[Samba] Windows ACL modify ability?

Mike Partyka mpartyka at gmail.com
Tue Jan 3 12:55:52 GMT 2006 

Samba 3.0.14a server which is a domain member server of a 2003 Active
Directory and Domain Controller.

There are no errors that appear in the windows servers event log, and my
smb.conf is pretty simple:

[global]
        unix charset = LOCALE
        workgroup = mrpartyka
        realm = MRPARTYKA.DOMAIN
        server string = SMBv3.0.14a/MS ADS/winbindd
        security = ads
        log level = 1
        syslog = 0
        log file = /var/log/samba/%m
        max log size = 50
        printcap name = CUPS
        ldap ssl = No
        idmap uid = 10000-40000000
        idmap gid = 10000-40000000
        template primary group = "Domain Users"
        template shell = /bin/bash
        nt acl support = Yes
        printing = cups
        # winbind trusted domains only = Yes
        winbind separator = \#

[ftp]
        comment = All users share
        path = /ftproot
        valid users = @"MRPARTYKA\Domain Users"
        writeable = Yes
        browseable = Yes

As i said originally, my goal here is to manage permissions's/ACL's from the
server 2003 MMC, but any time i try to add or remove groups for access on
either the Security tab or the Permissions tab, i get the message "changes
could not be saved, access is denied". Also, though the message indicates
the changes are not saved, if you open the share properties window again and
go to the same permission you just tried to adjust, the group is there, but
when you selected the group from the AD container, it looked like
"MRPARTYA\Domain Users" and now it's liked as "SAND\Domain Users". SAND is
the hostname of the samba server.

Is this expected behavior? Due to winbindd making AD groups and users appear
as though they are local groups/users of the Samba server? Samba logging
indicates this:

[2006/01/03 06:43:18, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993)
  api_pipe_bind_req: unknown auth type 9 requested.
[2006/01/03 06:43:18, 1] smbd/service.c:make_connection_snum(642)
  192.168.0.7 (192.168.0.7) connect to service ftp initially as user
MRPARTYKA\administrator (uid=10000, gid=10000) (pid 3343)
[2006/01/03 06:43:18, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993)
  api_pipe_bind_req: unknown auth type 9 requested.
[2006/01/03 06:43:22, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993)
  api_pipe_bind_req: unknown auth type 9 requested.
[2006/01/03 06:43:29, 1] smbd/service.c:close_cnum(830)
  192.168.0.7 (192.168.0.7) closed connection to service ftp

I have many messages in the Samba archive asking about enties like this, but
i did not see any responses explaining it.

Any ideas about how i can correct this problem and manage share permissions
from the server MMC?

TIA,



On 1/3/06, Louis van Belle <louis at van-belle.nl> wrote:
>
> Hi,
>
> first which version of samba are you running?
> are you running pdc or AD Member ?
>
> etc etc.
> need more input ;-)
>
> Louis
>
>
>
> >-----Oorspronkelijk bericht-----
> >Van: samba-bounces+louis=van-belle.nl at lists.samba.org
> >[mailto: samba-bounces+louis=van-belle.nl at lists.samba.org]
> >Namens Mike Partyka
> >Verzonden: maandag 2 januari 2006 23:50
> >Aan: samba at lists.samba.org
> >Onderwerp: [Samba] Windows ACL modify ability?
> >
> >I have posted several questions now and have ben unsuccessful
> >in getting any
> >responses, so i thought i would take a different tack.
> >
> >I know adjusting permissions on Samba shares, through the
> >Microsoft MMC is
> >possible when you have POSIX ACL support compiled in your
> >kernel. I don't
> >think that level of control is necessary for me and short of
> >recompiling the
> >kernel for that support i have been unable to adjust
> >permissions on Samba
> >shares through the MMC, i keep getting "Access is denied".
> >
> >Could someone just toss out a couple ideas about whether adjustments to
> >ACL's ar possible without kernel POSIX ACL support and if so, what some
> >causes of the "Access is denied" could be?
> >
> >TIA,
> >
> >-MIKE
> >--
> >To unsubscribe from this list go to the following URL and read the
> >instructions:   https://lists.samba.org/mailman/listinfo/samba
> >
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
>

More information about the samba mailing list