[Samba] Can't see or change ACLs on Windows

Eric Diven eric.diven at edsiohio.com
Tue Oct 30 14:59:41 GMT 2007


Okay, here's what I've figured out from trying to do what you suggested:

On CentOS, Administrator appears to be non-magical.  If the shared
directory is owned by root, with permissions 770, Administrator can't
even map the share and gets an access denied error.  If I add
DOMAIN+administrator to the admin users list for the share in the
smb.conf file, I can then map the drive AND change ownership on the
files in the directory, even if I don't own them initially.  I can't,
however (even once DOMAIN+administrator owns the file), add an entry to
the ACL using the Windows properties screen.  I can't add either a user
or a group to the ACL.  I can modify the unix ugw permissions, for
example, removing write access to the group of the file.

On Solaris, I'm seeing the same thing when I have it configured the same
as CentOS.

It's like Samba, for some reason, doesn't know its ass from its elbow
about ACLs on either Solaris or Linux.  Both appear to think they know:

(Solaris) 

bash-3.00# /usr/local/samba/sbin/smbd -b | grep ACL
   HAVE_SYS_ACL_H
   HAVE_SOLARIS_ACLS
   HAVE__ACL
   HAVE__FACL
bash-3.00#

(CentOS)

[root@localhost stastest]# /usr/local/samba/sbin/smbd -b | grep ACL
   HAVE_SYS_ACL_H
   HAVE_POSIX_ACLS
[root@localhost stastest]# 

As near as I've been able to google up, configuring and compiling with
--with-acl-support is the only thing you need to do to get Samba to
support them, apart from having a kernel/fs that supports ACLs, which
I've tested on both sides using regular unix tools.

~Eric

-----Original Message-----
From: Stas [mailto:narezatel at gmail.com] 
Sent: Tuesday, October 30, 2007 7:03 AM
To: Eric Diven
Cc: samba at lists.samba.org
Subject: Re: [Samba] Can't see or change ACLs on Windows

Is the user that logged in to Windows a member of the DOMAIN/administrators
group? It seems to have some meaning for Samba. Try to use the built-in
domain administrator account as a Windows login.
I removed all ACLs from the test directory and changed the owner user and
group to root, so getfacl shows:
# file: mnt/loop/1
# owner: root
# group: root
user::rwx
group::rwx
other::---

and no one had access to the files.
But I was still able to take ownership and after that set ACLs from the
Windows box if logged in as a user that is a member of the domain
administrators group, or as administrator itself.

By the way, do you try to set file access permissions or change the files'
owner? If you try to change ownership to some domain group you will always
get an "access denied" error, since Samba doesn't support group ownership.






On 10/29/07, Eric Diven <eric.diven at edsiohio.com> wrote:
>
>
> -----Original Message-----
> From: Stas [mailto:narezatel at gmail.com]
> Sent: Monday, October 29, 2007 1:37 PM
> To: Eric Diven
> Subject: Re: [Samba] Can't see or change ACLs on Windows
>
> Well, let's try again...
> Create test directory /samba/testdir
> Run # chmod 777 -R /samba/testdir
> Create share in smb.conf that points to /samba/test
> Create some file in the new share from the Windows box.
> Open file properties and check permissions and owner (you should see
> "Everyone - full control, CREATOR OWNER - full control, etc.", and the
> owner of the created file should be the user that logged in).
> Now try to set permissions; it should work.
> If you want to restrict users, remove "Everyone" from the ACL list;
> this will just reset the "Everyone" permission to "none", so no one will
> be able to modify files until you add specific users or groups to the
> ACL list.
> Looks strange, but it worked for me.
>
> Still no luck.
>
> Our new directory:
> drwxrwxrwx   2 W2K3TEST+bobadmin W2K3TEST+awriters     512 Oct 29 13:41 stastest
>
> [stastest]
>    path = /foo/stastest
>    writeable = yes
>    inherit owner = yes
>    inherit permissions = yes
>    inherit acls = yes
>    nt acl support = yes
>
> I've tried this with various inherit options on and off (including the
> dir sticky bit for inheriting group ownership) and still can't get it
> to go.  I've also tried with varying ownerships on the directory with
> no change.  Also, when I try to remove Everyone (or for that matter,
> the unix group or owner) from the ACL, it pops right back up.
> Everyone doesn't have Full Control set either.  Nor for that matter
> does the group that owns the file.  Both Everyone and the group get rw
> permissions.
>
> ~Eric
>
> On 10/29/07, Eric Diven <eric.diven at edsiohio.com> wrote:
> >
> >
> > -----Original Message-----
> > From: Stas [mailto:narezatel at gmail.com]
> > Sent: Friday, October 26, 2007 6:56 PM
> > To: Eric Diven
> > Cc: samba at lists.samba.org
> > Subject: Re: [Samba] Can't see or change ACLs on Windows
> >
> > Any errors in Samba's log?
> > What error exactly do you get at the Windows box when you try to set
> > permissions?
> >
> > Annoyingly, I'm not getting any logging for clients.  Why, I don't
> > know.  I see start-up messages correctly in the log.smbd file,
> > including those at log level 10, but not ones from clients.
> >
> > Here are the logging-related lines from smb.conf
> >
> > # this tells Samba to use a separate log file for each machine
> > # that connects
> >    log file = /var/log/samba/log.%m
> >
> > # Put a capping on the size of the log files (in Kb).
> >    max log size = 50
> >
> > The exact text of the error I get in Windows is:
> >
> > "Unable to save permission changes on hjkl.txt.
> >
> > Access is denied
> >            [OK]"
> >
> > As usual, I'm logged in as the owner of the file.
> >
> > Sigh.
> >
> > Thanks for your continuing help on this, by the way.  This is 
> > driving me nuts.
> >
> > ~Eric
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/listinfo/samba
> >
>
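
The two checks this thread keeps returning to (which ACL backend smbd was built with, and which share settings bear on ACL editing from Windows), as an added example that is not part of the original messages. The sample `smbd -b` output and smb.conf text are constructed from values quoted in the thread; the `admin users` line mirrors the workaround described in the top message and is flagged because users listed there perform all file operations on the share as root. The helper names `acl_backends`, `parse_shares` and `audit` are hypothetical, and the reader ignores smb.conf line continuations and includes.

```python
import re

# Constructed sample inputs modelled on values quoted in the thread.
SMBD_BUILD = "   HAVE_SYS_ACL_H\n   HAVE_POSIX_ACLS\n"
SMB_CONF = """\
[global]
   inherit acls = yes

[stastest]
   path = /foo/stastest
   nt acl support = yes
   admin users = DOMAIN+administrator
"""
ACL_BACKENDS = {"HAVE_POSIX_ACLS", "HAVE_SOLARIS_ACLS"}  # flags seen in the thread

def acl_backends(build_output):
    """Return the ACL backend flags present in `smbd -b` output."""
    return sorted(ACL_BACKENDS & set(build_output.split()))

def parse_shares(conf_text):
    """Minimal smb.conf reader: {section: {normalised key: value}}."""
    shares, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = shares.setdefault(header.group(1).lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return shares

def audit(conf_text):
    """Flag per-share settings that bear on ACL editing from Windows."""
    shares = parse_shares(conf_text)
    findings = []
    for name in sorted(set(shares) - {"global"}):
        eff = {**shares.get("global", {}), **shares[name]}
        if eff.get("nt acl support", "yes").lower() in ("no", "false", "0"):
            findings.append((name, "nt acl support is off"))
        if eff.get("admin users"):
            findings.append((name, "admin users act as root: " + eff["admin users"]))
    return findings

if __name__ == "__main__":
    print(acl_backends(SMBD_BUILD), audit(SMB_CONF))
```

On a real host, feed `acl_backends` the output of `smbd -b` and `audit` the contents of the active smb.conf.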

