[Samba] Can't see or change ACLs on Windows
Eric Diven
eric.diven at edsiohio.com
Mon Oct 22 13:12:42 GMT 2007
Here's what I have set up. The ACLs on the directory afiles currently
do pretty much what I need them to do with Samba, which is to set up
permissions and ACLs on any files created in the directory by a Windows
client. It needs a little fine-tuning, but it's close.
bash-3.00# ls -l ; getfacl afiles
total 2
drwxrws---+ 2 W2K3TEST+bobadmin W2K3TEST+awriters 512 Oct 17 17:07 afiles
# file: afiles
# owner: W2K3TEST+bobadmin
# group: W2K3TEST+awriters
user::rwx
user:afile:rwx #effective:rwx
group::rwx #effective:rwx
group:afile:rwx #effective:rwx
group:W2K3TEST+areaders:r-x #effective:r-x
group:W2K3TEST+awriters:rwx #effective:rwx
group:W2K3TEST+admins:rwx #effective:rwx
mask:rwx
other:---
default:user::rwx
default:group::rwx
default:group:W2K3TEST+areaders:r-x
default:group:W2K3TEST+awriters:rwx
default:group:W2K3TEST+admins:rwx
default:mask:rwx
default:other:---
bash-3.00#
~Eric
-----Original Message-----
From: Stas [mailto:narezatel at gmail.com]
Sent: Friday, October 19, 2007 6:22 PM
To: Eric Diven
Cc: samba at lists.samba.org
Subject: Re: [Samba] Can't see or change ACLs on Windows
Strange...
Please post getfacl output.
On 10/19/07, Eric Diven <eric.diven at edsiohio.com> wrote:
> Whoops, these were both supposed to go to the list.
>
> If I log on as the owner of the file, I still can't add another entry
> to the ACL. I can change the permissions set on the user, group and
> world permissions, but that's it. I do see that the owner is
> identified as the user I'm logged in as.
>
> ~Eric
>
> -----Original Message-----
> From: Stas [mailto:narezatel at gmail.com]
> Sent: Friday, October 19, 2007 12:13 AM
> To: Eric Diven
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Can't see or change ACLs on Windows
>
> Make sure that user logged in to Windows box is an owner of files.
> As I know, only owner can change permissions.
> Try # chown "administrator/DOMAIN" /samba/test.txt, after that try
> to set permissions on this file from Windows.
>
>
> On 10/18/07, Eric Diven <eric.diven at edsiohio.com> wrote:
> > None when I open the security tab, but when I try to add an entry to
> > the ACL, I get:
> >
> > "Unable to save permission changes on directory on 'croesus running
> > samba (ipaddress)' (driveletter:).
> >
> > Access is denied."
> >
> > The smb.conf file is set up to allow admin access to both an AD user
> > and group:
> >
> > the relevant sections of the smb.conf file:
> >
> > [global]
> > workgroup = W2K3TEST
> > realm = W2K3TEST.LOCAL
> > server string = croesus running samba
> > security = ADS
> > log file = /var/log/samba/log.%m
> > max log size = 50
> > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> > printcap name = /etc/printcap
> > preferred master = No
> > dns proxy = No
> > idmap uid = 10000-20000
> > idmap gid = 10000-20000
> > winbind separator = +
> >
> > [afiles]
> > path = /foo/afiles
> > admin users = W2K3TEST+bobadmin, @W2K3TEST+admins
> > read only = No
> >
> > I've logged in both as another member of the W2K3TEST+admins group,
> > and as W2K3TEST+bobadmin, and that doesn't seem to have any effect
> > on whether or not it works. I've also tried adding a non-domain
> > user and group to the ACL on the Solaris side to see if that would
> > make an entry other than the standard permissions appear on Windows,
> > but to no avail.
> >
> > ~Eric
> >
> > -----Original Message-----
> > From: Stas [mailto:narezatel at gmail.com]
> > Sent: Thursday, October 18, 2007 3:39 PM
> > To: Volker.Lendecke at sernet.de
> > Cc: Eric Diven; samba at lists.samba.org
> > Subject: Re: [Samba] Can't see or change ACLs on Windows
> >
> > any errors on windows side when you try to set permissions?
> >
> > On 10/18/07, Volker Lendecke <Volker.Lendecke at sernet.de> wrote:
> > > On Thu, Oct 18, 2007 at 09:11:59AM -0400, Eric Diven wrote:
> > > > Here you go:
> > > >
> > > > bash-3.00# /usr/local/samba/sbin/smbd -b | grep ACL
> > > > HAVE_SYS_ACL_H
> > > > HAVE_SOLARIS_ACLS
> > > > HAVE__ACL
> > > > HAVE__FACL
> > > >
> > > > It looks plausible to me, but I'm assuming you know better than
> > > > I what
> > >
> > > That indeed looks right. No idea then, sorry. Maybe you want to
> > > look in a debug level 10 log of smbd, search for
> > > call_nt_transact_query_security_desc, maybe you find something
> > > obvious.
> > >
> > > Volker
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions: https://lists.samba.org/mailman/listinfo/samba
> > >
> > >
> >
>
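
Added example, not part of the original thread or of Samba: a Python script that parses the getfacl listing posted at the top of this message and reports which access entries on afiles have no matching default: entry, which are the entries that files created in the directory will not inherit. The function names are hypothetical and the sample text is the listing from the message.

```python
import re

# getfacl output for the directory, copied from the message above
# (the "ls -l" line and shell prompts are left out).
GETFACL_OUTPUT = """\
# file: afiles
# owner: W2K3TEST+bobadmin
# group: W2K3TEST+awriters
user::rwx
user:afile:rwx #effective:rwx
group::rwx #effective:rwx
group:afile:rwx #effective:rwx
group:W2K3TEST+areaders:r-x #effective:r-x
group:W2K3TEST+awriters:rwx #effective:rwx
group:W2K3TEST+admins:rwx #effective:rwx
mask:rwx
other:---
default:user::rwx
default:group::rwx
default:group:W2K3TEST+areaders:r-x
default:group:W2K3TEST+awriters:rwx
default:group:W2K3TEST+admins:rwx
default:mask:rwx
default:other:---
"""

# [default:]tag:[qualifier:]perms, e.g. "default:group:W2K3TEST+admins:rwx"
ENTRY = re.compile(r"^(default:)?(user|group|mask|other):(?:([^:]*):)?([rwx-]{3})$")

def parse_getfacl(text):
    """Return (access, default) dicts mapping (tag, qualifier) -> perms."""
    access, default = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop headers and "#effective:" notes
        if not line:
            continue
        m = ENTRY.match(line)
        if m is None:
            raise ValueError(f"unrecognised ACL line: {raw!r}")
        is_default, tag, qualifier, perms = m.groups()
        (default if is_default else access)[(tag, qualifier or "")] = perms
    return access, default

def inheritance_gaps(access, default):
    """Access entries whose default: counterpart is missing or differs.

    Each item is ((tag, qualifier), access_perms, default_perms_or_None).
    """
    return [(key, perms, default.get(key))
            for key, perms in sorted(access.items())
            if default.get(key) != perms]
```

On the listing above this reports the user:afile and group:afile entries, which exist on the directory itself but have no default: counterpart.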