Standalone with Windows ACL


Standalone with Windows ACL

Samba - General mailing list
I'm configuring a standalone server (server role = standalone server) using
POSIX ACLs to manage permissions on the server.

I need to manage permissions (at least basic ones, like read, write) from
the Windows GUI.

Is that possible using standalone?


When I try setting permissions on Windows I get this in the log:

[2017/10/04 19:07:08.437837,  2] ../source3/smbd/posix_acls.c:3006(set_canon_ace_list)
  set_canon_ace_list: sys_acl_set_file type file failed for file AD225.TXT (Operation not permitted).

I issued the grant on the server (tercio is my username):

net rpc rights grant "tercio" SeDiskOperatorPrivilege -U "root"

My conf:

# Global parameters
[global]
workgroup = SER-CAPITAL
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
usershare path =
map to guest = Bad User
obey pam restrictions = Yes
server role = standalone server
dns proxy = No
idmap config * : backend = tdb

[MyShare]
path = /srv/samba/MyShare
read only = No
--
Atenciosamente,

Tercio Gaudencio Filho
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Standalone with Windows ACL

Samba - General mailing list
On Wed, 04 Oct 2017 22:08:29 +0000
Tercio Gaudencio Filho via samba <[hidden email]> wrote:

> I'm configuring a standalone server(server role = standalone server)
> using POSIX ACLs to manage permissions on server.
>
> I need to manage permissions(At least basic ones, like read, write)
> from Windows GUI.

Ah, so you don't want to use POSIX ACLs, you want to use Windows ACLs.

>
> Is that possible using standalone?

Yes

>
>
> When I try setting permissions on Windows I got this on the log:
>
> [2017/10/04 19:07:08.437837,  2]
> ../source3/smbd/posix_acls.c:3006(set_canon_ace_list)
>   set_canon_ace_list: sys_acl_set_file type file failed for file
> AD225.TXT (Operation not permitted).
>
> I issued grant on server(tercio is my username):
>
> net rpc rights grant "tercio" SeDiskOperatorPrivilege -U "root"
>
> My conf:
>
> # Global parameters
> [global]
> workgroup = SER-CAPITAL
> log file = /var/log/samba/log.%m
> max log size = 1000
> panic action = /usr/share/samba/panic-action %d
> usershare path =
> map to guest = Bad User
> obey pam restrictions = Yes
> server role = standalone server
> dns proxy = No
> idmap config * : backend = tdb
>
> [MyShare]
> path = /srv/samba/MyShare
> read only = No

You don't say what OS you are using, but on Debian, you need to install
the acl & attr packages.

You need to be using a filesystem that understands ACLs, such as ext4.

You also need to add these lines to smb.conf:

security = user
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

There is also a Samba wiki page about this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland


Re: Standalone with Windows ACL

Samba - General mailing list
I'm sorry for the delay, I got pretty busy down here.

First things first, it's working now, thanks!

I'll leave it here in case anyone is trying to do the same thing.

apt-get install samba smbclient samba-vfs-modules acl attr

smb.conf:

# Global parameters
[global]
workgroup = WORKGROUP
security = USER
server role = standalone server

log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
usershare path =
# Disable Printing
disable spoolss = Yes
load printers = No
printcap name = /dev/null
printing = bsd

map to guest = Bad User
obey pam restrictions = Yes
dns proxy = No
passdb backend = tdbsam
# Enable Win ACLs
store dos attributes = Yes
map acl inherit = Yes
vfs objects = acl_xattr

[MyShare]
path = /srv/samba/myshare
read only = No

I have to add the "SeDiskOperatorPrivilege" right to the user that wants to
manage permissions using Windows:

net rpc rights grant "UNIX_USERNAME" SeDiskOperatorPrivilege -U "root"

That's all!

Thanks again.


--
Atenciosamente,

Tercio Gaudencio Filho
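
Added example, not part of the original posts or of Samba itself: a small checker that reads smb.conf text and reports which of the three Windows-ACL lines named in this thread (vfs objects = acl_xattr, map acl inherit, store dos attributes) are absent or disabled. It assumes a parameter missing from the text is unset (compiled-in defaults are not consulted); the function names and the condensed sample configurations are constructed for illustration.

```python
# Added example: audit smb.conf text for the Windows-ACL settings from this thread.
TRUE_VALUES = {"yes", "true", "on", "1"}   # spellings accepted here as boolean "on"
REQUIRED_BOOLS = ("map acl inherit", "store dos attributes")

def norm(name):
    """Parameter names are compared ignoring case and whitespace."""
    return "".join(name.split()).lower()

def parse_smb_conf(text):
    """Return {section: {normalized_param: value}} for smb.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][norm(key)] = value.strip()
    return sections

def missing_windows_acl_settings(text, share=None):
    """List the thread's settings that are absent or disabled.
    When share is given, its own values override those in [global]."""
    conf = parse_smb_conf(text)
    effective = dict(conf.get("global", {}))
    if share:
        effective.update(conf.get(share.lower(), {}))
    modules = effective.get(norm("vfs objects"), "").replace(",", " ").split()
    problems = [] if "acl_xattr" in modules else ["vfs objects = acl_xattr"]
    for name in REQUIRED_BOOLS:
        if effective.get(norm(name), "").lower() not in TRUE_VALUES:
            problems.append(f"{name} = Yes")
    return problems

# Constructed samples, condensed from the two configurations posted above.
ORIGINAL = """[global]
server role = standalone server
map to guest = Bad User
[MyShare]
path = /srv/samba/MyShare
read only = No
"""
ENABLE = "store dos attributes = Yes\nmap acl inherit = Yes\nvfs objects = acl_xattr\n"
WORKING = ORIGINAL.replace("[MyShare]", ENABLE + "[MyShare]")

if __name__ == "__main__":
    print("original:", missing_windows_acl_settings(ORIGINAL))
    print("working: ", missing_windows_acl_settings(WORKING))
```

A share section that sets its own vfs objects line replaces the global list for that share, which is why the checker takes an optional share name.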