[Samba] samba menber of AD domain and ACL support question

Eric Belhomme {gmane}+no/spam at ricospirit.net
Tue Jan 17 09:32:56 GMT 2006


I'm running a file server on a Debian Sarge Server with official packaged 
samba packages from debian (3.0.14a-Debian).

This server is a member of an AD Windows 2000 domain, so kerberos and 
winbind are well configured on this computer (AD members can log on and 
so on...)

Samba shares a volumes formatted with xfs from stock debian kernel 
(2.6.8-2-386) with acl extentions activated :

    path = /var/smbspool/pdf/nobody
    browseable = yes
    create mode = 666
    writable = yes
    nt acl support = yes

I put some basic acls ont his share :
srvpdf:/var/smbspool/pdf# getfacl ./nobody
# file: nobody
# owner: nobody
# group: nogroup

So ACLs on this share reports some members should get all privileges on 
this directory.

Now let's go on a Win2k workstation an logon at Administrator... If I 
browse the share and open properties/security options :
- users are well listed, for eatch user, there absolutly no privilege 
cases marked (all cases are blank)
- if I open advanced privileges, i can see users have rights (for example 
nobody and icsb2k/administrator have all privileges activated, 
icsb/domain users have only some)
- if i try to modify privileges (i'm logged a icsb2k\administrator) I get 
a message "Unable to save privileges on this share\n access forbidden" 
(axproximate translation, my windows is in french...)

my questions are :
- why get I a strange display on security option ?
- why can't I able to modify privileges via windows ?



More information about the samba mailing list