Samba 3 AD member + ACLs without winbind uid/gid mappings

Edvard Fagerholm efagerho at
Wed Aug 20 21:01:38 GMT 2003


I sent an e-mail with a different subject about this to samba@ mailing-list,
but no answers, so hope you can help.

What I'm doing is the following: Win2k3 AD server, Samba 3 File server + Linux
clients and Win2k clients.

On the fileserver I've got the directory /share which contains the folders
/share/rhome and /share/scratch. /share/rhome and /share/scratch are both
exported with NFS to the linux clients and also shared with samba to win2k
clients. /share is an XFS filesystem with POSIX ACLs working.

Linux computers authenticate with the AD. Kerberos is used for authentication
and an nssldap is used for uid<->name mappings. AD4Unix is installed on the
win2k3 server and each user has a uid and gid specified manually. Everything
works on the linux side.

Windows clients authenticate with the AD and map /share/rhome/%u as the home
drive Z: and scratch as another drive. This works fine except that ACLs don't
seem to work.

First, the owner of the file isn't printed in the ACL. Instead there's a SID
printed here. This SID is the one generated by passdb from a UID, so samba
is not getting the SID for a user from the AD; it's generating it with its own
SID generator algorithm.

When I edit an ACL and click "apply" or "ok", the ACL doesn't change, i.e. my
changes are just erased without any error.

The problem here is that winbind can't be used. I'd have to run winbind on all
linux clients to get the uid<->username mappings, but the problem here is that
AFAIK winbind generates the SID<->uid map randomly instead of using an
algorithm. That would mean that the SID<->uid map would be different for all
linux clients, so the NFS mounts would have incorrect permissions on all linux

I can provide logs by request, screenshots of the ACL-editor...


        workgroup = TEST
        realm = TEST.domain.dom
        server string = File Server
        hosts allow = domain.dom localhost

        log file = /var/log/samba/%m.log
        max log size = 0

        log level = 100

        security = ADS
        client ntlmv2 auth = yes
        password server = <domain controller>
        encrypt passwords = yes
        map acl inherit = yes
        null passwords = no

        client use spnego = no

        local master = no
        name resolve order = host

        path = /share/rhome/%u
        comment = Hemkatalog
        browseable = yes
        writable = yes
        create mode = 0600
        directory mode = 0700
        guest ok = no

        path = /share/rhome
        comment = Medlem
        browseable = yes
        writable = yes
        create mode = 0600
        directory mode = 0700
        guest ok = no

        comment = Skräp
        path = /share/scratch
        browseable = yes
        writable = yes
        guest ok = no
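
The mapping concern raised in the message above, as an added example that is not part of the original post and is not Samba code: a simplified model comparing a mapper that hands out uids from a local pool in first-seen order with one that derives the uid from the SID's RID. The SIDs, RIDs, uid range, base offset and host names are all constructed for illustration.

```python
# Simplified model (not Samba code): two ways to map a Windows SID to a Unix uid.
# All SIDs, RIDs, ranges and host names below are constructed sample values.

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
USERS = {"alice": 1105, "bob": 1106, "carol": 1107}        # name -> RID (constructed)


def sid_of(user):
    return f"{DOMAIN_SID}-{USERS[user]}"


class AllocatingMapper:
    """Hands out the next free uid from a local pool the first time a SID is seen."""

    def __init__(self, low, high):
        self.next_uid, self.high = low, high
        self.table = {}  # per-host state, like a local database file

    def uid_for(self, sid):
        if sid not in self.table:
            if self.next_uid > self.high:
                raise RuntimeError("uid pool exhausted")
            self.table[sid] = self.next_uid
            self.next_uid += 1
        return self.table[sid]


def algorithmic_uid(sid, base=10000):
    """Derives the uid from the RID (last SID component); no per-host state."""
    if not sid.startswith(DOMAIN_SID + "-"):
        raise ValueError("SID is not from the expected domain")
    return base + int(sid.rsplit("-", 1)[1])


def simulate(login_order_by_host):
    """Return {host: {user: uid}} for allocating mappers fed each host's login order."""
    result = {}
    for host, order in login_order_by_host.items():
        mapper = AllocatingMapper(10000, 20000)
        result[host] = {u: mapper.uid_for(sid_of(u)) for u in order}
    return result


if __name__ == "__main__":
    hosts = simulate({"fileserver": ["alice", "bob", "carol"],
                      "client1": ["carol", "alice", "bob"]})
    for user in USERS:
        print(user, hosts["fileserver"][user], hosts["client1"][user],
              algorithmic_uid(sid_of(user)))
```

In this model the same user gets a different uid on each host whenever the first-seen order differs, which is what makes file ownership on a shared NFS export inconsistent, while the RID-derived uid is identical everywhere.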
