[Samba] Windows ACL modify ability?

Mike Partyka mpartyka at gmail.com
Tue Jan 3 13:46:30 GMT 2006


Forgot to include some more info that might be helpful.

OS: Fedora Core 4 (up-to-date)
Kernel 2.6.14-1.1653_FC4smp
Samba 3.0.14a-2
Hostname: sand (192.168.0.8)

Windows server 2003 Std. (up-to-date)
*running on a VMware workstation, running on a generic AMD 1.8GHz system
Domain: mrpartyka.domain
Hostname: server01 (192.168.0.7)

*the Active Directory server and Samba server are both using NTP and are
within one minute of one another

The join seems to be functioning correctly; I get the expected output when
performing:
net ads info
net ads status -UAdministrator
getent passwd
getent group
wbinfo -u
wbinfo -g

I have not used those parameters other than the "nt acl support". I have
tried to keep it as simple as possible, and I did not understand those
settings to be necessary to achieve the ability to modify ACLs from the
MMC. (I did set those parameters you mentioned and restarted the server, but
I continue to get "changes could not be saved, access is denied")

I set the baseline permissions from the Linux console, that is, the directory
is owned by root but I did a

chgrp "MRPARTYKA\Domain Users" /ftproot && chmod g+x /ftproot

to give any "domain users" the ability to write to the shared directory. I
know I can adjust permissions in this manner but a Windows admin will be
administering going forward, which is why the ability to adjust through the
use of an MMC is valuable.

Thanks for the response Louis,

On 1/3/06, Louis van Belle <louis at van-belle.nl> wrote:
>
> Does your kernel support ACL and Extended Attributes?
>
> Also, you can set the following settings
>
> inherit acls = (yes/no)
> nt acl support =
> map hidden = no
> map system = no
> map archive = no
> store dos attributes = yes
> ea support = yes
>
> You combine the above settings for your environment.
> Also, did you set the privileges for the Samba server,
> or do you set the rights as root?
>
> Louis
>
>
> >-----Original message-----
> >From: Mike Partyka [mailto:mpartyka at gmail.com]
> >Sent: Tuesday, 3 January 2006 13:56
> >To: Louis van Belle
> >CC: samba at lists.samba.org
> >Subject: Re: [Samba] Windows ACL modify ability?
> >
> >Samba 3.0.14a server which is a domain member server of a 2003
> >Active Directory and Domain Controller.
> >
> >There are no errors that appear in the windows servers event
> >log, and my smb.conf is pretty simple:
> >
> >[global]
> >        unix charset = LOCALE
> >        workgroup = mrpartyka
> >        realm = MRPARTYKA.DOMAIN
> >        server string = SMBv3.0.14a/MS ADS/winbindd
> >        security = ads
> >        log level = 1
> >        syslog = 0
> >        log file = /var/log/samba/%m
> >        max log size = 50
> >        printcap name = CUPS
> >        ldap ssl = No
> >        idmap uid = 10000-40000000
> >        idmap gid = 10000-40000000
> >        template primary group = "Domain Users"
> >        template shell = /bin/bash
> >        nt acl support = Yes
> >        printing = cups
> >        # winbind trusted domains only = Yes
> >        winbind separator = \#
> >
> >[ftp]
> >        comment = All users share
> >        path = /ftproot
> >        valid users = @"MRPARTYKA\Domain Users"
> >        writeable = Yes
> >        browseable = Yes
> >
> >As I said originally, my goal here is to manage
> >permissions/ACLs from the Server 2003 MMC, but any time I
> >try to add or remove groups for access on either the Security
> >tab or the Permissions tab, I get the message "changes could
> >not be saved, access is denied". Also, though the message
> >indicates the changes are not saved, if you open the share
> >properties window again and go to the same permission you just
> >tried to adjust, the group is there, but when you selected the
> >group from the AD container, it looked like "MRPARTYKA\Domain
> >Users" and now it's listed as "SAND\Domain Users". SAND is the
> >hostname of the Samba server.
> >
> >Is this expected behavior? Due to winbindd making AD groups
> >and users appear as though they are local groups/users of the
> >Samba server? Samba logging indicates this:
> >
> >[2006/01/03 06:43:18, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993)
> >  api_pipe_bind_req: unknown auth type 9 requested.
> >[2006/01/03 06:43:18, 1] smbd/service.c:make_connection_snum(642)
> >  192.168.0.7 (192.168.0.7) connect to service ftp initially
> >as user MRPARTYKA\administrator (uid=10000, gid=10000) (pid 3343)
> >[2006/01/03 06:43:18, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993)
> >  api_pipe_bind_req: unknown auth type 9 requested.
> >[2006/01/03 06:43:22, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993)
> >  api_pipe_bind_req: unknown auth type 9 requested.
> >[2006/01/03 06:43:29, 1] smbd/service.c:close_cnum(830)
> >  192.168.0.7 (192.168.0.7) closed connection to service ftp
> >
> >I have seen many messages in the Samba archive asking about entries
> >like this, but I did not see any responses explaining it.
> >
> >Any ideas about how I can correct this problem and manage
> >share permissions from the server MMC?
> >
> >TIA,
> >
> >
> >
> >On 1/3/06, Louis van Belle <louis at van-belle.nl> wrote:
> >
> >       Hi,
> >
> >       First, which version of Samba are you running?
> >       Are you running PDC or AD member?
> >
> >       etc etc.
> >       need more input ;-)
> >
> >       Louis
> >
> >
> >
> >       >-----Original message-----
> >       >From: samba-bounces+louis=van-belle.nl at lists.samba.org
> >       >[mailto:samba-bounces+louis=van-belle.nl at lists.samba.org]
> >       >On behalf of Mike Partyka
> >       >Sent: Monday, 2 January 2006 23:50
> >       >To: samba at lists.samba.org
> >       >Subject: [Samba] Windows ACL modify ability?
> >       >
> >       >I have posted several questions now and have been unsuccessful
> >       >in getting any responses, so I thought I would take a
> >       >different tack.
> >       >
> >       >I know adjusting permissions on Samba shares, through the
> >       >Microsoft MMC is possible when you have POSIX ACL support
> >       >compiled in your kernel. I don't think that level of control
> >       >is necessary for me and short of recompiling the kernel for
> >       >that support I have been unable to adjust permissions on Samba
> >       >shares through the MMC, I keep getting "Access is denied".
> >       >
> >       >Could someone just toss out a couple ideas about whether
> >       >adjustments to ACLs are possible without kernel POSIX ACL
> >       >support and if so, what some causes of the "Access is denied"
> >       >could be?
> >       >
> >       >TIA,
> >       >
> >       >-MIKE
> >
> >
> >
> >
> >
>
>
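
The ACL and Extended Attributes question raised in the quoted reply can be checked against the mount table for the filesystem that holds the share path. This is an added example, not code from the thread or from the Samba project; it assumes a filesystem such as ext3 where POSIX ACLs and user extended attributes are switched on with the "acl" and "user_xattr" mount options, and the device names and mount table below are constructed.

```shell
#!/bin/sh
# Constructed sample in /etc/mtab format: device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /ftproot ext3 rw,acl,user_xattr 0 0
/dev/sda2 /home ext3 rw,acl 0 0'

# Print the option string of the mount holding path $1.
# Reads a mount table on stdin; the longest matching mount point wins.
mount_opts_for() {
    path=$1
    best_len=-1
    best_opts=
    while read -r _dev mnt _fs opts _rest; do
        case "$path/" in
            "${mnt%/}/"*)
                len=${#mnt}
                if [ "$len" -gt "$best_len" ]; then
                    best_len=$len
                    best_opts=$opts
                fi
                ;;
        esac
    done
    printf '%s\n' "$best_opts"
}

# Succeed if option $2 is present in the comma-separated list $1.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report whether the filesystem under share path $1 lists the two options
# that Samba's "nt acl support" and "ea support" rely on (assumption: ext3-style options).
check_share_fs() {
    opts=$(mount_opts_for "$1")
    result=
    for want in acl user_xattr; do
        if has_opt "$opts" "$want"; then state=yes; else state=no; fi
        result="$result${result:+ }$want=$state"
    done
    printf '%s\n' "$result"
}

printf '%s\n' "$SAMPLE_MOUNTS" | check_share_fs /ftproot
```

On a live system, feed it the real table with check_share_fs /ftproot < /etc/mtab. A filesystem that enables ACLs by default may not list the option, so a "no" there needs confirming with setfacl on a test file.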

