--with-vfs and ACLs problem

Richard Sharpe rsharpe at ns.aus.com
Thu Jun 20 15:01:05 GMT 2002

On Thu, 20 Jun 2002, Nir L wrote:

> The problem is, that my Client Workstations are displaying correct account names when looking for ACL's of files of all the NT servers in the DOMAIN. The Client has no problem with that. It has problem when trying to translate SID's of the DOMAIN that were created by Samba.
> So - My guess is that after all the problem is with the samba creating the SID's and not with the clients or the PDC. Maybe something on the ACL that is returned makes the client NOT requesting for more info from the PDC.
> But - I don't know what it is...

Are you working in a domain trusts environment? 

Prior to 2.2.4, I think, Samba was doing silly things when constructing 
the token for a user just logging on. It was using its own DOMAIN SID and 
the RID from the incoming token, rather than the DOMAIN SID of the domain 
they authenticated in.

This could create some silly problems.

The other thing that might be happening, depending on your code, is that 
the user's local SID might be used, and if you are not using winbindd, 
this might not be being handled properly.

What do the SIDs look like? Can you relate them to the machine SID for 
Samba or the DOMAIN SID for your domain?

Richard Sharpe, rsharpe at ns.aus.com, rsharpe at samba.org, 
sharpe at ethereal.com

More information about the samba-technical mailing list