Discussion:
[Samba] Samba43 ACL's issues
Juan Garcia
2016-06-21 11:46:46 UTC
Hi there,

I'm having trouble with permissions and ACL's running samba43.

I want to be able to set permissions on a folder to a specific user.

I'm having a similar issue reported here
https://lists.samba.org/archive/samba/2010-July/156965.html

However my error message is slightly different:

When I set the permission on a specific user by creating a new folder
inside the share, right click -> properties -> security tab I get:

An error occurred while applying security information to:

\\servername\test

The parameter is incorrect


I have tried changing the permissions manually with "chmod a+rwx /test/"

But this does not look like a permissions problem; this looks more like
samba or some setting in smb4.conf itself.


this is my smb4.conf file:

# Global parameters
[global]
interfaces = 192.168.1.100
bind interfaces only = yes
workgroup = CW1
realm = DOMAIN.NAME.COM.AU
netbios name = SERVER1
server role = active directory domain controller
dns forwarder = 192.168.1.1
printing = bsd
server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
restrict anonymous = 1
map acl inherit = no
store dos attributes = yes
unix extensions = no
ea support = no
idmap_ldb:use rfc2307 = yes
browseable= yes
writable = yes
read only= no
create mask = 770
force create mode = 770
directory mask = 770
force directory mode = 770
kerberos method = system keytab
client ldap sasl wrapping = sign
allow dns updates = nonsecure and secure

[test]
path = /var/fileshare/test
valid users = @DOMAIN.NAME.COM.AU\staff
guest ok = yes
read only = no

Not sure what I am missing, I appreciate your help.

Regards,
--
Juan Garcia
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Mueller
2016-06-21 12:22:50 UTC
What about this in your global section
create mask = 770
force create mode = 770
directory mask = 770
force directory mode = 770

Greetings
Daniel


EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
Email: ***@tropenklinik.de
www.tropenklinik.de
www.bauen-sie-mit.tropenklinik.de




Juan Garcia
2016-06-23 01:18:42 UTC
Post by Mueller
What about this in your global section
create mask = 770
force create mode = 770
directory mask = 770
force directory mode = 770
Greetings
Daniel
Hi Daniel, Thanks for your response. Those settings are already in my
smb4.conf

# Global parameters
[global]
interfaces = 192.168.1.100
bind interfaces only = yes
workgroup = CW1
realm = DOMAIN.NAME.COM.AU
netbios name = SERVER1
server role = active directory domain controller
dns forwarder = 192.168.1.1
printing = bsd
server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
restrict anonymous = 1
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = no
unix extensions = no
inherit acls = yes
inherit permissions = yes
ea support = no
idmap_ldb:use rfc2307 = yes
browseable= yes
writable = yes
read only= no
create mask = 770
force create mode = 770
directory mask = 770
force directory mode = 770

The problem is not about accessing folders; we want to be able to assign
to a specific folder different permissions inside the same file share.

Let's say I have this set up:

Share:
Public/

Subfolder:
Public/folder1

Required Permissions:
DM\user.one -> full access
DM\user.two -> readonly

So in Windows with an administrator account I right click on the folder
to assign these permissions on the Security tab; right after I hit
"apply" I get:
An error occurred while applying security information to:
Public/folder1
The parameter is incorrect


Any ideas?
Data Control Systems - Mike Elkevizth
2016-06-23 02:28:27 UTC
DCs seem to do odd things, that member servers don't, when it comes to file
serving. That's why the Samba team recommends to not do file serving on a
DC.

https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Introduction

I've found that on a DC, the create mask, force create mode, directory
mask, and force directory mode will be ignored unless the nt acl support
option is set to no.

nt acl support = no

I'm not sure what other consequences this may have with your setup, so
you'll just have to experiment.

Mike E.
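
The two points in the reply above (file shares defined on a DC, and mask parameters reported there as ignored on a DC while nt acl support is enabled) can be checked mechanically against a config like the one posted. This is an added example, not code from the thread or from Samba; the parser, the finding text and the SAMPLE excerpt are constructed here, and the mask behaviour is taken from the reply rather than from Samba documentation.

```python
# Added example: lint an smb.conf for the DC file-serving points raised in this thread.
MASK_KEYS = ("create mask", "force create mode",
             "directory mask", "force directory mode")

SAMPLE = """\
[global]
server role = active directory domain controller
server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl,
winbind, ntp_signd, kcc, dnsupdate, dns
create mask = 770
force directory mode = 770
[test]
path = /var/fileshare/test
"""

def parse_smb_conf(text):
    """Return {section: {param: value}} with lower-cased, space-normalised names."""
    sections, current, last = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current, last = sections.setdefault(line[1:-1].strip().lower(), {}), None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            last = " ".join(key.lower().split())
            current[last] = value.strip()
        elif current is not None and last:
            current[last] += " " + line  # list value wrapped onto the next line by the mailer
    return sections

def lint(text):
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    if glob.get("server role", "").lower() != "active directory domain controller":
        return []
    findings = []
    for share in (s for s in conf if s not in ("global", "sysvol", "netlogon")):
        eff = {**glob, **conf[share]}  # share-level settings override [global] defaults
        findings.append(f"{share}: file share defined on an AD DC")
        masks = [k for k in MASK_KEYS if k in eff]
        if masks and eff.get("nt acl support", "yes").lower() not in ("no", "false", "0"):
            findings.append(f"{share}: {', '.join(masks)} set while nt acl support is "
                            "enabled (reported in this thread as ignored on a DC)")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

The findings only flag the conditions described in the thread; they do not by themselves say whether `nt acl support = no` is appropriate for a given share.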