[Samba] Samba43 ACL's issues

Rowland Penny rpenny at samba.org
Thu Jun 23 07:40:35 UTC 2016


On 23/06/16 02:18, Juan Garcia wrote:
> On 21/06/2016 10:22 PM, Mueller wrote:
>> What about this in your global section
>> create mask = 770
>>          force create mode = 770
>>          directory mask = 770
>>          force directory mode = 770
>>
>> Greetings
>> Daniel
>>
>
> Hi Daniel, Thanks for your response. Those settings are already in my 
> smb4.conf
>
>  Global parameters
> [global]
>         interfaces = 192.168.1.100
>         bind interfaces only = yes
>     workgroup = CW1
>     realm = DOMAIN.NAME.COM.AU
>     netbios name = SERVER1
>         server role = active directory domain controller
>         dns forwarder = 192.168.1.1
>         printing = bsd
>         server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, 
> winbind, ntp_signd, kcc, dnsupdate, dns
>         dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, 
> netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, 
> eventlog6, backupkey, dnsserver
>         restrict anonymous = 1
>         vfs objects = acl_xattr
>         map acl inherit = Yes
>         store dos attributes = no
>         unix extensions = no
>         inherit acls = yes
>         inherit permissions = yes
>         ea support = no
>         idmap_ldb:use rfc2307 = yes
>         browseable= yes
>         writable = yes
>         read only= no
>         create mask = 770
>         force create mode = 770
>         directory mask = 770
>         force directory mode = 770
>
> The problem is not about accessing folders; we want to be able to 
> assign different permissions to a specific folder inside the same 
> file share.
>
> Let's say I have this set up:
>
> Share:
> Public/
>
> Subfolder:
> Public/folder1
>
> Required Permissions:
> DM\user.one -> full access
> DM\user.two -> readonly
>
> So in Windows with an administrator account I right click on the 
> folder to assign these permissions on the Security tab; right after I 
> hit "apply" I get:
> An error occurred while applying security information to:
> Public/folder1
> The parameter is incorrect
>
>
> Any ideas?
>
>>
>> EDV Daniel Müller
>>
>> Head of IT
>> Tropenklinik Paul-Lechler-Krankenhaus
>> Paul-Lechler-Str. 24
>> 72076 Tübingen
>> Tel.: 07071/206-463, Fax: 07071/206-499
>>  Email: mueller at tropenklinik.de
>>  www.tropenklinik.de
>>  www.bauen-sie-mit.tropenklinik.de
>>
>>
>>
>>
>> -----Original Message-----
>> From: Juan Garcia [mailto:juan at ish.com.au]
>> Sent: Tuesday, 21 June 2016 13:47
>> To: samba at lists.samba.org
>> Subject: [Samba] Samba43 ACL's issues
>>
>> Hi there,
>>
>> I'm having trouble with permissions and ACL's running samba43.
>>
>> I want to be able to set permissions on a folder for a specific user.
>>
>> I'm having a similar issue reported here 
>> https://lists.samba.org/archive/samba/2010-July/156965.html
>>
>> However my error message is slightly different:
>>
>> When I set the permission for a specific user by creating a new 
>> folder inside the share, right click -> properties -> security tab I 
>> get:
>>
>> An error occurred while applying security information to:
>>
>> \\servername\test
>>
>> The parameter is incorrect
>>
>>
>> I have tried changing the permissions manually with "chmod a+rwx /test/"
>>
>> But this does not look like a permissions problem; this looks more 
>> like samba or some setting in smb4.conf itself
>>
>>
>> this is my smb4.conf file:
>>
>>   Global parameters
>> [global]
>>          interfaces = 192.168.1.100
>>          bind interfaces only = yes
>>          workgroup = CW1
>>          realm = DOMAIN.NAME.COM.AU
>>          netbios name = SERVER1
>>          server role = active directory domain controller
>>          dns forwarder = 192.168.1.1
>>          printing = bsd
>>          server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl,
>> winbind, ntp_signd, kcc, dnsupdate, dns
>>          dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
>> netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser,
>> eventlog6, backupkey, dnsserver
>>          restrict anonymous = 1
>>          map acl inherit = no
>>          store dos attributes = yes
>>          unix extensions = no
>>          ea support = no
>>          idmap_ldb:use rfc2307 = yes
>>          browseable= yes
>>          writable = yes
>>          read only= no
>>          create mask = 770
>>          force create mode = 770
>>          directory mask = 770
>>          force directory mode = 770
>>          kerberos method = system keytab
>>          client ldap sasl wrapping = sign
>>          allow dns updates = nonsecure and secure
>>
>> [test]
>>          path = /var/fileshare/test
>>          valid users = @DOMAIN.NAME.COM.AU\staff
>>          guest ok = yes
>>          read only = no
>>
>> Not sure what I am missing, I appreciate your help.
>>
>> Regards,
>>
>

OK, can I suggest you remove these lines from your smb.conf:

         restrict anonymous = 1
         vfs objects = acl_xattr
         map acl inherit = Yes
         store dos attributes = no
         unix extensions = no
         inherit acls = yes
         inherit permissions = yes
         ea support = no
         browseable= yes
         writable = yes
         read only= no
         create mask = 770
         force create mode = 770
         directory mask = 770
         force directory mode = 770

You are turning off things you require and, if you look closely, you have 
the same line twice, but in different ways.

You might as well also remove this line:

dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, 
lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, 
backupkey, dnsserver

It is the default.

Finally, I would also remove this line:

server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, 
ntp_signd, kcc, dnsupdate, dns

It is stopping you using the separate 'winbindd' binary.

Rowland
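
The clean-up suggested in the reply above can be checked mechanically. The following Python sketch is an added example, not code from this thread or from the Samba project: it flags the [global] parameters the reply lists for removal and reports settings stated twice through smb.conf synonyms (such as "writable" and "read only"). The function names and the sample config are constructed for illustration.

```python
import re

# Parameters the reply suggests removing from [global] (taken from the page).
REMOVE = ["restrict anonymous", "vfs objects", "map acl inherit",
          "store dos attributes", "unix extensions", "inherit acls",
          "inherit permissions", "ea support", "browseable", "writable",
          "read only", "create mask", "force create mode", "directory mask",
          "force directory mode", "dcerpc endpoint servers", "server services"]
# smb.conf(5) synonyms, alias -> canonical name ("writable" inverts "read only").
SYNONYMS = {"writable": "read only", "writeable": "read only",
            "write ok": "read only", "browsable": "browseable",
            "create mode": "create mask", "directory mode": "directory mask"}

# Constructed sample: a shortened form of the [global] section quoted above.
SAMPLE = """[global]
    server role = active directory domain controller
    vfs objects = acl_xattr
    browseable= yes
    writable = yes
    read only= no
"""

def key(name):
    # Samba ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_section(text, section="global"):
    """Return [(name, value)] for one section of smb.conf text."""
    current, out = None, []
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
        elif current == section and "=" in line and line[0] not in "#;":
            name, value = line.split("=", 1)
            out.append((name.strip(), value.strip()))
    return out

def audit(text):
    """Return (names to remove, [(first, second)] pairs set via synonyms)."""
    remove, aliases = {key(n) for n in REMOVE}, {key(a): c for a, c in SYNONYMS.items()}
    removals, seen, duplicates = [], {}, []
    for name, _value in parse_section(text):
        if key(name) in remove:
            removals.append(name)
        canon = key(aliases.get(key(name), name))
        if canon in seen:
            duplicates.append((seen[canon], name))
        seen.setdefault(canon, name)
    return removals, duplicates
```

Calling audit(SAMPLE) returns the flagged parameter names and the pair ("writable", "read only"), which is the "same line twice, but in different ways" case the reply points out.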


