Re: [Samba] Windows ACL modify ability?
y groups [2006/01/03 16:15:27, 5] smbd/uid.c:change_to_root_user(296) change_to_root_user: now uid=(0,0) gid=(0,0) [2006/01/03 16:15:27, 2] smbd/server.c:exit_server(609) Closing connections [2006/01/03 16:15:27, 3] smbd/connection.c:yield_connection(69) Yielding connection to [2006/01/03 16:15:27, 5] smbd/oplock.c:receive_local_message(107) receive_local_message: doing select with timeout of 1 ms [2006/01/03 16:15:27, 3] smbd/server.c:exit_server(652) Server exit (normal exit) Could someone briefly translate? BTW, i do have the usermap file entry like this: root "MRPARTYKA/Administrator" Do others here have similar entries that equivalate root to the domain administrator account? Here is my smb.conf file: # Global parameters, created by Mike Partyka, Agostoinc, 12302005:1230 [global] unix charset = LOCALE workgroup = mrpartyka realm = MRPARTYKA.DOMAIN server string = SMBv3.0.14a/MS ADS/winbindd security = ads log level = 10 syslog = 0 log file = /var/log/samba/%m max log size = 50 printcap name = CUPS idmap uid = 1-4000 idmap gid = 1-4000 template primary group = "MRPARTYKA/Domain Users" template shell = /bin/bash printing = cups # winbind trusted domains only = Yes winbind separator = / [ftp] comment = All users share path = /ftproot valid users = @"MRPARTYKA/Domain Users" writeable = Yes browseable = Yes nt acl support = Yes inherit acls = Yes map hidden = No map system = No map archive = No store dos attributes = Yes ea support = Yes > > > On 1/3/06, Louis van Belle <[EMAIL PROTECTED]> wrote: > > > > Your welkom, its my bosses time ;-) > > > > Louis > > > > > > >-Oorspronkelijk bericht- > > >Van: Mike Partyka [mailto:[EMAIL PROTECTED] > > >Verzonden: dinsdag 3 januari 2006 16:15 > > >Aan: Louis van Belle > > >CC: samba@lists.samba.org > > >Onderwerp: Re: [Samba] Windows ACL modify ability? > > > > > >Interesting, i was not aware of that, the kernel does have the > > >necessary support in it for POSIX ACL's and Extended > > >attributes, but i was lacking the entry in /etc/fstab i added > > >it and will test it this afternoon and report back. > > > > > >Thanks for taking the time to respond, Louis! > > > > > > > > >On 1/3/06, Louis van Belle <[EMAIL PROTECTED]> wrote: > > > > > > wel, is there in /boot a config- file > > > > > > open it with you favorite editor, > > > search for XATTR or POSIX_CAL > > > > > > if set M its possible you still have to load the modules > > > if set Y its in kernel, then kernel is ok. > > > > > > check you fstab > > > i added for /home only the acl and EA. > > > like this. > > > > > > dev/sda12 /home ext3defaults,acl,user_xattr > > > 0 2 > > > > > > if there is no acl,user_xattr > > > then there is no windows rights management. > > > > > > i set right with the explorer and this is working ok on > > > my samba. ( als 3.0.14a debian) > > > > > > Louis > > > > > > > > > > > > > > > >-Oorspronkelijk bericht- > > > >Van: Mike Partyka [mailto:[EMAIL PROTECTED] > > > >Verzonden: dinsdag 3 januari 2006 15:00 > > > >Aan: Louis van Belle > > > >CC: samba@lists.samba.org > > > >Onderwerp: Re: [Samba] Windows ACL modify ability? > > > > > > > >Your referring to POSIX ACL support in the kernel? I am not > > > >entirely sure how to check for this in the standard > > > >precompliled kernel, and i believe that support not to be > > > >common in most linux distro's so i would guess that, POSIX ACL > > > >support is not enabled. > > > > > > > >My understanding is that POSIX ACL support will get you a > > > >closer approximation to windows ACL's,that is, finer grained > > > >control over the UNIX permissions, but i think standard UNIX > > > >perms should be adequet. > > > > > > > >That was my original question though, "Is POSIX ACL kernel > > > >support necessary to perform ACL
Re: [Samba] Windows ACL modify ability?
