[Samba] Windows ACL modify ability?
Mike Partyka
mpartyka at gmail.com
Tue Jan 3 13:46:30 GMT 2006
Forgot to include some more info that might be helpful.
OS: Fedora Core 4 (up-to-date)
Kernel 2.6.14-1.1653_FC4smp
Samba 3.0.14a-2
Hostname: sand (192.168.0.8)
Windows server 2003 Std. (up-to-date)
*running on a VMWare workstation, running on a generic AMD 1.8Ghz system
Domain: mrpartyka.domain
Hostname: server01 (192.168.0.7)
*the Active Directory server and Samba server are both using NTP and are
within one minute of one another
The join seems to be functioning correctly; I get the expected output when
performing:
net ads info
net ads status -UAdministrator
getent passwd
getent group
wbinfo -u
wbinfo -g
I have not used those parameters other than the "nt acl support". I have
tried to keep it as simple as possible, and I did not understand those
settings to be necessary to achieve the ability to modify ACLs from the
MMC. (I did set those parameters you mentioned and restarted the server, but
I continue to get "changes could not be saved, access is denied")
I set the baseline permissions from the Linux console, that is, the directory
is owned by root but I did a
chgrp "MRPARTYKA\Domain Users" /ftproot && chmod g+x /ftproot
to give any "domain users" the ability to write to the shared directory. I
know I can adjust permissions in this manner but a Windows admin will be
administering going forward, which is why the ability to adjust through the
use of an MMC is valuable.
Thanks for the response Louis,
On 1/3/06, Louis van Belle <louis at van-belle.nl> wrote:
>
> Does your kernel support ACL and Extended Attributes?
>
> Also you can set the following settings
>
> inherit acls = (yes/no)
> nt acl support =
> map hidden = no
> map system = no
> map archive = no
> store dos attributes = yes
> ea support = yes
>
> You combine the above settings for your environment.
> Also, did you set the privileges for the Samba server,
> or do you set the rights as root?
>
> Louis
>
>
> >-----Original message-----
> >From: Mike Partyka [mailto:mpartyka at gmail.com]
> >Sent: Tuesday 3 January 2006 13:56
> >To: Louis van Belle
> >CC: samba at lists.samba.org
> >Subject: Re: [Samba] Windows ACL modify ability?
> >
> >Samba 3.0.14a server which is a domain member server of a 2003
> >Active Directory and Domain Controller.
> >
> >There are no errors that appear in the Windows server's event
> >log, and my smb.conf is pretty simple:
> >
> >[global]
> > unix charset = LOCALE
> > workgroup = mrpartyka
> > realm = MRPARTYKA.DOMAIN
> > server string = SMBv3.0.14a/MS ADS/winbindd
> > security = ads
> > log level = 1
> > syslog = 0
> > log file = /var/log/samba/%m
> > max log size = 50
> > printcap name = CUPS
> > ldap ssl = No
> > idmap uid = 10000-40000000
> > idmap gid = 10000-40000000
> > template primary group = "Domain Users"
> > template shell = /bin/bash
> > nt acl support = Yes
> > printing = cups
> > # winbind trusted domains only = Yes
> > winbind separator = \#
> >
> >[ftp]
> > comment = All users share
> > path = /ftproot
> > valid users = @"MRPARTYKA\Domain Users"
> > writeable = Yes
> > browseable = Yes
> >
> >As I said originally, my goal here is to manage
> >permissions/ACLs from the Server 2003 MMC, but any time I
> >try to add or remove groups for access on either the Security
> >tab or the Permissions tab, I get the message "changes could
> >not be saved, access is denied". Also, though the message
> >indicates the changes are not saved, if you open the share
> >properties window again and go to the same permission you just
> >tried to adjust, the group is there, but when you selected the
> >group from the AD container, it looked like "MRPARTYA\Domain
> >Users" and now it's listed as "SAND\Domain Users". SAND is the
> >hostname of the Samba server.
> >
> >Is this expected behavior? Due to winbindd making AD groups
> >and users appear as though they are local groups/users of the
> >Samba server? Samba logging indicates this:
> >
> >[2006/01/03 06:43:18, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993)
> > api_pipe_bind_req: unknown auth type 9 requested.
> >[2006/01/03 06:43:18, 1] smbd/service.c:make_connection_snum(642)
> > 192.168.0.7 (192.168.0.7) connect to service ftp initially
> >as user MRPARTYKA\administrator (uid=10000, gid=10000) (pid 3343)
> >[2006/01/03 06:43:18, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993)
> > api_pipe_bind_req: unknown auth type 9 requested.
> >[2006/01/03 06:43:22, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993)
> > api_pipe_bind_req: unknown auth type 9 requested.
> >[2006/01/03 06:43:29, 1] smbd/service.c:close_cnum(830)
> > 192.168.0.7 (192.168.0.7) closed connection to service ftp
> >
> >I have many messages in the Samba archive asking about entries
> >like this, but I did not see any responses explaining it.
> >
> >Any ideas about how I can correct this problem and manage
> >share permissions from the server MMC?
> >
> >TIA,
> >
> >
> >
> >On 1/3/06, Louis van Belle <louis at van-belle.nl > wrote:
> >
> > Hi,
> >
> > first which version of samba are you running?
> > are you running pdc or AD Member ?
> >
> > etc etc.
> > need more input ;-)
> >
> > Louis
> >
> >
> >
> > >-----Original message-----
> > >From: samba-bounces+louis=van-belle.nl at lists.samba.org
> > >[mailto:samba-bounces+louis=van-belle.nl at lists.samba.org]
> > >On behalf of Mike Partyka
> > >Sent: Monday 2 January 2006 23:50
> > >To: samba at lists.samba.org
> > >Subject: [Samba] Windows ACL modify ability?
> > >
> > >I have posted several questions now and have been unsuccessful
> > >in getting any responses, so I thought I would take a different tack.
> > >
> > >I know adjusting permissions on Samba shares, through the
> > >Microsoft MMC is possible when you have POSIX ACL support compiled
> > >in your kernel. I don't think that level of control is necessary
> > >for me and short of recompiling the kernel for that support I have
> > >been unable to adjust permissions on Samba shares through the MMC,
> > >I keep getting "Access is denied".
> > >
> > >Could someone just toss out a couple ideas about whether
> > >adjustments to ACLs are possible without kernel POSIX ACL support
> > >and if so, what some causes of the "Access is denied" could be?
> > >
> > >TIA,
> > >
> > >-MIKE
> > >--
> > >To unsubscribe from this list go to the following URL and read the
> > >instructions: https://lists.samba.org/mailman/listinfo/samba
> > >
> >
> >
> >
> >
> >
>
>
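Louis's first question in the thread, whether the kernel and filesystem support ACLs and extended attributes, can be checked for the share path from the mount table. The script below is an added example, not part of the original messages: the function names and the sample mount table are constructed, and it assumes a filesystem such as ext3 where `acl` and `user_xattr` show up as explicit mount options.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the filesystem holding
# a share path is mounted with acl and user_xattr.

# Constructed sample in /proc/mounts format; device names are made up.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,data=ordered 0 0
/dev/sda3 /ftproot ext3 rw,acl,user_xattr,data=ordered 0 0
/dev/sda2 /home ext3 rw,user_xattr 0 0'

# mount_opts PATH [MOUNTS_TEXT]
# Print the options of the longest mount point that is a prefix of PATH.
# Without MOUNTS_TEXT the live /proc/mounts is read.
mount_opts() {
    mounts=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$mounts" | awk -v p="$1" '
        {
            mp  = $2
            pre = (mp == "/") ? "/" : mp "/"
            # Compare with a trailing slash so /ftprootX does not match /ftproot.
            if (index(p "/", pre) == 1 && length(mp) > best) {
                best = length(mp); opts = $4
            }
        }
        END { print opts }'
}

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# share_fs_status PATH [MOUNTS_TEXT]: print "acl=yes|no xattr=yes|no".
share_fs_status() {
    opts=$(mount_opts "$1" "$2")
    acl=no
    xattr=no
    has_opt "$opts" acl && acl=yes
    has_opt "$opts" user_xattr && xattr=yes
    echo "acl=$acl xattr=$xattr"
}

# Stand-alone run against the constructed sample; drop the second argument
# to check the live system.
share_fs_status /ftproot "$SAMPLE_MOUNTS"
```

A `no` only means the option is not listed in the mount table; options stored as filesystem defaults do not appear there, so confirm by setting an ACL on a scratch file in the share with `setfacl`.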