[Samba] setfacl: Option -m: Invalid argument near character 3

Tim rintimtim at gmx.net
Sat Dec 20 01:43:44 MST 2014


I also have two DCs and I am using them also as filers.
Built-In users and groups are normally mapped by idmap.ldb

I also got issues with mapping of built-in users. I needed the same idmap.ldb on both of my DCs.
I also don't see these groups by hitting getent group.

I followed another strategy: Every new group that will have filesystem access has a name starting with GGF (Group Global File). These new GGF groups all have rfc2307 attributes. Built-In groups are members of these GGF groups if needed. It's just a kind of naming convention.

Users will always have rfc2307 attributes due to file system access like profiles or home.

It's a workaround but it works fine for me.

On 20 December 2014 01:02:38 CET, Rich Webb <rwebb at zylatech.com> wrote:
>lol tim it's okay.  Thanks you nailed it right away though.  That was
>the issue.  Only thing I'm battling now is that I can't seem to use the
>built in groups such as Authenticated Users or Network Service or System
>- do you know why that would be?  Maybe not supported by the internal
>winbind for samba4?
> 
>I realize it would probably be better to have the DC be a DC and have a
>FS be a FS which is doable since I'm running a vmware platform.  
> 
>Rich
> 
>
>________________________________
>
>From: Tim [mailto:rintimtim at gmx.net] 
>Sent: Friday, December 19, 2014 5:38 PM
>To: Rich Webb; samba at lists.samba.org
>Subject: Re: [Samba] setfacl: Option -m: Invalid argument near character 3
>
>
>Sorry, ignore me. I didn't read the rest...
>
>
>On 19 December 2014 23:29:54 CET, Tim <rintimtim at gmx.net> wrote:
>
>	What's the content of your /etc/nsswitch.conf?
>	
>	On 19 December 2014 14:22:56 CET, Rich Webb <rwebb at zylatech.com> wrote:
>
>		Matt,
>		
>		Thanks for the reply.  I'm not trying to add the "users" group.  I'm
>		trying to add the "Domain Users" group.  That is the reason for the \
>		in front of the space.  It's translated as a literal.  I think I could
>		also put quotes around it and not have to use the \ and the space.
>		
>		The problem is getent group only is listing local unix groups.  I think
>		that is why setfacl is not able to add active directory groups to the
>		acl.
>		
>		Rich. 
>		
>		-----Original Message-----
>		From: Mattias Zhabinskiy [mailto:mattiasz at thinklogical.com]
>		Sent: Friday, December 19, 2014 12:15 AM
>		To: Rich Webb
>		Subject: Re: [Samba] setfacl: Option -m: Invalid argument near character 3
>		
>		Hello Rich,
>		
>		First of all remove space in front of the group name "users":
>		
>		setfacl -R -m g:MYDOM\\domain\users:rwx ./shared
>		
>		For example, following command works for me:
>		
>		[root at vmtest007 tmp]# ls -ld test4
>		drwxrwsr-x. 2 root g-sales       4096 Dec 19 00:10 test4
>		
>		[root at vmtest007 tmp]# setfacl -Rm g:MYDOMAIN\\g-admin:rwx test4
>		
>		[root at vmtest007 tmp]# getfacl test4
>		# file: test4
>		# owner: root
>		# group: g-sales
>		# flags: -s-
>		user::rwx
>		group::rwx
>		group:g-admin:rwx
>		mask::rwx
>		other::r-x
>		
>		[root at vmtest007 tmp]# ls -ld test4
>		drwxrwsr-x+ 2 root g-sales 4096 Dec 19 00:10 test4
>		
>		where MYDOMAIN is windows domain name and g-admin is a group name in
>		MYDOMAIN.
>		Make sure that group "users" exists by running "getent group users"
>		command, for e.g. in my case:
>		[root at vmtest007 tmp]# getent group g-admin
>		g-admin:x:91608:alex,bill,joe,kevin
>		
>		Regards,
>		Matt
>		
>________________________________
>
>
>		From: samba-bounces at lists.samba.org <samba-bounces at lists.samba.org> on
>		behalf of Rich Webb <rwebb at zylatech.com>
>		Sent: Thursday, December 18, 2014 8:33 PM
>		To: samba at lists.samba.org
>		Subject: Re: [Samba] setfacl: Option -m: Invalid argument near character 3
>		
>		Please is there anyone who has an answer on why this might be
>		happening?
>		Do I need some sort of sssd support or winbind or something?  In the
>		wiki about setting up acl's it doesn't say anything about any other
>		requirements, only that you have to have acl support and xattr support
>		in your filesystem which I do.
>		
>		I'm trying to deploy this server and I need a working solution tomorrow
>		- kind of in a bind.. I hope someone can help.
>		
>		Thanks,
>		Rich
>		
>		-----Original Message-----
>		From: samba-bounces at lists.samba.org
>		[mailto:samba-bounces at lists.samba.org] On Behalf Of Rich Webb
>		Sent: Thursday, December 18, 2014 6:29 PM
>		To: samba at lists.samba.org
>		Subject: Re: [Samba] setfacl: Option -m: Invalid argument near character 3
>		
>		I just tried that and I got the same error.  I think there is some
>		extended acl support that I'm missing somewhere.
>		
>		It's like the setfacl command is not recognizing the AD groups as valid
>		groups.
>		
>		I should also add the following information:
>		
>		This server is built up on CentOS 6.6 Minimal using the Sernet-Samba
>		Enterprise packages.
>		
>		It looks like the binary that is running is /usr/sbin/samba and that is
>		started with /etc/rc.d/init.d/sernet-samba-ad start
>		
>		Rich
>		
>		-----Original Message-----
>		From: samba-bounces at lists.samba.org
>		[mailto:samba-bounces at lists.samba.org] On Behalf Of Miguel Medalha
>		Sent: Thursday, December 18, 2014 4:42 PM
>		To: Rich Webb; samba at lists.samba.org
>		Subject: Re: [Samba] setfacl: Option -m: Invalid argument near character 3
>		
>		
>
>			 I tried setting the permissions from the command line using:
>			
>			 setfacl -R -m g:MYDOM\\domain\ users:rwx ./shared
>			
>			 and it gives me:
>			
>			 setfacl: Option -m: Invalid argument near character 3
>
>
>
>		You should enter:
>		
>		setfacl -Rm g:MYDOM\\domain\ users:rwx ./shared
>		
>		--
>		To unsubscribe from this list go to the following URL and read the
>		instructions:  https://lists.samba.org/mailman/options/samba
>
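
Added example (not part of the original thread): a pre-flight check for the failure discussed above, where setfacl rejects an AD group because getent only sees local groups. The function names are hypothetical, and it assumes the nsswitch.conf fix was listing winbind on the group: line, since the thread does not quote the corrected file.

```shell
#!/bin/sh
# Added example: verify that NSS can resolve a domain group before
# handing it to setfacl. Function names are hypothetical.

# nss_sources FILE DB
# Print the sources configured for database DB (e.g. "files winbind"),
# ignoring comments and commented-out lines.
nss_sources() {
    sed -n -e 's/#.*//' -e "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" |
        tr -s '\t ' ' ' | head -n 1
}

# nss_has_source FILE DB SOURCE
# Return 0 if SOURCE is listed for DB. Matching is done on whole words so
# that action items such as [NOTFOUND=return] are never glob-expanded.
nss_has_source() {
    case " $(nss_sources "$1" "$2") " in
        *" $3 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# grant_group_acl NSSWITCH GROUP PERMS PATH
# Return 2 if the group: line lacks winbind (assumed fix, see lead-in),
# 3 if getent cannot resolve GROUP, otherwise setfacl's exit status.
grant_group_acl() {
    nss_has_source "$1" group winbind || {
        echo "group: line in $1 does not list winbind" >&2
        return 2
    }
    getent group "$2" >/dev/null || {
        echo "getent cannot resolve '$2'; setfacl would reject it" >&2
        return 3
    }
    # Quoting the whole ACL entry keeps the space in names such as
    # "Domain Users" without needing a backslash before it.
    setfacl -R -m "g:$2:$3" "$4"
}

# Usage (domain and path as written in the thread):
#   grant_group_acl /etc/nsswitch.conf 'MYDOM\Domain Users' rwx ./shared
```

The distinct return codes separate a missing NSS source from a group that winbind itself cannot map, which is the second problem described above for built-in groups.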

