[Samba] Samba trusted domains and access control lists problem (cannot delete or rename)

Ian Clancy clancyian at cel.ie
Thu Jun 2 20:12:01 GMT 2005

I am having difficulty deleting and renaming files with users from a 
foreign domain using acls.
My setup is as follows:
I have two Samba (3.0.14a)/LDAP domains connected via a VPN (OpenVPN) 
with a bi-directional trust relationship established. The trust 
relationship appears to be working correctly. I can log on to PCs at 
either end on either Domain :) and the browse lists of both domains are 
synchronising properly.
I am using the same WINS server for both domains and this is located in 
DomA on the Primary Domain Controller.
I want users on DomB to be able to access shares on Domain Member 
servers on DomA.
Winbind is running on my fileservers and I am using ldap as an idmap 
Users from DomA are mapped on my Domain member server using ldap and 
DomB users are mapped using winbind. I have the following entry in my 
nsswitch.conf file:

passwd:     files ldap winbind
shadow:     files ldap winbind
group:      files ldap winbind

I have not seen anyone else do this so I am not sure if it is correct 
:). It appears to work however, as 'getent passwd' and 'getent group' 
return users from both Domains. Users of DomB are prepended with DomB+ 
(as expected). So far so good ...

The following is a share on one of my Domain member servers on DomA:

        comment = Materials Share
        path = /var/shares/Materials
        read only = No
        inherit permissions = Yes
        inherit acls = Yes

I can successfully set the acls from the shell using setfacl. The 
permissions on the above share are as follows:

# file: Materials
# owner: root
# group: DomA Users
group:DomB+DomB users:rwx
default:group:DomA Users:rwx
default:group:DomB+DomB users:rwx

Users from DomB can successfully access the share. They can even create 
files as follows in the root directory of the above share :

# file: New Text Document.txt
# owner: DomB+yorketom
# group: DomB+domain users
user:root:rwx                   #effective:rw-
group::rwx                      #effective:rw-
group:DomA Users:rwx             #effective:rw-
group:DomB+DomB users:rwx     #effective:rw-

However, I cannot delete or rename this file?!

So to summarise, I have two main questions:

1. Why are the effective permissions on the file above 'rw-' ?

2. In Windows I can see permissions for the owner, group and also 
Everyone, but none of the other permissions, for example 'group:DomA 
Users:rwx             #effective:rw-' as listed above?

If you've managed to get this far, thanks for reading :).

Ian Clancy
IT Systems Engineer
Connaught Electronics Ltd.
Dunmore Rd,
Co. Galway,

P : ++353 93 23151
F : ++353 93 23110
E : mailto:clancyian at cel.ie
W : http://www.cel-europe.com
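Added example (not part of the post) to show where the 'rw-' in question 1 comes from: the '#effective:' column is each entry ANDed with the ACL mask, so rwx entries showing rw- mean the mask is rw-. The listing below is constructed from the post's getfacl output; the user::, mask:: and other:: entries, which the post omits, are assumed.

```python
# Constructed getfacl listing modelled on the one in the post; the
# user::, mask:: and other:: entries are assumed (the post omits them).
SAMPLE = """\
# file: New Text Document.txt
# owner: DomB+yorketom
# group: DomB+domain users
user::rw-
user:root:rwx                   #effective:rw-
group::rwx                      #effective:rw-
group:DomA Users:rwx            #effective:rw-
group:DomB+DomB users:rwx       #effective:rw-
mask::rw-
other::r--
"""

def parse_getfacl(text):
    """Return (owner, owning group, [(tag, qualifier, perms), ...])."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        line = line.split("#effective:")[0].strip()  # drop annotation
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            entries.append(tuple(line.rsplit(":", 2)))
    return owner, group, entries

def apply_mask(perms, mask):
    return "".join(p if p in mask else "-" for p in perms)

def effective(entries):
    """Effective rights per 'tag:qualifier': the mask caps named users,
    named groups and the owning group, never the owner or 'other'."""
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    capped = lambda t, q: t == "group" or (t == "user" and q)
    return {f"{t}:{q}": apply_mask(p, mask) if capped(t, q) else p
            for t, q, p in entries}

def check_access(text, user, groups, wanted):
    """POSIX ACL check: owner, then named user, then any one matching
    group entry granting every wanted bit, otherwise 'other'."""
    owner, group, entries = parse_getfacl(text)
    eff = effective(entries)
    has = lambda perms: all(c in perms for c in wanted)
    if user == owner:
        return has(eff["user:"])
    if f"user:{user}" in eff:
        return has(eff[f"user:{user}"])
    matches = [eff["group:"]] if group in groups else []
    matches += [eff[f"group:{g}"] for g in groups if f"group:{g}" in eff]
    if matches:
        return any(has(m) for m in matches)
    return has(eff["other:"])
```

Note that delete and rename are decided by write and execute rights on the parent directory, not by the file's own entries, so the directory's mask is the one to inspect for the failure described.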
