[Samba] Can't see or change ACLs on Windows

Stas narezatel at gmail.com
Tue Oct 30 16:44:11 GMT 2007


I have the same compile flags:
HAVE_SYS_ACL_H
HAVE_POSIX_ACLS
I am using SLES10.

Try to add "debug level = 10" to smb.conf and then search for
"NT_STATUS_ACCESS_DENIED" in log.smbd.
Please post some lines of the log before the NT_STATUS_ACCESS_DENIED message.


On 10/30/07, Eric Diven <eric.diven at edsiohio.com> wrote:
> Okay, here's what I've figured out from trying to do what you suggested:
>
> On CentOS, Administrator appears to be non-magical.  If the shared
> directory is owned by root, with permissions 770, Administrator can't
> even map the share and gets an access denied error.  If I add
> DOMAIN+administrator to the admin users list for the share in the
> smb.conf file, I can then map the drive AND change ownership on the
> files in the directory, even if I don't own them initially.  I can't,
> however (even once DOMAIN+administrator owns the file) add an entry to
> the ACL using the Windows properties screen.  I can't add either a user
> or a group to the ACL.  I can modify the unix ugw permissions, for
> example, removing write access to the group of the file.
>
> On Solaris, I'm seeing the same thing when I have it configured the same
> as CentOS.
>
> It's like Samba, for some reason, doesn't know its ass from its elbow
> about ACLs on either Solaris or Linux.  Both appear to think they know:
>
> (Solaris)
>
> bash-3.00# /usr/local/samba/sbin/smbd -b | grep ACL
>    HAVE_SYS_ACL_H
>    HAVE_SOLARIS_ACLS
>    HAVE__ACL
>    HAVE__FACL
> bash-3.00#
>
> (CentOS)
>
> [root@localhost stastest]# /usr/local/samba/sbin/smbd -b | grep ACL
>    HAVE_SYS_ACL_H
>    HAVE_POSIX_ACLS
> [root@localhost stastest]#
>
> As near as I've been able to google up, configuring and compiling with
> --with-acl-support is the only thing you need to do to get samba to
> support them, apart from having a kernel/fs that support ACLs, which
> I've tested on both sides using regular unix tools.
>
> ~Eric
>
> -----Original Message-----
> From: Stas [mailto:narezatel at gmail.com]
> Sent: Tuesday, October 30, 2007 7:03 AM
> To: Eric Diven
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Can't see or change ACLs on Windows
>
> Is the user that is logged in to Windows a member of the DOMAIN/administrators
> group? It seems to have some meaning for Samba. Try to use the built-in domain
> administrator account as the Windows login.
> I removed all ACLs from the test directory and changed the owner user and group
> to root, so getfacl shows:
> # file: mnt/loop/1
> # owner: root
> # group: root
> user::rwx
> group::rwx
> other::---
>
> and no one had access to the files.
> But I was still able to take ownership and after that set ACLs from the
> Windows box if logged in as a user that is a member of the domain
> administrators group, or as administrator itself.
>
> BTW, do you try to set file access permissions or change the files' owner?
> If you try to change ownership to some domain group you will always get an
> "access denied" error since Samba doesn't support group ownership.
>
> On 10/29/07, Eric Diven <eric.diven at edsiohio.com> wrote:
> >
> >
> > -----Original Message-----
> > From: Stas [mailto:narezatel at gmail.com]
> > Sent: Monday, October 29, 2007 1:37 PM
> > To: Eric Diven
> > Subject: Re: [Samba] Can't see or change ACLs on Windows
> >
> > Well, let's try again...
> > Create the test directory "/samba/testdir".
> > Run # chmod 777 -R /samba/testdir
> > Create a share in smb.conf that points to /samba/test.
> > Create some file in the new share from the Windows box.
> > Open the file properties and check permissions and owner (you should see
> > "Everyone - full control, CREATOR OWNER - full control, etc.", and the
> > owner of the created file should be the user that is logged in). Now try
> > to set permissions; it should work.
> > If you want to restrict users, remove "Everyone" from the ACL list;
> > this will just reset the "Everyone" permission to "none", so no one will be
> > able to modify files until you add specific users or groups to the ACL list.
> > Looks strange, but it worked for me.
> >
> > Still no luck.
> >
> > Our new directory:
> > drwxrwxrwx   2 W2K3TEST+bobadmin W2K3TEST+awriters     512 Oct 29 13:41 stastest
> >
> > [stastest]
> >    path = /foo/stastest
> >    writeable = yes
> >    inherit owner = yes
> >    inherit permissions = yes
> >    inherit acls = yes
> >    nt acl support = yes
> >
> > I've tried this with various inherit options on and off (including the
> > dir sticky bit for inheriting group ownership) and still can't get it
> > to go.  I've also tried with varying ownerships on the directory with
> > no change.  Also, when I try to remove Everyone (or for that matter,
> > the unix group or owner) from the ACL, it pops right back up.
> > Everyone doesn't have Full Control set either.  Nor for that matter
> > does the group that owns the file.  Both Everyone and the group get rw
> > permissions.
> >
> > ~Eric
> >
> > ~Eric
> >
> > On 10/29/07, Eric Diven <eric.diven at edsiohio.com> wrote:
> > >
> > >
> > > -----Original Message-----
> > > From: Stas [mailto:narezatel at gmail.com]
> > > Sent: Friday, October 26, 2007 6:56 PM
> > > To: Eric Diven
> > > Cc: samba at lists.samba.org
> > > Subject: Re: [Samba] Can't see or change ACLs on Windows
> > >
> > > Any errors in Samba's log?
> > > What error exactly do you get on the Windows box when you try to set
> > > permissions?
> > >
> > > Annoyingly, I'm not getting any logging for clients.  Why, I don't
> > > know.
> > > I see start-up messages correctly in the log.smbd file, including
> > > those at log level 10, but not ones from clients.
> > >
> > > Here are the logging-related lines from smbd.conf
> > >
> > > # this tells Samba to use a separate log file for each machine
> > > # that connects
> > >    log file = /var/log/samba/log.%m
> > >
> > > # Put a capping on the size of the log files (in Kb).
> > >    max log size = 50
> > >
> > > The exact text of the error I get in Windows is:
> > >
> > > "Unable to save permission changes on hjkl.txt.
> > >
> > > Access is denied
> > >            [OK]"
> > >
> > > As usual, I'm logged in as the owner of the file.
> > >
> > > Sigh.
> > >
> > > Thanks for your continuing help on this, by the way.  This is
> > > driving me nuts.
> > >
> > > ~Eric
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/listinfo/samba
> > >
>
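
An added example, not part of the original thread and not Samba's own tooling: the log search suggested at the top of this message, written as a shell function that prints the log records leading up to each NT_STATUS_ACCESS_DENIED. With the `log file = /var/log/samba/log.%m` setting quoted above, client messages are written to the per-machine files, so those are worth scanning as well as log.smbd. Assumptions: each smbd record starts with a bracketed timestamp header line followed by indented text; the function names `denied_context` and `make_sample_log` and the sample log are constructed for illustration.

```sh
# Added example: show the log records that precede each NT_STATUS_ACCESS_DENIED.
# Assumption: a record starts with a "[YYYY/MM/DD hh:mm:ss, level]" header line.

# denied_context FILE [N]: print the N records before every denied record (default 3).
denied_context() {
    awk -v keep="${2:-3}" '
        function flush_rec(   i) {
            if (rec == "") return
            if (rec ~ /NT_STATUS_ACCESS_DENIED/) {
                for (i = 0; i < n; i++) print buf[i]   # context, oldest first
                print rec
                print "----"
                n = 0
            } else {
                buf[n++] = rec                          # remember as context
                if (n > keep) {                         # drop the oldest record
                    for (i = 1; i < n; i++) buf[i - 1] = buf[i]
                    n--
                }
            }
            rec = ""
        }
        /^\[[0-9][0-9][0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] / { flush_rec(); rec = $0; next }
        { rec = (rec == "" ? $0 : rec "\n" $0) }
        END { flush_rec() }
    ' "$1"
}

# Constructed sample log (not real smbd output); prints the temp file path.
make_sample_log() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
[2007/10/30 16:40:01, 3] smbd/service.c:make_connection_snum(0)
  client1 connect to service stastest
[2007/10/30 16:40:05, 10] smbd/open.c:open_file(0)
  opened file hjkl.txt
[2007/10/30 16:40:06, 10] smbd/posix_acls.c:set_nt_acl(0)
  set_nt_acl: called for file hjkl.txt
[2007/10/30 16:40:06, 3] smbd/error.c:error_packet(0)
  error packet: NT_STATUS_ACCESS_DENIED
[2007/10/30 16:40:09, 3] smbd/process.c:process_smb(0)
  next request
EOF
    printf '%s\n' "$sample"
}
log=$(make_sample_log)
denied_context "$log" 2
rm -f "$log"
# Real use: for f in /var/log/samba/log.*; do denied_context "$f" 5; done
```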

