Re: [Samba] Can't see or change ACLs on Windows
Try to use other fs , ext3 for example ..maybe UFS implementation in centos is broken .. Look into kernel log , maybe you'll find some UFS errors .. If you set ACL with setfacl can you see them in windows box after? btw , better you open the new thread with those error message as a subject.. On 10/30/07, Eric Diven <[EMAIL PROTECTED]> wrote: > Doug, thanks, here's a complete listing of the config file, and some > logging, hopefully this will be illuminating to somebody. > > > Neither of these lines set the log level. > > Yes, I've been setting it in the init script. When I do ps -ef | grep > smbd, I see that logging is enabled. I straightened out that problem > (the one behind the monitor *sheepish grin*), and the logging works as > it's supposed to. > > > Getting windows acl's is a multi step process. > > Tell me about it ;-) > > > You need a file system capable of supporting extended acl's. I > believe you previously said you were using UFS file system. I haven't > used UFS since 1987. Man Mount on linux doesn't suggest extended acl's > are supported. Are they? > > Both Solaris and CentOS support them. Using fsetacl and fgetacl, I can > set acls and see them on files in the FS > > > Once the file system is capable of supporting extended acl's, you need > to mount the filesystem with the appropriate options. By default, > considering the age of UFS, I would assume extended acl's aren't > supported by default, if they are at all. > > Sun has been updating it, acl support is on by default. In fact, as > near as I can tell, you can't turn it off. I'm under the impression > that there are many flavors of UFS, not all of which are compatible. > > > Once the filesystem is mounted with the right options, then samba has > to have been compiled with the correct options, which you've verified. > > It sure looks like it ;-) > > > After all that, samba has top be configured correctly to support acl's > in windows. Samba can be configured to serve files in ms-dos mode, so > it's not a given. > > The smb.conf manpage indicates that nt acl support = yes by default. > Making it explicit doesn't seem to change the behavior. > > > Usually, if someone is asked to show the configuration, put out the > entire conf file. There's been a lot of dribs and drabs, but much has > been missing. First thing I do is run a copy thru testparm. Most of > this thread has been like blind mans bluff. > > Usually I try to keep it to a minimum, because people frequently don't > trim out the stuff when they reply. Result, a *lot* of extraneous crap. > As more and more people don't trim, the signal to noise ratio quickly > approaches zero. As requested, I've put the whole thing in. I've been > using testparm throughout this project, and I've included its output > too, since it strips comments and stuff that's included by default. > > > Just so you know - a lot of people are using acl's in samba. > > I don't doubt it. How I'd love to join them, and I appreciate > everybody's help. > > > Regards, Doug > > Below, there's also a dump of the level 10 logging from trying to add an > entry to the ACL. This covers adding an element to the ACL, but not the > issue of seeing them, I'm guessing the issues may be related. To cut to > the chase, the fatal looking line appears to be the one 3 timestamps > from the bottom: > > [2007/10/30 14:16:53, 3] > smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2579) > convert_canon_ace_to_posix_perms: Too many ACE entries for file > foo.txt to convert to posix perms. > > This looks suspiciously like it's not actually trying to set the > security as an ACL. If it were, I'd expect that it wouldn't be trying > to squeeze everything into posix perms. > > ~Eric > > > The complete config file: > > bash-3.00# cat /usr/local/samba/lib/smb.conf > # This is the main Samba configuration file. You should read the > # smb.conf(5) manual page in order to understand the options listed > # here. Samba has a huge number of configurable options (perhaps too > # many!) most of which are not shown in this example > # > # Any line which starts with a ; (semi-colon) or a # (hash) > # is a comment and is ignored. In this example we will use a # > # for commentry and a ; for parts of the config file that you > # may wish to enable > # > # NOTE: Whenever you modify this file you should run the command > "testparm" > # to check that you have not made any basic syntactic errors. > # > #=== Global Settings > = > [global] > > # workgroup = NT-Domain-Name or Workgroup-Name >workgroup = W2K3TEST >realm = W2K3TEST.LOCAL >preferred master = no >server string = croesus running samba >security = ADS >encrypt passwords = yes >winbind separator = + >winbind use default domain = no >winbind enum users = no >winbind enum groups = no >idmap uid = 1-2 >idmap gid = 1-2 > > # if you want to automatically load
RE: [Samba] Can't see or change ACLs on Windows
Doug, thanks, here's a complete listing of the config file, and some logging, hopefully this will be illuminating to somebody. > Neither of these lines set the log level. Yes, I've been setting it in the init script. When I do ps -ef | grep smbd, I see that logging is enabled. I straightened out that problem (the one behind the monitor *sheepish grin*), and the logging works as it's supposed to. > Getting windows acl's is a multi step process. Tell me about it ;-) > You need a file system capable of supporting extended acl's. I believe you previously said you were using UFS file system. I haven't used UFS since 1987. Man Mount on linux doesn't suggest extended acl's are supported. Are they? Both Solaris and CentOS support them. Using fsetacl and fgetacl, I can set acls and see them on files in the FS > Once the file system is capable of supporting extended acl's, you need to mount the filesystem with the appropriate options. By default, considering the age of UFS, I would assume extended acl's aren't supported by default, if they are at all. Sun has been updating it, acl support is on by default. In fact, as near as I can tell, you can't turn it off. I'm under the impression that there are many flavors of UFS, not all of which are compatible. > Once the filesystem is mounted with the right options, then samba has to have been compiled with the correct options, which you've verified. It sure looks like it ;-) > After all that, samba has top be configured correctly to support acl's in windows. Samba can be configured to serve files in ms-dos mode, so it's not a given. The smb.conf manpage indicates that nt acl support = yes by default. Making it explicit doesn't seem to change the behavior. > Usually, if someone is asked to show the configuration, put out the entire conf file. There's been a lot of dribs and drabs, but much has been missing. First thing I do is run a copy thru testparm. Most of this thread has been like blind mans bluff. Usually I try to keep it to a minimum, because people frequently don't trim out the stuff when they reply. Result, a *lot* of extraneous crap. As more and more people don't trim, the signal to noise ratio quickly approaches zero. As requested, I've put the whole thing in. I've been using testparm throughout this project, and I've included its output too, since it strips comments and stuff that's included by default. > Just so you know - a lot of people are using acl's in samba. I don't doubt it. How I'd love to join them, and I appreciate everybody's help. > Regards, Doug Below, there's also a dump of the level 10 logging from trying to add an entry to the ACL. This covers adding an element