szentannai

asked on

Folder ACL permissions of samba shares not visible under Windows

Hello,
From Windows systems, permissions for directories of the samba share are not listed in the Properties window (as in the attached pic), only if the permissions were set from Windows, not using the setfacl command from Ubuntu. Permissions for the files are displayed correctly. Is there any setting that should be enabled to make permissions visible from Windows too? Everything is working fine, but permissions for folders cannot be viewed from Windows. Any help is welcome, thank you!

The ACL-related settings in smb.conf are:
#### acl settings ######
   acl compatibility = win2k
   nt acl support = yes
   inherit permissions = yes
   inherit acls = yes
   map acl inherit = yes
permissions.png
Jason Watkins

I am quite sure that the ability to set ACL entries from a Windows machine to an SMB share on a Linux server is not possible. The security databases between the two do not synchronize that type of data.
Daniel McAllister
I am equally sure that Firebar is incorrect...

Samba can handle ACLs just fine, and they can map to Microsoft ACLs just fine -- just don't expect the exact "granularity" of control you can have on Windows (NTFS) servers.

In your case, szentannai, I would be interested to see the outputs of the following command-line tools:
  getfacl
  net groupmap list

My suspicions are that the Domain Admins group isn't mapped correctly in the Samba system... a common mistake with several common causes:
 a) admins assume group names will map, and so create a "domainadmins" account and expect Samba to just "figure it out"
 b) admins assume Samba STILL creates an automatic mapping of NT "Domain Admins" to Linux "admins"
 c) admins assume that the NT "Domain Admins" GID (512) will magically map to the Linux group GID 512 (whatever its name).

In fact, NONE of those assumptions are valid. If the "net groupmap list" output doesn't include a line for Domain Admins, try the following command:
   net groupmap add ntgroup="Domain Admins" unixgroup="admins" rid=512 type=d

Repeat for the following NT groups with the associated GIDs:
512 = "Domain Admins"
513 = "Domain Users"
514 = "Domain Guests"
515 = "Domain Computers"
516 = "Domain Controllers"
517 = "Domain Certificate Admins"
518 = "Domain Schema Admins"
519 = "Domain Enterprise Admins"
520 = "Domain Policy Admins"

NOTE: While you CAN use the same unixgroup for multiple ntgroup names, it is not recommended (for example, you could re-use admins for "Domain Admins", "Domain Certificate Admins", "Domain Schema Admins", and "Domain Enterprise Admins" -- but it is better to just create separate groups for each).

I have attached a script that will automatically create and map unix groupnames to nt groupnames... use at your own discretion.

Good Luck!

Dan
IT4SOHO
 
#! /bin/bash
# SetSambaDomainGroups.sh
# Author:  Dan McAllister (IT4SOHO)
# Date:    2003-Jan-23
# Mod Date:2008-Apr-16 (add extended nt domain group lists)
#
# Use: run with no arguments as the root user (or with a properly configured sudo)
#
# Assumptions:
#   Must be run as ROOT user (group ID creation requires root permission)
#   Group names are pre-defined and hard-coded in the script (this is not required)
#   Group numbers are pre-defined and hard-coded in the script (this is not required)
#
#
# Check for root user running this program
#
if [ "$UID" != "0" ] ; then
  echo "$0 : FATAL : Program MUST be run as the ROOT user" 1>&2
  exit 1
fi
#
# Setup & populate Arrays (the three arrays are parallel: element N of each
# describes the same domain group, so keep them in the same order)
#
MSNAME=(        "Domain Admins" \
                "Domain Users" \
                "Domain Guests" \
                "Domain Computers" \
                "Domain Controllers" \
                "Domain Certificate Admins" \
                "Domain Schema Admins" \
                "Domain Enterprise Admins" \
                "Domain Policy Admins" \
        )
MSRID=( 512 513 514 515 516 517 518 519 520 )
LINID=(         "domadmins"      "domusers" \
                "domguests"      "domcomputers" \
                "domcontrollers" "domcertadmins" \
                "domschemaadmins" "domentadmins" \
                "dompolicyadmins" \
        )
#
# Check Variables (all 3 arrays should have the same number of elements)
#
if [ ${#MSNAME[*]} != ${#MSRID[*]} ] ; then
  echo "Mismatched Variable Lists ... fix MSNAME or MSRID in $0" 1>&2
  exit 1
elif [ ${#MSNAME[*]} != ${#LINID[*]} ] ; then
  echo "Mismatched Variable Lists ... fix MSNAME or LINID in $0" 1>&2
  exit 1
fi
ARRAYLEN=${#MSNAME[*]}
#
# Loop through variables
#
INDEX=0
while [ "${INDEX}" -lt "${ARRAYLEN}" ] ; do
  DOMAP=0
  # Check whether the mapping is ALREADY present (net groupmap list returns
  # an error when the NT group has no mapping)
  if net groupmap list ntgroup="${MSNAME[$INDEX]}" > /dev/null 2>&1 ; then
    net groupmap list ntgroup="${MSNAME[$INDEX]}"
  else
    DOMAP=1
  fi
  #
  # Check for presence of LINID already (anchored on the group-name field, so a
  # name that is merely a substring of another group's name does not match)
  if ! grep -q "^${LINID[$INDEX]}:" /etc/group ; then
    echo -n "Creating Linux Group ${LINID[$INDEX]}"
    if groupadd -g "${MSRID[$INDEX]}" "${LINID[$INDEX]}" > /dev/null 2>&1 ; then
      echo " with ID ${MSRID[$INDEX]} (normal)"
    elif groupadd "${LINID[$INDEX]}" > /dev/null 2>&1 ; then
      # GID is a read-only shell variable in bash, so use another name
      NEWGID=$(awk -F: -v g="${LINID[$INDEX]}" '$1 == g { print $3 }' /etc/group)
      echo " with ID $NEWGID (generated)"
    else
      echo " FAILED (groupadd returned an error)" 1>&2
    fi
  fi
  #
  # Create the NT -> Unix mapping if it was not there
  #
  if [ "$DOMAP" != 0 ] ; then
    echo "Mapping Windows ${MSNAME[$INDEX]} to Linux ${LINID[$INDEX]}"
    if ! net groupmap add ntgroup="${MSNAME[$INDEX]}" unixgroup="${LINID[$INDEX]}" rid="${MSRID[$INDEX]}" type=d > /dev/null 2>&1 ; then
      echo "OOPS! Error mapping Windows ${MSNAME[$INDEX]} to Linux ${LINID[$INDEX]}" 1>&2
    fi
  fi
  INDEX=$((INDEX + 1))
done


No mention was made that the Samba server was a domain controller. Just going on the information provided...
Another common misconception -- and it brings up something LACKING in my post:

1) The group mappings should be there regardless -- even if you're not a DC, just an AD member (which is all Samba can do 'til 4 comes out)

2) If you're a member of a Microsoft domain, you're going to need to make sure that NOT just smbd and nmbd are running, but also winbindd!

Most distributions' startup scripts & installers will auto-config and auto-start smbd & nmbd (the "traditional" samba daemons)... but as a member of an AD domain, you MUST also be running the winbindd daemon!

Use the following command to see if it is running:
  pgrep -l winbindd

If the response is empty (no lines), start winbindd manually with
  winbindd -D
and fix your startup program (probably by editing the file at /etc/init.d/smb or /etc/init.d/samba)

If it is already running, the maps I set up above should provide the final "key".

Best of luck!

Dan
IT4SOHO

PS: I believe an explanation may be in order:

The groupmaps FORCE an association between unix and nt domain group names... this is generally desired for admin groups (so Win admins can have file access admin rights on the Unix system file shares).

The winbindd daemon EXTENDS the Unix users and groups to include the domain users & groups. Under the covers, a large block of Unix UIDs & GIDs are reserved for winbindd use, and then whenever a user or group accesses the file shares, Samba creates (on the fly) a UID or GID and automagically associates (maps) it to the domain UID or GID. NOTE: this can be problematic with clustered storage arrays, and so some thought about the underlying mechanics needs to be undertaken in more "advanced" installations.
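As an added example (not part of the thread and not Dan's script), here is a small POSIX shell audit helper that checks the two things the posts above tell the reader to verify before chasing ACL display problems: that every well-known domain-group RID listed above has a `net groupmap` entry whose Unix group actually exists in /etc/group, and that winbindd is running. It parses the "NT name (SID) -> unixgroup" lines that `net groupmap list` prints; the domain SID, group-file lines and process list it ships with are constructed sample data, so it runs offline, and `--live` runs the same checks against the real system.

```shell
#!/bin/sh
# Added audit helper (not part of the thread or of Dan's script). It checks the two
# things the posts above say to verify: that every well-known domain-group RID has a
# "net groupmap" entry whose Unix group really exists, and that winbindd is running.
# All sample data below is constructed for demonstration.

# Well-known domain group RIDs from the post above
WELL_KNOWN_RIDS="512 513 514 515 516 517 518 519 520"

# Constructed sample of `net groupmap list` output. Each line has the form
# "<NT name> (<SID>) -> <unix group>"; the domain SID here is made up.
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1111-2222-3333-512) -> domadmins
Domain Users (S-1-5-21-1111-2222-3333-513) -> domusers
Domain Guests (S-1-5-21-1111-2222-3333-514) -> domguests
Domain Computers (S-1-5-21-1111-2222-3333-515) -> domcomputers'

# Constructed sample of /etc/group: note that domcomputers is mapped but missing
SAMPLE_GROUP_FILE='root:x:0:
domadmins:x:512:
domusers:x:513:
domguests:x:514:'

# Constructed sample of `pgrep -l` style output with no winbindd process
SAMPLE_PROCS='1201 smbd
1202 nmbd'

# missing_rids GROUPMAP_TEXT
# Prints the well-known RIDs that have no mapping line (RID = last SID component).
missing_rids() {
  gm="$1"; missing=""
  for rid in $WELL_KNOWN_RIDS; do
    if ! printf '%s\n' "$gm" | grep -Eq "\(S-1-5-21(-[0-9]+)+-$rid\) ->"; then
      missing="$missing $rid"
    fi
  done
  printf '%s' "${missing# }"
}

# dangling_unix_groups GROUPMAP_TEXT GROUP_FILE_TEXT
# Prints Unix groups named in mappings that do not exist in the group file.
dangling_unix_groups() {
  gm="$1"; gfile="$2"; out=""
  for ug in $(printf '%s\n' "$gm" | sed -n 's/.*) -> \([^ ]*\)$/\1/p'); do
    if ! printf '%s\n' "$gfile" | grep -q "^$ug:"; then
      out="$out $ug"
    fi
  done
  printf '%s' "${out# }"
}

# winbindd_running PROCESS_LIST_TEXT -> exit 0 if a winbindd line is present
winbindd_running() {
  printf '%s\n' "$1" | grep -q 'winbindd'
}

# audit_report GROUPMAP_TEXT GROUP_FILE_TEXT PROCESS_LIST_TEXT
# Prints findings; returns 1 if anything needs fixing, 0 if all checks pass.
audit_report() {
  rc=0
  m=$(missing_rids "$1")
  if [ -n "$m" ]; then echo "Unmapped well-known RIDs: $m"; rc=1; fi
  d=$(dangling_unix_groups "$1" "$2")
  if [ -n "$d" ]; then echo "Mapped Unix groups absent from group file: $d"; rc=1; fi
  if winbindd_running "$3"; then
    echo "winbindd: running"
  else
    echo "winbindd: NOT running"; rc=1
  fi
  return $rc
}

# With --live, audit the real system; otherwise audit the constructed sample.
if [ "${1:-}" = "--live" ]; then
  audit_report "$(net groupmap list 2>/dev/null)" "$(cat /etc/group)" "$(pgrep -l winbindd 2>/dev/null)"
else
  audit_report "$SAMPLE_GROUPMAP" "$SAMPLE_GROUP_FILE" "$SAMPLE_PROCS" \
    || echo "(findings above are expected for the constructed sample)"
fi
```

Run it as root with `--live` on the Samba host; a non-zero exit means at least one of the conditions Dan describes (a missing mapping, a mapping pointing at a group that was never created, or no winbindd) is present, which is worth fixing before looking further at the ACL view from Windows.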
ASKER CERTIFIED SOLUTION
szentannai