 
> Note also that I see exactly the same when I try to connect a W2K to another 
> W2K (both standalone computers): although I'm connected to the share with 
> a username of the server, from the client I cannot change the permissions on 
> any file of the server !!!
> 
> So I have a basic question now: Is it simply possible, from a W2K/XP, to 
> change the permissions of a file on a share of a standalone server, i.e. 
> without both computers being members of a domain ? I can see a possible 
> commercial reason (from who you know) for this not being allowed, but is 
> there also a technical reason ? Note that some of the above links show the 
> same behavior within a domain... so I'm lost.
> 
> Thanks for any help,
> Pierre
> 
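
An added example, not part of the original message or of Samba: a small Python parser for the `net groupmap list` output quoted in the 28 June mail, separating NT groups that have a Unix group behind them from the builtin aliases listed as `-1`. It assumes the `name (SID) -> unixgroup` line format shown in that mail; the function names are hypothetical and the sample lines are a subset copied from the message.

```python
import re

# Subset of the `net groupmap list` output quoted in the message above.
SAMPLE = """\
Administrators (S-1-5-32-544) -> -1
Domain Admins (S-1-5-21-3464024308-2102256894-3995807409-512) -> root
Domain Users (S-1-5-21-3464024308-2102256894-3995807409-513) -> staff
Engineer (S-1-5-21-3464024308-2102256894-3995807409-1305) -> engineer
Users (S-1-5-32-545) -> -1
"""

# One mapping per line: NT group name, SID in parentheses, Unix group or -1.
LINE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-[\d-]+)\) -> (?P<unix>\S+)\s*$")


def parse_groupmap(text):
    """Return one dict per mapping line; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        sid = m["sid"]
        entries.append({
            "name": m["name"],
            "sid": sid,
            # The last sub-authority of a SID is the relative identifier (RID).
            "rid": int(sid.rsplit("-", 1)[1]),
            # S-1-5-32 is the well-known BUILTIN domain (local aliases).
            "builtin": sid.startswith("S-1-5-32-"),
            # "-1" means no Unix group is attached to this NT group.
            "unix_group": None if m["unix"] == "-1" else m["unix"],
        })
    return entries


def summarize(entries):
    """Split entries into mapped and unmapped, and collect the domain SID prefix."""
    mapped = {e["name"]: e["unix_group"] for e in entries if e["unix_group"]}
    unmapped = [e["name"] for e in entries if not e["unix_group"]]
    domain_sids = {e["sid"].rsplit("-", 1)[0] for e in entries if not e["builtin"]}
    return mapped, unmapped, domain_sids


if __name__ == "__main__":
    mapped, unmapped, domain_sids = summarize(parse_groupmap(SAMPLE))
    print("mapped:", mapped)
    print("unmapped (-1):", unmapped)
    print("server/domain SID:", domain_sids)
```
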