to the ACL, but not the issue of seeing them, I'm guessing the issues may be related. To cut to the chase, the fatal looking line appears to be the one 3 timestamps from the bottom: [2007/10/30 14:16:53, 3] smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2579) convert_canon_ace_to_posix_perms: Too many ACE entries for file foo.txt to convert to posix perms. This looks suspiciously like it's not actually trying to set the security as an ACL. If it were, I'd expect that it wouldn't be trying to squeeze everything into posix perms. ~Eric The complete config file: bash-3.00# cat /usr/local/samba/lib/smb.conf # This is the main Samba configuration file. You should read the # smb.conf(5) manual page in order to understand the options listed # here. Samba has a huge number of configurable options (perhaps too # many!) most of which are not shown in this example # # Any line which starts with a ; (semi-colon) or a # (hash) # is a comment and is ignored. In this example we will use a # # for commentry and a ; for parts of the config file that you # may wish to enable # # NOTE: Whenever you modify this file you should run the command "testparm" # to check that you have not made any basic syntactic errors. # #=== Global Settings = [global] # workgroup = NT-Domain-Name or Workgroup-Name workgroup = W2K3TEST realm = W2K3TEST.LOCAL preferred master = no server string = croesus running samba security = ADS encrypt passwords = yes winbind separator = + winbind use default domain = no winbind enum users = no winbind enum groups = no idmap uid = 1-2 idmap gid = 1-2 # if you want to automatically load your printer list rather # than setting them up individually then you'll need this printcap name = /etc/printcap load printers = yes # this tells Samba to use a separate log file for each machine # that connects log file = /var/log/samba/log.%m # Put a capping on the size of the log files (in Kb). max log size = 5000 # Most people will find that this option gives better performance. # See speed.txt and the manual pages for details socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 # Share Definition
Re: [Samba] Can't see or change ACLs on Windows
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Eric Diven wrote: > -Original Message- > From: Eric Diven > Sent: Tuesday, October 30, 2007 11:29 AM > To: '[EMAIL PROTECTED]' > Subject: RE: [Samba] Can't see or change ACLs on Windows > > On Tue, Oct 30, 2007 at 10:59:41AM -0400, Eric Diven wrote: >> Okay, here's what I've figured out from trying to do what you > suggested: > > Well, so far we haven't seen any debug logs. > > Volker > > So far, neither have I. I'm getting nothing in the logs on either > CentOS or Solaris when I do anything from the windows client. Neither > the mtimes nor the file sizes on the logs that get generated at startup > are changing, and I'm not getting any new logfiles for client machines > that log on: > > "Annoyingly, I'm not getting any logging for clients. Why, I don't > know. > I see start-up messages correctly in the log.smbd file, including those > at log level 10, but not ones from clients. > > Here are the logging-related lines from smbd.conf > > # this tells Samba to use a separate log file for each machine # that > connects >log file = /var/log/samba/log.%m > > # Put a capping on the size of the log files (in Kb). >max log size = 50" > > ^ From yesterday ^ > > If I could trouble you with a really stupid question: Do I need to jack > the logging up on nmbd to 10 as well? I'm working under the assumption > that this is an smbd problem, so that's where I've turned up the > logging. We all know of course what happens when you assume ;-) > Neither of these lines set the log level. Getting windows acl's is a multi step process. You need a file system capable of supporting extended acl's. I believe you previously said you were using UFS file system. I haven't used UFS since 1987. Man Mount on linux doesn't suggest extended acl's are supported. Are they? Once the file system is capable of supporting extended acl's, you need to mount the filesystem with the appropriate options. By default, considering the age of UFS, I would assume extended acl's aren't supported by default, if they are at all. Once the filesystem is mounted with the right options, then samba has to have been compiled with the correct options, which you've verified. After all that, samba has top be configured correctly to support acl's in windows. Samba can be configured to serve files in ms-dos mode, so it's not a given. Usually, if someone is asked to show the configuration, put out the entire conf file. There's been a lot of dribs and drabs, but much has been missing. First thing I do is run a copy thru testparm. Most of this thread has been like blind mans bluff. Just so you know - a lot of people are using acl's in samba. Regards, Doug -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iD8DBQFHJ2iEFqWysr/jOHMRAhuaAKCZ290GjunbtNKkx9azKVDG0BgIzwCg13Mm fFNoMm3bb1wUPfdQvkrM3w4= =QcZo -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Can't see or change ACLs on Windows
i have same compile flags : HAVE_SYS_ACL_H HAVE_POSIX_ACLS i am using SLES10. try to add "debug level =10" to smb.conf anf then search for " NT_STATUS_ACCESS_DENIED" in log.smbd . please post some lines of log before NT_STATUS_ACCESS_DENIED message. On 10/30/07, Eric Diven <[EMAIL PROTECTED]> wrote: > Okay, here's what I've figured out from trying to do what you suggested: > > On CentOS, Administrator appears to be non-magical. If the shared > directory of is owned by root, with permissions 770, Administrator can't > even map the share and gets an access denied error. If I add > DOMAIN+administrator to the admin users list for the share in the > smb.conf file, I can then map the drive AND change ownership on the > files in the directory, even if I don't own them initially. I can't, > however (even once DOMAIN+administrator owns the file) add an entry to > the acl using the windows properties screen. I can't add either a user > or a group to the ACL. I can modify the unix ugw permissions, for > example, removing write access to the group of the file. > > On Solaris, I'm seeing the same thing when I have it configured the same > as CentOS. > > It's like samba, for some reason, doesn't know it's ass from it's elbow > about ACLs on either Solaris or Linux. Both appear to think they know: > > (Solaris) > > bash-3.00# /usr/local/samba/sbin/smbd -b | grep ACL >HAVE_SYS_ACL_H >HAVE_SOLARIS_ACLS >HAVE__ACL >HAVE__FACL > bash-3.00# > > (CentOS) > > [EMAIL PROTECTED] stastest]# /usr/local/samba/sbin/smbd -b | grep ACL >HAVE_SYS_ACL_H >HAVE_POSIX_ACLS > [EMAIL PROTECTED] stastest]# > > As near as I've been able to google up, configuring and compiling with > --with-acl-support is the only thing you need to do to get samba to > support them, apart from having a kernel/fs that support ACLs, which > I've tested on both sides using regular unix tools. > > ~Eric > > -Original Message- > From: Stas [mailto:[EMAIL PROTECTED] > Sent: Tuesday, October 30, 2007 7:03 AM > To: Eric Diven > Cc: samba@lists.samba.org > Subject: Re: [Samba] Can't see or change ACLs on Windows > > user that logged in to windows is DOMAIN/administrators group member ? > seems it have some meaning for samba . try to use the built-in domain > administrator account as a windows login . > i removed all ACL's from test directory and changed owner user and group > to root so getfacl shows : > # file: mnt/loop/1 > # owner: root > # group: root > user::rwx > group::rwx > other::--- > > and no one had access to files . > but i was still able to take ownership and after that set ACL's from > windows box if logged in as user that domain administrators group member > , or administrator itself. > > btw , do you try to set file access permissions or change files owner ? > if you try to change ownership to some domain group you will always get > "access denied" error since samba doesn't support group ownership. > > > > > > > On 10/29/07, Eric Diven <[EMAIL PROTECTED]> wrote: > > > > > > -Original Message- > > From: Stas [mailto:[EMAIL PROTECTED] > > Sent: Monday, October 29, 2007 1:37 PM > > To: Eric Diven > > Subject: Re: [Samba] Can't see or change ACLs on Windows > > > > well , lets's try again .. > > create test directory " /samba/testdir run # chmod 777 -R > > /samba/testdir create share in smb.conf that points to /samba/test > > create some file in new share from windows box. > > open file properties and check permissions and owner ( you should see > > "everyone - full control , CREATOR OWNER - full control , etc , and > > owner of created file should be user that logged in ) now try to set > > permissions , it should work . > > if you want to restrict users - remove "everyone" from ACL list , > > this will just reset "Everyone" permission to "none" , so no one will > > able to modify files until you add specific users or groups to ACL > list . > > looking strange but it worked for me.. > > > > Still no luck. > > > > Our new directory: > > drwxrwxrwx 2 W2K3TEST+bobadmin W2K3TEST+awriters 512 Oct 29 > 13:41 > > stastest > > > > [stastest] > >path = /foo/stastest > >writeable = yes > >inherit owner = yes > >inherit permissions = yes > >inherit acls = yes > >nt acl support = yes > > > > I've tried this with various inherit options on and off (including the
Re: [Samba] Can't see or change ACLs on Windows
Eric, I was experiencing the same problem, this link help me view the ACLs. I still can't change them. http://kbase.redhat.com/faq/FAQ_79_4760.shtm Hans Eric Diven wrote: Whoops, meant to go to the list, sorry. ~Eric -Original Message- From: Eric Diven Sent: Tuesday, October 30, 2007 11:29 AM To: '[EMAIL PROTECTED]' Subject: RE: [Samba] Can't see or change ACLs on Windows On Tue, Oct 30, 2007 at 10:59:41AM -0400, Eric Diven wrote: Okay, here's what I've figured out from trying to do what you suggested: Well, so far we haven't seen any debug logs. Volker So far, neither have I. I'm getting nothing in the logs on either CentOS or Solaris when I do anything from the windows client. Neither the mtimes nor the file sizes on the logs that get generated at startup are changing, and I'm not getting any new logfiles for client machines that log on: "Annoyingly, I'm not getting any logging for clients. Why, I don't know. I see start-up messages correctly in the log.smbd file, including those at log level 10, but not ones from clients. Here are the logging-related lines from smbd.conf # this tells Samba to use a separate log file for each machine # that connects log file = /var/log/samba/log.%m # Put a capping on the size of the log files (in Kb). max log size = 50" ^ From yesterday ^ If I could trouble you with a really stupid question: Do I need to jack the logging up on nmbd to 10 as well? I'm working under the assumption that this is an smbd problem, so that's where I've turned up the logging. We all know of course what happens when you assume ;-) ~Eric -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Can't see or change ACLs on Windows
Whoops, meant to go to the list, sorry. ~Eric -Original Message- From: Eric Diven Sent: Tuesday, October 30, 2007 11:29 AM To: '[EMAIL PROTECTED]' Subject: RE: [Samba] Can't see or change ACLs on Windows On Tue, Oct 30, 2007 at 10:59:41AM -0400, Eric Diven wrote: > Okay, here's what I've figured out from trying to do what you suggested: Well, so far we haven't seen any debug logs. Volker So far, neither have I. I'm getting nothing in the logs on either CentOS or Solaris when I do anything from the windows client. Neither the mtimes nor the file sizes on the logs that get generated at startup are changing, and I'm not getting any new logfiles for client machines that log on: "Annoyingly, I'm not getting any logging for clients. Why, I don't know. I see start-up messages correctly in the log.smbd file, including those at log level 10, but not ones from clients. Here are the logging-related lines from smbd.conf # this tells Samba to use a separate log file for each machine # that connects log file = /var/log/samba/log.%m # Put a capping on the size of the log files (in Kb). max log size = 50" ^ From yesterday ^ If I could trouble you with a really stupid question: Do I need to jack the logging up on nmbd to 10 as well? I'm working under the assumption that this is an smbd problem, so that's where I've turned up the logging. We all know of course what happens when you assume ;-) ~Eric -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Can't see or change ACLs on Windows
On Tue, Oct 30, 2007 at 10:59:41AM -0400, Eric Diven wrote: > Okay, here's what I've figured out from trying to do what you suggested: Well, so far we haven't seen any debug logs. Volker pgps7PLCZnOTc.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Can't see or change ACLs on Windows
Okay, here's what I've figured out from trying to do what you suggested: On CentOS, Administrator appears to be non-magical. If the shared directory of is owned by root, with permissions 770, Administrator can't even map the share and gets an access denied error. If I add DOMAIN+administrator to the admin users list for the share in the smb.conf file, I can then map the drive AND change ownership on the files in the directory, even if I don't own them initially. I can't, however (even once DOMAIN+administrator owns the file) add an entry to the acl using the windows properties screen. I can't add either a user or a group to the ACL. I can modify the unix ugw permissions, for example, removing write access to the group of the file. On Solaris, I'm seeing the same thing when I have it configured the same as CentOS. It's like samba, for some reason, doesn't know it's ass from it's elbow about ACLs on either Solaris or Linux. Both appear to think they know: (Solaris) bash-3.00# /usr/local/samba/sbin/smbd -b | grep ACL HAVE_SYS_ACL_H HAVE_SOLARIS_ACLS HAVE__ACL HAVE__FACL bash-3.00# (CentOS) [EMAIL PROTECTED] stastest]# /usr/local/samba/sbin/smbd -b | grep ACL HAVE_SYS_ACL_H HAVE_POSIX_ACLS [EMAIL PROTECTED] stastest]# As near as I've been able to google up, configuring and compiling with --with-acl-support is the only thing you need to do to get samba to support them, apart from having a kernel/fs that support ACLs, which I've tested on both sides using regular unix tools. ~Eric -Original Message- From: Stas [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 30, 2007 7:03 AM To: Eric Diven Cc: samba@lists.samba.org Subject: Re: [Samba] Can't see or change ACLs on Windows user that logged in to windows is DOMAIN/administrators group member ? seems it have some meaning for samba . try to use the built-in domain administrator account as a windows login . i removed all ACL's from test directory and changed owner user and group to root so getfacl shows : # file: mnt/loop/1 # owner: root # group: root user::rwx group::rwx other::--- and no one had access to files . but i was still able to take ownership and after that set ACL's from windows box if logged in as user that domain administrators group member , or administrator itself. btw , do you try to set file access permissions or change files owner ? if you try