Re: [Samba] ACL changes on Samba NT 4.0 Member Server
Thank you for the advice. I tried the same setup Ubuntu 7.10 and it worked like a charm! Hans Eric Diven wrote: Try samba 3.0.23d. I just built if for Solaris, and it appears to be working beautifully. That's several days of my life I'll never get back. I just did built the "new" version, installed it, copied the libnss_winbind.so to where it lives and restarted samba. No config changes, nothing. ~Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Diven Sent: Monday, November 05, 2007 12:55 PM To: samba@lists.samba.org Subject: RE: [Samba] ACL changes on Samba NT 4.0 Member Server Not neccessarily, console login is controlled by PAM, not winbind. If you haven't set up PAM (and you shouldn't need to for just setting up a file share), you won't be able to log in at the console (or by ssh, etc). I'm still fighting this on my side as well, for what it's worth. If I figure it out, I'll let you know. When I try to add an entry to the ACL, I get the same error, but in the logs I see an error about not being able to set the access rights into the Unix security model. The error I get is "Too many ACE entries for file to convert to posix perms." If you're seeing that too, we might be on to something. I am seeing it consistently across Solaris and CentOS, so I'm guessing this isn't a platform related issue for either of us. Good luck. ~Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hans-Wilhelm Heisinger Sent: Monday, November 05, 2007 11:00 AM To: samba@lists.samba.org Subject: Re: [Samba] ACL changes on Samba NT 4.0 Member Server John, I seemed to have pinpointed the problem down to an authentication issue. wbinfo -a CPDOM+admin%password plaintext password authentication succeeded challenge/reponse password authentication succeeded su CPDOM+admin Password: su: incorrect password Any ideas? John Drescher wrote: On 11/2/07, Hans-Wilhelm Heisinger <[EMAIL PROTECTED]> wrote: I'm not really sure what I'm looking for or which log file the error would present it's self in. Anyways below is a my "shot in the dark" This is the right file but I don't see an error. Hopefully someone else can help. John -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba info/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] ACL changes on Samba NT 4.0 Member Server
Try samba 3.0.23d. I just built if for Solaris, and it appears to be working beautifully. That's several days of my life I'll never get back. I just did built the "new" version, installed it, copied the libnss_winbind.so to where it lives and restarted samba. No config changes, nothing. ~Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Diven Sent: Monday, November 05, 2007 12:55 PM To: samba@lists.samba.org Subject: RE: [Samba] ACL changes on Samba NT 4.0 Member Server Not neccessarily, console login is controlled by PAM, not winbind. If you haven't set up PAM (and you shouldn't need to for just setting up a file share), you won't be able to log in at the console (or by ssh, etc). I'm still fighting this on my side as well, for what it's worth. If I figure it out, I'll let you know. When I try to add an entry to the ACL, I get the same error, but in the logs I see an error about not being able to set the access rights into the Unix security model. The error I get is "Too many ACE entries for file to convert to posix perms." If you're seeing that too, we might be on to something. I am seeing it consistently across Solaris and CentOS, so I'm guessing this isn't a platform related issue for either of us. Good luck. ~Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hans-Wilhelm Heisinger Sent: Monday, November 05, 2007 11:00 AM To: samba@lists.samba.org Subject: Re: [Samba] ACL changes on Samba NT 4.0 Member Server John, I seemed to have pinpointed the problem down to an authentication issue. wbinfo -a CPDOM+admin%password plaintext password authentication succeeded challenge/reponse password authentication succeeded su CPDOM+admin Password: su: incorrect password Any ideas? John Drescher wrote: > On 11/2/07, Hans-Wilhelm Heisinger <[EMAIL PROTECTED]> wrote: > >> I'm not really sure what I'm looking for or which log file the error >> would present it's self in. Anyways below is a my "shot in the dark" >> >> > > This is the right file but I don't see an error. > > Hopefully someone else can help. > > John > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba info/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] ACL changes on Samba NT 4.0 Member Server