Interesting, i was not aware of that, the kernel does have the necessary support in it for POSIX ACL's and Extended attributes, but i was lacking the entry in /etc/fstab i added it and will test it this afternoon and report back. Thanks for taking the time to respond, Louis! On 1/3/06, Louis van Belle <[EMAIL PROTECTED]> wrote: > > wel, is there in /boot a config- file > > open it with you favorite editor, > search for XATTR or POSIX_CAL > > if set M its possible you still have to load the modules > if set Y its in kernel, then kernel is ok. > > check you fstab > i added for /home only the acl and EA. > like this. > > dev/sda12 /home ext3defaults,acl,user_xattr 0 2 > > if there is no acl,user_xattr > then there is no windows rights management. > > i set right with the explorer and this is working ok on > my samba. ( als 3.0.14a debian) > > Louis > > > > > >-Oorspronkelijk bericht- > >Van: Mike Partyka [mailto:[EMAIL PROTECTED] > >Verzonden: dinsdag 3 januari 2006 15:00 > >Aan: Louis van Belle > >CC: samba@lists.samba.org > >Onderwerp: Re: [Samba] Windows ACL modify ability? > > > >Your referring to POSIX ACL support in the kernel? I am not > >entirely sure how to check for this in the standard > >precompliled kernel, and i believe that support not to be > >common in most linux distro's so i would guess that, POSIX ACL > >support is not enabled. > > > >My understanding is that POSIX ACL support will get you a > >closer approximation to windows ACL's,that is, finer grained > >control over the UNIX permissions, but i think standard UNIX > >perms should be adequet. > > > >That was my original question though, "Is POSIX ACL kernel > >support necessary to perform ACL adjustments through a windows > >MMC?". It does not seem to be from the documentation i have > >read but i was not certain which was why i thought i would > >toss the question out to the mailing list. > > > >Thanks again, Louis > > > > > >On 1/3/06, Louis van Belle <[EMAIL PROTECTED]> wrote: > > > > does your kernel support ACL and Extended Attributes. > > > > > > > > > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Windows ACL modify ability?
Thanks Tom! Evidently Fedora Core 4 kernel's DO have POSIX ACL and Extemded attributes support. On 1/3/06, Thomas Bork <[EMAIL PROTECTED]> wrote: > > Mike Partyka wrote: > > > Your referring to POSIX ACL support in the kernel? I am not entirely > sure > > how to check for this in the standard precompliled kernel, and i believe > > that support not to be common in most linux distro's so i would guess > that, > > POSIX ACL support is not enabled. > > for pseudofile in /proc/{ksyms,kallsyms} > do >if [ -e "$pseudofile" ] >then >if grep -q 'posix_acl_' "$pseudofile" >then >echo "posix acl support available :)" >fi >fi > done > > > der tom > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Windows ACL modify ability?
wel, is there in /boot a config- file open it with you favorite editor, search for XATTR or POSIX_CAL if set M its possible you still have to load the modules if set Y its in kernel, then kernel is ok. check you fstab i added for /home only the acl and EA. like this. dev/sda12 /home ext3defaults,acl,user_xattr 0 2 if there is no acl,user_xattr then there is no windows rights management. i set right with the explorer and this is working ok on my samba. ( als 3.0.14a debian) Louis >-Oorspronkelijk bericht- >Van: Mike Partyka [mailto:[EMAIL PROTECTED] >Verzonden: dinsdag 3 januari 2006 15:00 >Aan: Louis van Belle >CC: samba@lists.samba.org >Onderwerp: Re: [Samba] Windows ACL modify ability? > >Your referring to POSIX ACL support in the kernel? I am not >entirely sure how to check for this in the standard >precompliled kernel, and i believe that support not to be >common in most linux distro's so i would guess that, POSIX ACL >support is not enabled. > >My understanding is that POSIX ACL support will get you a >closer approximation to windows ACL's,that is, finer grained >control over the UNIX permissions, but i think standard UNIX >perms should be adequet. > >That was my original question though, "Is POSIX ACL kernel >support necessary to perform ACL adjustments through a windows >MMC?". It does not seem to be from the documentation i have >read but i was not certain which was why i thought i would >toss the question out to the mailing list. > >Thanks again, Louis > > >On 1/3/06, Louis van Belle <[EMAIL PROTECTED]> wrote: > > does your kernel support ACL and Extended Attributes. > > > > > > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Windows ACL modify ability?
