[Samba] Samba 3.0.0 -- ACLs are unusable due to UID/SID mapping weirdness :(

Anton Solovyev solovam at unix.stortek.com
Tue Oct 21 04:38:54 GMT 2003 

John,

John H Terpstra wrote:

>Having read your posting, I believe I need your help to fix our
>documentation. Are you willing to help me to do that?
>  
>

I could try.

>>I am sure somebody asks this question about once a week. Since I have
>>not found an answer I assume the worst -- it just does not work.
>>    
>>
>
>Please do not assume that because something does not work the way you have
>tried it that this means that Samba is broken. That is a bit like failing
>a driving test and then claiming that the test vehicle must have been
>defective!
>  
>

Absolutely. My fault.

>Have you read the Samba-HOWTO-Collection.pdf? Did you understand it all?
>Did you red the chapter on Group Mapping? Did it help you any? What do we
>need to add to the documentation to help someone else to understand the
>issues and to help them to find a solution.
>  
>

Yes, I did notice that it was close to what I was looking for. I could 
not find anything about *user* mapping though. It is not going to help 
me with *users*, is it? :)

>I need your feedback to help improve our documentation. Perhaps it is all
>wrong. It could be you know!
>  
>

The first (silly) suggestion -- make the link to 
Samba-HOWTO-Collection.html on the front page more visible. Took me a 
while to get to it.

>>So, here goes my problem. I am testing Samba 3.0.0. I have got UNIX and
>>Windows domain users matching each other one-to-one.
>>    
>>
>
>Here we go! What do you mean by: "users matching each other one-to-one"?
>Please explain this fully. I do not want to jump to conclusions, but my
>reading is that you have added users to the Samba server while it is a
>domain member server. Is my interpretation correct?
>
>  
>

There is a set of users common to the NT domain and the UNIX NIS 
environment. That is the usernames are the same in both. Yes, Samba is a 
domain member (security = domain), so the passwords for these users are 
verified against the NT domain.

>>The server is running with "security = domain". Everything works fine
>>and all Windows users connecting to Samba get mapped into their
>>respective UNIX user ids. Everything is nice, simple and consistent.
>>    
>>
>
>So you have a Windows NT4 Domain, or Active Directory? I can't really tell
>from your description. It does matter - it would certainly help me to help
>you. I have to tell people time and again that my crystal ball is worn out
>and my guessing is lousy! :)
>
>  
>

There I am a little unfirm. As far as I know it is an AD domain that 
still supports NT style authentication.

I tried to make the message as short as possible to make it more 
readable. Very gew people read messages that do not fit into single 
screen. Plus, I could not state the problem quite clearly. So, I was 
just hoping to get attention of a guru and give the details later.

>How did you "join the domain"? What precise steps did you take? Help me to
>reproduce your problem!
>  
>

I installed Samba and executed something like:

===
net join -Uanadmin%password -W domain -S windows-dc
===

>What information can you glean from the samba log files to confirm that
>"everything is nice, simple and consistent"?
>  
>

Well, it just worked most of the time the way we expected.

By "consistent and simple" I mean,  something like -- "you have a 
Windows user that needs to get to a Samba share? Create a UNIX account 
with the *same name* and you will get an smbd process with the UID and 
hence the permissions of that user accessing the files on the server (ok 
not always). The authentication will be done on the NT side though".

>>Now I want to enable ACLs and fortunately the host OS supports them
>>fine. Here the trouble starts. It looks like ACLs refuse to work in the
>>absense of winbindd.
>>    
>>
>
>Precisely, which user identities (or group identities) do you want to
>include in the ACLs? Accounts that are in /etc/passwd on the Samba server,
>or Domain Accounts?
>  
>

I do not want to see on the UNIX side any UIDs that are not listed in 
/etc/passwd. I do not want to differentiate between NT domain users and 
matching users in /etc/passwd.

It would be too much to ask, if it did not work "automagically" before I 
looked at ACLs. If I do not want ACLs, I, the domain user 
"\DOMAIN\solovam", create all the files and have all the permissions of 
the UNIX user "solovam". Once I want ACLs all of sudden this simplicity 
breaks and I have to worry about mapping SIDs back to UIDs.

>If you have a johndoe account in the Samba /etc/passwd, and a johndoe
>account on the Domain as well, then you need to realise that they are two
>totally different users. One is machine local and tied to the SID of your
>Samba server, the other is Domain Global, and is tied to the Domain SID.
>Do you recognize that?
>  
>

Very good.  I was afraid I would not be able to explain the problem 
clearly enough and you got right to the point :)

I do realize the difference. But here are my questions:

1. If UNIX accounts are local to the Samba server, why am I able to 
connect to it with my domain password?

2. If UNIX accounts generally are not related to domain accounts, why do 
I get "proper" mapping from my NT username to the same UNIX username 
(unless I want ACLs!) and more importantly to the right user id? I do 
not have to run winbindd for that!

3. Why, when I create files on NT servers, they are owned by the 
*domain* account, whereas on Samba server they are owned by the *local* 
account? They are supposed to be configured the same way, ask for the 
same password and genereally behave the same. That's what the 
description of the "security" option in smb.conf says.

4. If I have to maintain SID to UID mapping manually (which is a huge 
hassle!), I could not find a tool to do that. I am getting a feeling you 
are going to tell me to use "net groupmap" for that :) If so, that would 
be something to fix in the documentation. Pople do not read all text, 
people look for keywords.

5. To put it simply -- I never noticed any difference between local and 
domain accounts on Samba servers. Why all of sudden all the trouble when 
I want ACLs?

>Alternatively, could it possibly be that your understanding of how this
>ought to work is "completely uninformed", or "completely unrealistic", or
>maybe "just a little bit off".
>
>  
>

Very possible. Samba has become an incredibly complex product.

>What documentation did you look at? What documentation (specific pages
>etc.) did you look at that allowed you to come to the conclusions you have
>arrived at.
>
>  
>

I have been looking at HTML howto collection for 3.0.

-- 

Anton Solovyev

More information about the samba mailing list