Here's what I have set up. The ACLs on the directory afiles currently do pretty much what I need them to do with Samba, which is to set up permissions and ACLs on any files created in the directory by a Windows client. It needs a little fine-tuning, but it's close.

bash-3.00# ls -l ; getfacl afiles
total 2
drwxrws---+  2 W2K3TEST+bobadmin W2K3TEST+awriters     512 Oct 17 17:07 afiles

# file: afiles
# owner: W2K3TEST+bobadmin
# group: W2K3TEST+awriters
user::rwx
user:afile:rwx                          #effective:rwx
group::rwx                              #effective:rwx
group:afile:rwx                         #effective:rwx
group:W2K3TEST+areaders:r-x             #effective:r-x
group:W2K3TEST+awriters:rwx             #effective:rwx
group:W2K3TEST+admins:rwx               #effective:rwx
mask:rwx
other:---
default:user::rwx
default:group::rwx
default:group:W2K3TEST+areaders:r-x
default:group:W2K3TEST+awriters:rwx
default:group:W2K3TEST+admins:rwx
default:mask:rwx
default:other:---
bash-3.00#

~Eric

-----Original Message-----
From: Stas [mailto:[EMAIL PROTECTED]
Sent: Friday, October 19, 2007 6:22 PM
To: Eric Diven
Cc: samba@lists.samba.org
Subject: Re: [Samba] Can't see or change ACLs on Windows

strange ... please post getfacl output.

On 10/19/07, Eric Diven <[EMAIL PROTECTED]> wrote:
> Whoops, these were both supposed to go to the list.
>
> If I log on as the owner of the file, I still can't add another entry
> to the ACL. I can change the permissions set on the user, group and
> world permissions, but that's it. I do see that the owner is
> identified as the user I'm logged in as.
>
> ~Eric
>
> -----Original Message-----
> From: Stas [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 19, 2007 12:13 AM
> To: Eric Diven
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Can't see or change ACLs on Windows
>
> make sure that user logged in to windows box is an owner of files.
> as i know, only owner can change permissions.
> try # chown "administrator/DOMAIN" /samba/test.txt, after that try
> to set permissions on this file from windows.
>
>
> On 10/18/07, Eric Diven <[EMAIL PROTECTED]> wrote:
> > None when I open the security tab, but when I try to add an entry to
> > the ACL, I get:
> >
> > "Unable to save permission changes on directory on 'croesus running
> > samba (ipaddress)' (driveletter:).
> >
> > Access is denied."
> >
> > The smb.conf file is set up to allow admin access to both an AD user
> > and group:
> >
> > the relevant sections of the smb.conf file:
> >
> > [global]
> >     workgroup = W2K3TEST
> >     realm = W2K3TEST.LOCAL
> >     server string = croesus running samba
> >     security = ADS
> >     log file = /var/log/samba/log.%m
> >     max log size = 50
> >     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >     printcap name = /etc/printcap
> >     preferred master = No
> >     dns proxy = No
> >     idmap uid = 10000-20000
> >     idmap gid = 10000-20000
> >     winbind separator = +
> >
> > [afiles]
> >     path = /foo/afiles
> >     admin users = W2K3TEST+bobadmin, @W2K3TEST+admins
> >     read only = No
> >
> > I've logged in both as another member of the W2K3TEST+admins group,
> > and as W2K3TEST+bobadmin, and that doesn't seem to have any effect
> > on whether or not it works. I've also tried adding a non-domain
> > user and group to the ACL on the Solaris side to see if that would
> > make an entry other than the standard permissions appear on Windows,
> > but to no avail.
> >
> > ~Eric
> >
> > -----Original Message-----
> > From: Stas [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, October 18, 2007 3:39 PM
> > To: [EMAIL PROTECTED]
> > Cc: Eric Diven; samba@lists.samba.org
> > Subject: Re: [Samba] Can't see or change ACLs on Windows
> >
> > any errors on windows side when you try to set permissions?
> >
> > On 10/18/07, Volker Lendecke <[EMAIL PROTECTED]> wrote:
> > > On Thu, Oct 18, 2007 at 09:11:59AM -0400, Eric Diven wrote:
> > > > Here you go:
> > > >
> > > > bash-3.00# /usr/local/samba/sbin/smbd -b | grep ACL
> > > >    HAVE_SYS_ACL_H
> > > >    HAVE_SOLARIS_ACLS
> > > >    HAVE__ACL
> > > >    HAVE__FACL
> > > >
> > > > It looks plausible to me, but I'm assuming you know better than
> > > > I what
> > >
> > > That indeed looks right. No idea then, sorry.
> > > Maybe you want to look in a debug level 10 log of smbd, search for
> > > call_nt_transact_query_security_desc, maybe you find something
> > > obvious.
> > >
> > > Volker
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions: https://lists.samba.org/mailman/listinfo/samba