Mike Partyka wrote: Your referring to POSIX ACL support in the kernel? I am not entirely sure how to check for this in the standard precompliled kernel, and i believe that support not to be common in most linux distro's so i would guess that, POSIX ACL support is not enabled. for pseudofile in /proc/{ksyms,kallsyms} do if [ -e "$pseudofile" ] then if grep -q 'posix_acl_' "$pseudofile" then echo "posix acl support available :)" fi fi done der tom -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Windows ACL modify ability?
Your referring to POSIX ACL support in the kernel? I am not entirely sure how to check for this in the standard precompliled kernel, and i believe that support not to be common in most linux distro's so i would guess that, POSIX ACL support is not enabled. My understanding is that POSIX ACL support will get you a closer approximation to windows ACL's,that is, finer grained control over the UNIX permissions, but i think standard UNIX perms should be adequet. That was my original question though, "Is POSIX ACL kernel support necessary to perform ACL adjustments through a windows MMC?". It does not seem to be from the documentation i have read but i was not certain which was why i thought i would toss the question out to the mailing list. Thanks again, Louis On 1/3/06, Louis van Belle <[EMAIL PROTECTED]> wrote: > > does your kernel support ACL and Extended Attributes. > > > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Windows ACL modify ability?
Forgot to include some more info that might be helpful. OS: Fedora Core 4 (up-to-date) Kernel 2.6.14-1.1653_FC4smp Samba 3.0.14a-2 Hostname: sand (192.168.0.8) Windows server 2003 Std. (up-to-date) *running on a VMWare workstation, running on a generic AMD 1.8Ghz system Domain: mrpartyka.domain Hostname: server01 (192.168.0.7) *the Active Directory server and Samba server and both using NTP and are within one minute of one another The join seems to be functioning correctly, i get the expected output when performing: net ads info net ads status -UAdministrator getent passwd getent group wbinfo -u wbinfo -g I have not used those parameters other than the "nt acl support". I have tried to keep it as simple as possible, and i did not understand those settings to be necesssary to achieve the ability to modify ACL's from the MMC. (i did set those parameters you mentioned and restarted the server, but i continue to get "changes could not be saved, access is denied") I set the baseline permissions from the linux console, that is the directory is owned by root but i did a chgrp "MRPARTYKA\Domain Users" /ftproot && chmod g+x /ftproot to give any "domain users" to ability to write to the shared directory. I know i can adjust permissions in this manner but a windows admin will be administering going forward, which is why the ability to adjust through the use of an MMC is valuable. Thanks for the response Louis, On 1/3/06, Louis van Belle <[EMAIL PROTECTED]> wrote: > > does your kernel support ACL and Extended Attributes. > > Also you can set the following settings > > inherit acls = (yes/no) > nt acl support = > map hidden = no > map system = no > map achieve = no > store dos attributes = yes > ea support = yes > > u combine above settings for your enviroment. > Als dit you set the privileges for the samba server > or do you set the rights as root > > Louis > > > >-Oorspronkelijk bericht- > >Van: Mike Partyka [mailto:[EMAIL PROTECTED] > >Verzonden: dinsdag 3 januari 2006 13:56 > >Aan: Louis van Belle > >CC: samba@lists.samba.org > >Onderwerp: Re: [Samba] Windows ACL modify ability? > > > >Samba 3.0.14a server which is a domain member server of a 2003 > >Active Directory and Domain Controller. > > > >There are no errors that appear in the windows servers event > >log, and my smb.conf is pretty simple: > > > >[global] > >unix charset = LOCALE > >workgroup = mrpartyka > >realm = MRPARTYKA.DOMAIN > >server string = SMBv3.0.14a/MS ADS/winbindd > >security = ads > >log level = 1 > >syslog = 0 > >log file = /var/log/samba/%m > >max log size = 50 > >printcap name = CUPS > >ldap ssl = No > >idmap uid = 1-4000 > >idmap gid = 1-4000 > >template primary group = "Domain Users" > >template shell = /bin/bash > >nt acl support = Yes > >printing = cups > ># winbind trusted domains only = Yes > >winbind separator = \# > > > >[ftp] > >comment = All users share > >path = /ftproot > >valid users = @"MRPARTYKA\Domain Users" > >writeable = Yes > >browseable = Yes > > > >As i said originally, my goal here is to manage > >permissions's/ACL's from the server 2003 MMC, but any time i > >try to add or remove groups for access on either the Security > >tab or the Permissions tab, i get the message "changes could > >not be saved, access is denied". Also, though the message > >indicates the changes are not saved, if you open the share > >properties window again and go to the same permission you just > >tried to adjust, the group is there, but when you selected the > >group from the AD container, it looked like "MRPARTYA\Domain > >Users" and now it's liked as "SAND\Domain Users". SAND is the > >hostname of the samba server. > > > >Is this expected behavior? Due to winbindd making AD groups > >and users appear as though they are local groups/users of the > >Samba server? Samba logging indicates this: > > > >[2006/01/03 06:43:18, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993) > > api_pipe_bind_req: unknown auth type 9 requested. > >[2006/01/03 06:43:18, 1] smbd/service.c:make_connection_snum(642) > > 192.168.0.7 (192.168.0.7) connect to service ftp initially > >as user MRPARTYKA\administrator (uid=1, gid=1) (pid 3343) > >[2006/01/03 06:43:18, 0] rpc_server/srv_pipe.
RE: [Samba] Windows ACL modify ability?
does your kernel support ACL and Extended Attributes. Also you can set the following settings inherit acls = (yes/no) nt acl support = map hidden = no map system = no map achieve = no store dos attributes = yes ea support = yes u combine above settings for your enviroment. Als dit you set the privileges for the samba server or do you set the rights as root Louis >-Oorspronkelijk bericht- >Van: Mike Partyka [mailto:[EMAIL PROTECTED] >Verzonden: dinsdag 3 januari 2006 13:56 >Aan: Louis van Belle >CC: samba@lists.samba.org >Onderwerp: Re: [Samba] Windows ACL modify ability? > >Samba 3.0.14a server which is a domain member server of a 2003 >Active Directory and Domain Controller. > >There are no errors that appear in the windows servers event >log, and my smb.conf is pretty simple: > >[global] >unix charset = LOCALE >workgroup = mrpartyka >realm = MRPARTYKA.DOMAIN >server string = SMBv3.0.14a/MS ADS/winbindd >security = ads >log level = 1 >syslog = 0 >log file = /var/log/samba/%m >max log size = 50 >printcap name = CUPS >ldap ssl = No >idmap uid = 1-4000 >idmap gid = 1-4000 >template primary group = "Domain Users" >template shell = /bin/bash >nt acl support = Yes >printing = cups ># winbind trusted domains only = Yes >winbind separator = \# > >[ftp] >comment = All users share >path = /ftproot >valid users = @"MRPARTYKA\Domain Users" >writeable = Yes >browseable = Yes > >As i said originally, my goal here is to manage >permissions's/ACL's from the server 2003 MMC, but any time i >try to add or remove groups for access on either the Security >tab or the Permissions tab, i get the message "changes could >not be saved, access is denied". Also, though the message >indicates the changes are not saved, if you open the share >properties window again and go to the same permission you just >tried to adjust, the group is there, but when you selected the >group from the AD container, it looked like "MRPARTYA\Domain >Users" and now it's liked as "SAND\Domain Users". SAND is the >hostname of the samba server. > >Is this expected behavior? Due to winbindd making AD groups >and users appear as though they are local