Not neccessarily, console login is controlled by PAM, not winbind. If you haven't set up PAM (and you shouldn't need to for just setting up a file share), you won't be able to log in at the console (or by ssh, etc). I'm still fighting this on my side as well, for what it's worth. If I figure it out, I'll let you know. When I try to add an entry to the ACL, I get the same error, but in the logs I see an error about not being able to set the access rights into the Unix security model. The error I get is "Too many ACE entries for file to convert to posix perms." If you're seeing that too, we might be on to something. I am seeing it consistently across Solaris and CentOS, so I'm guessing this isn't a platform related issue for either of us. Good luck. ~Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hans-Wilhelm Heisinger Sent: Monday, November 05, 2007 11:00 AM To: samba@lists.samba.org Subject: Re: [Samba] ACL changes on Samba NT 4.0 Member Server John, I seemed to have pinpointed the problem down to an authentication issue. wbinfo -a CPDOM+admin%password plaintext password authentication succeeded challenge/reponse password authentication succeeded su CPDOM+admin Password: su: incorrect password Any ideas? John Drescher wrote: > On 11/2/07, Hans-Wilhelm Heisinger <[EMAIL PROTECTED]> wrote: > >> I'm not really sure what I'm looking for or which log file the error >> would present it's self in. Anyways below is a my "shot in the dark" >> >> > > This is the right file but I don't see an error. > > Hopefully someone else can help. > > John > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba info/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] ACL changes on Samba NT 4.0 Member Server
John, I seemed to have pinpointed the problem down to an authentication issue. wbinfo -a CPDOM+admin%password plaintext password authentication succeeded challenge/reponse password authentication succeeded su CPDOM+admin Password: su: incorrect password Any ideas? John Drescher wrote: On 11/2/07, Hans-Wilhelm Heisinger <[EMAIL PROTECTED]> wrote: I'm not really sure what I'm looking for or which log file the error would present it's self in. Anyways below is a my "shot in the dark" This is the right file but I don't see an error. Hopefully someone else can help. John -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] ACL changes on Samba NT 4.0 Member Server
John, I seemed to have pinpointed the problem down to an authentication issue. wbinfo -a CPDOM+admin%password plaintext password authentication succeeded challenge/reponse password authentication succeeded su CPDOM+admin Password: su: incorrect password Any ideas? John Drescher wrote: On 11/2/07, Hans-Wilhelm Heisinger <[EMAIL PROTECTED]> wrote: I'm not really sure what I'm looking for or which log file the error would present it's self in. Anyways below is a my "shot in the dark" This is the right file but I don't see an error. Hopefully someone else can help. John -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] ACL changes on Samba NT 4.0 Member Server
On 11/2/07, Hans-Wilhelm Heisinger <[EMAIL PROTECTED]> wrote: > > I'm not really sure what I'm looking for or which log file the error would > present it's self in. Anyways below is a my "shot in the dark" > This is the right file but I don't see an error. Hopefully someone else can help. John -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] ACL changes on Samba NT 4.0 Member Server
