Forgot to include some more info that might be helpful.

OS: Fedora Core 4 (up-to-date)
Kernel 2.6.14-1.1653_FC4smp
Samba 3.0.14a-2
Hostname: sand (192.168.0.8)

Windows server 2003 Std. (up-to-date)
*running on a VMWare workstation, running on a generic AMD 1.8Ghz system
Domain: mrpartyka.domain
Hostname: server01 (192.168.0.7)

*the Active Directory server and Samba server are both using NTP and are within one minute of one another

The join seems to be functioning correctly, I get the expected output when performing:

net ads info
net ads status -UAdministrator
getent passwd
getent group
wbinfo -u
wbinfo -g

I have not used those parameters other than the "nt acl support". I have tried to keep it as simple as possible, and I did not understand those settings to be necessary to achieve the ability to modify ACL's from the MMC. (I did set those parameters you mentioned and restarted the server, but I continue to get "changes could not be saved, access is denied")

I set the baseline permissions from the Linux console, that is the directory is owned by root but I did a

chgrp "MRPARTYKA\Domain Users" /ftproot && chmod g+x /ftproot

to give any "domain users" the ability to write to the shared directory. I know I can adjust permissions in this manner but a Windows admin will be administering going forward, which is why the ability to adjust through the use of an MMC is valuable.

Thanks for the response Louis,

On 1/3/06, Louis van Belle <[EMAIL PROTECTED]> wrote:
>
> does your kernel support ACL and Extended Attributes.
>
> Also you can set the following settings
>
> inherit acls = (yes/no)
> nt acl support =
> map hidden = no
> map system = no
> map archive = no
> store dos attributes = yes
> ea support = yes
>
> u combine above settings for your environment.
> Also did you set the privileges for the samba server
> or do you set the rights as root
>
> Louis
>
> >-----Original message-----
> >From: Mike Partyka [mailto:[EMAIL PROTECTED]
> >Sent: Tuesday 3 January 2006 13:56
> >To: Louis van Belle
> >CC: samba@lists.samba.org
> >Subject: Re: [Samba] Windows ACL modify ability?
> >
> >Samba 3.0.14a server which is a domain member server of a 2003
> >Active Directory and Domain Controller.
> >
> >There are no errors that appear in the windows servers event
> >log, and my smb.conf is pretty simple:
> >
> >[global]
> >   unix charset = LOCALE
> >   workgroup = mrpartyka
> >   realm = MRPARTYKA.DOMAIN
> >   server string = SMBv3.0.14a/MS ADS/winbindd
> >   security = ads
> >   log level = 1
> >   syslog = 0
> >   log file = /var/log/samba/%m
> >   max log size = 50
> >   printcap name = CUPS
> >   ldap ssl = No
> >   idmap uid = 10000-40000000
> >   idmap gid = 10000-40000000
> >   template primary group = "Domain Users"
> >   template shell = /bin/bash
> >   nt acl support = Yes
> >   printing = cups
> >   # winbind trusted domains only = Yes
> >   winbind separator = \#
> >
> >[ftp]
> >   comment = All users share
> >   path = /ftproot
> >   valid users = @"MRPARTYKA\Domain Users"
> >   writeable = Yes
> >   browseable = Yes
> >
> >As I said originally, my goal here is to manage
> >permissions/ACL's from the server 2003 MMC, but any time I
> >try to add or remove groups for access on either the Security
> >tab or the Permissions tab, I get the message "changes could
> >not be saved, access is denied". Also, though the message
> >indicates the changes are not saved, if you open the share
> >properties window again and go to the same permission you just
> >tried to adjust, the group is there, but when you selected the
> >group from the AD container, it looked like "MRPARTYKA\Domain
> >Users" and now it's liked as "SAND\Domain Users". SAND is the
> >hostname of the samba server.
> >
> >Is this expected behavior? Due to winbindd making AD groups
> >and users appear as though they are local groups/users of the
> >Samba server? Samba logging indicates this:
> >
> >[2006/01/03 06:43:18, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993)
> >  api_pipe_bind_req: unknown auth type 9 requested.
> >[2006/01/03 06:43:18, 1] smbd/service.c:make_connection_snum(642)
> >  192.168.0.7 (192.168.0.7) connect to service ftp initially as user MRPARTYKA\administrator (uid=10000, gid=10000) (pid 3343)
> >[2006/01/03 06:43:18, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993)
> >  api_pipe_bind_req: unknown auth type 9 requested.
> >[2006/01/03 06:43:22, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993)
> >  api_pipe_bind_req: unknown auth type 9 requested.
> >[2006/01/03 06:43:29, 1] smbd/service.c:close_cnum(830)
> >  192.168.0.7 (192.168.0.7) closed connection to service ftp
> >
> >I have many messages in the Samba archive asking about entries
> >like this, but I did not see any responses explaining it.
> >
> >Any ideas about how I can correct this problem and manage
> >share permissions from the server MMC?
> >
> >TIA,
> >
> >On 1/3/06, Louis van Belle <[EMAIL PROTECTED]> wrote:
> >
> >   Hi,
> >
> >   first which version of samba are you running?
> >   are you running pdc or AD Member ?
> >
> >   etc etc.
> >   need more input ;-)
> >
> >   Louis
> >
> > >-----Original message-----
> > >From: samba-bounces+louis=[EMAIL PROTECTED]
> > >[mailto:[EMAIL PROTECTED]]
> > >On behalf of Mike Partyka
> > >Sent: Monday 2 January 2006 23:50
> > >To: samba@lists.samba.org
> > >Subject: [Samba] Windows ACL modify ability?
> > >
> > >I have posted several questions now and have been unsuccessful
> > >in getting any
> > >responses, so I thought I would take a different tack.
> > >
> > >I know adjusting permissions on Samba shares, through the
> > >Microsoft MMC is
> > >possible when you have POSIX ACL support compiled in your
> > >kernel. I don't
> > >think that level of control is necessary for me and short of
> > >recompiling the
> > >kernel for that support I have been unable to adjust
> > >permissions on Samba
> > >shares through the MMC, I keep getting "Access is denied".
> > >
> > >Could someone just toss out a couple ideas about whether adjustments to
> > >ACL's are possible without kernel POSIX ACL support and if so, what some
> > >causes of the "Access is denied" could be?
> > >
> > >TIA,
> > >
> > >-MIKE
> > >--
> > >To unsubscribe from this list go to the following URL and read the
> > >instructions: https://lists.samba.org/mailman/listinfo/samba
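
Added example (not part of the original messages and not Samba code): a small Python parser for the two-line smbd log records quoted in the thread, which decodes the number in "unknown auth type N requested" using the DCE/RPC authentication service numbers. The function names are made up for this illustration; the sample lines are the ones from the thread.

```python
import re
from collections import Counter

# DCE/RPC authentication service numbers carried in a bind request's auth_type.
RPC_AUTH_TYPES = {9: "GSS_NEGOTIATE (SPNEGO)", 10: "WINNT (NTLMSSP)",
                  16: "GSS_KERBEROS", 68: "NETLOGON (schannel)"}

# Record header: "[date time, level] source_file:function(line)"
HEADER = re.compile(
    r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *(\d+)\] (\S+):(\w+)\((\d+)\)$")
AUTH = re.compile(r"unknown auth type (\d+) requested")

def parse_records(text):
    """Group a Samba 3 log into records: a header line plus its indented message lines."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            records.append({"time": m.group(1), "level": int(m.group(2)),
                            "source": m.group(3), "func": m.group(4),
                            "line": int(m.group(5)), "msg": ""})
        elif records and line.strip():
            rec = records[-1]  # continuation of the most recent header
            rec["msg"] = (rec["msg"] + " " + line.strip()).strip()
    return records

def rejected_auth_types(records):
    """Count bind requests rejected for an unsupported auth type, by decoded name."""
    counts = Counter()
    for rec in records:
        m = AUTH.search(rec["msg"])
        if m:
            n = int(m.group(1))
            counts[(n, RPC_AUTH_TYPES.get(n, "unrecognised"))] += 1
    return counts

# Log lines as quoted in the thread.
SAMPLE = """\
[2006/01/03 06:43:18, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993)
  api_pipe_bind_req: unknown auth type 9 requested.
[2006/01/03 06:43:18, 1] smbd/service.c:make_connection_snum(642)
  192.168.0.7 (192.168.0.7) connect to service ftp initially
  as user MRPARTYKA\\administrator (uid=10000, gid=10000) (pid 3343)
[2006/01/03 06:43:22, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993)
  api_pipe_bind_req: unknown auth type 9 requested.
"""

if __name__ == "__main__":
    for (num, name), n in rejected_auth_types(parse_records(SAMPLE)).items():
        print(f"auth type {num} = {name}: {n} rejected bind(s)")
```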