[Samba] Samba 3.0.0 -- ACLs are unusable due to UID/SID mapping weirdness :(

[Eric Horst]

> > By "consistent and simple" I mean,  something like -- "you have a
> > Windows user that needs to get to a Samba share? Create a UNIX account
> > with the *same name* and you will get an smbd process with the UID and
> > hence the permissions of that user accessing the files on the server
> > (ok not always). The authentication will be done on the NT side though".
>
> Nope. You should use winbind for that. Any other way will cause you
> problems when you try to use ACLs.


I think I understand at least a part of Anton's issue.  It's one that I've
been thinking about as we deploy Samba 3.0.  We never really thought much
about ACLs until now and have never run winbindd.  The problem boils down
to this:  We currently have a group of seven Samba/NFS file servers which
are members of a Windows domain.  The Windows usernames and group names
are synchronized.  The numeric UIDs and GIDs are uniform across all of
them by virtue of the fact that they have a common /etc/passwd.  We want
to jump on the ACL bandwagon and do things right using winbindd.
However, in a distributed environment the official way of mapping SIDs to
UIDs consistently across the servers involves an 'idmap backend'.  All of
the idmap backends involve ldap.  It is frustrating that I have to
introduce the overhead of deploying an LDAP server and populate it with
UID mappings even though the file servers already have an /etc/passwd
which has enough information to map numeric Unix UIDs consistently.

I know idmap'ing was a hot topic during development so you have probably
already considered all of this.  At the time, watching the discussion I
didn't follow it all but now starting to consider deployment the issues
are becoming clearer.

--Eric