[Samba] Cannot add ACL through windows client

Rowland Penny rowlandpenny at googlemail.com
Wed Oct 22 08:12:26 MDT 2014


On 22/10/14 15:01, Zoddo wrote:
> I don't want to add an ACL on an unknown user from samba but add an 
> ACL on a user that exists in the samba database but is unknown by the 
> client machine.
OK, I should also have said that if you try to use a samba user that is 
unknown to windows, this will also fail because the user MUST be known 
everywhere.

>
> The client machines weren't in a domain.
Yes I know, I said that you were using a workgroup, they are terrible 
things, when you want to add a user, you have to log into every machine 
in the workgroup that they are to be created or will connect to and add 
the user.

Rowland
>
> 2014-10-22 15:54 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>
>     On 22/10/14 14:34, Zoddo wrote:
>
>         Yes, the user exists in /etc/passwd and in the samba database
>         with the same password.
>         The user doesn't exist on the windows machine. I just want to add
>         a permission on directories/files for another user that
>         exists in the unix/samba database.
>
>
>     You are running a workgroup and if you attempt to connect to a
>     samba share, you will probably be asked who to connect as, at this
>     point, you can use a username & password of a user that samba
>     knows and you should be connected as the samba user. If you now
>     try to change the ACLs of a file on the share from windows and
>     try to use a windows user that is unknown to samba, this will fail
>     because, to samba, it is an unknown user.
>
>     Rowland
>
>         2014-10-22 15:15 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>
>             On 22/10/14 13:47, Zoddo wrote:
>
>                 up !
>
>                 2014-10-20 23:19 GMT+02:00 Zoddo <zoddo.ino at gmail.com>:
>
>                     Yes, it's this !
>
>                     2014-10-20 23:17 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>
>                         On 20/10/14 22:11, Zoddo wrote:
>
>                             Yes, the users are UNIX accounts "imported" in samba via smbpasswd.
>
>                             Windows machines are in the same workgroup.
>
>                             2014-10-20 22:56 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>
>
>                                 On 20/10/14 21:43, Zoddo wrote:
>
>                                     Samba has been installed via Debian repositories (apt-get).
>
>                                     Here is my smb.conf:
>
>
>                                         #
>                                         # Sample configuration file for the Samba suite for Debian GNU/Linux.
>                                         #
>                                         #
>                                         # This is the main Samba configuration file. You should read the
>                                         # smb.conf(5) manual page in order to understand the options listed
>                                         # here. Samba has a huge number of configurable options most of which
>                                         # are not shown in this example
>                                         #
>                                         # Some options that are often worth tuning have been included as
>                                         # commented-out examples in this file.
>                                         #  - When such options are commented with ";", the proposed setting
>                                         #    differs from the default Samba behaviour
>                                         #  - When commented with "#", the proposed setting is the default
>                                         #    behaviour of Samba but the option is considered important
>                                         #    enough to be mentioned here
>                                         #
>                                         # NOTE: Whenever you modify this file you should run the command
>                                         # "testparm" to check that you have not made any basic syntactic
>                                         # errors.
>                                         # A well-established practice is to name the original file
>                                         # "smb.conf.master" and create the "real" config file with
>                                         # testparm -s smb.conf.master >smb.conf
>                                         # This minimizes the size of the really used smb.conf file
>                                         # which, according to the Samba Team, impacts performance
>                                         # However, use this with caution if your smb.conf file contains nested
>                                         # "include" statements. See Debian bug #483187 for a case
>                                         # where using a master file is not a good idea.
>                                         #
>                                         #======================= Global Settings =======================
>                                         [global]
>                                         username map = /etc/samba/samba_usermapping
>                                         ## Browsing/Identification ###
>                                         # Change this to the workgroup/NT-domain name your Samba server will part of
>                                            workgroup = WORKGROUP
>                                         # server string is the equivalent of the NT Description field
>                                            server string = %h server
>                                         # Windows Internet Name Serving Support Section:
>                                         # WINS Support - Tells the NMBD component of Samba to enable its WINS Server
>                                         #   wins support = no
>                                         # WINS Server - Tells the NMBD components of Samba to be a WINS Client
>                                         # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
>                                         ;   wins server = w.x.y.z
>                                         # This will prevent nmbd to search for NetBIOS names through DNS.
>                                            dns proxy = no
>                                         # What naming service and in what order should we use to resolve host names
>                                         # to IP addresses
>                                         ;   name resolve order = lmhosts host wins bcast
>                                         #### Networking ####
>                                         # The specific set of interfaces / networks to bind to
>                                         # This can be either the interface name or an IP address/netmask;
>                                         # interface names are normally preferred
>                                         ;   interfaces = 127.0.0.0/8 eth0
>
>                                         # Only bind to the named interfaces and/or networks; you must use the
>                                         # 'interfaces' option above to use this.
>                                         # It is recommended that you enable this feature if your Samba machine is
>                                         # not protected by a firewall or is a firewall itself.  However, this
>                                         # option cannot handle dynamic or non-broadcast interfaces correctly.
>                                         ;   bind interfaces only = yes
>
>
>                                         #### Debugging/Accounting ####
>                                         # This tells Samba to use a separate log file for each machine
>                                         # that connects
>                                            log file = /var/log/samba/log.%m
>                                         # Cap the size of the individual log files (in KiB).
>                                            max log size = 1000
>                                         # If you want Samba to only log through syslog then set the following
>                                         # parameter to 'yes'.
>                                         #   syslog only = no
>                                         # We want Samba to log a minimum amount of information to syslog. Everything
>                                         # should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
>                                         # through syslog you should set the following parameter to something higher.
>                                            syslog = 0
>                                         # Do something sensible when Samba crashes: mail the admin a backtrace
>                                            panic action = /usr/share/samba/panic-action %d
>
>                                         ####### Authentication #######
>                                         # "security = user" is always a good idea. This will require a Unix account
>                                         # in this server for every user accessing the server. See
>                                         # /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
>                                         # in the samba-doc package for details.
>                                         #   security = user
>                                         # You may wish to use password encryption.  See the section on
>                                         # 'encrypt passwords' in the smb.conf(5) manpage before enabling.
>                                            encrypt passwords = true
>                                         # If you are using encrypted passwords, Samba will need to know what
>                                         # password database type you are using.
>                                            passdb backend = tdbsam
>                                            obey pam restrictions = yes
>                                         # This boolean parameter controls whether Samba attempts to sync the Unix
>                                         # password with the SMB password when the encrypted SMB password in the
>                                         # passdb is changed.
>                                            unix password sync = yes
>                                         # For Unix password sync to work on a Debian GNU/Linux system, the following
>                                         # parameters must be set (thanks to Ian Kahan <<kahan at informatik.tu-muenchen.de> for
>                                         # sending the correct chat script for the passwd program in Debian Sarge).
>                                            passwd program = /usr/bin/passwd %u
>                                            passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>                                         # This boolean controls whether PAM will be used for password changes
>                                         # when requested by an SMB client instead of the program listed in
>                                         # 'passwd program'. The default is 'no'.
>                                            pam password change = yes
>                                         # This option controls how unsuccessful authentication attempts are mapped
>                                         # to anonymous connections
>                                            map to guest = bad user
>                                         ########## Domains ###########
>                                         # Is this machine able to authenticate users. Both PDC and BDC
>                                         # must have this setting enabled. If you are the BDC you must
>                                         # change the 'domain master' setting to no
>                                         #
>                                         ;   domain logons = yes
>                                         #
>                                         # The following setting only takes effect if 'domain logons' is set
>                                         # It specifies the location of the user's profile directory
>                                         # from the client point of view)
>                                         # The following required a [profiles] share to be setup on the
>                                         # samba server (see below)
>                                         ;   logon path = \\%N\profiles\%U
>                                         # Another common choice is storing the profile in the user's home directory
>                                         # (this is Samba's default)
>                                         #   logon path = \\%N\%U\profile
>                                         # The following setting only takes effect if 'domain logons' is set
>                                         # It specifies the location of a user's home directory (from the client
>                                         # point of view)
>                                         ;   logon drive = H:
>                                         #   logon home = \\%N\%U
>                                         # The following setting only takes effect if 'domain logons' is set
>                                         # It specifies the script to run during logon. The script must be stored
>                                         # in the [netlogon] share
>                                         # NOTE: Must be store in 'DOS' file format convention
>                                         ;   logon script = logon.cmd
>                                         # This allows Unix users to be created on the domain controller via the SAMR
>                                         # RPC pipe.  The example command creates a user account with a disabled Unix
>                                         # password; please adapt to your needs
>                                         ; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
>                                         # This allows machine accounts to be created on the domain controller via the
>                                         # SAMR RPC pipe.
>                                         # The following assumes a "machines" group exists on the system
>                                         ; add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
>                                         # This allows Unix groups to be created on the domain controller via the SAMR
>                                         # RPC pipe.
>                                         ; add group script = /usr/sbin/addgroup --force-badname %g
>                                         ########## Printing ##########
>                                         # If you want to automatically load your printer list rather
>                                         # than setting them up individually then you'll need this
>                                         #   load printers = yes
>                                         # lpr(ng) printing. You may wish to override the location of the
>                                         # printcap file
>                                         ;   printing = bsd
>                                         ;   printcap name = /etc/printcap
>                                         # CUPS printing.  See also the cupsaddsmb(8) manpage in the
>                                         # cupsys-client package.
>                                         ;   printing = cups
>                                         ;   printcap name = cups
>                                         ############ Misc ############
>                                         # Using the following line enables you to customise your configuration
>                                         # on a per machine basis. The %m gets replaced with the netbios name
>                                         # of the machine that is connecting
>                                         ;   include = /home/samba/etc/smb.conf.%m
>                                         # Most people will find that this option gives better performance.
>                                         # See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/speed.html
>                                         # for details
>                                         # You may want to add the following on a Linux system:
>                                         # SO_RCVBUF=8192 SO_SNDBUF=8192
>                                         #   socket options = TCP_NODELAY
>                                         # The following parameter is useful only if you have the linpopup package
>                                         # installed. The samba maintainer and the linpopup maintainer are
>                                         # working to ease installation and configuration of linpopup and samba.
>                                         ;   message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &
>                                         # Domain Master specifies Samba to be the Domain Master Browser. If this
>                                         # machine will be configured as a BDC (a secondary logon server), you
>                                         # must set this to 'no'; otherwise, the default behavior is recommended.
>                                         #   domain master = auto
>                                         # Some defaults for winbind (make sure you're not using the ranges
>                                         # for something else.)
>                                         ;   idmap uid = 10000-20000
>                                         ;   idmap gid = 10000-20000
>                                         ;   template shell = /bin/bash
>                                         # The following was the default behaviour in sarge,
>                                         # but samba upstream reverted the default because it might induce
>                                         # performance issues in large organizations.
>                                         # See Debian bug #368251 for some of the consequences of *not*
>                                         # having this setting and smb.conf(5) for details.
>                                         ;   winbind enum groups = yes
>                                         ;   winbind enum users = yes
>                                         # Setup usershare options to enable non-root users to share folders
>                                         # with the net usershare command.
>                                         # Maximum number of usershare. 0 (default) means that usershare is disabled.
>                                         ;   usershare max shares = 100
>                                         # Allow users who've been granted usershare privileges to create
>                                         # public shares, not just authenticated ones
>                                            usershare allow guests = yes
>                                         #======================= Share
>         Definitions
>                                     =======================
>                                         [homes]
>                                            comment = Home Directories
>                                            browseable = no
>                                         # By default, the home directories are exported read-only. Change the
>                                         # next parameter to 'no' if you want to be able to write to them.
>                                            read only = yes
>                                         # File creation mask is set to 0700 for security reasons. If you want to
>                                         # create files with group=rw permissions, set next parameter to 0775.
>                                            create mask = 0700
>                                         # Directory creation mask is set to 0700 for security reasons. If you want to
>                                         # create dirs. with group=rw permissions, set next parameter to 0775.
>                                            directory mask = 0700
>                                         # By default, \\server\username shares can be connected to by anyone
>                                         # with access to the samba server.
>                                         # The following parameter makes sure that only "username" can connect
>                                         # to \\server\username
>                                         # This might need tweaking when using external authentication schemes
>                                            valid users = %S
>                                         # Un-comment the following and create the netlogon directory for Domain Logons
>                                         # (you need to configure Samba to act as a domain controller too.)
>                                         ;[netlogon]
>                                         ;   comment = Network Logon Service
>                                         ;   path = /home/samba/netlogon
>                                         ;   guest ok = yes
>                                         ;   read only = yes
>                                         # Un-comment the following and create the profiles directory to store
>                                         # users profiles (see the "logon path" option above)
>                                         # (you need to configure Samba to act as a domain controller too.)
>                                         # The path below should be writable by all users so that their
>                                         # profile directory may be created the first time they log on
>                                         ;[profiles]
>                                         ;   comment = Users profiles
>                                         ;   path = /home/samba/profiles
>                                         ;   guest ok = no
>                                         ;   browseable = no
>                                         ;   create mask = 0600
>                                         ;   directory mask = 0700
>                                         [printers]
>                                            comment = All Printers
>                                            browseable = no
>                                            path = /var/spool/samba
>                                            printable = yes
>                                            guest ok = no
>                                            read only = yes
>                                            create mask = 0700
>                                         # Windows clients look for this share name as a source of downloadable
>                                         # printer drivers
>                                         [print$]
>                                            comment = Printer Drivers
>                                            path = /var/lib/samba/printers
>                                            browseable = yes
>                                            read only = yes
>                                            guest ok = no
>                                         # Uncomment to allow remote administration of Windows print drivers.
>                                         # You may need to replace 'lpadmin' with the name of the group your
>                                         # admin users are members of.
>                                         # Please note that you also need to set appropriate Unix permissions
>                                         # to the drivers directory for these users to have write rights in it
>                                         ;   write list = root, @lpadmin
>                                         # A sample share for sharing your CD-ROM with others.
>                                         ;[cdrom]
>                                         ;   comment = Samba server's CD-ROM
>                                         ;   read only = yes
>                                         ;   locking = no
>                                         ;   path = /cdrom
>                                         ;   guest ok = yes
>                                         # The next two parameters show how to auto-mount a CD-ROM when the
>                                         #cdrom share is accessed. For this to work /etc/fstab must contain
>                                         #an entry like this:
>                                         #
>                                         #       /dev/scd0 /cdrom iso9660 defaults,noauto,ro,user          0 0
>                                         #
>                                         # The CD-ROM gets unmounted automatically after the connection to the
>                                         #
>                                         # If you don't want to use auto-mounting/unmounting make sure the CD
>                                         #is mounted on /cdrom
>                                         #
>                                         ;   preexec = /bin/mount /cdrom
>                                         ;   postexec = /bin/umount /cdrom
>
>                                         [data]
>                                         writeable = yes
>                                         path = /data
>
>
>
>                                     2014-10-20 22:26 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>
>                                         On 20/10/14 21:19, Zoddo wrote:
>
>                                             It doesn't work (NT_STATUS_ACCESS_DENIED).
>
>                                             What's the administrator's password? It's the root's password?
>                                             When I installed samba, it hasn't asked me for an administrative password.
>
>                                             2014-10-20 8:50 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>
>                                                 If this is on a member server, try:
>
>                                                 net rpc rights grant 'TEST_IMGDSK\test' SeDiskOperatorPrivilege -Uadministrator -S SERVERNAME
>                                                 or
>                                                 net rpc rights grant 'TEST_IMGDSK\test' SeDiskOperatorPrivilege -UDOMAIN\administrator -S SERVERNAME
>
>                                                 (As I don't think this is a DC, the above should work.)
>                                                 And the last option is to add this to smb.conf:
>                                                 username map = /etc/samba/samba_usermapping
>                                                 and add: !root = DOMAIN\Administrator DOMAIN\administrator
>                                                 in it.
>
>
>                                                 Louis
>
>
>                                                     -----Original message-----
>                                                     From: mmuehlfeld at samba.org [mailto:samba-bounces at lists.samba.org] On behalf of Marc Muehlfeld
>                                                     Sent: Sunday 19 October 2014 11:28
>                                                     To: Zoddo
>                                                     CC: samba
>                                                     Subject: Re: [Samba] Cannot add ACL through windows client
>
>                                                     On 19.10.2014 at 01:07, Zoddo wrote:
>
>                                                         I've a problem: I'm unable to add the *SeDiskOperatorPrivilege* to my user *test*.
>
>                                                             root at test-imgdsk:~# net rpc rights grant 'TEST_IMGDSK\test' SeDiskOperatorPrivilege -Uadministrator
>                                                             Enter administrator's password:
>                                                             Failed to grant privileges for TEST_IMGDSK\test (NT_STATUS_ACCESS_DENIED)
>
>
>                                                     OK. We're coming closer - slowly.
>
>                                                     But if you don't give us more information about your environment
>                                                     everything else is just guessing.
>                                                     - Samba version
>                                                     - smb.conf
>                                                     - Permissions about the account (is Administrator mapped to root, etc.)
>                                                     - Type of Server (DC, PDC, Member, Standalone, etc.)
>
>
>                                                     Regards,
>                                                     Marc
>
>                                                     --
>                                                     To unsubscribe from this list go to the following URL and read the
>                                                     instructions: https://lists.samba.org/mailman/options/samba
>
>
>
>                                         I don't think this has been asked yet, but how did you install
>                                         samba and what is in smb.conf.
>
>                                         Rowland
>
>
>
>
>                                 No, this is your smb.conf:
>
>                                     [global]
>                                     username map = /etc/samba/samba_usermapping
>                                        workgroup = WORKGROUP
>                                        server string = %h server
>                                        dns proxy = no
>                                        log file = /var/log/samba/log.%m
>                                        max log size = 1000
>                                        syslog = 0
>                                        panic action = /usr/share/samba/panic-action %d
>                                        encrypt passwords = true
>                                        passdb backend = tdbsam
>                                        obey pam restrictions = yes
>                                        unix password sync = yes
>                                        passwd program = /usr/bin/passwd %u
>                                        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>                                        pam password change = yes
>                                        map to guest = bad user
>                                        usershare allow guests = yes
>
>                                     [homes]
>                                        comment = Home Directories
>                                        browseable = no
>                                        read only = yes
>                                        create mask = 0700
>                                        directory mask = 0700
>                                        valid users = %S
>
>                                     [printers]
>                                        comment = All Printers
>
>
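
An added example, not part of the original thread and not Samba code: a small Python reader for the `username map` file format suggested in the quoted advice above, showing which login names a map resolves to and which names are handed root's identity. The sample entries other than the `!root` line, the function names, and the case-insensitive comparison are assumptions of this example.

```python
import re

# Constructed sample map file. The "!root" line is the one quoted in the
# thread; the other entries are made up here to exercise the parser.
SAMPLE_MAP = r'''
# comment lines start with # or ;
!root = DOMAIN\Administrator DOMAIN\administrator
backup = "Backup Operator" svc_backup
guest = *
'''

# A client name is either "double quoted" (may contain spaces) or a bare word.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_username_map(text):
    """Return [(unix_name, [client_names], stop_on_match), ...]."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")      # "!" = stop processing after a match
        if stop:
            line = line[1:].lstrip()
        unix_name, sep, rhs = line.partition("=")
        unix_name = unix_name.strip()
        if not sep or not unix_name:
            continue                      # no "unix = client" pair: skipped here
        clients = [quoted or bare for quoted, bare in _TOKEN.findall(rhs)]
        entries.append((unix_name, clients, stop))
    return entries


def _matches(client, name):
    if client == "*":                     # wildcard: any login name
        return True
    if client[:1] in ("@", "+", "&"):     # group entry: needs the server's
        return False                      # group database, not expanded here
    return client.lower() == name.lower() # assumption: case-insensitive match


def map_username(entries, name):
    """Apply the map top to bottom; a match renames and, without "!", the
    renamed user is checked against the remaining lines as well."""
    for unix_name, clients, stop in entries:
        if any(_matches(c, name) for c in clients):
            name = unix_name
            if stop:
                break
    return name


def root_aliases(entries):
    """Client names that a map hands root's identity to (worth reviewing)."""
    return [c for unix, clients, _ in entries if unix == "root" for c in clients]


if __name__ == "__main__":
    entries = parse_username_map(SAMPLE_MAP)
    for login in (r"DOMAIN\Administrator", "administrator", "svc_backup"):
        print(f"{login!r:28} -> {map_username(entries, login)}")
    print("mapped to root:", root_aliases(entries))
```

In the sample, `svc_backup` ends up as `guest` because the `backup` line has no leading `!` and the later wildcard line matches the renamed user; the `!root` line is not affected because processing stops there.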


