[Samba] permissions change from windows doesn't work
Ángel Galindo Muñoz
agalindo at ub.edu
Fri May 12 06:59:50 GMT 2006
This is a reply to an old mail, from one year ago (
http://lists.samba.org/archive/samba/2005-June/107570.html ). But this
also replies to
This issue is a Microsoft Windows missfunction. Microsoft Windows
clients just can't remember which credentials use to do that work. There
are several actions which does correctly: can connect, can view
permissions and can use the first security dialog, but when you try to
go to the "Advanced tab" , this does some action in which it fools and
doesn't know which credentials use. Once I raised the log level (log
level = 4) and saw that the client is trying to use the SID of the local
user (the ones from the client machine). This works fine if your windows
connect to shares on a Microsoft Domain, but fails connecting to shares
published from Stand-Alone servers.
I think that this is the same problem which doesn't let "Admin Users"
change ownership of files.
There is a WORKAROUND for the first problem: Just authenticate this
way: If your user is "vincent", then just use the credencials
"whateveryouwant\vincent" (with the correct password for "vincent"
user). Then when the dialog asks again for valid credencials then give
him again "whateveryouwant\vincent" and the corrct password. This works.
This is a missfunction. Call it a "bug", if you want. Microsoft Support
says (explicitly) that this is done this way "by design" (mmmmm.... nice).
The second problem (changing ownership) can be solved using smbcacls,
which works fine ... but not recursively.
Angel Galindo Muñoz
University of Barcelona, Spain
Pierre Dehaen wrote:
> Hi again,
> FYI here are some links talking about the same problem (but no answer):
> Note that on WinNT4 I can partially add permissions to a file: I see the users
> when I click on "Show users" and I can use them but I cannot see the groups
> that are available on the Samba server.
> Note also that I see exactly the same when I try to connect a W2K to another
> W2K (both standalone computers): although I'm connected to the share with
> a username of the server, from the client I cannot change the permissions on
> any file of the server !!!
> So I have a basic question now: Is it simply possible, from a W2K/XP, to
> change the permissions of a file on a share of a standalone server, i.e.
> without both computers being member of a domain ? I can see a possible
> commercial reason (from who you know) for this not being allowed, but is
> there also a technical reason ? Note that some of the above links show the
> same behavior within a domain... so I'm lost.
> Thanks for any help,
> On 28 Jun 2005 at 17:35, Pierre Dehaen wrote:
>>After three days of googling, searching in this list, reading parts of the
>>pdf, and testing, I surrender: please help !
>>I'm running 3.0.10a (binary from www.sunfreeware.com) on Solaris
>>2.6 in standalone mode (security=user). I use ACLs on files. I cannot,
>>from windows (w2k, wxp pro), add a user to the permissions of a file.
>>- The binary was compiled --with-acl-support as "smbd -b|grep ACL"
>>and the sunfreeware site confirm.
>>- Solaris UFS supports ACLs.
>>- I don't use winbindd
>>- This is my smb.conf:
>> workgroup = UNIX
>> server string = Samba Server 3.0
>> interfaces = x.x.x.x
>> map to guest = Bad User
>> username map = /usr/local/samba/private/users.map
>> log level = 4
>> log file = /usr/local/samba/var/log.%m
>> max log size = 500
>> deadtime = 30
>> keepalive = 0
>> dns proxy = No
>> ldap ssl = no
>> idmap uid = 10000-20000
>> idmap gid = 10000-20000
>>- The users.map did not exist at the beginning, but, as the PDF
>>examples have one, I created it with:
>> root = Administrator
>>- My users do exist on Solaris and are the same as the Windows users.
>>- The users were added on Samba with smbpasswd -a.
>>- My groups are mapped:
>> # net groupmap list | sort
>> Account Operators (S-1-5-32-548) -> -1
>> Administrators (S-1-5-32-544) -> -1
>> Backup Operators (S-1-5-32-551) -> -1
>> Domain Admins (S-1-5-21-3464024308-2102256894-3995807409-512) -> root
>> Domain Guests (S-1-5-21-3464024308-2102256894-3995807409-514) -> nobody
>> Domain Users (S-1-5-21-3464024308-2102256894-3995807409-513) -> staff
>> Engineer (S-1-5-21-3464024308-2102256894-3995807409-1305) -> engineer
>> Guests (S-1-5-32-546) -> -1
>> Inter (S-1-5-21-3464024308-2102256894-3995807409-1323) -> inter
>> Power Users (S-1-5-32-547) -> -1
>> Print Operators (S-1-5-32-550) -> -1
>> Replicators (S-1-5-32-552) -> -1
>> System Operators (S-1-5-32-549) -> -1
>> Users (S-1-5-32-545) -> -1
>>- A share is defined:
>> path = /export/home1
>> read only = No
>> guest ok = Yes
>>- A file is created on the share:
>> # touch /export/home1/test
>> # chown vincent:engineer /export/home1/test
>> # ls -l /export/home1/test
>> -rw-rw-r-- 1 vincent engineer 0 Jun 28 15:50 /export/home1/test
>>- From Windows 2K, when I right-click properties, Security, I can see
>>the current permissions:
>> Engineer (SERVER_NAME\Engineer)
>> Vincent Xxxxx (SERVER_NAME\Vincent)
>>- Clicking on Advanced shows the permissions (respectively Special,
>>Read, Special). Click Cancel to come back to the Security tab.
>>- But when I click on Add, I receive a window saying "You are logged
>>with an account that does not have access to: SERVER_NAME. Enter
>>the name and password of an account with permissions for this
>>domain and click ok."
>>- The equivalent test on WinNT4 (Properties, Security, Permissions,
>>Add, Show users works, Click on a user, Add, Read, Ok) works very
>>well: an acl is created on the file.
>>What's going on ??? I raised the debug level to 3, 4, even 10 but I can't
>>catch anything useful (to me).
>>TIA for any help,
>>I hope this is not too long but a level 4 log gives (at the moment I click
>>on the Add button):
>>[2005/06/28 16:16:02, 3] smbd/process.c:process_smb(1091)
>> Transaction 2072 of length 88
>>[cut - see original message for details]
More information about the samba