Re: [Samba] getting error with setfacl

2010-11-13 Thread Alan Hodgson
On November 3, 2010, James D. Parra jam...@musicreports.com wrote:
 Hello,
 
 I have joined the Linux server (Suse 11.2) to the Windows domain
 (win2003) and users can log in to the server using their Windows domain
 credentials. I can also view all of the domain groups using 'wbinfo -g',
 however when I try to set the ACLs on a local dir I get the following
 error:
 
 #setfacl -m g:DOMAIN\\groupname:r /tmp/testacl
 setfacl: Option -m: Invalid argument near character 3
 
 The same error occurs if I use a domain user, although I can add a local
 Linux user or group. What am I overlooking?
 

setfacl has no idea about smb group or user names. You probably need to 
setup winbindd/nsswitch to map domain groups and users to local groups and 
users before you can assign acls.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] getting error with setfacl

2010-11-05 Thread Bruce Richardson
On Thu, Nov 04, 2010 at 11:50:03AM -0700, James D. Parra wrote:
 Hello Bruce, 
 
 Still can't get setfacl to get group or user info from the AD (Windows 2003)
 
 I have the following in nsswitch.conf:
 
 passwd: compat ldap
 group:  files ldap

Have you put the correct details into the nss_ldap configuration file?
On RedHat and Centos, this is /etc/ldap.conf (NOT /etc/ldap/ldap.conf),
while on Debian-derived distributions it is /etc/libnss-ldap.conf.  You
will need to set the uri and basedn configuration options.  You will
also either have to enable anonymous LDAP searches on your domain
controllers or (the more secure route) create a user with read-only
access to the relevant parts of your active directory tree and add their
details to the nss_ldap configuration file (binddn and bindpw).

-- 
Bruce

I must admit that the existence of Disneyland (which I know is real)
proves that we are not living in Judea in AD 50. -- Philip K. Dick
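As an added illustration of the nss_ldap settings Bruce lists (uri, base DN, and a read-only bind identity instead of anonymous searches), here is a configuration fragment for the PADL nss_ldap library pointed at an Active Directory domain. It is not from the thread: every host name, DN and OU is a placeholder, and the nss_map_* lines assume the PADL implementation and the RFC 2307 attributes (uidNumber, gidNumber, ...) that AD exposes once Unix attributes are enabled on the accounts and groups.

```conf
# /etc/ldap.conf (RedHat/CentOS) or /etc/libnss-ldap.conf (Debian-derived).
# Added example for PADL nss_ldap; names and DNs are placeholders.
uri ldap://dc1.example.com/ ldap://dc2.example.com/
base dc=example,dc=com
ldap_version 3

# Read-only service account instead of anonymous searches on the DCs.
# The password is stored in clear text, so see the note below on protecting it.
binddn cn=nss-reader,ou=Service Accounts,dc=example,dc=com
bindpw PLACEHOLDER-PASSWORD

# Protect the bind and the query results on the wire.
ssl start_tls
tls_cacertfile /etc/ssl/certs/example-ca.pem

# Limit searches to the containers that hold POSIX-enabled objects.
nss_base_passwd ou=Users,dc=example,dc=com?sub
nss_base_group  ou=Groups,dc=example,dc=com?sub

# AD object classes and naming attributes differ from the RFC 2307 defaults.
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute uniqueMember member

# AD returns at most 1000 entries per page and refers searches to other DCs.
pagesize 1000
referrals off
```

Two points to keep in mind: this file is read by every process that does a name lookup, so it usually has to stay world-readable, which means bindpw is visible to every local user; PADL's alternative is to leave bindpw out, grant the account only read on the listed containers, and give root its own credentials via rootbinddn with the password in /etc/ldap.secret (mode 0600). Either way, a quick check after editing is `getent group` for one domain group: if the line comes back without a numeric third field, the LDAP object has no gidNumber and setfacl will still reject the name.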


Re: [Samba] getting error with setfacl

2010-11-04 Thread James D. Parra
- Original Message -
From: Bruce Richardson itsbr...@workshy.org
To: samba@lists.samba.org
Sent: Wednesday, November 3, 2010 6:31:44 PM GMT -08:00 US/Canada Pacific
Subject: Re: [Samba] getting error with setfacl

On Wed, Nov 03, 2010 at 05:05:28PM -0700, James D. Parra wrote:
 Well it does if you're using winbindd to map DOMAIN\\groupname
 to a group on the box :-).
 ~
 
 Thank you Jeremy. What is the best way to do that?

The key tool is nsswitch.  Winbind may or may not be necessary,
depending on your precise set up.  It's the nsswitch libraries and
configuration file which tell Linux where to fetch user and group
information.

If your domain stores its user list in the tdb files on your PDC, then
your only option is to use winbind (and the nss_winbind library) to
provide user and group information to nsswitch.  However, if you are
using an LDAP directory as the data backend for your domain, you could
use nss_ldap instead, and pull the information straight from LDAP.
That's what I do, for several reasons, of which the best two are:

 1.  It allows me to have a consistent nsswitch configuration across all
servers, whether or not they are running Samba, and have domain users
able to access services consistently.

 2.  It simplifies the Samba configuration on servers which are domain
members.

You have this choice both if your domain controllers are LDAP-backed
Samba ones (as mine are), or Windows Active Directory servers - all you
have to do is make sure your AD servers have the extension to their
schema to support POSIX user/group information.

Given the choice, I would always go for the direct LDAP route, with
users and groups that have intrinsic, permanent UIDs and GIDs; it's less
fragile.  I'll happily create those users and groups via Samba/Winbind
on the PDC (love the whole idmap alloc and ldapsam:editposix
combination), but once they're in the LDAP directory, they're permanent,
and available to anything that speaks LDAP.
~

Thank you Bruce. I am using LDAP on the Samba server joined to an AD domain. 
Could you point me to a URL with instructions on setting up nss_ldap to use the 
groups in the AD?

Many thanks,

James


Re: [Samba] getting error with setfacl

2010-11-04 Thread James D. Parra
The key tool is nsswitch.  Winbind may or may not be necessary,
depending on your precise set up.  It's the nsswitch libraries and
configuration file which tell Linux where to fetch user and group
information.
~
Hello Bruce, 

Still can't get setfacl to get group or user info from the AD (Windows 2003)

I have the following in nsswitch.conf:

passwd: compat ldap
group:  files ldap

hosts:  files mdns4_minimal [NOTFOUND=return] dns
networks:   files dns

services:   files ldap
protocols:  files
rpc:files
ethers: files
netmasks:   files
netgroup:   files ldap
publickey:  files

bootparams: files
automount:  files nis
aliases:files ldap
passwd_compat:  ldap
snip

And the Linux box is joined to the domain:

# net ads testjoin
Join is OK
snip

I can get details from 'wbinfo'
fmt-mwr:~ # wbinfo -g
DOMAIN+pg_out_test
snip

Somewhere is the magic to get setfacl to see the AD groups and users.

Many thanks,

James


Re: [Samba] getting error with setfacl

2010-11-04 Thread James D. Parra

Still can't get setfacl to get group or user info from the AD (Windows 2003)

snip

Somewhere is the magic to get setfacl to see the AD groups and users.


Found the problem and the solution.  On the Windows AD the Unix attributes for 
the groups were not enabled and once enabled setfacl worked.

Many thanks,

James


Re: [Samba] getting error with setfacl

2010-11-03 Thread Miguel Medalha



I have joined the Linux server (Suse 11.2) to the Windows domain (win2003) and 
users can log in to the server using their Windows domain credentials. I can also 
view all of the domain groups using 'wbinfo -g', however when I try to set the 
ACLs on a local dir I get the following error:

#setfacl -m g:DOMAIN\\groupname:r /tmp/testacl
setfacl: Option -m: Invalid argument near character 3


The setfacl tool knows nothing about Windows domains, hence the error you 
see.
You can also use the user or group number as given by getent passwd 
and getent group. In this case, setfacl does work.


You can also try smbcacls which comes with Samba or set the ACLs from a 
Windows client.


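Pulling together Alan's point that setfacl resolves names through NSS, James's finding that the AD groups needed Unix attributes (a gidNumber) before setfacl worked, and Miguel's suggestion to use the number that getent prints, here is a small POSIX shell helper, added here and not part of the thread, that verifies the lookup before calling setfacl. It assumes the box is already joined and that getent and setfacl are installed; the group names and GIDs in the comments and usage line are constructed. One detail the thread's own wbinfo output shows: the group name NSS knows is whatever winbind's separator produces (DOMAIN+pg_out_test there), so pass exactly what `getent group` prints rather than the DOMAIN\groupname form.

```shell
#!/bin/sh
# Added example (not from the thread): resolve a domain group through NSS
# before handing it to setfacl. setfacl uses the same NSS lookups as getent,
# so when `getent group` cannot return a line with a numeric GID, setfacl
# reports "Invalid argument near character N" for the name. Sample values
# in comments are constructed.

# Extract the numeric GID (third field) from a getent-style group line.
# Fails when the field is empty or not numeric, which is what a group
# without a gidNumber in AD looks like.
gid_from_group_line() {
    line=$1
    gid=$(printf '%s\n' "$line" | cut -d: -f3)
    case $gid in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$gid"
}

# Resolve a group name via NSS and print its GID, with a diagnostic on failure.
resolve_gid() {
    name=$1
    line=$(getent group "$name") || {
        echo "NSS cannot resolve group '$name': check nsswitch.conf and winbind/nss_ldap" >&2
        return 1
    }
    gid_from_group_line "$line" || {
        echo "group '$name' resolves but has no numeric GID (gidNumber missing in AD?)" >&2
        return 1
    }
}

# Build the setfacl entry from the numeric GID, so no name parsing is involved.
acl_spec_for() {
    perms=$1; gid=$2
    printf 'g:%s:%s\n' "$gid" "$perms"
}

# Apply the ACL only after the lookup has succeeded.
grant_group_acl() {
    name=$1; perms=$2; path=$3
    gid=$(resolve_gid "$name") || return 1
    setfacl -m "$(acl_spec_for "$perms" "$gid")" "$path"
}

# Usage: grant_group_acl 'DOMAIN+pg_out_test' r /tmp/testacl
if [ $# -eq 3 ]; then
    grant_group_acl "$@"
fi
```

The two failure messages separate the two causes seen in this thread: a name that NSS cannot resolve at all (nsswitch or winbind/nss_ldap not wired up) and a name that resolves but carries no GID (the Unix attributes case James hit).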


Re: [Samba] getting error with setfacl

2010-11-03 Thread Jeremy Allison
On Wed, Nov 03, 2010 at 11:25:44PM +, Miguel Medalha wrote:
 
 I have joined the Linux server (Suse 11.2) to the Windows domain (win2003) 
 and users can log in to the server using their Windows domain credentials. 
 I can also view all of the domain groups using 'wbinfo -g', however when I try 
 to set the ACLs on a local dir I get the following error:
 
 #setfacl -m g:DOMAIN\\groupname:r /tmp/testacl
 setfacl: Option -m: Invalid argument near character 3
 
 The setfacl tool knows nothing about Windows domains, hence the error
 you see.

Well it does if you're using winbindd to map DOMAIN\\groupname
to a group on the box :-).

Jeremy.


Re: [Samba] getting error with setfacl

2010-11-03 Thread Miguel Medalha



The setfacl tool knows nothing about Windows domains, hence the error
you see.

Well it does if you're using winbindd to map DOMAIN\\groupname
to a group on the box :-).


I never used Samba with AD authentication, so I don't have direct 
experience with that. But immediately *after* I pressed the Send 
button I thought "Well, maybe it does through winbind..."


My bad. Please excuse me, all who read that.


Re: [Samba] getting error with setfacl

2010-11-03 Thread James D. Parra

On Wed, Nov 03, 2010 at 11:25:44PM +, Miguel Medalha wrote:
 
 I have joined the Linux server (Suse 11.2) to the Windows domain (win2003) 
 and users can log in to the server using their Windows domain credentials. 
 I can also view all of the domain groups using 'wbinfo -g', however when I try 
 to set the ACLs on a local dir I get the following error:
 
 #setfacl -m g:DOMAIN\\groupname:r /tmp/testacl
 setfacl: Option -m: Invalid argument near character 3
 
 The setfacl tool knows nothing about Windows domains, hence the error
 you see.

Well it does if you're using winbindd to map DOMAIN\\groupname
to a group on the box :-).
~

Thank you Jeremy. What is the best way to do that?

Many thanks,

James


Re: [Samba] getting error with setfacl

2010-11-03 Thread Miguel Medalha
By the way, does the Samba team have the intention to produce a command 
line tool that can use the acl_xattr module to manipulate ACLs, 
providing them to the OS? That would be very nice! Maybe I'm wrong, but 
I see a big future there.



Re: [Samba] getting error with setfacl

2010-11-03 Thread Jeremy Allison
On Wed, Nov 03, 2010 at 05:05:28PM -0700, James D. Parra wrote:
 
 On Wed, Nov 03, 2010 at 11:25:44PM +, Miguel Medalha wrote:
  
  I have joined the Linux server (Suse 11.2) to the Windows domain (win2003) 
  and users can log in to the server using their Windows domain credentials. 
  I can also view all of the domain groups using 'wbinfo -g', however when I 
  try to set the ACLs on a local dir I get the following error:
  
  #setfacl -m g:DOMAIN\\groupname:r /tmp/testacl
  setfacl: Option -m: Invalid argument near character 3
  
  The setfacl tool knows nothing about Windows domains, hence the error
  you see.
 
 Well it does if you're using winbindd to map DOMAIN\\groupname
 to a group on the box :-).
 ~
 
 Thank you Jeremy. What is the best way to do that?

Check into setting up and running winbindd. Lots of docs
available.

Jeremy.


Re: [Samba] getting error with setfacl

2010-11-03 Thread Jeremy Allison
On Thu, Nov 04, 2010 at 12:05:02AM +, Miguel Medalha wrote:
 By the way, does the Samba team have the intention to produce a
 command line tool that can use the acl_xattr module to manipulate
 ACLs, providing them to the OS? That would be very nice! Maybe I'm
 wrong, but I see a big future there.

Not sure what you mean by "providing them to the OS"? The store
in acl_xattr is a Samba-specific one. If you want the OS to use
them that means kernel changes.

Jeremy.


Re: [Samba] getting error with setfacl

2010-11-03 Thread Miguel Medalha



Not sure what you mean by "providing them to the OS"? The store
in acl_xattr is a Samba-specific one. If you want the OS to use
them that means kernel changes.


Yes. A kernel module maybe, and a utility to manipulate the ACLs on xattr.
I really like your vfs_acl_xattr idea. Often I need to set ACLs on the 
server side for Windows clients, for example when connected to the 
servers via a SSH shell. I have been doing this with the Linux ACLs 
together with getfacl/setfacl. I would like to increasingly use the vfs 
module from now on, but then I can only set the ACLs from Windows, and I 
dislike the idea.



Re: [Samba] getting error with setfacl

2010-11-03 Thread Jeremy Allison
On Thu, Nov 04, 2010 at 12:23:12AM +, Miguel Medalha wrote:
 
 Not sure what you mean by "providing them to the OS"? The store
 in acl_xattr is a Samba-specific one. If you want the OS to use
 them that means kernel changes.
 
 Yes. A kernel module maybe, and a utility to manipulate the ACLs on xattr.
 I really like your vfs_acl_xattr idea. Often I need to set ACLs on
 the server side for Windows clients, for example when connected to
 the servers via a SSH shell. I have been doing this with the Linux
 ACLs together with getfacl/setfacl. I would like to increasingly use
 the vfs module from now on, but then I can only set the ACLs from
 Windows, and I dislike the idea.

This probably won't happen, as kernels deal with uids/gids, not
SIDs. However, on Solaris we have ZFS ACLs, and on Linux there
is code called RichACL in development (which matches NFSv4 ACLs,
which are essentially Windows based). Once we have these in
kernel, Samba mapping will get much better and easier. Does
anyone know if something similar is being created for FreeBSD?

Jeremy.


Re: [Samba] getting error with setfacl

2010-11-03 Thread Miguel Medalha

I just noticed that my question has two aspects to it.

Leaving aside, for now, the kernel connection, it would be very nice to 
have a command line tool to manipulate the ACLs stored by the 
vfs_acl_xattr module, even if it's only for Samba. There must be a way, 
some utility to read and write the information stored on the 
security.NTACL Extended Attribute in a form that humans can understand.


Maybe I am not expressing myself in the best of ways...


Re: [Samba] getting error with setfacl

2010-11-03 Thread Jeremy Allison
On Thu, Nov 04, 2010 at 12:37:33AM +, Miguel Medalha wrote:
 I just noticed that my question has two aspects to it.
 
 Leaving aside, for now, the kernel connection, it would be very nice
 to have a command line tool to manipulate the ACLs stored by the
 vfs_acl_xattr module, even if it's only for Samba. There must be a
 way, some utility to read and write the information stored on the
 security.NTACL Extended Attribute in a form that humans can
 understand.

There is the smbcacls tool that already ships with Samba.
It works via smbd, not directly on the xattr's, but I think
that's probably the right way to do it.

Jeremy.


Re: [Samba] getting error with setfacl

2010-11-03 Thread Miguel Medalha
What I meant was: the vfs_acl_xattr is a very good idea. Is there some 
other way to get/set the ACLs it stores other than using the Windows 
graphic interface on a Windows client machine? If not, that's what I 
find uncomfortable with this solution. That's why I asked for a command 
line tool to get/set the ACLs from the *nix server side.



There is the smbcacls tool that already ships with Samba.
It works via smbd, not directly on the xattr's, but I think
that's probably the right way to do it.


Ok, we're on the right track now. Do you mean that smbcacls is 
compatible with the use of the vfs_acl_xattr module? Will the ACLs set 
with that tool be passed to the module and stored in Extended Attributes?


I find smbcacls a very unfriendly utility... I couldn't find a way to 
read the ACLs when using the vfs module. My fault probably, I never 
really tried hard...




Re: [Samba] getting error with setfacl

2010-11-03 Thread Miguel Medalha


Ok, we're on the right track now. Do you mean that smbcacls is 
compatible with the use of the vfs_acl_xattr module? Will the ACLs set 
with that tool be passed to the module and stored in Extended Attributes?


I just made some quick tests and indeed smbcacls does show the ACLs 
stored by the vfs module. I suppose the problem here was the lack of 
documentation. There's always this gap between programmers and end users...


Still, I think that both pdbedit and smbcacls need some attention from 
developers.


Thank you for your answers and your work in general. I applied the ACL 
jumbo patch to Samba 3.5.6 and will be testing the coming days.




Re: [Samba] getting error with setfacl

2010-11-03 Thread Bruce Richardson
On Wed, Nov 03, 2010 at 05:05:28PM -0700, James D. Parra wrote:
 Well it does if you're using winbindd to map DOMAIN\\groupname
 to a group on the box :-).
 ~
 
 Thank you Jeremy. What is the best way to do that?

The key tool is nsswitch.  Winbind may or may not be necessary,
depending on your precise set up.  It's the nsswitch libraries and
configuration file which tell Linux where to fetch user and group
information.

If your domain stores its user list in the tdb files on your PDC, then
your only option is to use winbind (and the nss_winbind library) to
provide user and group information to nsswitch.  However, if you are
using an LDAP directory as the data backend for your domain, you could
use nss_ldap instead, and pull the information straight from LDAP.
That's what I do, for several reasons, of which the best two are:

 1.  It allows me to have a consistent nsswitch configuration across all
servers, whether or not they are running Samba, and have domain users
able to access services consistently.

 2.  It simplifies the Samba configuration on servers which are domain
members.

You have this choice both if your domain controllers are LDAP-backed
Samba ones (as mine are), or Windows Active Directory servers - all you
have to do is make sure your AD servers have the extension to their
schema to support POSIX user/group information.

Given the choice, I would always go for the direct LDAP route, with
users and groups that have intrinsic, permanent UIDs and GIDs; it's less
fragile.  I'll happily create those users and groups via Samba/Winbind
on the PDC (love the whole idmap alloc and ldapsam:editposix
combination), but once they're in the LDAP directory, they're permanent,
and available to anything that speaks LDAP.

-- 
Bruce

I must admit that the existence of Disneyland (which I know is real)
proves that we are not living in Judea in AD 50. -- Philip K. Dick
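To make Bruce's central point concrete (nsswitch, not wbinfo, decides what getent and setfacl can see, whether the source is nss_winbind or nss_ldap), here is an added POSIX shell audit script, not code from the thread or from Samba, that reports which sources serve the passwd and group databases in an nsswitch.conf-style file and flags the case where none of them can return domain accounts. The file path in the usage line and the sample data are constructed; run it against /etc/nsswitch.conf on the member server. Against the file James posted, passwd and group both list ldap, which points the investigation at the LDAP data itself (the missing gidNumber he later found) rather than at nsswitch.

```shell
#!/bin/sh
# Added example (not from the thread or Samba): audit which NSS sources serve
# the passwd and group databases. wbinfo talks to winbindd directly, so it can
# succeed while getent/setfacl, which go through nsswitch, still see no domain
# accounts. File paths and sample data are constructed.

# Print the space-separated source list for one database ("passwd", "group", ...)
# from an nsswitch.conf-style file; print nothing if the database is not configured.
nss_sources() {
    file=$1; db=$2
    sed -n -e 's/#.*//' -e "s/^[[:space:]]*${db}:[[:space:]]*//p" "$file" \
        | head -n 1 | tr -s '[:space:]' ' ' | sed 's/ $//'
}

# Succeed if the database lists a source that can return domain accounts:
# winbind (nss_winbind), ldap (nss_ldap) or sss (sssd, on newer systems).
has_domain_source() {
    for src in $(nss_sources "$1" "$2"); do
        case $src in
            winbind|ldap|sss) return 0 ;;
        esac
    done
    return 1
}

# Report both databases that chown/setfacl name lookups depend on.
# Returns 1 if either of them cannot reach domain accounts.
nss_audit() {
    file=${1:-/etc/nsswitch.conf}
    rc=0
    for db in passwd group; do
        srcs=$(nss_sources "$file" "$db")
        if has_domain_source "$file" "$db"; then
            echo "$db: $srcs (domain-aware)"
        else
            echo "$db: ${srcs:-<not configured>} -> domain accounts are invisible to getent/setfacl"
            rc=1
        fi
    done
    return $rc
}

# Usage: nss_audit /etc/nsswitch.conf
if [ -n "${1-}" ]; then
    nss_audit "$1"
fi
```

The script deliberately checks only passwd and group: those are the databases a name in a setfacl or chown argument is resolved against, so a domain-aware source elsewhere (hosts, services) says nothing about whether ACL entries will work.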