[Samba] Can't see or change ACLs on Windows

Eric Diven eric.diven at edsiohio.com
Mon Oct 22 13:12:42 GMT 2007


Here's what I have set up.  The ACLs on the directory afiles currently
do pretty much what I need them to do with Samba, which is to set up
permissions and ACLs on any files created in the directory by a Windows
client.  It needs a little fine-tuning, but it's close.

bash-3.00# ls -l ; getfacl afiles
total 2
drwxrws---+  2 W2K3TEST+bobadmin W2K3TEST+awriters     512 Oct 17 17:07 afiles

# file: afiles
# owner: W2K3TEST+bobadmin
# group: W2K3TEST+awriters
user::rwx
user:afile:rwx          #effective:rwx
group::rwx              #effective:rwx
group:afile:rwx         #effective:rwx
group:W2K3TEST+areaders:r-x             #effective:r-x
group:W2K3TEST+awriters:rwx             #effective:rwx
group:W2K3TEST+admins:rwx               #effective:rwx
mask:rwx
other:---
default:user::rwx
default:group::rwx
default:group:W2K3TEST+areaders:r-x
default:group:W2K3TEST+awriters:rwx
default:group:W2K3TEST+admins:rwx
default:mask:rwx
default:other:---
bash-3.00# 

~Eric

-----Original Message-----
From: Stas [mailto:narezatel at gmail.com] 
Sent: Friday, October 19, 2007 6:22 PM
To: Eric Diven
Cc: samba at lists.samba.org
Subject: Re: [Samba] Can't see or change ACLs on Windows

Strange...
Please post getfacl output.

On 10/19/07, Eric Diven <eric.diven at edsiohio.com> wrote:
> Whoops, these were both supposed to go to the list.
>
> If I log on as the owner of the file, I still can't add another entry
> to the ACL.  I can change the permissions set on the user, group and
> world permissions, but that's it.  I do see that the owner is
> identified as the user I'm logged in as.
>
> ~Eric
>
> -----Original Message-----
> From: Stas [mailto:narezatel at gmail.com]
> Sent: Friday, October 19, 2007 12:13 AM
> To: Eric Diven
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Can't see or change ACLs on Windows
>
> Make sure that the user logged in to the Windows box is an owner of the files.
> As far as I know, only the owner can change permissions.
> Try  # chown "administrator/DOMAIN" /samba/test.txt  , after that try
> to set permissions on this file from Windows.
>
>
> On 10/18/07, Eric Diven <eric.diven at edsiohio.com> wrote:
> > None when I open the security tab, but when I try to add an entry to
> > the ACL, I get:
> >
> > "Unable to save permission changes on directory on 'croesus running 
> > samba (ipaddress)' (driveletter:).
> >
> > Access is denied."
> >
> > The smb.conf file is set up to allow admin access to both an AD user
> > and group:
> >
> > the relevant sections of the smb.conf file:
> >
> > [global]
> >         workgroup = W2K3TEST
> >         realm = W2K3TEST.LOCAL
> >         server string = croesus running samba
> >         security = ADS
> >         log file = /var/log/samba/log.%m
> >         max log size = 50
> >         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >         printcap name = /etc/printcap
> >         preferred master = No
> >         dns proxy = No
> >         idmap uid = 10000-20000
> >         idmap gid = 10000-20000
> >         winbind separator = +
> >
> > [afiles]
> >         path = /foo/afiles
> >         admin users = W2K3TEST+bobadmin, @W2K3TEST+admins
> >         read only = No
> >
> > I've logged in both as another member of the W2K3TEST+admins group,
> > and as W2K3TEST+bobadmin, and that doesn't seem to have any effect
> > on whether or not it works.  I've also tried adding a non-domain
> > user and group to the ACL on the Solaris side to see if that would
> > make an entry other than the standard permissions appear on Windows,
> > but to no avail.
> >
> > ~Eric
> >
> > -----Original Message-----
> > From: Stas [mailto:narezatel at gmail.com]
> > Sent: Thursday, October 18, 2007 3:39 PM
> > To: Volker.Lendecke at sernet.de
> > Cc: Eric Diven; samba at lists.samba.org
> > Subject: Re: [Samba] Can't see or change ACLs on Windows
> >
> > Any errors on the Windows side when you try to set permissions?
> >
> > On 10/18/07, Volker Lendecke <Volker.Lendecke at sernet.de> wrote:
> > > On Thu, Oct 18, 2007 at 09:11:59AM -0400, Eric Diven wrote:
> > > > Here you go:
> > > >
> > > > bash-3.00# /usr/local/samba/sbin/smbd -b | grep ACL
> > > >    HAVE_SYS_ACL_H
> > > >    HAVE_SOLARIS_ACLS
> > > >    HAVE__ACL
> > > >    HAVE__FACL
> > > >
> > > > It looks plausible to me, but I'm assuming you know better than 
> > > > I what
> > >
> > > That indeed looks right. No idea then, sorry. Maybe you want to
> > > look in a debug level 10 log of smbd, search for
> > > call_nt_transact_query_security_desc, maybe you find something
> > > obvious.
> > >
> > > Volker
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/listinfo/samba
> > >
> > >
> >
>
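
Added example (not part of the thread and not Samba code): a short Python parser for the Solaris getfacl listing in the top message. It reports the named entries on afiles that have no default: counterpart, and so are not handed down to files created in the directory, and the named users and groups that get effective write access through the default entries. The function names are made up for this illustration.

```python
import re

# getfacl output for afiles from the message above (owner/group header lines omitted).
GETFACL = """\
# file: afiles
user::rwx
user:afile:rwx          #effective:rwx
group::rwx              #effective:rwx
group:afile:rwx         #effective:rwx
group:W2K3TEST+areaders:r-x             #effective:r-x
group:W2K3TEST+awriters:rwx             #effective:rwx
group:W2K3TEST+admins:rwx               #effective:rwx
mask:rwx
other:---
default:user::rwx
default:group::rwx
default:group:W2K3TEST+areaders:r-x
default:group:W2K3TEST+awriters:rwx
default:group:W2K3TEST+admins:rwx
default:mask:rwx
default:other:---
"""

ENTRY = re.compile(r"^(default:)?(user|group|mask|other):(?:([^:]*):)?([rwx-]{3})")

def parse_getfacl(text):
    """Return (access, default) dicts mapping (tag, name) -> 'rwx' string."""
    access, default = {}, {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            is_default, tag, name, perms = m.groups()
            (default if is_default else access)[(tag, name or "")] = perms
    return access, default

def effective(perms, mask):
    """Named-user, owning-group and named-group entries are limited by the mask."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def not_inherited(access, default):
    """Named entries on the directory that have no default: counterpart."""
    return [k for k in access if k[1] and k not in default]

def default_writers(default):
    """Named users/groups with effective write in the default (inherited) ACL."""
    mask = default.get(("mask", ""), "rwx")
    return sorted(n for (t, n), p in default.items() if n and "w" in effective(p, mask))

access, default = parse_getfacl(GETFACL)
print(not_inherited(access, default), default_writers(default))
```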

