[Samba] Samba 3 joined to samba 4 - problems with permissions on S3 server

Mark Rutherford mark at lowcountrybilling.com
Sat Oct 23 21:19:43 MDT 2010 

Hi all,
I am testing samba3 joined to a samba 4 domain controller.
Most things appear to be working okay - just not printer drivers and 
file permissions.
Machines can join the domain and use resources on the Samba 3 server, etc.
I can change permissions to my hearts content on the Samba4 shares, just 
not Samba3.
I cannot however set any permissions on shares or add printer drivers to 
the Samba 3 server.
Winbind appears to be working fine and getent group,passwd lists users 
and groups from the S4 server.
Samba 3 config is at the end of this email, the Samba 4 config is what I 
got in the provisioning step, with a test share added only.

The printer issue appears odd to me... I can browse to \\server\print$ 
and write to the folders there.
The typical folders: W32X86, IA64, etc etc. are all there and I can 
write to those as well.
When I look in the 'printers and faxes' share the printers are all 
listed there.
If i right-click in that share and go to server properties - > drivers 
tab the 4 buttons on the bottom are greyed out
as well as everything in the advanced tab.
If I right-click one of the printers a question is asked "the '' print 
driver is not installed.... would you like to add it"
There is a single quote in between 'the' and 'print' as above, which 
seemed strange.
If I answer 'no' I get the properties screen.
Answering yes appears to go thru the motions of moving files around once 
I select the driver.
No files are ever moved to the server, but to \windows\system32 
someplace on the workstation.
I can manipulate settings on the advanced tab without it complaining and 
it appears to save them EXCEPT the 'new driver' button which is greyed out.
Now, the file permissions on shares might be related to this, but I 
don't know.
I don't see anything in the logs that looks fatal when trying to 
manipulate printer settings or when opening the properties of a printer.

Now, setting file/folder permissions on shares does yield some 
complaints in the log.
(Excerpt is at the bottom)
It seems to be complaining about acl stuff.
I checked the mount options and remounted it as such:
/dev/drbd0 on /srv type ext3 (rw,user_xattr,acl)
(I don't know if it's supposed to be 'user_xttr' OR 'acl' - I tried one, 
then the other then both but no change)

Using 'getfacl' on the directory returns:
# file: files
# owner: mark
# group: domain\040users
# flags: ss-
user::rwx
group::rwx
group:domain\040admins:rwx
mask::rwx
other::rwx

I don't know if this is a good test or not....

Here is the log excerpt when changing permissions:

[2010/10/23 22:57:04,  3] smbd/process.c:1459(process_smb)
   Transaction 46157 of length 112 (0 toread)
[2010/10/23 22:57:04,  3] smbd/process.c:1273(switch_message)
   switch message SMBntcreateX (pid 2814) conn 0x7f618f683c60
[2010/10/23 22:57:04,  3] smbd/vfs.c:865(check_reduced_name)
   reduce_name [files/test] [/srv/servroot]
[2010/10/23 22:57:04,  3] smbd/vfs.c:974(check_reduced_name)
   reduce_name: files/test reduced to /srv/servroot/files/test
[2010/10/23 22:57:04,  3] smbd/dosmode.c:149(unix_mode)
   unix_mode(files/test) returning 0766
[2010/10/23 22:57:04,  3] smbd/vfs.c:865(check_reduced_name)
   reduce_name [files/test] [/srv/servroot]
[2010/10/23 22:57:04,  3] smbd/vfs.c:974(check_reduced_name)
   reduce_name: files/test reduced to /srv/servroot/files/test
[2010/10/23 22:57:04,  3] smbd/process.c:1459(process_smb)
   Transaction 46158 of length 172 (0 toread)
[2010/10/23 22:57:04,  3] smbd/process.c:1273(switch_message)
   switch message SMBnttrans (pid 2814) conn 0x7f618f683c60
[2010/10/23 22:57:04,  3] 
smbd/nttrans.c:1818(call_nt_transact_set_security_desc)
   call_nt_transact_set_security_desc: file = files/test, sent 0x4
[2010/10/23 22:57:04,  3] smbd/dosmode.c:149(unix_mode)
   unix_mode(files/test) returning 0766
[2010/10/23 22:57:04,  2] smbd/posix_acls.c:2796(set_canon_ace_list)
   set_canon_ace_list: sys_acl_set_file type file failed for file 
files/test (Operation not permitted).
[2010/10/23 22:57:04,  3] smbd/posix_acls.c:3846(set_nt_acl)
   set_nt_acl: failed to set file acl on file files/test (Operation not 
permitted).
[2010/10/23 22:57:04,  3] smbd/error.c:60(error_packet_set)
   error packet at smbd/nttrans.c(1828) cmd=160 (SMBnttrans) 
NT_STATUS_ACCESS_DENIED
[2010/10/23 22:57:04,  3] smbd/process.c:1459(process_smb)
   Transaction 46159 of length 45 (0 toread)
[2010/10/23 22:57:04,  3] smbd/process.c:1273(switch_message)
   switch message SMBclose (pid 2814) conn 0x7f618f683c60
[2010/10/23 22:57:04,  3] smbd/reply.c:4478(reply_close)
   close directory fnum=10795


Samba3 smb.conf:
[global]
workgroup = TEST
netbios name = test
realm = TEST.REALM.COM
preferred master = no
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
winbind separator = +
printcap name = cups
printing = cups
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes

[homes]
     comment = Home Directories
     read only = No
     browseable = No


[print$]
         comment = Printer Drivers
         path = /var/lib/samba/printers
         browseable = yes
         read only = yes
         guest ok = yes
         use client driver = yes
         write list = administrator, @"domain admins"

[printers]
         printable = yes
         writable = no
         path = /var/spool/samba
         comment = All Printers
         public = yes
         create mode = 0700
         printer admin = @"domain admins"

More information about the samba mailing list