Samba 3 AD member + ACLs without winbind uid/gid mappings
Edvard Fagerholm
efagerho at cc.hut.fi
Wed Aug 20 21:01:38 GMT 2003
Hello!
I sent an e-mail with a different subject about this to samba@ mailing-list,
but no answers, so hope you can help.
What I'm doing is the following: Win2k3 AD server, Samba 3 File server + Linux
clients and Win2k clients.
On the fileserver I've got the directory /share which contains the folders
/share/rhome and /share/scratch. /share/rhome and /share/scratch are both
exported with NFS to the linux clients and also shared with samba to win2k
clients. /share is an XFS filesystem with POSIX ACLs working.
Linux computers authenticate with the AD. Kerberos is used for authentication
and an nssldap is used for uid<->name mappings. AD4Unix is installed on the
win2k3 server and each user has a uid and gid specified manually. Everything
works on the linux side.
Windows clients authenticate with the AD and map /share/rhome/%u as the home
drive Z: and scratch as another drive. This works fine except that ACLs don't
seem to work.
First the owner of the file isn't printed in the ACL. Instead there's a SID
printed here. This SID is the one generated by passdb from a UID, so samba
is not getting the SID for a user from the AD it's generating it with its own
SID generator algorithm.
When I edit an ACL and click "apply" or "ok", the ACL doesn't change, i.e. my
changes are just erased without any error.
The problem here is that winbind can't be used. I'd have to run winbind on all
linux clients to get the uid<->username mappings, but the problem here is that
AFAIK winbind generates the SID<->uid map randomly instead of using an
algorithm. That would mean that the SID<->uid map would be different for all
linux clients, so the NFS mounts would have incorrect permissions on all linux
clients.
I can provide logs by request, screenshots of the ACL-editor...
Regards,
Edvard
smb.conf:
----------
[global]
workgroup = TEST
realm = TEST.domain.dom
server string = File Server
hosts allow = domain.dom localhost
log file = /var/log/samba/%m.log
max log size = 0
log level = 100
security = ADS
client ntlmv2 auth = yes
password server = <domain controller>
encrypt passwords = yes
map acl inherit = yes
null passwords = no
client use spnego = no
local master = no
name resolve order = host
[homes]
path = /share/rhome/%u
comment = Hemkatalog
browseable = yes
writable = yes
create mode = 0600
directory mode = 0700
guest ok = no
[medlem]
path = /share/rhome
comment = Medlem
browseable = yes
writable = yes
create mode = 0600
directory mode = 0700
guest ok = no
[scratch]
comment = Skräp
path = /share/scratch
browseable = yes
writable = yes
guest ok = no
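The SID shown in the ACL editor instead of the owner name is the one Samba 3's passdb derives algorithmically from the UNIX uid (RID = 2*uid + "algorithmic rid base", default 1000, low bit set for groups) under the file server's own machine SID, not the AD domain SID. The following is an added example, not code from the post or from Samba, that reproduces that mapping and tells a locally generated SID apart from a domain SID; the machine and domain SIDs are constructed placeholders.

```python
from __future__ import annotations

# Samba 3 passdb constants (smb.conf "algorithmic rid base" defaults to 1000).
ALGORITHMIC_RID_BASE = 1000
RID_MULTIPLIER = 2
GROUP_RID_TYPE = 1  # low RID bit set marks an algorithmic group RID

# Constructed placeholder SIDs, not values from the original post.
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # file server's own SID
DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"   # AD domain SID


def uid_to_rid(uid: int) -> int:
    """User RID = uid * 2 + base; always even."""
    return uid * RID_MULTIPLIER + ALGORITHMIC_RID_BASE


def gid_to_rid(gid: int) -> int:
    """Group RID = (gid * 2 + base) | 1; always odd."""
    return (gid * RID_MULTIPLIER + ALGORITHMIC_RID_BASE) | GROUP_RID_TYPE


def uid_to_sid(uid: int, machine_sid: str = MACHINE_SID) -> str:
    """The SID Samba shows for a local uid when no winbind/idmap entry exists."""
    return f"{machine_sid}-{uid_to_rid(uid)}"


def split_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into its authority prefix and numeric RID."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def classify_sid(sid: str, machine_sid: str = MACHINE_SID,
                 domain_sid: str = DOMAIN_SID) -> dict:
    """Report where an ACL SID came from; recover uid/gid for algorithmic ones."""
    prefix, rid = split_sid(sid)
    if prefix == domain_sid:
        return {"origin": "domain", "rid": rid}
    if prefix == machine_sid and rid >= ALGORITHMIC_RID_BASE:
        offset = rid - ALGORITHMIC_RID_BASE
        if rid & GROUP_RID_TYPE:
            return {"origin": "local-algorithmic", "gid": offset // RID_MULTIPLIER}
        return {"origin": "local-algorithmic", "uid": offset // RID_MULTIPLIER}
    return {"origin": "other", "rid": rid}


if __name__ == "__main__":
    print(uid_to_sid(1005), classify_sid(uid_to_sid(1005)))
```

The real machine SID to compare against comes from `net getlocalsid` on the file server; a SID under that prefix with an even RID above the base is a uid Samba mapped itself rather than a user it resolved from the AD.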