[Samba] Can set ACLs great from Windows, but see only SIDs when I reopen them
Thomas Boutell
boutell at boutell.com
Wed Mar 9 15:28:05 GMT 2005
Good morning, Samba List,

I'm setting ACLs from the security tab of the properties window of a folder
via a Windows XP SP2 client. The Samba share in question is running on
3.0.11 with an ext3 file system and Fedora Core 3 underneath. All this
works great -- I can set up ACLs beautifully from Windows and when I check
them out with getfacl on the Linux side, the results make sense to me.

However, when I close and re-open the properties window, the two
groups I've set up ACLs for -- AD\salesgroup and AD\marketinggroup --
show up only as SIDs (S-bignumber-with-hyphens). Which, of course,
is confusing.

I've appended the output of getfacl, the relevant part of "getent group",
and my smb.conf file. Thanks for any thoughts on this. I could certainly
just write this up as a frustrating quirk that will "hopefully be fixed soon,"
but of course I'd rather present the fix!

Is there some way in which Samba might not be correctly mapping SIDs back to
names upon request from the client?

Thanks again!

GETFACL OUTPUT:
[root at ADSambaFP1 ~]# getfacl /research
# file: research
# owner: AD\134salesperson1
# group: root
user::rwx
group::---
group:10012:rwx
group:10015:r-x
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:10012:rwx
default:group:10015:r-x
default:mask::rwx
default:other::---
GETENT GROUP OUTPUT:
AD\domain computers:x:10003:
AD\domain controllers:x:10002:
AD\schema admins:x:10005:AD\administrator
AD\enterprise admins:x:10006:AD\administrator
AD\domain admins:x:10007:AD\administrator
AD\domain users:x:10000:
AD\domain guests:x:10001:
AD\group policy creator owners:x:10004:AD\administrator
AD\dnsupdateproxy:x:10013:
AD\cheaters:x:10014:
AD\salesgroup:x:10012:AD\salesperson2,AD\salesperson1
AD\marketinggroup:x:10015:AD\marketperson2,AD\marketperson1
AD\hrgroup:x:10016:AD\hrperson2,AD\hrperson1
MY SMB.CONF FILE:
[global]
log level = 3
log file = /var/log/samba/%m.log
# Use CUPS for all back end printing chores
printing = cups
printcap = cups
load printers = yes
idmap gid = 10000-20000
map acl inherit = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
admin users = AD\Administrator
printer admin = AD\Administrator
# winbind trusted domains only = yes
encrypt passwords = YES
realm = AD.CORP.COM
template shell = /bin/bash
dns proxy = no
cups options = raw
server string = Samba Server
idmap uid = 10000-20000
workgroup = AD
printcap name = /etc/printcap
security = ads
max log size = 50
winbind use default domain = no
password server = windc1.ad.corp.com
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
guest ok = no
comment = All Printers
printable = yes
writable = no
path = /var/spool/samba
[research]
comment = Research Files, Sales Writes, Marketing Reads
writeable = yes
path = /research
[print$]
comment = Printer Drivers for Windows
path = /usr/local/samba/windrivers
write list = AD\administrator
--
Thomas Boutell
Boutell.Com, Inc.
http://www.boutell.com/
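
A Linux-side cross-check for the outputs posted above, as an added example that is not part of the original message: it lists the named-group ACL entries that getfacl printed as bare numeric gids and looks each one up in the `getent group` text. The function names are hypothetical and the sample input is copied from the post.

```python
import re

# Constructed sample: lines copied from the post's getfacl and getent output.
GETFACL = r"""# file: research
# owner: AD\134salesperson1
user::rwx
group::---
group:10012:rwx
group:10015:r-x
mask::rwx
default:group:10012:rwx
default:group:10015:r-x
"""
GETENT = r"""AD\domain users:x:10000:
AD\salesgroup:x:10012:AD\salesperson2,AD\salesperson1
AD\marketinggroup:x:10015:AD\marketperson2,AD\marketperson1
"""

# Named-group ACL entry: optional "default:" scope, qualifier, permissions.
ACL_RE = re.compile(r"^(default:)?group:([^:]+):([rwx-]{3})$")

def parse_getent_group(text):
    """Map gid -> group name from 'name:x:gid:members' lines."""
    groups = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            groups[int(parts[2])] = parts[0]
    return groups

def numeric_group_entries(getfacl_text, getent_text):
    """Return (scope, gid, perms, name_or_None) for group entries shown as gids."""
    groups = parse_getent_group(getent_text)
    found = []
    for line in getfacl_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(2).isdigit():  # qualifier was not printed as a name
            gid = int(m.group(2))
            scope = "default" if m.group(1) else "access"
            found.append((scope, gid, m.group(3), groups.get(gid)))
    return found

if __name__ == "__main__":
    for scope, gid, perms, name in numeric_group_entries(GETFACL, GETENT):
        print(f"{scope:7} gid {gid} {perms} -> {name or 'not in getent group'}")
```

On a live system, `getent group 10012` performs the single gid-to-name lookup, whereas plain `getent group` enumerates every group, so the two can give different answers.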