[Samba] ACL Problems with Samba and ADS Integration
Mike Theory
theory.mike at yahoo.com
Fri Nov 26 02:22:08 MST 2010
I am running a Samba box as a domain member in a Windows ADS domain (Windows Server 2003). The box has joined the ADS domain and the Kerberos authentication works; I can see "smbd" processes running with AD user accounts.
But I cannot set ACLs on the directories or the files located on the share. If I change them using Windows Explorer, they are either ignored by Samba, or I get the message:
Unable to save Permission Changes on [Directory]
The parameter is incorrect
This message comes if I want to grant "Full Control" permissions on files or directories.
I am not an in-depth pro at configuring Samba, so maybe I made some configuration mistakes. I read about an ACL patch for Samba. I did not build Samba from the sources; I installed the packages and updates supplied by the OpenSUSE 11.3 distro.
My smb.conf file looks like this:
------------------------------------------------
[global]
workgroup = [MyDomain]
security = ADS
realm = [My.Kerberos.Realm]
password server = pdc.emulator.at.my.domain
server string = %L server (OpenSUSE, Samba)
dns proxy = No
disable spoolss = Yes
show add printer wizard = No
map to guest = Bad User
domain logons = No
domain master = No
local master = No
netbios name = [ThisServersName]
wins support = No
client use spnego = Yes
idmap uid = 15000 - 25000
idmap gid = 15000 - 25000
template homedir = /home/%D/%U
template shell = /bin/bash
usershare allow guests = No
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
acl group control = Yes
acl map full control = True
ntlm auth = No
lanman auth = No
interfaces = bond0
log level = 3 acls:5 winbind:5
[groups]
comment = All groups
path = /raid
read only = No
inherit acls = Yes
force directory security mode = 0770
admin users = [MyDomain]\[DelegatedAdminUser]
hide dot files = Yes
hide unreadable = Yes
------------------------------------------------
Can anyone figure out where the problem is? Do I need to compile from source and include some patches, or is the configuration the problem?
I did no group or user bindings with the "net" command.
Best Regards, Mike