Samba 2.0.7 problems with NT ACL support
Cole, Timothy D.
timothy_d_cole at md.northgrum.com
Thu Sep 14 17:54:30 GMT 2000
> -----Original Message-----
> From: acherry at pobox.com [SMTP:acherry at pobox.com]
> Sent: Sunday, September 10, 2000 14:51
> To: samba-technical at samba.org
> Subject: Samba 2.0.7 problems with NT ACL support
> I've repeated the network trace with an NT server (where the install
> succeeds) instead of a Samba server so that I could try to do some
> comparisons. I've extracted out the information from the snoops into
> a more readable format and done interpretation of the data where
> appropriate. My speculation is that the installer is
> looking at the SID associated with the Samba/UNIX account and
> comparing it against the domain SID, and then rejecting permission,
> but my understanding of how Samba functions in a domain environment is
> limited. (BTW, chmoding the files to be world writable also works
> around this problem)
This is a long-standing problem. Apparently a lot of stupid NT apps
actually bother to use GetEffectiveRightsFromAcl() and friends, rather than
just letting the ACLs do their thing. Some stupid Unix ports use access(),
too; same net effect.
The underlying problem is that Samba really doesn't know/care
anything about the relationship between domain SIDs and Unix ids outside of
authentication. There's no way to get an SID for a given Unix id, so Samba
makes one up on the spot (as an RID under the Samba server's SID).
The only solution is to implement some sort of generalized POSIX-ID/SID
mapping scheme (i.e. SURS). Winbindd does this now, as I recall, but it's
not integrated with the ACL code (or much of anything in smbd) at all, as
far as I know.
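To make the mechanism described above concrete, here is an added example (not Samba's code, and not from either poster) of the kind of algorithmic POSIX-id/SID mapping smbd does when it has to "make up" a SID for a Unix id, and of the domain comparison an effective-rights check then performs. The formula uid*2+base (users on even RIDs, groups on odd) mirrors Samba's algorithmic scheme; the base value, the server SID and the NT domain SID are constructed for the demonstration and should be treated as assumptions.

```python
# Added example, not Samba's own code: a minimal algorithmic POSIX-id <-> SID
# mapping plus the domain comparison an "effective rights" style check makes.
# All SID values below are constructed; ALGORITHMIC_RID_BASE is an assumption.

ALGORITHMIC_RID_BASE = 1000   # assumed base for RIDs synthesized from Unix ids

SAMBA_SERVER_SID = "S-1-5-21-1111-2222-3333"   # constructed: smbd's own SID
NT_DOMAIN_SID = "S-1-5-21-4444-5555-6666"      # constructed: the real domain SID


def parse_sid(sid):
    """'S-1-5-21-a-b-c-rid' -> [1, 5, 21, a, b, c, rid]."""
    parts = sid.upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    return [int(p) for p in parts[1:]]


def format_sid(components):
    return "S-" + "-".join(str(c) for c in components)


def uid_to_rid(uid):
    return uid * 2 + ALGORITHMIC_RID_BASE        # users land on even RIDs


def gid_to_rid(gid):
    return gid * 2 + ALGORITHMIC_RID_BASE + 1    # groups land on odd RIDs


def sid_for_uid(server_sid, uid):
    """The SID smbd would hand out for a Unix uid it has no other mapping for."""
    return "%s-%d" % (server_sid, uid_to_rid(uid))


def sid_for_gid(server_sid, gid):
    return "%s-%d" % (server_sid, gid_to_rid(gid))


def sid_to_posix_id(server_sid, sid):
    """Reverse mapping: ('uid', n) or ('gid', n), or None if the SID is foreign
    (different domain prefix) or a well-known RID below the algorithmic base."""
    comps = parse_sid(sid)
    if comps[:-1] != parse_sid(server_sid):
        return None
    rid = comps[-1]
    if rid < ALGORITHMIC_RID_BASE:      # e.g. RID 500 (Administrator) is not synthesized
        return None
    n, kind = divmod(rid - ALGORITHMIC_RID_BASE, 2)
    return ("uid" if kind == 0 else "gid", n)


def sid_domain(sid):
    """Everything but the final RID: the domain (or server) part of the SID."""
    return format_sid(parse_sid(sid)[:-1])


def owner_in_domain(owner_sid, domain_sid):
    """What an installer doing its own SID-vs-domain comparison ends up asking."""
    return sid_domain(owner_sid) == domain_sid


def demo(uid=1000):
    """Owner SID smbd synthesizes for `uid`, and whether the NT domain check passes."""
    owner = sid_for_uid(SAMBA_SERVER_SID, uid)
    return {
        "owner_sid": owner,
        "round_trip": sid_to_posix_id(SAMBA_SERVER_SID, owner),
        "accepted_by_domain_check": owner_in_domain(owner, NT_DOMAIN_SID),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-26s %s" % (k + ":", v))
```

The made-up owner SID round-trips fine inside smbd, but its prefix is the server's SID rather than the domain's, so any client that compares the file owner's SID against the domain SID (instead of letting the server evaluate the ACL) rejects it. A real SURS/winbindd-style mapping would answer the reverse lookup for domain SIDs too instead of returning None.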