[Samba] ACL Problems with Samba and ADS Integration

Mike Theory theory.mike at yahoo.com
Fri Nov 26 02:22:08 MST 2010

I am running a Samba box as a domain member in a Windows ADS domain (Windows Server 2003). The box has joined the ADS domain and the Kerberos authentication works; I can see "smbd" processes running with AD user accounts.
But I cannot set ACLs on the directories or the files located on the share. If I change them using Windows Explorer, they will either be ignored by Samba, or I get the message:
Unable to save Permission Changes on [Directory]
The parameter is incorrect
This message appears if I want to grant "Full Control" permissions on files or directories.
I am not an in-depth pro at configuring Samba, so maybe I made some configuration mistakes. I read about an ACL patch for Samba. I did not build Samba from the sources; I installed the packages and updates supplied by the OpenSUSE 11.3 distro.

My smb.conf file looks like this:
        workgroup = [MyDomain]
        security = ADS
        realm = [My.Kerberos.Realm]
        password server = pdc.emulator.at.my.domain
        server string = %L server (OpenSUSE, Samba)
        dns proxy = No
        disable spoolss = Yes
        show add printer wizard = No
        map to guest = Bad User
        domain logons = No
        domain master = No
        local master = No
        netbios name = [ThisServersName]
        wins support = No
        client use spnego = Yes
        idmap uid = 15000 - 25000
        idmap gid = 15000 - 25000
        template homedir = /home/%D/%U
        template shell = /bin/bash
        usershare allow guests = No
        winbind use default domain = Yes
        winbind refresh tickets = Yes
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind nested groups = Yes
        acl group control = Yes
        acl map full control = True
        ntlm auth = No
        lanman auth = No
        interfaces = bond0
        log level = 3 acls:5 winbind:5

        comment = All groups
        path = /raid
        read only = No
        inherit acls = Yes
        force directory security mode = 0770
        admin users = [MyDomain]\[DelegatedAdminUser]
        hide dot files = Yes
        hide unreadable = Yes

Can anyone figure out where the problem is? Do I need to compile from source and include some patches, or is the configuration the problem?
I did no group or user bindings with the "net" command.

Best Regards, Mike