to change ownership to some domain group you will always get "access denied" error since samba doesn't support group ownership. On 10/29/07, Eric Diven <[EMAIL PROTECTED]> wrote: > > > -Original Message- > From: Stas [mailto:[EMAIL PROTECTED] > Sent: Monday, October 29, 2007 1:37 PM > To: Eric Diven > Subject: Re: [Samba] Can't see or change ACLs on Windows > > well , lets's try again .. > create test directory " /samba/testdir run # chmod 777 -R > /samba/testdir create share in smb.conf that points to /samba/test > create some file in new share from windows box. > open file properties and check permissions and owner ( you should see > "everyone - full control , CREATOR OWNER - full control , etc , and > owner of created file should be user that logged in ) now try to set > permissions , it should work . > if you want to restrict users - remove "everyone" from ACL list , > this will just reset "Everyone" permission to "none" , so no one will > able to modify files until you add specific users or groups to ACL list . > looking strange but it worked for me.. > > Still no luck. > > Our new directory: > drwxrwxrwx 2 W2K3TEST+bobadmin W2K3TEST+awriters 512 Oct 29 13:41 > stastest > > [stastest] >path = /foo/stastest >writeable = yes >inherit owner = yes >inherit permissions = yes >inherit acls = yes >nt acl support = yes > > I've tried this with various inherit options on and off (including the > dir sticky bit for inheriting group ownership) and still can't get it > to go. I've also tried with varying ownerships on the directory with > no change. Also, when I try to remove Everyone (or for that matter, > the unix group or owner) from the ACL, it pops right back up. > Everyone doesn't have Full Control set either. Nor for that matter > does the group that owns the file. Both Everyone and the group get rw > permissions. > > ~Eric > > ~Eric > > On 10/29/07, Eric Diven <[EMAIL PROTECTED]> wrote: > > > > > > -Original Message- > > From: Stas [mailto:[EMAIL PROTECTED] > > Sent: Friday, October 26, 2007 6:56 PM > > To: Eric Diven > > Cc: samba@lists.samba.org > > Subject: Re: [Samba] Can't see or change ACLs on Windows > &g
Re: [Samba] Can't see or change ACLs on Windows
user that logged in to windows is DOMAIN/administrators group member ? seems it have some meaning for samba . try to use the built-in domain administrator account as a windows login . i removed all ACL's from test directory and changed owner user and group to root so getfacl shows : # file: mnt/loop/1 # owner: root # group: root user::rwx group::rwx other::--- and no one had access to files . but i was still able to take ownership and after that set ACL's from windows box if logged in as user that domain administrators group member , or administrator itself. btw , do you try to set file access permissions or change files owner ? if you try to change ownership to some domain group you will always get "access denied" error since samba doesn't support group ownership. On 10/29/07, Eric Diven <[EMAIL PROTECTED]> wrote: > > > -Original Message- > From: Stas [mailto:[EMAIL PROTECTED] > Sent: Monday, October 29, 2007 1:37 PM > To: Eric Diven > Subject: Re: [Samba] Can't see or change ACLs on Windows > > well , lets's try again .. > create test directory " /samba/testdir > run # chmod 777 -R /samba/testdir > create share in smb.conf that points to /samba/test create some file in > new share from windows box. > open file properties and check permissions and owner ( you should see > "everyone - full control , CREATOR OWNER - full control , etc , and > owner of created file should be user that logged in ) now try to set > permissions , it should work . > if you want to restrict users - remove "everyone" from ACL list , this > will just reset "Everyone" permission to "none" , so no one will able to > modify files until you add specific users or groups to ACL list . > looking strange but it worked for me.. > > Still no luck. > > Our new directory: > drwxrwxrwx 2 W2K3TEST+bobadmin W2K3TEST+awriters 512 Oct 29 13:41 > stastest > > [stastest] >path = /foo/stastest >writeable = yes >inherit owner = yes >inherit permissions = yes >inherit acls = yes >nt acl support = yes > > I've tried this with various inherit options on and off (including the > dir sticky bit for inheriting group ownership) and still can't get it > to go. I've also tried with varying ownerships on the directory with no > change. Also, when I try to remove Everyone (or for that matter, the > unix group or owner) from the ACL, it pops right back up. Everyone > doesn't have Full Control set either. Nor for that matter does the > group that owns the file. Both Everyone and the group get rw > permissions. > > ~Eric > > ~Eric > > On 10/29/07, Eric Diven <[EMAIL PROTECTED]> wrote: > > > > > > -Original Message- > > From: Stas [mailto:[EMAIL PROTECTED] > > Sent: Friday, October 26, 2007 6:56 PM > > To: Eric Diven > > Cc: samba@lists.samba.org > > Subject: Re: [Samba] Can't see or change ACLs on Windows > > > > any errors in samba's log? > > what error exactly you get at windows box when you try to set > > permissions? > > > > Annoyingly, I'm not getting any logging for clients. Why, I don't > know. > > I see start-up messages correctly in the log.smbd file, including > > those at log level 10, but not ones from clients. > > > > Here are the logging-related lines from smbd.conf > > > > # this tells Samba to use a separate log file for each machine # that > > connects > >log file = /var/log/samba/log.%m > > > > # Put a capping on the size of the log files (in Kb). > >max log size = 50 > > > > The exact text of the error I get in Windows is: > > > > "Unable to save permission changes on hjkl.txt. > > > > Access is denied > >[OK]" > > > > As usual, I'm logged in as the owner of the file. > > > > Sigh. > > > > Thanks for your continuing help on this, by the way. This is driving > > me nuts. > > > > ~Eric > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/listinfo/samba > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Can't see or change ACLs on Windows
-Original Message- From: Stas [mailto:[EMAIL PROTECTED] Sent: Monday, October 29, 2007 1:37 PM To: Eric Diven Subject: Re: [Samba] Can't see or change ACLs on Windows well , lets's try again .. create test directory " /samba/testdir run # chmod 777 -R /samba/testdir create share in smb.conf that points to /samba/test create some file in new share from windows box. open file properties and check permissions and owner ( you should see "everyone - full control , CREATOR OWNER - full control , etc , and owner of created file should be user that logged in ) now try to set permissions , it should work . if you want to restrict users - remove "everyone" from ACL list , this will just reset "Everyone" permission to "none" , so no one will able to modify files until you add specific users or groups to ACL list . looking strange but it worked for me.. Still no luck. Our new directory: drwxrwxrwx 2 W2K3TEST+bobadmin W2K3TEST+awriters 512 Oct 29 13:41 stastest [stastest] path = /foo/stastest writeable = yes inherit owner = yes inherit permissions = yes inherit acls = yes nt acl support = yes I've tried this with various inherit options on and off (including the dir sticky bit for inheriting group ownership) and still can't get it to go. I've also tried with varying ownerships on the directory with no change. Also, when I try to remove Everyone (or for that matter, the unix group or owner) from the ACL, it pops right back up. Everyone doesn't have Full Control set either. Nor for that matter does the group that owns the file. Both Everyone and the group get rw permissions. ~Eric ~Eric On 10/29/07, Eric Diven <[EMAIL PROTECTED]> wrote: > > > -Original Message- > From: Stas [mailto:[EMAIL PROTECTED] > Sent: Friday, October 26, 2007 6:56 PM > To: Eric Diven > Cc: samba@lists.samba.org > Subject: Re: [Samba] Can't see or change ACLs on Windows > > any errors in samba's log? > what error exactly you get at windows box when you try to set > permissions? > > Annoyingly, I'm not getting any logging for clients. Why, I don't know. > I see start-up messages correctly in the log.smbd file, including > those at log level 10, but not ones from clients. > > Here are the logging-related lines from smbd.conf > > # this tells Samba to use a separate log file for each machine # that > connects >log file = /var/log/samba/log.