[Samba] setfacl: Option -m: Invalid argument near character 3

L.P.H. van Belle belle at bazuin.nl
Fri Dec 19 07:08:32 MST 2014 

Wel its up to you. 

sssd has it advantages, but in using debian and sssd on debian it a bit old. 
So i did stick to winbind. 

The settings i did send are set on ALL my server, DC and Member servers. 


I use de ADUC for setting the unix attributes 
https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC 


and the sernet package is : sernet-samba-winbind  ( on debian ) 

I have to go out of the office.. 

Good luck, hope this helped a bit. 

Greetz, 

Louis


>-----Oorspronkelijk bericht-----
>Van: rwebb at zylatech.com [mailto:samba-bounces at lists.samba.org] 
>Namens Rich Webb
>Verzonden: vrijdag 19 december 2014 14:59
>Aan: samba at lists.samba.org
>Onderwerp: Re: [Samba] setfacl: Option -m: Invalid argument 
>near character 3
>
>The only thing I have in my smb.conf that is related is this:
>
> idmap_ldb:use rfc2307 = yes
>
>I don't have any of that other stuff for mapping ids.  
>
>Is there a howto on that somewhere? 
>
>and my nsswitch.conf I have:
>
>passwd:     files sss
>shadow:     files
>group:      files sss
>
>the sss was only because I was trying sss but it was ONLY "files" to
>start with.
>
>Rich
>
>-----Original Message-----
>From: samba-bounces at lists.samba.org
>[mailto:samba-bounces at lists.samba.org] On Behalf Of L.P.H. van Belle
>Sent: Friday, December 19, 2014 8:53 AM
>To: samba at lists.samba.org
>Subject: Re: [Samba] setfacl: Option -m: Invalid argument near 
>character
>3
>
>Im did not follow the complete thread, but you can check the following.
>
>smb.conf 
>
>   ## map id's outside to domain to tdb files.
>   idmap config *:backend = tdb
>   idmap config *:range = 50001-80000
>   ## map ids from the domain  the range may not overlap !
>   idmap config DOMAIN:backend = ad
>   idmap config DOMAIN:schema_mode = rfc2307
>   idmap config DOMAIN:range = 10000-40000
>
>   winbind nss info = rfc2307
>   winbind trusted domains only = no
>   winbind use default domain = yes
>   winbind enum users  = yes
>   winbind enum groups = yes
>   winbind refresh tickets = yes
>   winbind offline logon = yes
> 
>
>nsswich.conf
>passwd:         compat winbind
>group:          compat winbind
>
>optional. : idmapd.conf :  add : 
>[Translation]
>
>Method = nsswitch
>
>
>test: 
>
>wbinfo -u
>wbinfo -g
>wbinfo -p
>
>
>hostname -s
>hostname -f
>hostname -d
>( optional hostname -y )
>hostname -i  ( should return the ip or your server ) 
>
>( optional )
>dig -x IP_OF_PROBLEM_MACHINE @YOURDC.domain.tld (or @AD_DC_IP ) 
>
>
>for me : 
>getent group "domain users"
>domain users:x:10000:
>
>and You did set the UNIX id on the "Domain Users" group? 
>
>
>Greetz, 
>
>Louis
>
>
>>-----Oorspronkelijk bericht-----
>>Van: rwebb at zylatech.com [mailto:samba-bounces at lists.samba.org] 
>>Namens Rich Webb
>>Verzonden: vrijdag 19 december 2014 14:40
>>Aan: samba at lists.samba.org
>>Onderwerp: Re: [Samba] setfacl: Option -m: Invalid argument 
>>near character 3
>>
>>Running CentOS 6.6
>>Using the Sernet Enterprise packages - sernet-samba-ad.
>>
>>Just tried:   
>>
>>getent group "Domain Users"
>>getent group DOMAIN\\Domain\ Users 
>>
>>and neither command returned any entries.
>>
>>Rich
>>
>>-----Original Message-----
>>From: samba-bounces at lists.samba.org
>>[mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>>Sent: Friday, December 19, 2014 8:37 AM
>>To: samba at lists.samba.org
>>Subject: Re: [Samba] setfacl: Option -m: Invalid argument near 
>>character
>>3
>>
>>On 19/12/14 13:22, Rich Webb wrote:
>>> Matt,
>>>
>>> Thanks for the reply.  I'm not trying to add the "users" 
>group.  I'm 
>>> trying to add the "Domain Users" group.  That is the reason 
>>for the \ 
>>> in front of the space.  It's translated as a literal.  I 
>>think I could
>>
>>> also put quotes around it and not have to use the \ and the space.
>>>
>>> The problem is getent group only is listing local unix groups.  I 
>>> think that is why setfacl is not able to add active 
>directory groups 
>>> to the acl.
>>
>>That may be your problem, 'getent group' will not show any 
>>domain group,
