[Samba] windows acl not saving, no error, nothing in log file

Rowland Penny rowlandpenny at googlemail.com
Fri Jun 19 07:27:44 MDT 2015


On 19/06/15 13:50, Thomas Bauserman wrote:
> I'm running samba 4.1.6 as a PDC on ubuntu 14.04.

OK, are you actually running samba as an NT4-style PDC, or are you running 
samba as an AD DC? They are very different.

> I'm following these guides to set up print shares
>
> https://wiki.samba.org/index.php/Samba_as_a_print_server
> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>
> When I go to my Windows workstation to change the ACLs on the print$ share
> I can get into the security tab and I can change the security options but
> when I click apply or ok they don't save. There is no error. I did tailf on
> /var/log/samba/log.samba while doing this and nothing shows up in the log
> file.

Have you followed the wiki pages fully?

> Here is my fstab entry
>
> /dev/mapper/homer--vg-root / ext4 defaults,user_xattr,acl,barrier=1,errors=remount-ro 0 1

You do not need 'user_xattr,acl', they are included by 'defaults' on ext4.

>
> the only thing I noticed and I wasn't sure if it was an issue or not. When
> I run
>
> "lsof | grep /srv/samba/Printer_drivers"
>
>   it gives me this
>
> lsof: no pwd entry for UID 3000019
> lsof: no pwd entry for UID 3000019
> lsof: no pwd entry for UID 3000019
> lsof: no pwd entry for UID 3000019
> lsof: no pwd entry for UID 3000019
> lsof: no pwd entry for UID 3000019
> lsof: no pwd entry for UID 3000019
> lsof: no pwd entry for UID 3000019

Try giving 'Domain Admins' a gidNumber attribute.

> I was a little confused by the guide because in one section the group is
> listed as Domain Admins and in another it's domain_admins, so I
> added SeDiskOperatorPrivilege to both. It wouldn't let me set the group on
> the folder to Domain Admins; it said it was an invalid group, so I set it to
> domain_admins.

'Domain Admins' and domain_admins are usually interchangeable, except on 
a samba4 AD DC; anywhere else you can set 'winbind normalize names = Yes' 
in smb.conf and then use the lowercase names. On a DC, you need to 
escape the space, either by quotes around the entire name, i.e. 
"Domain Admins" or 'Domain Admins', or by using a backslash: 
Domain\ Admins. If you don't use anything, it tries to use just 'Domain'.

Rowland
> Other than the Windows ACLs on the shares, everything else is working
> great. I've got all my users set up and I'm applying GPOs successfully.
>
> I've been hitting my head against the wall for a couple of days now. Any
> help would be appreciated. Let me know if you need anything else from me.
>
> Thanks,
> Tom Bauserman
> Technical Support Specialist
> Teutopolis Unit #50 School District