I'm not really sure what I'm looking for or which log file the error would present it's self in. Anyways below is a my "shot in the dark" [2007/11/02 06:13:29, 5] rpc_parse/parse_prs.c:prs_ntstatus(763) 0018 status: NT_STATUS_OK [2007/11/02 06:13:29, 10] nsswitch/winbindd_rpc.c:sequence_number(848) domain_sequence_number: for domain CPDOM is 29539 [2007/11/02 06:13:29, 10] nsswitch/winbindd_cache.c:store_cache_seqnum(400) store_cache_seqnum: success [CPDOM][29539 @ 1194002009] [2007/11/02 06:13:29, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(459) refresh_sequence_number: CPDOM seq number is now 29539 [2007/11/02 06:13:29, 10] nsswitch/winbindd_cache.c:centry_expired(501) centry_expired: Key TRUSTDOMS/CPDOM for domain CPDOM is good. [2007/11/02 06:13:29, 10] nsswitch/winbindd_cache.c:wcache_fetch(588) wcache_fetch: returning entry TRUSTDOMS/CPDOM for domain CPDOM [2007/11/02 06:13:29, 10] nsswitch/winbindd_cache.c:trusted_domains(1741) trusted_domains: [Cached] - cached info for domain CPDOM (2 trusts) status: NT_STATUS_OK [2007/11/02 06:13:29, 10] nsswitch/winbindd_cache.c:cache_store_response(1966) Storing response for pid 2464, len 3337 [2007/11/02 06:13:29, 10] nsswitch/winbindd_cache.c:cache_store_response(1980) Storing extra data: len=97 [2007/11/02 06:13:35, 4] nsswitch/winbindd_dual.c:fork_domain_child(809) child daemon request 13 [2007/11/02 06:13:35, 10] nsswitch/winbindd_dual.c:child_process_request(395) process_request: request fn AUTH_CRAP [2007/11/02 06:13:35, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1460) [ 2453]: pam auth crap domain: CPDOM user: ADMIN [2007/11/02 06:13:35, 8] lib/util.c:is_myname(2065) is_myname("CPDOM") returns 0 [2007/11/02 06:13:35, 5] libsmb/credentials.c:creds_step(148) sequence = 0x472b046c [2007/11/02 06:13:35, 5] libsmb/credentials.c:creds_step(150) seed:6A478DD1D50C5B54 [2007/11/02 06:13:35, 5] libsmb/credentials.c:creds_step(155) seed+seq D64BB818D50C5B54 [2007/11/02 06:13:35, 5] libsmb/credentials.c:creds_step(159) CLIENT 39C2447FE6E06DDE [2007/11/02 06:13:35, 5] libsmb/credentials.c:creds_step(164) seed+seq+1 D74BB818D50C5B54 [2007/11/02 06:13:35, 5] libsmb/credentials.c:creds_step(168) SERVER AFDE89BB3E2F0393 [2007/11/02 06:13:35, 5] libsmb/credentials.c:creds_reseed(238) cred_reseed: seed D74BB818D50C5B54 John Drescher wrote: On 11/1/07, Hans-Wilhelm Heisinger <[EMAIL PROTECTED]> wrote: John, Thank you for the reply. Below is the output from mount and ls -al. Yes I can login as CPDOM+admin and create files, but connecting to the share as CPDOM+admin doesn't work. Hans [EMAIL PROTECTED] ~]# mount /dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw) proc on /proc type proc (rw) sysfs on /sys type sysfs (rw) devpts on /dev/pts type devpts (rw,gid=5,mode=620) /dev/hda1 on /boot type ext3 (rw,acl) tmpfs on /dev/shm type tmpfs (rw) none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw) sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw) [EMAIL PROTECTED] ~]# ls -al /files total 5196 drwxrwxrwx 3 root root4096 Nov 1 10:17 . drwxr-xr-x 26 root root4096 Nov 1 05:25 .. -rwxrw-rw- 1 root root 413 Feb 24 2006 AS400.WS -rwxrw-rw- 1 root root 398 Jul 27 14:13 dnsb.txt -rwxrw-rw- 1 root root 3100432 May 22 2006 Dsclient.exe drwxrwxrwx 2 root root4096 Apr 7 2005 Fonts -rwxrw-rw- 1 root root1411 Aug 15 08:09 hans.txt -rwxrw-rw- 1 root root 61440 Sep 14 08:57 IDTag.exe -rwxrw-rw- 1 root root 262727 Apr 21 2003 keyfinder.exe -rwxrw-rw- 1 root root 25088 Mar 22 2007 Label6x4 layout with text.doc -rwxrw-rw- 1 root root 60416 Jun 6 09:41 Label proposal II.xls -rwxrw-rw- 1 root root 90112 May 9 2006 OfficeTime.exe -rwxrw-rw- 1 root root 317 Jul 3 07:51 OutputsLisec.txt -rwxrw-rw- 1 root root 173231 May 4 1999 REPLICA.HLP -rwxrw-rw- 1 root root1101 Apr 25 2005 Salesreport.dtf -rw-rw-rw- 1 root root 481 Nov 1 08:42 smb.conf -rwxrw-rw- 1 root root 69632 Mar 4 2004 system.mdw -rwxrw-rw- 1 root root 491008 May 10 13:20 TSClient.doc -rwxrw-rw- 1 root root 782848 Jun 30 2006 WIP LOCATIONS.xls -rwxrw-rw- 1 root root5632 Aug 4 2004 wmi.dll -rwxrw-rw- 1 root root 16930 May 31 1994 XCOPY.EXE It is possible the problem is that the owner and group of the share are both root. I never do that for any of my working samba shares. The owner can be a user or possibly root but the group is always a group that the users I want to change acls. I see from the docs that dos filemode is supposed to fix that so maybe this is not the case. Can you set a log level of 10 and see if there are any errors caused when you try to change the acls? John -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] ACL changes on Samba NT 4.0 Member Server
On 11/1/07, Hans-Wilhelm Heisinger <[EMAIL PROTECTED]> wrote: > > John, > > Thank you for the reply. Below is the output from mount and ls -al. > Yes I can login as CPDOM+admin and create files, but connecting to the share > as CPDOM+admin doesn't work. > > Hans > > [EMAIL PROTECTED] ~]# mount > /dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw) > proc on /proc type proc (rw) > sysfs on /sys type sysfs (rw) > devpts on /dev/pts type devpts (rw,gid=5,mode=620) > /dev/hda1 on /boot type ext3 (rw,acl) > tmpfs on /dev/shm type tmpfs (rw) > none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw) > sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw) > > [EMAIL PROTECTED] ~]# ls -al /files > total 5196 > drwxrwxrwx 3 root root4096 Nov 1 10:17 . > drwxr-xr-x 26 root root4096 Nov 1 05:25 .. > -rwxrw-rw- 1 root root 413 Feb 24 2006 AS400.WS > -rwxrw-rw- 1 root root 398 Jul 27 14:13 dnsb.txt > -rwxrw-rw- 1 root root 3100432 May 22 2006 Dsclient.exe > drwxrwxrwx 2 root root4096 Apr 7 2005 Fonts > -rwxrw-rw- 1 root root1411 Aug 15 08:09 hans.txt > -rwxrw-rw- 1 root root 61440 Sep 14 08:57 IDTag.exe > -rwxrw-rw- 1 root root 262727 Apr 21 2003 keyfinder.exe > -rwxrw-rw- 1 root root 25088 Mar 22 2007 Label6x4 layout with text.doc > -rwxrw-rw- 1 root root 60416 Jun 6 09:41 Label proposal II.xls > -rwxrw-rw- 1 root root 90112 May 9 2006 OfficeTime.exe > -rwxrw-rw- 1 root root 317 Jul 3 07:51 OutputsLisec.txt > -rwxrw-rw- 1 root root 173231 May 4 1999 REPLICA.HLP > -rwxrw-rw- 1 root root1101 Apr 25 2005 Salesreport.dtf > -rw-rw-rw- 1 root root 481 Nov 1 08:42 smb.conf > -rwxrw-rw- 1 root root 69632 Mar 4 2004 system.mdw > -rwxrw-rw- 1 root root 491008 May 10 13:20 TSClient.doc > -rwxrw-rw- 1 root root 782848 Jun 30 2006 WIP LOCATIONS.xls > -rwxrw-rw- 1 root root5632 Aug 4 2004 wmi.dll > -rwxrw-rw- 1 root root 16930 May 31 1994 XCOPY.EXE > > > > It is possible the problem is that the owner and group of the share are both root. I never do that for any of my working samba shares. The owner can be a user or possibly root but the group is always a group that the users I want to change acls. I see from the docs that dos filemode is supposed to fix that so maybe this is not the case. Can you set a log level of 10 and see if there are any errors caused when you try to change the acls? John -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] ACL changes on Samba NT 4.0 Member Server
John, Thank you for the reply. Below is the output from mount and ls -al. Yes I can login as CPDOM+admin and create files, but connecting to the share as CPDOM+admin doesn't work. Hans [EMAIL PROTECTED] ~]# mount /dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw) proc on /proc type proc (rw) sysfs on /sys type sysfs (rw) devpts on /dev/pts type devpts (rw,gid=5,mode=620) /dev/hda1 on /boot type ext3 (rw,acl) tmpfs on /dev/shm type tmpfs (rw) none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw) sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw) [EMAIL PROTECTED] ~]# ls -al /files total 5196 drwxrwxrwx 3 root root4096 Nov 1 10:17 . drwxr-xr-x 26 root root4096 Nov 1 05:25 .. -rwxrw-rw- 1 root root 413 Feb 