%m > > # Put a capping on the size of the log files (in Kb). >max log size = 50 > > The exact text of the error I get in Windows is: > > "Unable to save permission changes on hjkl.txt. > > Access is denied >[OK]" > > As usual, I'm logged in as the owner of the file. > > Sigh. > > Thanks for your continuing help on this, by the way. This is driving > me nuts. > > ~Eric > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Can't see or change ACLs on Windows
-Original Message- From: Stas [mailto:[EMAIL PROTECTED] Sent: Friday, October 26, 2007 6:56 PM To: Eric Diven Cc: samba@lists.samba.org Subject: Re: [Samba] Can't see or change ACLs on Windows any errors in samba's log? what error exactly you get at windows box when you try to set permissions? Annoyingly, I'm not getting any logging for clients. Why, I don't know. I see start-up messages correctly in the log.smbd file, including those at log level 10, but not ones from clients. Here are the logging-related lines from smbd.conf # this tells Samba to use a separate log file for each machine # that connects log file = /var/log/samba/log.%m # Put a capping on the size of the log files (in Kb). max log size = 50 The exact text of the error I get in Windows is: "Unable to save permission changes on hjkl.txt. Access is denied [OK]" As usual, I'm logged in as the owner of the file. Sigh. Thanks for your continuing help on this, by the way. This is driving me nuts. ~Eric -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Can't see or change ACLs on Windows
any errors in samba's log? what error exactly you get at windows box when you try to set permissions? On 10/22/07, Eric Diven <[EMAIL PROTECTED]> wrote: > Here's what I have set up. The ACLs on the directory afiles currently > do pretty much what I need them to do with samba, which is set up > permissions and acls on any files created in the directory by a windows > client. It needs a little fine-tuning, but it's close. > > bash-3.00# ls -l ; getfacl afiles > total 2 > drwxrws---+ 2 W2K3TEST+bobadmin W2K3TEST+awriters 512 Oct 17 17:07 > afiles > > # file: afiles > # owner: W2K3TEST+bobadmin > # group: W2K3TEST+awriters > user::rwx > user:afile:rwx #effective:rwx > group::rwx #effective:rwx > group:afile:rwx #effective:rwx > group:W2K3TEST+areaders:r-x #effective:r-x > group:W2K3TEST+awriters:rwx #effective:rwx > group:W2K3TEST+admins:rwx #effective:rwx > mask:rwx > other:--- > default:user::rwx > default:group::rwx > default:group:W2K3TEST+areaders:r-x > default:group:W2K3TEST+awriters:rwx > default:group:W2K3TEST+admins:rwx > default:mask:rwx > default:other:--- > bash-3.00# > > ~Eric > > -Original Message- > From: Stas [mailto:[EMAIL PROTECTED] > Sent: Friday, October 19, 2007 6:22 PM > To: Eric Diven > Cc: samba@lists.samba.org > Subject: Re: [Samba] Can't see or change ACLs on Windows > > strange ... > please post getfacl output . > > On 10/19/07, Eric Diven <[EMAIL PROTECTED]> wrote: > > Whoops, these were both supposed to go to the list. > > > > If I log on as the owner of the file, I still can't add another entry > > to the ACL. I can change the permissions set on the user, group and > > world permissions, but that's it. I do see that that the owner is > > identified as the user I'm logged in as. > > > > ~Eric > > > > -Original Message- > > From: Stas [mailto:[EMAIL PROTECTED] > > Sent: Friday, October 19, 2007 12:13 AM > > To: Eric Diven > > Cc: samba@lists.samba.org > > Subject: Re: [Samba] Can't see or change ACLs on Windows > > > > make sure that user logged in to windows box is an owner of files . > > as i know , only owner can change permissions . > > try # chown "administrator/DOMAIN" /samba/test.txt , after that try > > to set permissions on this file from windows . > > > > > > On 10/18/07, Eric Diven <[EMAIL PROTECTED]> wrote: > > > None when I open the security tab, but when I try to add an entry to > > > > the ACL, I get: > > > > > > "Unable to save permission changes on directory on 'croesus running > > > samba (ipaddress)' (driveletter:). > > > > > > Access is denied." > > > > > > The smb.conf file is set up to allow admin access to both an AD user > > > > and > > > group: > > > > > > the relevant sections of the smb.conf file: > > > > > > [global] > > > workgroup = W2K3TEST > > > realm = W2K3TEST.LOCAL > > > server string = croesus running samba > > > security = ADS > > > log file = /var/log/samba/log.%m > > > max log size = 50 > > > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 > > > printcap name = /etc/printcap > > > preferred master = No > > > dns proxy = No > > > idmap uid = 1-2 > > > idmap gid = 1-2 > > > winbind separator = + > > > > > > [afiles] > > > path = /foo/afiles > > > admin users = W2K3TEST+bobadmin, @W2K3TEST+admins > > > read only = No > > > > > > I've logged in both as another member of the W2K3TEST+admins group, > > > and as W2K3TEST+bobadmin, and that doesn't seem to have any effect > > > on whether or not it works. I've also tried adding a non-domain > > > user and > > > > > group to the ACL on the Solaris side to see if that would make an > > > entry other that the standard permissions appear on Windows, but to > > > no > > avail. > > > > > > ~Eric > > > > > > -Original Message- > > > From: Stas [mailto:[EMAIL PROTECTED] > > > Sent: Thursday, October 18, 2007 3:39 PM > > > To: [EMAIL PROTECTED] > > > Cc: Eric Diven; samba@lists.samba.org > > > Subject: Re: [Samba] Can't s
RE: [Samba] Can't see or change ACLs on Windows
Here's what I have set up. The ACLs on the directory afiles currently do pretty much what I need them to do with samba, which is set up permissions and acls on any files created in the directory by a windows client. It needs a little fine-tuning, but it's close. bash-3.00# ls -l ; getfacl afiles total 2 drwxrws---+ 2 W2K3TEST+bobadmin W2K3TEST+awriters 512 Oct 17 17:07 afiles # file: afiles # owner: W2K3TEST+bobadmin # group: W2K3TEST+awriters user::rwx user:afile:rwx #effective:rwx group::rwx #effective:rwx group:afile:rwx #effective:rwx group:W2K3TEST+areaders:r-x #effective:r-x group:W2K3TEST+awriters:rwx #effective:rwx group:W2K3TEST+admins:rwx #effective:rwx mask:rwx other:--- default:user::rwx default:group::rwx default:group:W2K3TEST+areaders:r-x default:group:W2K3TEST+awriters:rwx default:group:W2K3TEST+admins:rwx default:mask:rwx default:other:--- bash-3.00# ~Eric -Original Message- From: Stas [mailto:[EMAIL PROTECTED] Sent: Friday, October 19, 2007 6:22 PM To: Eric Diven Cc: samba@lists.samba.org Subject: Re: [Samba] Can't see or change ACLs on Windows strange ... please post getfacl output . On 10/19/07, Eric Diven <[EMAIL PROTECTED]> wrote: > Whoops, these were both supposed to go to the list. > > If I log on as the owner of the file, I still can't add another entry > to the ACL. I can change the permissions set on the user, group and > world permissions, but that's it. I do see that that the owner is > identified as the user I'm logged in as. > > ~Eric > > -Original Message- > From: Stas [mailto:[EMAIL PROTECTED] > Sent: Friday, October 19, 2007 12:13 AM > To: Eric Diven > Cc: samba@lists.samba.org > Subject: Re: [Samba] Can't see or change ACLs on Windows > > make sure that user logged in to windows box is an owner of files . > as i know , only owner can change permissions . > try # chown "administrator/DOMAIN" /samba/test.txt , after that try > to set permissions on this file from windows . > > > On 10/18/07, Eric Diven <[EMAIL PROTECTED]> wrote: > > None when I open the security tab, but when I try to add an entry to > > the ACL, I get: > > > > "Unable to save permission changes on directory on 'croesus running > > samba (ipaddress)' (driveletter:). > > > > Access is denied." > > > > The smb.conf file is set up to allow admin access to both an AD user > > and > > group: > > > > the relevant sections of the smb.conf file: > > > > [global] > > workgroup = W2K3TEST > > realm = W2K3TEST.LOCAL > > server string = croesus running samba > > security = ADS > > log file = /var/log/samba/log.%m > > max log size = 50 > > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 > > printcap name = /etc/printcap > > preferred master = No > > dns proxy = No > > idmap uid = 1-2 > > idmap gid = 1-2 > > winbind separator = + > > > > [afiles] > > path = /foo/afiles > > admin users = W2K3TEST+bobadmin, @W2K3TEST+admins > > read only = No > > > > I've logged in both as another member of the W2K3TEST+admins group, > > and as W2K3TEST+bobadmin, and that doesn't seem to have any effect > > on whether or not it works. I've also tried adding a non-domain > > user and > > > group to the ACL on the Solaris side to see if that would make an > > entry other that the standard permissions appear on Windows, but to > > no > avail. > > > > ~Eric > > > > -Original Message- > > From: Stas [mailto:[EMAIL PROTECTED] > > Sent: Thursday, October 18, 2007 3:39 PM > > To: [EMAIL PROTECTED] > > Cc: Eric Diven; samba@lists.samba.org > > Subject: Re: [Samba] Can't see or change ACLs on Windows > > > > any errors on windows side when you try to set permissions? > > > > On 10/18/07, Volker Lendecke <[EMAIL PROTECTED]> wrote: > > > On Thu, Oct 18, 2007 at 09:11:59AM -0400, Eric Diven wrote: > > > > Here you go: > > > > > > > > bash-3.00# /usr/local/samba/sbin/smbd -b | grep ACL > > > >HAVE_SYS_ACL_H > > > >HAVE_SOLARIS_ACLS > > > >HAVE__ACL > > > >HAVE__FACL > > > > > > > > It looks plausible to me, but I'm assuming you know better than > > > > I what > > > > > > That indeed looks right. No idea then, sorry. Maybe you want to > > > look > > > > in a debug level 10 log of smbd, search for > > > call_nt_transact_query_security_desc, maybe you find something > > > obvious. > > > > > > Volker > > > > > > -- > > > To unsubscribe from this list go to the following URL and read the > > > instructions: https://lists.samba.org/mailman/listinfo/samba > > > > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Can't see or change ACLs on Windows
strange ... please post getfacl output . On 10/19/07, Eric Diven <[EMAIL PROTECTED]> wrote: > Whoops, these were both supposed to go to the list. > > If I log on as the owner of the file, I still can't add another entry to > the ACL. I can change the permissions set on the user, group and world > permissions, but that's it. I do see that that the owner is identified > as the user I'm logged in as. > > ~Eric > > -Original Message- > From: Stas [mailto:[EMAIL PROTECTED] > Sent: Friday, October 19, 2007 12:13 AM > To: Eric Diven > Cc: samba@lists.samba.org > Subject: Re: [Samba] Can't see or change ACLs on Windows > > make sure that user logged in to windows box is an owner of files . > as i know , only owner can change permissions . > try # chown "administrator/DOMAIN" /samba/test.txt , after that try to > set permissions on this file from windows . > > > On 10/18/07, Eric Diven <[EMAIL PROTECTED]> wrote: > > None when I open the security tab, but when I try to add an entry to > > the ACL, I get: > > > > "Unable to save permission changes on directory on 'croesus running > > samba (ipaddress)' (driveletter:). > > > > Access is denied." > > > > The smb.conf file is set up to allow admin access to both an AD user > > and > > group: > > > > the relevant sections of the smb.conf file: > > > > [global] > > workgroup = W2K3TEST > > realm = W2K3TEST.LOCAL > > server string = croesus running samba > > security = ADS > > log file = /var/log/samba/log.%m > > max log size = 50 > > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 > > printcap name = /etc/printcap > > preferred master = No > > dns proxy = No > > idmap uid = 1-2 > > idmap gid = 1-2 > > winbind separator = + > > > > [afiles] > > path = /foo/afiles > > admin users = W2K3TEST+bobadmin, @W2K3TEST+admins > > read only = No > > > > I've logged in both as another member of the W2K3TEST+admins group, > > and as W2K3TEST+bobadmin, and that doesn't seem to have any effect on > > whether or not it works. I've also tried adding a non-domain user and > > > group to the ACL on the Solaris side to see if that would make an > > entry other that the standard permissions appear on Windows, but to no > avail. > > > > ~Eric > > > > -Original Message- > > From: Stas [mailto:[EMAIL PROTECTED] > > Sent: Thursday, October 18, 2007 3:39 PM > > To: [EMAIL PROTECTED] > > Cc: Eric Diven; samba@lists.samba.org > > Subject: Re: [Samba] Can't see or change ACLs on Windows > > > > any errors on windows side when you try to set permissions? > > > > On 10/18/07, Volker Lendecke <[EMAIL PROTECTED]> wrote: > > > On Thu, Oct 18, 2007 at 09:11:59AM -0400, Eric Diven wrote: > > > > Here you go: > > > > > > > > bash-3.00# /usr/local/samba/sbin/smbd -b | grep ACL > > > >HAVE_SYS_ACL_H > > > >HAVE_SOLARIS_ACLS > > > >HAVE__ACL > > > >HAVE__FACL > > > > > > > > It looks plausible to me, but I'm assuming you know better than I > > > > what > > > > > > That indeed looks right. No idea then, sorry. Maybe you want to look > > > > in a debug level 10 log of smbd, search for > > > call_nt_transact_query_security_desc, maybe you find something > > > obvious. > > > > > > Volker > > > > > > -- > > > To unsubscribe from this list go to the following URL and read the > > > instructions: https://lists.samba.org/mailman/listinfo/samba > > > > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Can't see or change ACLs on Windows
