[Samba] manage permissions from windows security tab

Mike Rambo mrambo at lsd.k12.mi.us
Thu Apr 1 10:01:21 MDT 2010


We have been changing stand-alone servers at remote buildings from being 
PDCs in their own domain to being members of an AD domain.

After some initial hiccups I think we are most of the way there. The 
boxes are joining the domain and users are mostly able to access their 
files. The last remaining issue (so far) is that we find we are unable 
to manage permissions via the Windows security tab. All attempts to do 
so are met with "unable to save permissions" along with either "access 
denied" or "the parameter is incorrect". The latter only occurs on the 
public share. I have read that new users and groups cannot be added via 
that interface, but that permission changes themselves should work.

ACLs are activated and look like they are working on the shared areas 
(at least getfacl/setfacl appear to work OK).

[root at franks-dc1 opt]# ll
drwxrws---+ 3 LPSD+cisitadmin LPSD+enterprise admins  4096 Nov 28  2006 appinstalls
drwxrws---+ 2 LPSD+cisitadmin LPSD+franks-staff       4096 Aug  3  2004 bldgshrs
drwxrwsrwx+ 8 LPSD+cisitadmin LPSD+domain users       4096 May 18  2009 public

[root at franks-dc1 opt]# getfacl public
# file: public
# owner: LPSD+cisitadmin
# group: LPSD+domain\040users
user::rwx
group::rwx
other::rwx
default:user::rwx
default:user:LPSD+cisitadmin:rwx
default:group::rwx
default:group:LPSD+domain\040users:rwx
default:mask::rwx
default:other::---

I did level 10 logs, but my untrained eyes found only the following and 
have been unable to figure out why. The test involved setting the level 
10 logging and then connecting via Computer Management from a 2003 
server on the AD domain to the already joined Linux/Samba box. Then I 
tried to set permissions, first on the Bldgshare share and then on 
the Public share. Following are the only errors/failures I saw.

log.evrt-dc1:  acl_set_file failed: Operation not permitted
log.evrt-dc1:  set_canon_ace_list: sys_acl_set_file type file failed for file . (Operation not permitted).
log.evrt-dc1:  set_nt_acl: failed to set file acl on file . (Operation not permitted).
log.evrt-dc1:  acl_set_file failed: Operation not permitted
log.evrt-dc1:  set_canon_ace_list: sys_acl_set_file type file failed for file . (Operation not permitted).
log.evrt-dc1:  set_nt_acl: failed to set file acl on file . (Operation not permitted).

Full logs are at http://hgrepo.lansingschools.net as they are large.

Samba version is 3.5.1 on CentOS 4.8.

Samba configuration:

[global]
    workgroup = LPSD
    netbios name = FRANKS-DC1
    realm = LPSD.LOCAL
    server string = Samba PDC %v
    printcap name = CUPS
    load printers = yes
    printing = cups
    printcap = cups
    log file = /var/log/samba/log.%m
    log level = 10
;   max log size = 100
    security = ADS
    syslog = 0
    ldap ssl = no
    template shell = /bin/bash
    winbind separator = +
    enable privileges = yes
    allow trusted domains = No
    idmap backend = idmap_rid:LPSD=500-100000000
    idmap uid = 500-100000000
    idmap gid = 500-100000000
    winbind use default domain = Yes
    winbind enum users = No
    winbind enum groups = No
    winbind nested groups = Yes
    encrypt passwords = yes
    smb passwd file = /etc/samba/smbpasswd
    passdb backend = tdbsam
    username map = /etc/samba/smbusers
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
    os level = 63
    preferred master = yes
    logon home =
    logon path =
    wins support = yes
    dns proxy = no

[Public]
    comment = Public Stuff
    path = /opt/public
    public = yes
    guest ok = yes
    writable = yes
    create mask = 0777
    directory mask = 0777
    force security mode = 0
    directory security mask = 0777
    force directory security mode = 0
    browseable = yes
    printable = no
    nt acl support = yes
    write list = @"LPSD+Enterprise Admins", @LPSD+technicians, root
    admin users = @"LPSD+Enterprise Admins"

[Bldgshare]
    path = /opt/bldgshrs
    comment = Building share
    create mask = 0777
    directory mask = 0777
    force security mode = 0
    directory security mask = 0777
    force directory security mode = 0
    read only = yes
    printable = no
    nt acl support = yes
    valid users = @LPSD+franks-teachers, @LPSD+franks-staff, @"LPSD+Enterprise Admins", @LPSD+technicians, @LPSD+netmgrs
    write list = @LPSD+franks-teachers, @LPSD+franks-staff, @"LPSD+Enterprise Admins", @LPSD+technicians, @LPSD+netmgrs


Any and all advice would be greatly appreciated. I'm beginning to feel 
like I've read half the web over the last two days and am no closer to a 
solution.

Regards,


-- 
Mike Rambo


NOTE: In order to control energy costs the light at the end
of the tunnel has been shut off until further notice...
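An added example that is not part of the original post: a small Python parser for the getfacl output format shown in the post, which evaluates what a given domain user is granted by the access ACL and whether that user may replace the ACL at all. On Linux, acl_set_file() (the call named in the log lines) fails with "Operation not permitted" when the caller is neither the file's owner nor root, so that ownership check is what the Windows security tab ultimately depends on. The sample text and the user/group names passed in are constructed for illustration.

```python
import re

# Constructed sample modelled on the getfacl output in the post; not a capture.
SAMPLE = """\
# file: public
# owner: LPSD+cisitadmin
# group: LPSD+domain\\040users
user::rwx
group::rwx
other::rwx
default:user::rwx
default:user:LPSD+cisitadmin:rwx
default:group::rwx
default:group:LPSD+domain\\040users:rwx
default:mask::rwx
default:other::---
"""

def unescape(s):
    # getfacl writes spaces and other special bytes as \NNN octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)

def parse_getfacl(text):
    """Return {'path','owner','group','access':{(tag,qual):perms},'default':{...}}."""
    acl = {"access": {}, "default": {}}
    for line in text.splitlines():
        if line.startswith("#"):                      # header line, e.g. "# owner: NAME"
            key, _, val = line[1:].partition(":")
            acl[{"file": "path"}.get(key.strip(), key.strip())] = unescape(val.strip())
        elif line.strip():
            parts = line.split("#")[0].strip().split(":")   # drop "#effective:" notes
            table = acl["access"]
            if parts[0] == "default":                 # default entries apply to new children
                table, parts = acl["default"], parts[1:]
            tag, qual, perms = parts
            table[(tag, unescape(qual))] = perms
    return acl

def can_set_acl(acl, user, uid):
    """acl_set_file() succeeds only for the file's owner or root (CAP_FOWNER)."""
    return uid == 0 or user == acl["owner"]

def masked(perms, mask):
    return "".join(p if p in perms and p in mask else "-" for p in "rwx")

def effective_perms(acl, user, groups):
    """POSIX ACL evaluation order: owner, named user, owning/named groups, other."""
    acc = acl["access"]
    mask = acc.get(("mask", ""), "rwx")
    if user == acl["owner"]:
        return acc[("user", "")]                      # mask never applies to the owner
    if ("user", user) in acc:
        return masked(acc[("user", user)], mask)
    matched, granted = False, set()
    for g in groups:                                  # any matching group entry counts
        key = ("group", "") if g == acl["group"] else ("group", g)
        if key in acc:
            matched, granted = True, granted | set(acc[key])
    return masked(granted, mask) if matched else acc[("other", "")]
```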