24 2006 AS400.WS -rwxrw-rw- 1 root root 398 Jul 27 14:13 dnsb.txt -rwxrw-rw- 1 root root 3100432 May 22 2006 Dsclient.exe drwxrwxrwx 2 root root4096 Apr 7 2005 Fonts -rwxrw-rw- 1 root root1411 Aug 15 08:09 hans.txt -rwxrw-rw- 1 root root 61440 Sep 14 08:57 IDTag.exe -rwxrw-rw- 1 root root 262727 Apr 21 2003 keyfinder.exe -rwxrw-rw- 1 root root 25088 Mar 22 2007 Label6x4 layout with text.doc -rwxrw-rw- 1 root root 60416 Jun 6 09:41 Label proposal II.xls -rwxrw-rw- 1 root root 90112 May 9 2006 OfficeTime.exe -rwxrw-rw- 1 root root 317 Jul 3 07:51 OutputsLisec.txt -rwxrw-rw- 1 root root 173231 May 4 1999 REPLICA.HLP -rwxrw-rw- 1 root root1101 Apr 25 2005 Salesreport.dtf -rw-rw-rw- 1 root root 481 Nov 1 08:42 smb.conf -rwxrw-rw- 1 root root 69632 Mar 4 2004 system.mdw -rwxrw-rw- 1 root root 491008 May 10 13:20 TSClient.doc -rwxrw-rw- 1 root root 782848 Jun 30 2006 WIP LOCATIONS.xls -rwxrw-rw- 1 root root5632 Aug 4 2004 wmi.dll -rwxrw-rw- 1 root root 16930 May 31 1994 XCOPY.EXE John Drescher wrote: On 11/1/07, Hans-Wilhelm Heisinger <[EMAIL PROTECTED]> wrote: I have a Samba 3.0.24-7 on Fedora 6 as a member of an Windows NT 4.0 domain, with a simple share setup with ACLs. The permissions on the share from Windows XP Pro Security tab shows Everyone, and root (Unix Group\root) without any Permissions. When trying to add permissions from XP while logged on as CPDOM+admin the error is display "Unable to save permission changes on "share name" on "server name" Access is denied. Files can be copied to the share but can't be opened. Below is the smb.conf. I believe ACLs would work if I add access. I tried setting the ACLs using setfacl and then the permissions show full control from XP, but I'm still unable to change permissions or open files. [global] winbind separator = + idmap uid = 1-2 idmap gid = 1-2 winbind enum users = yes winbind enum groups = yes winbind use default domain = no security = domain workgroup = CPDOM netbios name = FILE_SRV password server = XSERVER server string = [data] comment = FILES path = /files guest ok = yes create mask = 0777 writeable = yes nt acl support = yes oplocks = no browseable = yes dos filemode = yes admin users = Your smb.conf file looks fine. Can CPDOM+admin log into the unix system and create files? You are mounting your unix filesystem with acls enabled? Also can you post an ls -al on /files -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] ACL changes on Samba NT 4.0 Member Server
On 11/1/07, Hans-Wilhelm Heisinger <[EMAIL PROTECTED]> wrote: > I have a Samba 3.0.24-7 on Fedora 6 as a member of an Windows NT 4.0 > domain, with a simple share setup with ACLs. The permissions on the > share from Windows XP Pro Security tab shows Everyone, and root (Unix > Group\root) without any Permissions. When trying to add permissions > from XP while logged on as CPDOM+admin the error is display "Unable to > save permission changes on "share name" on "server name" Access is > denied. Files can be copied to the share but can't be opened. Below is > the smb.conf. I believe ACLs would work if I add access. I tried > setting the ACLs using setfacl and then the permissions show full > control from XP, but I'm still unable to change permissions or open files. > > [global] > > winbind separator = + > idmap uid = 1-2 > idmap gid = 1-2 > winbind enum users = yes > winbind enum groups = yes > winbind use default domain = no > > security = domain > workgroup = CPDOM > netbios name = FILE_SRV > password server = XSERVER > server string = > > > [data] > comment = FILES > path = /files > guest ok = yes > create mask = 0777 > writeable = yes > nt acl support = yes > oplocks = no > browseable = yes > dos filemode = yes > admin users = > Your smb.conf file looks fine. Can CPDOM+admin log into the unix system and create files? You are mounting your unix filesystem with acls enabled? Also can you post an ls -al on /files -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba