[Samba] Samba43 ACL's issues
Data Control Systems - Mike Elkevizth
mike at datacontrolsystems.com
Thu Jun 23 02:28:27 UTC 2016
DCs seem to do odd things, that member servers don't, when it comes to file
serving. That's why the Samba team recommends to not do file serving on a
DC.
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Introduction
I've found that on a DC, the create mask, force create mode, directory
mask, and force directory mode will be ignored unless nt acl support option
is set to no.
nt acl support = no
I'm not sure what other consequences this may have with your setup, so
you'll just have to experiment.
Mike E.
On Wed, Jun 22, 2016, 9:32 PM Juan Garcia <juan at ish.com.au> wrote:
> On 21/06/2016 10:22 PM, Mueller wrote:
> > What about this in your global section
> > create mask = 770
> > force create mode = 770
> > directory mask = 770
> > force directory mode = 770
> >
> > Greetings
> > Daniel
> >
>
> Hi Daniel, Thanks for your response. Those settings are already in my
> smb4.conf
>
> Global parameters
> [global]
> interfaces = 192.168.1.100
> bind interfaces only = yes
> workgroup = CW1
> realm = DOMAIN.NAME.COM.AU
> netbios name = SERVER1
> server role = active directory domain controller
> dns forwarder = 192.168.1.1
> printing = bsd
> server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl,
> winbind, ntp_signd, kcc, dnsupdate, dns
> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
> netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser,
> eventlog6, backupkey, dnsserver
> restrict anonymous = 1
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = no
> unix extensions = no
> inherit acls = yes
> inherit permissions = yes
> ea support = no
> idmap_ldb:use rfc2307 = yes
> browseable= yes
> writable = yes
> read only= no
> create mask = 770
> force create mode = 770
> directory mask = 770
> force directory mode = 770
>
> The problem is not about accessing folders, we want to be able to assign
> to a specific folder different permissions inside the same file share
>
> Let's say I have this set up:
>
> Share:
> Public/
>
> Subfolder:
> Public/folder1
>
> Required Permissions:
> DM\user.one -> full access
> DM\user.two -> readonly
>
> So in Windows with an administrator account I right click on the folder
> to assign these permissions on the Security tab, right after I hit
> "apply" I get:
> An error occurred while applying security information to:
> Public/folder1
> The parameter is incorrect
>
>
> Any ideas?
>
> >
> > IT Daniel Müller
> >
> > Head of IT
> > Tropenklinik Paul-Lechler-Krankenhaus
> > Paul-Lechler-Str. 24
> > 72076 Tübingen
> > Tel.: 07071/206-463, Fax: 07071/206-499
> > Email: mueller at tropenklinik.de
> > www.tropenklinik.de
> > www.bauen-sie-mit.tropenklinik.de
> >
> >
> >
> >
> > -----Original Message-----
> > From: Juan Garcia [mailto:juan at ish.com.au]
> > Sent: Tuesday, 21 June 2016 13:47
> > To: samba at lists.samba.org
> > Subject: [Samba] Samba43 ACL's issues
> >
> > Hi there,
> >
> > I'm having trouble with permissions and ACL's running samba43.
> >
> > I want to be able to set permissions on a folder to a specific user.
> >
> > I'm having a similar issue reported here
> > https://lists.samba.org/archive/samba/2010-July/156965.html
> >
> > However my error message is slightly different:
> >
> > When I set the permission on a specific user by creating a new folder
> > inside the share, right click -> properties -> security tab I get:
> >
> > An error occurred while applying security information to:
> >
> > \\servername\test
> >
> > The parameter is incorrect
> >
> >
> > I have tried changing the permissions manually with "chmod a+rwx /test/"
> >
> > But this does not look like a permissions problem; this looks more like
> > Samba or some setting in smb4.conf itself
> >
> >
> > This is my smb4.conf file:
> >
> > Global parameters
> > [global]
> > interfaces = 192.168.1.100
> > bind interfaces only = yes
> > workgroup = CW1
> > realm = DOMAIN.NAME.COM.AU
> > netbios name = SERVER1
> > server role = active directory domain controller
> > dns forwarder = 192.168.1.1
> > printing = bsd
> > server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl,
> > winbind, ntp_signd, kcc, dnsupdate, dns
> > dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
> > netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser,
> > eventlog6, backupkey, dnsserver
> > restrict anonymous = 1
> > map acl inherit = no
> > store dos attributes = yes
> > unix extensions = no
> > ea support = no
> > idmap_ldb:use rfc2307 = yes
> > browseable= yes
> > writable = yes
> > read only= no
> > create mask = 770
> > force create mode = 770
> > directory mask = 770
> > force directory mode = 770
> > kerberos method = system keytab
> > client ldap sasl wrapping = sign
> > allow dns updates = nonsecure and secure
> >
> > [test]
> > path = /var/fileshare/test
> > valid users = @DOMAIN.NAME.COM.AU\staff
> > guest ok = yes
> > read only = no
> >
> > Not sure what I am missing; I appreciate your help.
> >
> > Regards,
> >
>
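The two points raised in this thread (file shares on a DC are discouraged, and the mask parameters were reported as ignored on a DC unless `nt acl support = no`) can be checked mechanically against a configuration. The following is an added example, not code from the thread or from the Samba project; the function names are hypothetical, the exemption of `sysvol` and `netlogon` is an assumption, and the sample configuration is constructed from the one quoted above.

```python
import re

MASKS = ("createmask", "forcecreatemode", "directorymask", "forcedirectorymode")
DC_OWN_SHARES = {"sysvol", "netlogon"}  # assumed: shares a DC provision creates itself

def norm(name):  # smb.conf ignores case and whitespace in section/parameter names
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {param: value}} with normalised names."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):  # a trailing backslash continues the line
            pending = line[:-1]
        elif line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(norm(line[1:-1]), {})
        elif line and line[0] not in "#;" and "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def lint_dc_shares(text):
    """Return (share, finding) pairs for file shares defined on an AD DC."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    if norm(glob.get("serverrole", "")) != "activedirectorydomaincontroller":
        return []
    findings = []
    for share, params in conf.items():
        if share == "global" or share in DC_OWN_SHARES:
            continue
        effective = {**glob, **params}  # share settings override [global]
        findings.append((share, "file share on a DC"))
        acl_off = effective.get("ntaclsupport", "yes").lower() in ("no", "false", "0")
        if any(m in effective for m in MASKS) and not acl_off:
            findings.append((share, "masks set but nt acl support is not 'no'"))
    return findings

# Constructed sample, trimmed from the configuration quoted in the thread
SAMPLE = """\
[global]
    server role = active directory domain controller
    create mask = 770
    Force Create Mode = 770
[sysvol]
[test]
    path = /var/fileshare/test
"""
print(lint_dc_shares(SAMPLE))
```
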