Re: [Samba] Another Samba+ACLs thread

2002-11-28 Thread Andrew Furey
> > $ setfacl -m DOMAIN+andrewfu:rwx myfile
> > setfacl: Option -m: Invalid argument near character 1


> I had a similar issue on my Debian box.  It seemed that setfacl didn't
> care for special characters.  I changed the separator character to -
> (dash) instead of + or \ and it worked fine.


It looks like that error (invalid argument) is coming up any time the 
username is not found on the system. This of course includes anything 
added onto it - like DOMAIN+name, DOMAIN-name, etc.

Also, the only mention of a separator that I see in smb.conf is in 
relation to winbind, which I'm not using at present (need real users due 
to ownership of files; I'm using add user script instead). Should I in 
fact be using winbind? If so, how does it fit into the picture?


--
ANDREW FUREY [EMAIL PROTECTED] - Sysadmin/developer for Terminus.
Providing online networks of Australian lawyers (http://www.ilaw.com.au)
and Linux experts (http://www.linuxconsultants.com.au) for instant help!
Disclaimer: http://www.terminus.net.au/disclaimer.html. GCS L+++ P++ t++

--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
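The "Invalid argument near character 1" in the post above is setfacl's name-resolution step failing, not a quoting problem. setfacl runs every `u:`/`g:` qualifier through the system name service (getpwnam/getgrnam) before it touches the file, so `DOMAIN+andrewfu` is rejected whichever separator is used unless NSS on the Samba host can resolve that name (which is what winbind's nss module provides); a numeric uid bypasses the lookup altogether. The following parser is an added illustration of that resolution step, not code from the acl package, Samba, or anyone in this thread. The passwd/group tables, uids and names in it are constructed for the example; on a real host you would consult the `pwd` and `grp` modules instead.

```python
"""setfacl resolves the qualifier of every u:/g: entry through the system
name service before it touches the file.  A name the server's NSS cannot
resolve is rejected whatever separator it uses; only a numeric id bypasses
the lookup.  This parser mimics that step, including the 1-based position
in 'Invalid argument near character N', against constructed tables."""

import re

# Constructed NSS view of the Samba server: local accounts only.  A
# 'DOMAIN+andrewfu' entry appears here only when winbind serves NSS.
PASSWD = {"root": 0, "andrewfu": 1001}
GROUPS = {"root": 0, "lawyers": 1010}

PERMS_RE = re.compile(r"^[rwx-]{0,3}$")


class AclSpecError(ValueError):
    """Same shape as setfacl's diagnostic; `pos` is 1-based like setfacl's."""

    def __init__(self, spec, pos):
        super().__init__(f"Option -m: Invalid argument near character {pos}")
        self.spec, self.pos = spec, pos


def resolve_qualifier(table, qualifier):
    """Numeric ids pass through untouched; names must exist in `table`."""
    if qualifier.isdigit():
        return int(qualifier)
    return table.get(qualifier)          # None: NSS does not know the name


def parse_entry(spec, passwd=PASSWD, groups=GROUPS):
    """Parse one `setfacl -m` entry ('u:andrewfu:rwx', 'g:lawyers:r-x' or the
    short user form 'andrewfu:rwx').  Returns (kind, numeric_id, perms); an
    empty qualifier (u::rwx) is the owner/owning-group entry, id None."""
    parts = spec.split(":")
    if len(parts) == 2:                   # 'qualifier:perms' means a user entry
        tag, qualifier, perms = "u", parts[0], parts[1]
        qualifier_pos = 1
    elif len(parts) == 3:
        tag, qualifier, perms = parts
        qualifier_pos = len(tag) + 2      # character after 'u:' / 'g:'
    else:
        raise AclSpecError(spec, 1)

    if tag in ("u", "user"):
        kind, table = "user", passwd
    elif tag in ("g", "group"):
        kind, table = "group", groups
    else:
        raise AclSpecError(spec, 1)

    if not PERMS_RE.match(perms):
        raise AclSpecError(spec, qualifier_pos + len(qualifier) + 1)

    if qualifier == "":
        return kind, None, perms
    ident = resolve_qualifier(table, qualifier)
    if ident is None:
        # The branch the thread hits: the qualifier is the first component
        # of 'DOMAIN+andrewfu:rwx', hence "near character 1".  Changing the
        # separator to '-' or '\' does not help unless NSS knows that name.
        raise AclSpecError(spec, qualifier_pos)
    return kind, ident, perms


def settable(spec, **tables):
    """True if setfacl would accept `spec` on a host with these tables."""
    try:
        parse_entry(spec, **tables)
        return True
    except AclSpecError:
        return False


if __name__ == "__main__":
    for spec in ("andrewfu:rwx", "u:1001:r-x", "DOMAIN+andrewfu:rwx"):
        print(f"{spec:24} -> {settable(spec)}")
    # Same spec once a winbind-style NSS entry exists (constructed uid):
    with_winbind = {**PASSWD, "DOMAIN+andrewfu": 10001}
    print(parse_entry("DOMAIN+andrewfu:rwx", passwd=with_winbind))
```

The practical check before running setfacl on the server is `getent passwd 'DOMAIN+andrewfu'`: if that returns nothing, setfacl will fail the same way, and the choices are to let winbind serve NSS (then the name form is DOMAIN plus the configured `winbind separator` plus user) or to pass the numeric uid of the mapped local account.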


Re: [Samba] Another Samba+ACLs thread

2002-11-27 Thread Markus Amersdorfer
On Wed, 27 Nov 2002 11:22:19 +0800
Andrew Furey [EMAIL PROTECTED] wrote:

 On further investigation, it appears that I _can_ modify existing
 ACLs, and I can even remove them (users, at least); but I can't add
 users to the ACL, which is what I really need.

Your w2k-client has to join the Windows-Domain.

I only tried this once with the Samba-Server being the domain's PDC and
a w2k-client being directly connected to it.
As long as the client had not joined the domain, I could not add users
which were generally known to the server but only change ACLs of users
which were already attached to the file.

So long,
Max

-- 
The first time any man's freedom is trodden on, we're all damaged.
   Cpt. Picard, The Drumhead, StarTrek TNG

http://homex.subnet.at/~max/



Re: [Samba] Another Samba+ACLs thread

2002-11-27 Thread Andrew Furey
> Your w2k-client has to join the Windows-Domain.
>
> I only tried this once with the Samba-Server being the domain's PDC and
> a w2k-client being directly connected to it.
> As long as the client had not joined the domain, I could not add users
> which were generally known to the server but only change ACLs of users
> which were already attached to the file.


Hmm.

I don't have a third machine to be a W2k client here (the real setup 
will have several hundred, both 2k and NT4, but I'm testing at present). 
Hence I have two machines:

* a W2k server which is acting as PDC
* a Samba server which is authenticating to the PDC but providing file 
services

and I'm reusing the W2k server as a client - ie. trying to access files 
on the Samba server from the W2k box.

As far as I can tell the Samba machine has already joined - password 
authentication doesn't work if it doesn't join.



Re: [Samba] Another Samba+ACLs thread

2002-11-27 Thread Gareth Davies
- Original Message -
From: Andrew Furey [EMAIL PROTECTED]
To: David Pullman [EMAIL PROTECTED]
Cc: Anthony J. Breeds-Taurima [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Wednesday, November 27, 2002 4:08 AM
Subject: Re: [Samba] Another Samba+ACLs thread


 (recipient list getting longer...)


<snip>
 andrewfu = Andrew Furey

 and I set the ACL on a file with

 setfacl -m andrewfu:rwx myfile

 Now, the permission via the ACL does work correctly (W2k user Andrew
 Furey can access the file, others can't), but in the W2k ACL list the
 user is listed as

 andrewfu (SMBSERVERNAME\andrewfu)

<snip>

Shouldn't you be setting setfacl -m DOMAIN+andrewfu:rwx myfile

?


 Shaolin - IT Systems
 WB Ltd.
.: http://www.security-forums.com :.




Re: [Samba] Another Samba+ACLs thread

2002-11-27 Thread David Pullman
On Wed, Nov 27, 2002 at 12:08:12PM +0800 or thereabouts, Andrew Furey wrote:
 (recipient list getting longer...)
 
 
 Via username mapping, yes (we're a member server in a 2k mixed domain, 
 but that side of things seems to be working).
 
 On further investigation, it appears that I _can_ modify existing 
 ACLs, and I can even remove them (users, at least); but I can't add 
 users to the ACL, which is what I really need.
 
 It may be that my post yesterday is about the same issue.  I've noted 
 that according to the log.nmbd that I have the same error.  I can edit 
 the perms on acl entries, or delete an acl entry, but cannot add a user 
 to a list from the w2k side (I can of course use setfacl from the unix 
 clients of the file server or on the server itself).
 
 My tests also were done as the owner of the file.  In fact, our NT 
 domain and NIS passwd have identical user names.  It just can't 
 determine the uid of the user from the machine SID+RID.
 
 Hmm.
 
 I've also noticed that it doesn't seem to be mapping the usernames 
 properly in the ACL listing. I can't add users from W2k, so I have yet 
 to see what that would be listed as, but let's say I have a username map
 
 andrewfu = Andrew Furey
 
 and I set the ACL on a file with
 
 setfacl -m andrewfu:rwx myfile
 
 Now, the permission via the ACL does work correctly (W2k user Andrew 
 Furey can access the file, others can't), but in the W2k ACL list the 
 user is listed as
 
 andrewfu (SMBSERVERNAME\andrewfu)
 
 rather than
 
 Andrew Furey (Andrew [EMAIL PROTECTED])
 
 as it does on the (same) W2k machine.
 
 
 Not sure if this is relevant, but it may be linked...
 
 -- 
 ANDREW FUREY [EMAIL PROTECTED] - Sysadmin/developer for Terminus.
 Providing online networks of Australian lawyers (http://www.ilaw.com.au)
 and Linux experts (http://www.linuxconsultants.com.au) for instant help!
 Disclaimer: http://www.terminus.net.au/disclaimer.html. GCS L+++ P++ t++

A thought that occurs to me when looking at the two ways of displaying the name above 
is that I've heard that a W2K domain will record machine name more like a dns domain 
(with its emphasis on ddns and all that).  So it makes me wonder if you have a W2K PDC.

We're using an NT PDC still with a mix of W2K and NT 4.0 clients (we have a half dozen 
BDCs and about 500 windows clients, and a couple of hundred mixed UNIX platform 
clients).  All of our file servers are samba on solaris.  So we only see something 
like andrewfu (SMBSERVERNAME\andrewfu) on a NT security dialog acl.  On a setfacl on 
the UNIX side it is strictly username, the UNIX systems have no idea about the NT 
domain.  This is of course excepting the samba server itself, which has security = 
domain.  This lets a user map a drive using their NT passwd, which might be different 
than their NIS passwd.

Dave



Re: [Samba] Another Samba+ACLs thread

2002-11-27 Thread Andrew Furey
(offlist replies discontinued due to the increasingly large number of people
involved)



Gareth Davies wrote:
> Shouldn't you be setting setfacl -m DOMAIN+andrewfu:rwx myfile ?

I tried that, but it didn't work:

setfacl: Option -m: Invalid argument near character 1

I also tried escaping/quoting the + in various ways, replacing with \ or
/, etc. No joy.



Tom Hallewell wrote:
> You should be able to find the server in W2K's server manager and
> confirm that it is a trusted member of the Domain. It sounds like
> smbd isn't linking to the acl libs-have you run ldd to see if
> you are linking to libacl.so.1? My recent problem was similar and I
> found that I wasn't compiling against the acl libs.
[snip various deb-src specific instructions]


a) I presume I should be looking in Active Directory Users & Computers 
-> domain -> Computers -> smbserver name?
If so, it's listed as a WinNT 4 workstation or server, as a member of 
Domain Computers (we're in a mixed domain, not native, so that makes 
sense to me).


b) (grepped for brevity)
$ ldd /usr/local/samba/bin/smbd | grep -i acl
libacl.so.1 => /lib/libacl.so.1 (0x40015000)

$ nm /usr/local/samba/bin/smbd | grep -i acl | wc
 88   244 2655


c) The Debian compilation instructions aren't used, since 2.2.7 isn't 
available yet so I'm compiling from the tarball. However I used the 
following configure line:

configure --disable-nls --with-acl-support=yes \
    --with-configdir=/etc/samba --with-logfilebase=/var/log/samba

That way I can have the Debian 2.2.3a-12 (or whatever it is) and the 
2.2.7 compiled ones use the same logfiles and config files.



David Pullman wrote:
 A thought that occurs to me when looking at the two ways of
 displaying the name above is that I've heard that a W2K domain will
 record machine name more like a dns domain (with its emphasis on ddns
 and all that).  So it makes me wonder if you have a W2K PDC.

 We're using an NT PDC still with a mix of W2K and NT 4.0 clients (we
 have a half dozen BDCs and about 500 windows clients, and a couple of
  hundred mixed UNIX platform clients).  All of our file servers are
 samba on solaris.  So we only see something like andrewfu
 (SMBSERVERNAME\andrewfu) on a NT security dialog acl.  On a setfacl
 on the UNIX side it is strictly username, the UNIX systems have no
 idea about the NT domain.  This is of course excepting the samba
 server itself, which has security = domain.  This lets a user map a
 drive using their NT passwd, which might be different than their NIS
 passwd.

The test machine here is a fairly standard / minimal install of W2k 
server, which seems to be working as expected otherwise (although I 
haven't had much experience with W2k, and I don't have any other W2k 
machines around to test).

Your thoughts about the usernames seem to make sense, except, does that 
mean that the Windows ACL dialog will _always_ show the UNIX username? I 
would have thought that the username mapping would apply to that part 
also. Although admittedly, if one UNIX name maps to more than one 
Windows name, there would be problems... although it won't, in my case.

Hopefully the mapping can be worked out in some way... the system will 
have ~500 users, and given that 50% - 75% of them are 
username-map-required style names, it would get mighty annoying mighty 
fast, trying to map them in your head...


(phew!)



Re: [Samba] Another Samba+ACLs thread

2002-11-26 Thread Anthony J. Breeds-Taurima
On Wed, 27 Nov 2002, Andrew Furey wrote:

 Hi all,
 
 I'm having trouble making Samba recognise ACLs properly - a W2k client 
 isn't using them fully.
 
 I have patched the kernel, recompiled Samba, etc. I've gotten it working 
 to the point where the kernel-side of things seems to work fine (with 
 getfacl, etc). Also, the W2k machine (via Samba) can see the ACL 
 settings that are applied to a file.
 
 The problem arises when I try to change them from W2k. It silently fails 
 (from 2k's point of view), but in the log files I see something like 
 unable to map SID [blah] to uid or gid. All my Googling simply 
 suggests that ACLs are not installed at all, which appears to be false...

Is the win2k user the owner (in the unix sense) of the file?

Even though you have ACLs, only the owner or root can actually change them.

Yours Tony

   Jan 22-25 2003   Linux.Conf.AUhttp://linux.conf.au/
  The Australian Linux Technical Conference!




Re: [Samba] Another Samba+ACLs thread

2002-11-26 Thread Andrew Furey
> > The problem arises when I try to change them from W2k. It silently fails 
> > (from 2k's point of view), but in the log files I see something like 
> > unable to map SID [blah] to uid or gid.
>
> Is the win2k user the owner (in the unix sense) of the file?
>
> Even though you have ACLs, only the owner or root can actually change them.


Via username mapping, yes (we're a member server in a 2k mixed domain, 
but that side of things seems to be working).

On further investigation, it appears that I _can_ modify existing ACLs, 
and I can even remove them (users, at least); but I can't add users to 
the ACL, which is what I really need.



Re: [Samba] Another Samba+ACLs thread

2002-11-26 Thread David Pullman
Andrew Furey wrote:


> > > The problem arises when I try to change them from W2k. It silently 
> > > fails (from 2k's point of view), but in the log files I see 
> > > something like unable to map SID [blah] to uid or gid.
> >
> > Is the win2k user the owner (in the unix sense) of the file?
> >
> > Even though you have ACLs, only the owner or root can actually change 
> > them.
>
> Via username mapping, yes (we're a member server in a 2k mixed domain, 
> but that side of things seems to be working).
>
> On further investigation, it appears that I _can_ modify existing 
> ACLs, and I can even remove them (users, at least); but I can't add 
> users to the ACL, which is what I really need.

Andrew,

It may be that my post yesterday is about the same issue.  I've noted 
that according to the log.nmbd that I have the same error.  I can edit 
the perms on acl entries, or delete an acl entry, but cannot add a user 
to a list from the w2k side (I can of course use setfacl from the unix 
clients of the file server or on the server itself).

My tests also were done as the owner of the file.  In fact, our NT 
domain and NIS passwd have identical user names.  It just can't 
determine the uid of the user from the machine SID+RID.

Dave


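Two identity lookups sit behind the symptoms described in this and the earlier posts: smbd turning a uid into a SID when it lists an ACL for the W2K dialog (which is where `andrewfu (SMBSERVERNAME\andrewfu)` comes from), and smbd turning the SID the dialog sends back into a uid when a principal is added (which is where "unable to map SID ... to uid or gid" comes from when the SID belongs to the domain rather than to the server). The model below is an added illustration of those two directions, not Samba source code and not anyone's code from this thread. Its assumptions: the SIDs, RIDs, uids and tables are constructed; the RID rule `uid*2 + 1000` for users and `gid*2 + 1001` for groups is my understanding of Samba 2.2's default `algorithmic rid base` handling for accounts without a stored SID; the log wording is taken from the thread; and the username map contents are built from the `andrewfu = Andrew Furey` line quoted above, with the Windows name quoted because it contains a space.

```python
"""Two identity directions on a Samba 2.2 member server, modelled in
Python as an illustration (not Samba code):

  uid -> SID   when smbd lists an ACL for a W2K client.  Local accounts get
               the server's own SID plus an algorithmic RID, which is why a
               uid set with setfacl shows up as SMBSERVERNAME\\andrewfu.
  SID -> uid   when the W2K ACL editor adds a principal.  A SID issued by
               the domain has no local inverse; without an idmap (winbind)
               the request ends in "unable to map SID ... to uid or gid".

The username map runs only Windows-name -> UNIX-name at session setup,
which is why it never relabels ACL entries in the other direction."""

import shlex

# All identifiers below are constructed for the example.
SERVER_SID = "S-1-5-21-1000-2000-3000"   # Samba's own SID
DOMAIN_SID = "S-1-5-21-4444-5555-6666"   # the W2K domain the server joined
PASSWD = {"root": 0, "andrewfu": 1001}   # NSS as the server sees it, no winbind
ALGORITHMIC_RID_BASE = 1000              # assumed Samba 2.2 default

USERNAME_MAP = """
# file named by 'username map' in smb.conf (constructed contents)
# Windows names with spaces are quoted, as in the smb.conf(5) example.
root = administrator admin
andrewfu = "Andrew Furey"
"""


def parse_username_map(text):
    """'unixname = winname [winname ...]' lines -> {winname: unixname}.
    Comment lines start with '#' or ';'.  The '!' stop marker and '@group'
    forms of the real file are left out of this model."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        unix_name, sep, win_names = line.partition("=")
        if not sep:
            continue
        for win in shlex.split(win_names):
            mapping[win] = unix_name.strip()
    return mapping


def split_sid(sid):
    """'S-1-5-21-a-b-c-RID' -> ('S-1-5-21-a-b-c', RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def uid_to_sid(uid):
    """Local uid -> SERVER_SID-(uid*2 + base), the assumed RID rule."""
    return f"{SERVER_SID}-{uid * 2 + ALGORITHMIC_RID_BASE}"


def gid_to_sid(gid):
    """Groups take the odd RIDs: gid*2 + base + 1."""
    return f"{SERVER_SID}-{gid * 2 + ALGORITHMIC_RID_BASE + 1}"


def sid_to_id(sid, winbind_idmap=None):
    """SID -> ('uid'|'gid', number).
    1. The server's own SID inverts algorithmically.
    2. A foreign SID is answered only by an idmap table such as winbind's.
    Otherwise fail with the wording the thread quotes from the smbd log."""
    domain, rid = split_sid(sid)
    if domain == SERVER_SID and rid >= ALGORITHMIC_RID_BASE:
        n = rid - ALGORITHMIC_RID_BASE
        return ("uid", n // 2) if n % 2 == 0 else ("gid", (n - 1) // 2)
    if winbind_idmap and sid in winbind_idmap:
        return winbind_idmap[sid]
    raise LookupError(f"unable to map SID {sid} to uid or gid")


def windows_name_to_unix(windows_name, username_map=USERNAME_MAP, passwd=PASSWD):
    """Session-setup direction: username map first, then getpwnam."""
    unix_name = parse_username_map(username_map).get(windows_name, windows_name)
    if unix_name not in passwd:
        raise LookupError(f"no UNIX account for {windows_name!r}")
    return unix_name, passwd[unix_name]


if __name__ == "__main__":
    print("ACL entry for uid 1001 is shown to W2K as", uid_to_sid(1001))
    domain_user = f"{DOMAIN_SID}-1105"   # what the W2K dialog sends for a domain user
    try:
        sid_to_id(domain_user)
    except LookupError as err:
        print("without winbind:", err)
    print("with winbind idmap:", sid_to_id(domain_user, {domain_user: ("uid", 10001)}))
    print("logon as 'Andrew Furey' maps to", windows_name_to_unix("Andrew Furey"))
```

The check this suggests when the error shows up in the logs is to compare the SID prefix being logged with the server's own SID: a prefix matching the domain means the request can only be satisfied by something that maps domain SIDs to uids (winbind), and no username map entry will change that, because the map is consulted in the name direction at logon and not when a SID arrives in an ACL.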


Re: [Samba] Another Samba+ACLs thread

2002-11-26 Thread Andrew Furey
(recipient list getting longer...)



> > Via username mapping, yes (we're a member server in a 2k mixed domain, 
> > but that side of things seems to be working).
> >
> > On further investigation, it appears that I _can_ modify existing 
> > ACLs, and I can even remove them (users, at least); but I can't add 
> > users to the ACL, which is what I really need.
>
> It may be that my post yesterday is about the same issue.  I've noted 
> that according to the log.nmbd that I have the same error.  I can edit 
> the perms on acl entries, or delete an acl entry, but cannot add a user 
> to a list from the w2k side (I can of course use setfacl from the unix 
> clients of the file server or on the server itself).
>
> My tests also were done as the owner of the file.  In fact, our NT 
> domain and NIS passwd have identical user names.  It just can't 
> determine the uid of the user from the machine SID+RID.

Hmm.

I've also noticed that it doesn't seem to be mapping the usernames 
properly in the ACL listing. I can't add users from W2k, so I have yet 
to see what that would be listed as, but let's say I have a username map

andrewfu = Andrew Furey

and I set the ACL on a file with

setfacl -m andrewfu:rwx myfile

Now, the permission via the ACL does work correctly (W2k user Andrew 
Furey can access the file, others can't), but in the W2k ACL list the 
user is listed as

andrewfu (SMBSERVERNAME\andrewfu)

rather than

Andrew Furey (Andrew [EMAIL PROTECTED])

as it does on the (same) W2k machine.


Not sure if this is relevant, but it may be linked...