>>but 'getent group <a domain group>' should show the domain group.
>>
>>If you are running samba4 in AD mode, then you are running winbind,
>>though you may not be **using** it.
>>
>>Can you post what OS & samba packages you are using.
>>
>>Rowland
>>>
>>> Rich.
>>>
>>> -----Original Message-----
>>> From: Mattias Zhabinskiy [mailto:mattiasz at thinklogical.com]
>>> Sent: Friday, December 19, 2014 12:15 AM
>>> To: Rich Webb
>>> Subject: Re: [Samba] setfacl: Option -m: Invalid argument near 
>>> character
>>> 3
>>>
>>> Hello Rich,
>>>
>>> First of all remove space in front of the group name "users":
>>>
>>> setfacl -R -m g:MYDOM\\domain\users:rwx ./shared
>>>
>>> For example, following command works for me:
>>>
>>> [root at vmtest007 tmp]# ls -ld test4
>>> drwxrwsr-x. 2 root g-sales       4096 Dec 19 00:10 test4
>>>
>>> [root at vmtest007 tmp]# setfacl -Rm g:MYDOMAIN\\g-admin:rwx test4
>>>
>>> [root at vmtest007 tmp]# getfacl test4
>>> # file: test4
>>> # owner: root
>>> # group: g-sales
>>> # flags: -s-
>>> user::rwx
>>> group::rwx
>>> group:g-admin:rwx
>>> mask::rwx
>>> other::r-x
>>>
>>> [root at vmtest007 tmp]# ls -ld test4
>>> drwxrwsr-x+ 2 root g-sales 4096 Dec 19 00:10 test4
>>>
>>> where MYDOMAIN is windows domain name and g-admin is a 
>group name in 
>>> MYDOMAIN.
>>> Make sure that group "users" exists by running "getent group users"
>>> command, for e.g. in my case:
>>> [root at vmtest007 tmp]# getent group g-admin 
>>> g-admin:x:91608:alex,bill,joe,kevin
>>>
>>> Regards,
>>> Matt
>>>
>>> ________________________________________
>>> From: samba-bounces at lists.samba.org 
>><samba-bounces at lists.samba.org> on
>>
>>> behalf of Rich Webb <rwebb at zylatech.com>
>>> Sent: Thursday, December 18, 2014 8:33 PM
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] setfacl: Option -m: Invalid argument near 
>>> character
>>> 3
>>>
>>> Please is there anyone who has an answer on why this might be
>>happening?
>>> Do I need some sort of sssd support or winbind or 
>something?  In the 
>>> wiki about setting up acl's it doesn't say anything about any other 
>>> requirements, only that you have to have acl support and 
>>xattr support
>>
>>> in your filesystem which I do.
>>>
>>> I'm trying to deploy this server and I need a working solution 
>>> tomorrow
>>> - kind of in a bind.. I hope someone can help.
>>>
>>> Thanks,
>>> Rich
>>>
>>> -----Original Message-----
>>> From: samba-bounces at lists.samba.org
>>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rich Webb
>>> Sent: Thursday, December 18, 2014 6:29 PM
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] setfacl: Option -m: Invalid argument near 
>>> character
>>> 3
>>>
>>> I just tried that and I got the same error.  I think there is some 
>>> extended acl support that I'm missing somewhere.
>>>
>>> It's like the setfacl command is not recognizing the AD groups as 
>>> valid groups.
>>>
>>> I should also add the following information:
>>>
>>> This server is built up on CentOS 6.6 Minimal using the 
>Sernet-Samba 
>>> Enterprise packages.
>>>
>>> It looks like the binary that is running is /usr/sbin/samba 
>and that 
>>> is started with /etc/rc.d/init.d/sernet-samba-ad start
>>>
>>> Rich
>>>
>>> -----Original Message-----
>>> From: samba-bounces at lists.samba.org
>>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Miguel Medalha
>>> Sent: Thursday, December 18, 2014 4:42 PM
>>> To: Rich Webb; samba at lists.samba.org
>>> Subject: Re: [Samba] setfacl: Option -m: Invalid argument near 
>>> character
>>> 3
>>>
>>>
>>>> I tried setting the permissions from the command line using:
>>>>
>>>> setfacl -R -m g:MYDOM\\domain\ users:rwx ./shared
>>>>
>>>> and it gives me:
>>>>
>>>> setfacl: Option -m: Invalid argument near character 3
>>>>
>>> You should enter:
>>>
>>> setfacl -Rm g:MYDOM\\domain\ users:rwx ./shared
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>--
>>To unsubscribe from this list go to the following URL and read the
>>instructions:  https://lists.samba.org/mailman/options/samba
>>-- 
>>To unsubscribe from this list go to the following URL and read the
>>instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>
>

More information about the samba mailing list