[Samba] manage permissions from Windows security tab
Mike Rambo
mrambo at lsd.k12.mi.us
Thu Apr 1 10:01:21 MDT 2010
We have been changing stand-alone servers at remote buildings from being
PDCs in their own domain to being members of an AD domain.
After some initial hiccups I think we are most of the way there. The
boxes are joining the domain and users are mostly able to access their
files. The last remaining issue (so far) is that we find we are unable
to manage permissions via the windows security tab. All attempts to do
so are met with "unable to save permissions" along with either "access
denied" or "the parameter is incorrect". The latter only occurs on the
public share. I have read that new users and groups cannot be added via
that interface but that permission changes themselves should work.
ACLs are activated and look like they are working on the shared areas
(at least getfacl/setfacl appear to work ok).
[root at franks-dc1 opt]# ll
drwxrws---+ 3 LPSD+cisitadmin LPSD+enterprise admins 4096 Nov 28 2006 appinstalls
drwxrws---+ 2 LPSD+cisitadmin LPSD+franks-staff 4096 Aug 3 2004 bldgshrs
drwxrwsrwx+ 8 LPSD+cisitadmin LPSD+domain users 4096 May 18 2009 public
[root at franks-dc1 opt]# getfacl public
# file: public
# owner: LPSD+cisitadmin
# group: LPSD+domain\040users
user::rwx
group::rwx
other::rwx
default:user::rwx
default:user:LPSD+cisitadmin:rwx
default:group::rwx
default:group:LPSD+domain\040users:rwx
default:mask::rwx
default:other::---
I did level 10 logs but my untrained eyes found only the following and
have been unable to figure out why. The test involved setting the level
10 logging and then connecting via Computer Management from a 2003
server on the AD domain to the already joined Linux/Samba box. Then I
tried to set permissions first on the Bldgshare share and followed by
the Public share. Following are the only errors/failures I saw.
log.evrt-dc1: acl_set_file failed: Operation not permitted
log.evrt-dc1: set_canon_ace_list: sys_acl_set_file type file failed for file . (Operation not permitted).
log.evrt-dc1: set_nt_acl: failed to set file acl on file . (Operation not permitted).
log.evrt-dc1: acl_set_file failed: Operation not permitted
log.evrt-dc1: set_canon_ace_list: sys_acl_set_file type file failed for file . (Operation not permitted).
log.evrt-dc1: set_nt_acl: failed to set file acl on file . (Operation not permitted).
Full logs are at http://hgrepo.lansingschools.net as they are large.
Samba version is 3.5.1 on CentOS 4.8.
Samba configuration:
[global]
workgroup = LPSD
netbios name = FRANKS-DC1
realm = LPSD.LOCAL
server string = Samba PDC %v
printcap name = CUPS
load printers = yes
printing = cups
printcap = cups
log file = /var/log/samba/log.%m
log level = 10
; max log size = 100
security = ADS
syslog = 0
ldap ssl = no
template shell = /bin/bash
winbind separator = +
enable privileges = yes
allow trusted domains = No
idmap backend = idmap_rid:LPSD=500-100000000
idmap uid = 500-100000000
idmap gid = 500-100000000
winbind use default domain = Yes
winbind enum users = No
winbind enum groups = No
winbind nested groups = Yes
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
passdb backend = tdbsam
username map = /etc/samba/smbusers
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
os level = 63
preferred master = yes
logon home =
logon path =
wins support = yes
dns proxy = no
[Public]
comment = Public Stuff
path = /opt/public
public = yes
guest ok = yes
writable = yes
create mask = 0777
directory mask = 0777
force security mode = 0
directory security mask = 0777
force directory security mode = 0
browseable = yes
printable = no
nt acl support = yes
write list = @"LPSD+Enterprise Admins", @LPSD+technicians, root
admin users = @"LPSD+Enterprise Admins"
[Bldgshare]
path = /opt/bldgshrs
comment = Building share
create mask = 0777
directory mask = 0777
force security mode = 0
directory security mask = 0777
force directory security mode = 0
read only = yes
printable = no
nt acl support = yes
valid users = @LPSD+franks-teachers, @LPSD+franks-staff, @"LPSD+Enterprise Admins", @LPSD+technicians, @LPSD+netmgrs
write list = @LPSD+franks-teachers, @LPSD+franks-staff, @"LPSD+Enterprise Admins", @LPSD+technicians, @LPSD+netmgrs
Any and all advice would be greatly appreciated. I'm beginning to feel
like I've read half the web over the last two days and am no closer to a
solution.
Regards,
--
Mike Rambo
NOTE: In order to control energy costs the light at the end
of the tunnel has been shut off until further notice...
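The getfacl listing in the post above is easier to reason about once the octal escapes (the "\040" standing for the space in "LPSD+domain users") are decoded and the mask is applied to the entries it governs. The following parser is an added example, not code from the post or from Samba; the sample text is a copy of the post's getfacl output, and the second mask used in the usage note is a constructed value.

```python
"""Parse getfacl(1) output and compute per-entry effective permissions.
Added illustration: decodes getfacl's \\NNN octal escapes and applies the
ACL mask to named users, the owning group and named groups."""
import re

# Sample input: the getfacl output quoted in the post (copied, raw string
# so the \040 escape survives exactly as getfacl printed it).
SAMPLE = r"""# file: public
# owner: LPSD+cisitadmin
# group: LPSD+domain\040users
user::rwx
group::rwx
other::rwx
default:user::rwx
default:user:LPSD+cisitadmin:rwx
default:group::rwx
default:group:LPSD+domain\040users:rwx
default:mask::rwx
default:other::---
"""

def unescape(name):
    """getfacl writes spaces and non-printable bytes as \\NNN octal escapes."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_acl(text):
    """Return {"access": [...], "default": [...]}; items are (tag, qualifier, perms)."""
    acl = {"access": [], "default": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):      # skip comments and blanks
            continue
        scope = "access"
        if line.startswith("default:"):           # inherited-by-children entries
            scope, line = "default", line[len("default:"):]
        tag, qual, perms = line.split(":", 2)     # e.g. "user:LPSD+cisitadmin:rwx"
        acl[scope].append((tag, unescape(qual), perms))
    return acl

def effective(entries):
    """Map "tag:qualifier" -> permissions after the mask (if any) is applied.
    The mask limits named users, the owning group and named groups; the
    owning user and 'other' are never masked."""
    mask = next((p for t, q, p in entries if t == "mask"), None)
    out = {}
    for tag, qual, perms in entries:
        if mask is not None and (tag == "group" or (tag == "user" and qual)):
            perms = "".join(c if c in mask else "-" for c in perms)
        out[f"{tag}:{qual}"] = perms
    return out
```

With the post's listing, `effective(parse_acl(SAMPLE)["default"])` shows "LPSD+domain users" keeping rwx because the default mask is rwx; changing that mask to a constructed r-x would silently reduce every group entry to r-x, which is the kind of discrepancy to check when the Windows security tab and getfacl appear to disagree.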