[Samba] permissions change from windows doesn't work

Ángel Galindo Muñoz agalindo at ub.edu
Fri May 12 06:59:50 GMT 2006


	Hi!

	This is a reply to an old mail, from one year ago ( 
http://lists.samba.org/archive/samba/2005-June/107570.html ). But this 
also replies to 
http://lists.samba.org/archive/samba/2003-October/075334.html and 
http://lists.samba.org/archive/samba/2003-November/002488.html .

	This issue is a Microsoft Windows malfunction. Microsoft Windows 
clients just can't remember which credentials to use to do that work. There 
are several actions which they do correctly: they can connect, can view 
permissions and can use the first security dialog, but when you try to 
go to the "Advanced tab", it performs some action in which it gets confused and 
doesn't know which credentials to use. Once I raised the log level (log 
level = 4) and saw that the client is trying to use the SID of the local 
user (the one from the client machine). This works fine if your Windows 
machine connects to shares on a Microsoft Domain, but fails when connecting to shares 
published from stand-alone servers.

	I think that this is the same problem which doesn't let "Admin Users" 
change ownership of files.

	There is a WORKAROUND for the first problem: Just authenticate this 
way: If your user is "vincent", then just use the credentials 
"whateveryouwant\vincent" (with the correct password for the "vincent" 
user). Then when the dialog asks again for valid credentials, give 
it "whateveryouwant\vincent" and the correct password again. This works.


	This is a malfunction. Call it a "bug", if you want. Microsoft Support 
says (explicitly) that this is done this way "by design" (mmmmm.... nice).


	The second problem (changing ownership) can be solved using smbcacls, 
which works fine ... but not recursively.


	Best regards,

-- 
Angel Galindo Muñoz
University of Barcelona, Spain




Pierre Dehaen wrote:
> Hi again,
> 
> FYI here are some links talking about the same problem (but no answer):
> <http://lists.samba.org/archive/samba/2003-October/075334.html>
> <http://lists.samba.org/archive/samba/2003-November/002488.html>
> <http://www.mcse.ms/message436146.html>
> 
> Note that on WinNT4 I can partially add permissions to a file: I see the users 
> when I click on "Show users" and I can use them but I cannot see the groups 
> that are available on the Samba server.
> 
> Note also that I see exactly the same when I try to connect a W2K to another 
> W2K (both standalone computers): although I'm connected to the share with 
> a username of the server, from the client I cannot change the permissions on 
> any file of the server !!!
> 
> So I have a basic question now: Is it simply possible, from a W2K/XP, to 
> change the permissions of a file on a share of a standalone server, i.e. 
> without both computers being members of a domain ? I can see a possible 
> commercial reason (from who you know) for this not being allowed, but is 
> there also a technical reason ? Note that some of the above links show the 
> same behavior within a domain... so I'm lost.
> 
> Thanks for any help,
> Pierre
> 
> On 28 Jun 2005 at 17:35, Pierre Dehaen wrote:
> 
> 
>>Hi, 
>>
>>After three days of googling, searching in this list, reading parts of the 
>>pdf, and testing, I  surrender: please help ! 
>>
>>Summary: 
>>I'm running 3.0.10a (binary from www.sunfreeware.com) on Solaris 
>>2.6 in standalone  mode (security=user). I use ACLs on files. I cannot, 
>>from windows (w2k, wxp pro), add  a user to the permissions of a file. 
>>
>>
>>Details: 
>>- The binary was compiled --with-acl-support as "smbd -b|grep ACL" 
>>and the sunfreeware site confirms. 
>>
>>- Solaris UFS supports ACLs. 
>>
>>- I don't use winbindd 
>>
>>- This is my smb.conf: 
>>[global] 
>>    workgroup = UNIX 
>>    server string = Samba Server 3.0 
>>    interfaces = x.x.x.x 
>>    map to guest = Bad User 
>>    username map = /usr/local/samba/private/users.map 
>>    log level = 4 
>>    log file = /usr/local/samba/var/log.%m 
>>    max log size = 500 
>>    deadtime = 30 
>>    keepalive = 0 
>>    dns proxy = No 
>>    ldap ssl = no 
>>    idmap uid = 10000-20000 
>>    idmap gid = 10000-20000 
>>
>>- The users.map did not exist at the beginning, but, as the PDF 
>>examples have one, I  created it with: 
>>    root = Administrator 
>>
>>- My users do exist on Solaris and are the same as the Windows users. 
>>
>>- The users were added on Samba with smbpasswd -a. 
>>
>>- My groups are mapped: 
>>    # net groupmap list | sort 
>>    Account Operators (S-1-5-32-548) -> -1 
>>    Administrators (S-1-5-32-544) -> -1 
>>    Backup Operators (S-1-5-32-551) -> -1 
>>    Domain Admins (S-1-5-21-3464024308-2102256894-3995807409-512) -> root 
>>    Domain Guests (S-1-5-21-3464024308-2102256894-3995807409-514) -> nobody 
>>    Domain Users (S-1-5-21-3464024308-2102256894-3995807409-513) -> staff 
>>    Engineer (S-1-5-21-3464024308-2102256894-3995807409-1305) -> engineer 
>>    Guests (S-1-5-32-546) -> -1 
>>    Inter (S-1-5-21-3464024308-2102256894-3995807409-1323) -> inter 
>>    Power Users (S-1-5-32-547) -> -1 
>>    Print Operators (S-1-5-32-550) -> -1 
>>    Replicators (S-1-5-32-552) -> -1 
>>    System Operators (S-1-5-32-549) -> -1 
>>    Users (S-1-5-32-545) -> -1 
>>
>>- A share is defined: 
>>[home1] 
>>        path = /export/home1 
>>        read only = No 
>>        guest ok = Yes 
>>
>>- A file is created on the share: 
>>    # touch /export/home1/test 
>>    # chown vincent:engineer /export/home1/test 
>>    # ls -l /export/home1/test 
>>    -rw-rw-r--   1 vincent   engineer       0 Jun 28 15:50 /export/home1/test 
>>
>>- From Windows 2K, when I right-click properties, Security, I can see 
>>the current  permissions: 
>>    Engineer (SERVER_NAME\Engineer) 
>>    Everyone 
>>    Vincent Xxxxx (SERVER_NAME\Vincent) 
>>
>>- Clicking on Advanced shows the permissions (respectively Special, 
>>Read, Special).  Click Cancel to come back to the Security tab. 
>>
>>- But when I click on Add, I receive a window saying "You are logged 
>>with an account  that does not have access to: SERVER_NAME. Enter 
>>the name and password of an  account with permissions for this 
>>domain and click ok." 
>>
>>- The equivalent test on WinNT4 (Properties, Security, Permissions, 
>>Add, Show users  works, Click on a user, Add, Read, Ok) works very 
>>well: an acl is created on the file. 
>>
>>
>>What's going on ??? I raised the debug level to 3, 4, even 10 but I can't 
>>catch anything  useful (to me). 
>>
>>TIA for any help, 
>>Pierre 
>>
>>
>>I hope this is not too long but a level 4 log gives (at the moment I click 
>>on the Add  button): 
>>[2005/06/28 16:16:02, 3] smbd/process.c:process_smb(1091) 
>>  Transaction 2072 of length 88 
>>[cut - see original message for details]
> 
> 
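
Added example, not part of the original message: a wrapper that supplies the recursion the reply says smbcacls lacks when changing ownership. It assumes the share's tree is also reachable as a local directory (on the server or through a mount) and that credentials are kept in an authentication file passed with `-A`; the function name, the `DRY_RUN` switch and the sample paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread): recursive chown via smbcacls.
# Assumptions: the share's tree is readable locally at ROOT, credentials are in
# AUTHFILE (smbcacls -A), and no file name contains a newline.

# Usage: smbcacls_chown_tree //server/share ROOT OWNER AUTHFILE
# DRY_RUN=1 prints the smbcacls commands instead of running them.
smbcacls_chown_tree() {
    unc=$1 root=${2%/} owner=$3 auth=$4
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 2; }

    find "$root" \( -type f -o -type d \) -print | LC_ALL=C sort | (
        rc=0
        while IFS= read -r p; do
            [ "$p" = "$root" ] && continue      # skip the share root itself
            rel=${p#"$root"/}                   # path relative to the share
            rel=$(printf '%s' "$rel" | tr / '\\')   # SMB path separators
            if [ "${DRY_RUN:-0}" = 1 ]; then
                printf "smbcacls '%s' '%s' -C '%s' -A '%s'\n" \
                    "$unc" "$rel" "$owner" "$auth"
            # stdin from /dev/null so smbcacls cannot swallow the file list
            elif ! smbcacls "$unc" "$rel" -C "$owner" -A "$auth" </dev/null
            then
                echo "smbcacls failed for: $rel" >&2
                rc=1                            # keep going, report at the end
            fi
        done
        exit "$rc"
    )
}
```

Run it once with `DRY_RUN=1` to review the generated commands before letting it change ownership on the share.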



