--with-vfs and ACLs problem

Nir L nir_l3 at netvision.net.il
Thu Jun 20 12:18:01 GMT 2002

The problem is, that my Client Workstations are displaying correct account names when looking for ACL's of files of all the NT servers in the DOMAIN. The Client has no problem with that. It has problem when trying to translate SID's of the DOMAIN that were created by Samba.
So - My guess is that after all the problem is with the samba creating the SID's and not with the clients or the PDC. Maybe something on the ACL that is returned makes the client NOT requesting for more info from the PDC.
But - I don't know what it is...

Appriciate your help,
  ----- Original Message ----- 
  From: Eric Lee Steadle 
  To: Nir L 
  Sent: Thursday, June 20, 2002 8:01 PM
  Subject: RE: --with-vfs and ACLs problem

    Richard Sharpe already responded to you, but his explanation may not be clear. 

    After the ACL is retrieved by the Security Editor on the Client Workstation (the machine displaying the security tab), the Security Editor on that machine will contact the domain controller responsible for each SID in the ACL, and attemt to lookup the names of the accounts associated with each SID. This appears to be what is failing. The Client is NOT talking to Samba at this point -- it's talking to the password server. 

    If the password server doesn't know about a particular SID, it will ask other domain controllers that it may know about (basically anything with a trust relationship). If it still can't resolve the SID, it gives up. The Client will not be able to display the account names and so it will just show the SIDs instead. I'm not sure if your PDC has the accounts in it or not since you didn't provide details about the external ACL management product. Is it responsible for allocating SIDs too? Or does it just handle ACLs?  

    An Ethereal or Netmon trace on the PDC should confirm this for you. Look for MSRPC packets -- the specific function is called lsaLookupNames, but I don't know the OpCode off the top of my head. 

    To solve this problem, you need to get the client to talk to something that can resolve the Sids in the ACL into account names. 

    Is this any clearer now?

     -----Original Message-----
    From: samba-technical-admin at lists.samba.org [mailto:samba-technical-admin at lists.samba.org]On Behalf Of Nir L
    Sent: Thursday, June 20, 2002 12:48 PM
    To: samba-technical at samba.org
    Subject: --with-vfs and ACLs problem

    I am using samba 2.2.0 without winbind, using security = server.
    The samba server is NOT a PDC.
    I've set its password server to my PDC.

    I am writing an extention to samba, in order to let it get the ACL's of the shared files from an external security managment product. The security management product decides which DOMAIN users are authorized to which files.
    The users belong to my NT_DOMAIN.

    I replace the fget_nt_acl and get_nt_acl functions, in order to return the acl's according to the management product.

    The SID's that I return from these functions seem to be OK (I've checked them with several utilities)/
    But somehow, when I choose file->properties->security, I can see the correct SID's , but the SID's are NOT TRANSLATED to the account names in my domain. They remain in their SID form (similar to an SID of a deleted user, if you've ever seen it...)

    This happen both on Win2K clients and WinNT 4.0 clients with the latest service packs.

    Can anyone help me ?

    Currently, I can not upgrade to a version higher than 2.2.2.


-------------- next part --------------
HTML attachment scrubbed and removed

More information about the samba-technical mailing list