Whoops, these were both supposed to go to the list. If I log on as the owner of the file, I still can't add another entry to the ACL. I can change the permissions set on the user, group and world permissions, but that's it. I do see that that the owner is identified as the user I'm logged in as. ~Eric -Original Message- From: Stas [mailto:[EMAIL PROTECTED] Sent: Friday, October 19, 2007 12:13 AM To: Eric Diven Cc: samba@lists.samba.org Subject: Re: [Samba] Can't see or change ACLs on Windows make sure that user logged in to windows box is an owner of files . as i know , only owner can change permissions . try # chown "administrator/DOMAIN" /samba/test.txt , after that try to set permissions on this file from windows . On 10/18/07, Eric Diven <[EMAIL PROTECTED]> wrote: > None when I open the security tab, but when I try to add an entry to > the ACL, I get: > > "Unable to save permission changes on directory on 'croesus running > samba (ipaddress)' (driveletter:). > > Access is denied." > > The smb.conf file is set up to allow admin access to both an AD user > and > group: > > the relevant sections of the smb.conf file: > > [global] > workgroup = W2K3TEST > realm = W2K3TEST.LOCAL > server string = croesus running samba > security = ADS > log file = /var/log/samba/log.%m > max log size = 50 > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 > printcap name = /etc/printcap > preferred master = No > dns proxy = No > idmap uid = 1-2 > idmap gid = 1-2 > winbind separator = + > > [afiles] > path = /foo/afiles > admin users = W2K3TEST+bobadmin, @W2K3TEST+admins > read only = No > > I've logged in both as another member of the W2K3TEST+admins group, > and as W2K3TEST+bobadmin, and that doesn't seem to have any effect on > whether or not it works. I've also tried adding a non-domain user and > group to the ACL on the Solaris side to see if that would make an > entry other that the standard permissions appear on Windows, but to no avail. > > ~Eric > > -----Original Message----- > From: Stas [mailto:[EMAIL PROTECTED] > Sent: Thursday, October 18, 2007 3:39 PM > To: [EMAIL PROTECTED] > Cc: Eric Diven; samba@lists.samba.org > Subject: Re: [Samba] Can't see or change ACLs on Windows > > any errors on windows side when you try to set permissions? > > On 10/18/07, Volker Lendecke <[EMAIL PROTECTED]> wrote: > > On Thu, Oct 18, 2007 at 09:11:59AM -0400, Eric Diven wrote: > > > Here you go: > > > > > > bash-3.00# /usr/local/samba/sbin/smbd -b | grep ACL > > >HAVE_SYS_ACL_H > > >HAVE_SOLARIS_ACLS > > >HAVE__ACL > > >HAVE__FACL > > > > > > It looks plausible to me, but I'm assuming you know better than I > > > what > > > > That indeed looks right. No idea then, sorry. Maybe you want to look > > in a debug level 10 log of smbd, search for > > call_nt_transact_query_security_desc, maybe you find something > > obvious. > > > > Volker > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/listinfo/samba > > > > > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Can't see or change ACLs on Windows
On Thursday 18 October 2007 03:29:59 Eric Diven wrote: > I have samba server joined to a domain that I'm trying to use ads > security and acls on. I can set acls on the Unix file system, and > access from a windows client seems to honor them. I can't view the acls > under the security tab, all I see are the standard Unix permissions > instead. If I try to add an entry to the acl, I get an access denied > error, even if the user is on the list of admin users. Samba version is > 3.0.24, OS is Solars 10. Winbind works smoothly, I can set an entry in > an ACL to a domain user or group using setfacl on the unix side, and I > see it correctly with getfacl. Any ideas please? Hi Eric, Isn't it normal that Windows cannot see Unix ACL? As far as I know, since it cannot see it, it will then just translate the ACL into a more general ones. -- Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org 17:58:23 up 4:52, 2.6.20-16-generic GNU/Linux Let's use OpenOffice. http://www.openoffice.org The real challenge of teaching is getting your students motivated to learn. pgpk3kCLK8PG2.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Can't see or change ACLs on Windows
make sure that user logged in to windows box is an owner of files . as i know , only owner can change permissions . try # chown "administrator/DOMAIN" /samba/test.txt , after that try to set permissions on this file from windows . On 10/18/07, Eric Diven <[EMAIL PROTECTED]> wrote: > None when I open the security tab, but when I try to add an entry to the > ACL, I get: > > "Unable to save permission changes on directory on 'croesus running > samba (ipaddress)' (driveletter:). > > Access is denied." > > The smb.conf file is set up to allow admin access to both an AD user and > group: > > the relevant sections of the smb.conf file: > > [global] > workgroup = W2K3TEST > realm = W2K3TEST.LOCAL > server string = croesus running samba > security = ADS > log file = /var/log/samba/log.%m > max log size = 50 > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 > printcap name = /etc/printcap > preferred master = No > dns proxy = No > idmap uid = 1-2 > idmap gid = 1-2 > winbind separator = + > > [afiles] > path = /foo/afiles > admin users = W2K3TEST+bobadmin, @W2K3TEST+admins > read only = No > > I've logged in both as another member of the W2K3TEST+admins group, and > as W2K3TEST+bobadmin, and that doesn't seem to have any effect on > whether or not it works. I've also tried adding a non-domain user and > group to the ACL on the Solaris side to see if that would make an entry > other that the standard permissions appear on Windows, but to no avail. > > ~Eric > > -Original Message----- > From: Stas [mailto:[EMAIL PROTECTED] > Sent: Thursday, October 18, 2007 3:39 PM > To: [EMAIL PROTECTED] > Cc: Eric Diven; samba@lists.samba.org > Subject: Re: [Samba] Can't see or change ACLs on Windows > > any errors on windows side when you try to set permissions? > > On 10/18/07, Volker Lendecke <[EMAIL PROTECTED]> wrote: > > On Thu, Oct 18, 2007 at 09:11:59AM -0400, Eric Diven wrote: > > > Here you go: > > > > > > bash-3.00# /usr/local/samba/sbin/smbd -b | grep ACL > > >HAVE_SYS_ACL_H > > >HAVE_SOLARIS_ACLS > > >HAVE__ACL > > >HAVE__FACL > > > > > > It looks plausible to me, but I'm assuming you know better than I > > > what > > > > That indeed looks right. No idea then, sorry. Maybe you want to look > > in a debug level 10 log of smbd, search for > > call_nt_transact_query_security_desc, maybe you find something > > obvious. > > > > Volker > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/listinfo/samba > > > > > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Can't see or change ACLs on Windows
any errors on windows side when you try to set permissions? On 10/18/07, Volker Lendecke <[EMAIL PROTECTED]> wrote: > On Thu, Oct 18, 2007 at 09:11:59AM -0400, Eric Diven wrote: > > Here you go: > > > > bash-3.00# /usr/local/samba/sbin/smbd -b | grep ACL > >HAVE_SYS_ACL_H > >HAVE_SOLARIS_ACLS > >HAVE__ACL > >HAVE__FACL > > > > It looks plausible to me, but I'm assuming you know better than I what > > That indeed looks right. No idea then, sorry. Maybe you want > to look in a debug level 10 log of smbd, search for > call_nt_transact_query_security_desc, maybe you find > something obvious. > > Volker > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba > > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Can't see or change ACLs on Windows
On Thu, Oct 18, 2007 at 09:11:59AM -0400, Eric Diven wrote: > Here you go: > > bash-3.00# /usr/local/samba/sbin/smbd -b | grep ACL >HAVE_SYS_ACL_H >HAVE_SOLARIS_ACLS >HAVE__ACL >HAVE__FACL > > It looks plausible to me, but I'm assuming you know better than I what That indeed looks right. No idea then, sorry. Maybe you want to look in a debug level 10 log of smbd, search for call_nt_transact_query_security_desc, maybe you find something obvious. Volker Thanks, I'll take a crack at the logs with the high debug level and see if I can see anything strange happening. I'll agree that everything "looks right", at least as near as I can tell. ~Eric -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Can't see or change ACLs on Windows
On Thu, Oct 18, 2007 at 09:11:59AM -0400, Eric Diven wrote: > Here you go: > > bash-3.00# /usr/local/samba/sbin/smbd -b | grep ACL >HAVE_SYS_ACL_H >HAVE_SOLARIS_ACLS >HAVE__ACL >HAVE__FACL > > It looks plausible to me, but I'm assuming you know better than I what That indeed looks right. No idea then, sorry. Maybe you want to look in a debug level 10 log of smbd, search for call_nt_transact_query_security_desc, maybe you find something obvious. Volker pgpFXilmHSpUl.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Can't see or change ACLs on Windows
