Samba 2.0.7 problems with NT ACL support

Cole, Timothy D. timothy_d_cole at
Thu Sep 14 17:54:30 GMT 2000

> -----Original Message-----
> From:	acherry at [SMTP:acherry at]
> Sent:	Sunday, September 10, 2000 14:51
> To:	samba-technical at
> Subject:	Samba 2.0.7 problems with NT ACL support
> I've repeated the network trace with an NT server (where the install
> succeeds) instead of a Samba server so that I could try to do some
> comparisons.  I've extracted out the information from the snoops into
> a more readable format and done interpretation of the data where
> appropriate.  My speculation is that the installer is 
> looking at the SID associated with the Samba/UNIX account and
> comparing it against the domain SID, and then rejecting permission,
> but my understanding of how Samba functions in a domain environment is 
> limited.  (BTW, chmoding the files to be world writable also works
> around this problem)
	This is a long-standing problem.  Apparently a lot of stupid NT apps
actually bother to use GetEffectiveRightsFromAcl() and friends, rather than
just letting the ACLs do their thing.  Some stupid Unix ports use access(),
too; same net effect.

	The underlying problem is that Samba really doesn't know/care
anything about the relationship between domain SIDs and Unix ids outside of
authentication.  There's no way to get an SID for a given Unix id, so Samba
makes one up on the spot (as an RID under the Samba server's SID).

	Only solution is to implement some sort of generalized POSIX-ID/SID
mapping scheme (i.e. SURS).  Winbindd does this now, as I recall, but it's
not integrated with the ACL code (or much of anything in smbd) at all, as
far as I know.

More information about the samba-technical mailing list