groups/users of the >Samba server? Samba logging indicates this: > >[2006/01/03 06:43:18, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993) > api_pipe_bind_req: unknown auth type 9 requested. >[2006/01/03 06:43:18, 1] smbd/service.c:make_connection_snum(642) > 192.168.0.7 (192.168.0.7) connect to service ftp initially >as user MRPARTYKA\administrator (uid=1, gid=1) (pid 3343) >[2006/01/03 06:43:18, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993) > api_pipe_bind_req: unknown auth type 9 requested. >[2006/01/03 06:43:22, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993) > api_pipe_bind_req: unknown auth type 9 requested. >[2006/01/03 06:43:29, 1] smbd/service.c:close_cnum(830) > 192.168.0.7 (192.168.0.7) closed connection to service ftp > >I have many messages in the Samba archive asking about enties >like this, but i did not see any responses explaining it. > >Any ideas about how i can correct this problem and manage >share permissions from the server MMC? > >TIA, > > > >On 1/3/06, Louis van Belle <[EMAIL PROTECTED] > wrote: > > Hi, > > first which version of samba are you running? > are you running pdc or AD Member ? > > etc etc. > need more input ;-) > > Louis > > > > >-----Oorspronkelijk bericht----- > >Van: samba-bounces+louis= [EMAIL PROTECTED] ><mailto:[EMAIL PROTECTED]> > >[mailto: >[EMAIL PROTECTED] ><mailto:[EMAIL PROTECTED]> ] > >Namens Mike Partyka > >Verzonden: maandag 2 januari 2006 23:50 > >Aan: samba@lists.samba.org <mailto:samba@lists.samba.org> > >Onderwerp: [Samba] Windows ACL modify ability? > > > >I have posted several questions now and have ben unsuccessful > >in getting any > >responses, so i thought i would take a different tack. > > > >I know adjusting permissions on Samba shares, through the > >Microsoft MMC is > >possible when you have POSIX ACL support compiled in your > >kernel. I don't > >think that level of control is necessary for me and short of > >recompilin
Re: [Samba] Windows ACL modify ability?
Samba 3.0.14a server which is a domain member server of a 2003 Active Directory and Domain Controller. There are no errors that appear in the windows servers event log, and my smb.conf is pretty simple: [global] unix charset = LOCALE workgroup = mrpartyka realm = MRPARTYKA.DOMAIN server string = SMBv3.0.14a/MS ADS/winbindd security = ads log level = 1 syslog = 0 log file = /var/log/samba/%m max log size = 50 printcap name = CUPS ldap ssl = No idmap uid = 1-4000 idmap gid = 1-4000 template primary group = "Domain Users" template shell = /bin/bash nt acl support = Yes printing = cups # winbind trusted domains only = Yes winbind separator = \# [ftp] comment = All users share path = /ftproot valid users = @"MRPARTYKA\Domain Users" writeable = Yes browseable = Yes As i said originally, my goal here is to manage permissions's/ACL's from the server 2003 MMC, but any time i try to add or remove groups for access on either the Security tab or the Permissions tab, i get the message "changes could not be saved, access is denied". Also, though the message indicates the changes are not saved, if you open the share properties window again and go to the same permission you just tried to adjust, the group is there, but when you selected the group from the AD container, it looked like "MRPARTYA\Domain Users" and now it's liked as "SAND\Domain Users". SAND is the hostname of the samba server. Is this expected behavior? Due to winbindd making AD groups and users appear as though they are local groups/users of the Samba server? Samba logging indicates this: [2006/01/03 06:43:18, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993) api_pipe_bind_req: unknown auth type 9 requested. [2006/01/03 06:43:18, 1] smbd/service.c:make_connection_snum(642) 192.168.0.7 (192.168.0.7) connect to service ftp initially as user MRPARTYKA\administrator (uid=1, gid=1) (pid 3343) [2006/01/03 06:43:18, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993) api_pipe_bind_req: unknown auth type 9 requested. [2006/01/03 06:43:22, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993) api_pipe_bind_req: unknown auth type 9 requested. [2006/01/03 06:43:29, 1] smbd/service.c:close_cnum(830) 192.168.0.7 (192.168.0.7) closed connection to service ftp I have many messages in the Samba archive asking about enties like this, but i did not see any responses explaining it. Any ideas about how i can correct this problem and manage share permissions from the server MMC? TIA, On 1/3/06, Louis van Belle <[EMAIL PROTECTED]> wrote: > > Hi, > > first which version of samba are you running? > are you running pdc or AD Member ? > > etc etc. > need more input ;-) > > Louis > > > > >-Oorspronkelijk bericht- > >Van: [EMAIL PROTECTED] > >[mailto: [EMAIL PROTECTED] > >Namens Mike Partyka > >Verzonden: maandag 2 januari 2006 23:50 > >Aan: samba@lists.samba.org > >Onderwerp: [Samba] Windows ACL modify ability? > > > >I have posted several questions now and have ben unsuccessful > >in getting any > >responses, so i thought i would take a different tack. > > > >I know adjusting permissions on Samba shares, through the > >Microsoft MMC is > >possible when you have POSIX ACL support compiled in your > >kernel. I don't > >think that level of control is necessary for me and short of > >recompiling the > >kernel for that support i have been unable to adjust > >permissions on Samba > >shares through the MMC, i keep getting "Access is denied". > > > >Could someone just toss out a couple ideas about whether adjustments to > >ACL's ar possible without kernel POSIX ACL support and if so, what some > >causes of the "Access is denied" could be? > > > >TIA, > > > >-MIKE > >-- > >To unsubscribe from this list go to the following URL and read the > >instructions: https://lists.samba.org/mailman/listinfo/samba > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Windows ACL modify ability?
Hi, first which version of samba are you running? are you running pdc or AD Member ? etc etc. need more input ;-) Louis >-Oorspronkelijk bericht- >Van: [EMAIL PROTECTED] >[mailto:[EMAIL PROTECTED] >Namens Mike Partyka >Verzonden: maandag 2 januari 2006 23:50 >Aan: samba@lists.samba.org >Onderwerp: [Samba] Windows ACL modify ability? > >I have posted several questions now and have ben unsuccessful >in getting any >responses, so i thought i would take a different tack. > >I know adjusting permissions on Samba shares, through the >Microsoft MMC is >possible when you have POSIX ACL support compiled in your >kernel. I don't >think that level of control is necessary for me and short of >recompiling the >kernel for that support i have been unable to adjust >permissions on Samba >shares through the MMC, i keep getting "Access is denied". > >Could someone just toss out a couple ideas about whether adjustments to >ACL's ar possible without kernel POSIX ACL support and if so, what some >causes of the "Access is denied" could be? > >TIA, > >-MIKE >-- >To unsubscribe from this list go to the following URL and read the >instructions: https://lists.samba.org/mailman/listinfo/samba > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Windows ACL modify ability?
I have posted several questions now and have ben unsuccessful in getting any responses, so i thought i would take a different tack. I know adjusting permissions on Samba shares, through the Microsoft MMC is possible when you have POSIX ACL support compiled in your kernel. I don't think that level of control is necessary for me and short of recompiling the kernel for that support i have been unable to adjust permissions on Samba shares through the MMC, i keep getting "Access is denied". Could someone just toss out a couple ideas about whether adjustments to ACL's ar possible without kernel POSIX ACL support and if so, what some causes of the "Access is denied" could be? TIA, -MIKE -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba