[Samba] SOLVED: Re: Samba 3 to 4 AD migration - extensive permissions problems
Jason Ostermann
oddball at oddworld.org
Sun Feb 9 20:22:32 MST 2014
Yes, it turned out to be a few stupid mistakes:
each share needed "read only = no" (that was obvious!)
The Unix attributes for Domain Users needs to match the users gid
Using the correct flag to setfacl (--set-file)
All good now. Thanks, Samba team! This is an incredible upgrade.
Jason
On 2/8/2014 11:05 PM, Chan Min Wai wrote:
> On Sun, Feb 9, 2014 at 7:55 AM, Jason Ostermann
> <oddball at oddworld.org <mailto:oddball at oddworld.org>
> <mailto:oddball at oddworld.org <mailto:oddball at oddworld.org>>> wrote:
>
> Finally biting the bullet and upgrading home machines to
> Windows 7 but
> experiencing many problems.
> Server is a Debian Lenny, old Samba 3.2.5, new Samba 4.1.4
> built from
> source. My setup has been doing roaming profiles for XP
> since 2003 or so
> with almost no changes. I want to keep roaming profiles
> going plus
> do some
> folder redirection (Desktop (my wife doesn't believe in
> file shares for
> pictures) and AppData (I find new ways to hate iTunes every
> day)
> particularly). Took a while to find that my passdb was still
> smbpasswd and
> the passdb had the default system accounts. Got the
> smbpasswd converted
> over, user accounts in place, and the new Win7 machine was
> able to
> join the
> domain.
> I was able to set the *share* permissions per the "Setting
> up a home
> share"
> without issue. However, attempting to set any permissions
> to the
> files or
> directories fails with "Access denied". I have tried all
> manner of unix
> modes on the files/directories to no avail. I made a new
> directory for
> redirected folders and that one can be used properly. So I
> tried to copy
> the acls (getfacl /home/redir | setfact --set=- /home) but that
> fails with
> setfacl: Option -s: Invalid argument near character 1.
> The permissions problems exist across all my file shares. I
> did grant
> SeDiskOperatorPrivilege to domain\Administrators, then also
> domain\Administrator and domain\root just in case. Both
> Administrator and
> root are in the Domain Admins group. I can access the
> policy and users
> nicely through the RSAT mmc plugins.
>
> Is there a baseline permission/acl/mode/attr that I need to
> lay down
> across
> the entire filesystem? I've worked on this for a couple of
> days, so I've
> tried every stupid idea I could think up. Nothing particularly
> useful has
> come up in my searches.
>
> Thanks!
>
More information about the samba
mailing list