Here you go: bash-3.00# /usr/local/samba/sbin/smbd -b | grep ACL HAVE_SYS_ACL_H HAVE_SOLARIS_ACLS HAVE__ACL HAVE__FACL It looks plausible to me, but I'm assuming you know better than I what it should say. Also, I did just check, and that is the binary that the init script is starting. If I've done something stupid again, it isn't that ;-) ~Eric -Original Message- From: Volker Lendecke [mailto:[EMAIL PROTECTED] Sent: Thursday, October 18, 2007 2:10 AM To: Eric Diven Cc: samba@lists.samba.org Subject: Re: [Samba] Can't see or change ACLs on Windows On Wed, Oct 17, 2007 at 06:25:06PM -0400, Eric Diven wrote: > I added nt acl support = yes to the config file and restarted with no > effect. The manpage for smb.conf said yes is the default, so I had > been omitting it, but I suppose it can't hurt. The share is on a UFS > volume on Solaris, I couldn't find a documented acl option, so I tried > doing a remount with it anyway, but mount just issued a warning saying > it was ignoring it. On the Linux box, I remounted with acl, and it > also didn't have any effect. I still can't see or set acls on either from windows. > I can set the acls from the command line in either with setfacl, and > see them with getfacl. What does "smbd -b | grep ACL" say? Volker -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Can't see or change ACLs on Windows
On Wed, Oct 17, 2007 at 06:25:06PM -0400, Eric Diven wrote: > I added nt acl support = yes to the config file and restarted with no > effect. The manpage for smb.conf said yes is the default, so I had been > omitting it, but I suppose it can't hurt. The share is on a UFS volume > on Solaris, I couldn't find a documented acl option, so I tried doing a > remount with it anyway, but mount just issued a warning saying it was > ignoring it. On the Linux box, I remounted with acl, and it also didn't > have any effect. I still can't see or set acls on either from windows. > I can set the acls from the command line in either with setfacl, and see > them with getfacl. What does "smbd -b | grep ACL" say? Volker pgpkmBdcS3pDV.pgp Description: PGP signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Can't see or change ACLs on Windows
I added nt acl support = yes to the config file and restarted with no effect. The manpage for smb.conf said yes is the default, so I had been omitting it, but I suppose it can't hurt. The share is on a UFS volume on Solaris, I couldn't find a documented acl option, so I tried doing a remount with it anyway, but mount just issued a warning saying it was ignoring it. On the Linux box, I remounted with acl, and it also didn't have any effect. I still can't see or set acls on either from windows. I can set the acls from the command line in either with setfacl, and see them with getfacl. ~Eric -Original Message- From: Stas [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 17, 2007 5:05 PM To: Eric Diven Cc: samba@lists.samba.org Subject: Re: [Samba] Can't see or change ACLs on Windows do you have " nt acl support = yes" in smb.conf ? i'm not sure , but seems you have to mount the volume that contains shared files with "-o acl" .. check it out. On 10/17/07, Eric Diven <[EMAIL PROTECTED]> wrote: > I've tested this on CentOS 4.3 and am seeing the same issue. It seems > like it's probably a configuration problem, but I'll be damned if I > can figure it out. > > ~Eric > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On > Behalf Of Eric Diven > Sent: Wednesday, October 17, 2007 4:30 PM > To: samba@lists.samba.org > Subject: [Samba] Can't see or change ACLs on Windows > > I have samba server joined to a domain that I'm trying to use ads > security and acls on. I can set acls on the Unix file system, and > access from a windows client seems to honor them. I can't view the > acls under the security tab, all I see are the standard Unix > permissions instead. If I try to add an entry to the acl, I get an > access denied error, even if the user is on the list of admin users. > Samba version is 3.0.24, OS is Solars 10. Winbind works smoothly, I > can set an entry in an ACL to a domain user or group using setfacl on > the unix side, and I see it correctly with getfacl. Any ideas please? > > ~Eric > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba > man/listinfo/samba > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Can't see or change ACLs on Windows
do you have " nt acl support = yes" in smb.conf ? i'm not sure , but seems you have to mount the volume that contains shared files with "-o acl" .. check it out. On 10/17/07, Eric Diven <[EMAIL PROTECTED]> wrote: > I've tested this on CentOS 4.3 and am seeing the same issue. It seems > like it's probably a configuration problem, but I'll be damned if I can > figure it out. > > ~Eric > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf > Of Eric Diven > Sent: Wednesday, October 17, 2007 4:30 PM > To: samba@lists.samba.org > Subject: [Samba] Can't see or change ACLs on Windows > > I have samba server joined to a domain that I'm trying to use ads > security and acls on. I can set acls on the Unix file system, and > access from a windows client seems to honor them. I can't view the acls > under the security tab, all I see are the standard Unix permissions > instead. If I try to add an entry to the acl, I get an access denied > error, even if the user is on the list of admin users. Samba version is > 3.0.24, OS is Solars 10. Winbind works smoothly, I can set an entry in > an ACL to a domain user or group using setfacl on the unix side, and I > see it correctly with getfacl. Any ideas please? > > ~Eric > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba > man/listinfo/samba > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Can't see or change ACLs on Windows
I've tested this on CentOS 4.3 and am seeing the same issue. It seems like it's probably a configuration problem, but I'll be damned if I can figure it out. ~Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Diven Sent: Wednesday, October 17, 2007 4:30 PM To: samba@lists.samba.org Subject: [Samba] Can't see or change ACLs on Windows I have samba server joined to a domain that I'm trying to use ads security and acls on. I can set acls on the Unix file system, and access from a windows client seems to honor them. I can't view the acls under the security tab, all I see are the standard Unix permissions instead. If I try to add an entry to the acl, I get an access denied error, even if the user is on the list of admin users. Samba version is 3.0.24, OS is Solars 10. Winbind works smoothly, I can set an entry in an ACL to a domain user or group using setfacl on the unix side, and I see it correctly with getfacl. Any ideas please? ~Eric -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba man/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Can't see or change ACLs on Windows
I have samba server joined to a domain that I'm trying to use ads security and acls on. I can set acls on the Unix file system, and access from a windows client seems to honor them. I can't view the acls under the security tab, all I see are the standard Unix permissions instead. If I try to add an entry to the acl, I get an access denied error, even if the user is on the list of admin users. Samba version is 3.0.24, OS is Solars 10. Winbind works smoothly, I can set an entry in an ACL to a domain user or group using setfacl on the unix side, and I see it correctly with getfacl. Any ideas please? ~Eric -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba