FUQ: Changing ACLs in 2.2.7a from W2K client when not using winbind
c.d.wakelin at reading.ac.uk
Wed Feb 19 16:07:59 GMT 2003
I've had several good trawls through the list archives for the samba-technical
and samba lists and this seems to be a frequently unanswered question :-)
Server is Solaris 8, samba server is a member of a Windows 2000 AD domain.
All unix (NIS) users are duplicated in the W2K domain. I've tried Samba
2.2.5, 2.2.7a and the latest 2.2.x CVS (as of yesterday).
If you use a Windows 2000 client to add an access control entry to an ACL
then it fails with message "create_canon_ace_lists: unable to map SID" in the
Existing ACEs can be modified or removed without any problems. ACEs can be
added with "setfacl" from the Solaris side and are then visible from W2K.
It works from a Windows NT4 client in the same domain. As far as I can see
(tried level 10 logs!) the NT4 request gets treated in a rather different way
from the W2K one. In NT4, "passdb/passdb.c:local_sid_to_uid" seems to get
called and works. In W2K, "smbd/uid.c:sid_to_gid" gets called, tries winbind
first and then (supposedly) tries local, but fails.
One difference I noticed is that before clicking OK for the added ACE, in
Win2K it appears as "DOMAIN\user" (and clicking "Apply" or OK loses the
change) whereas in WinNT it appears as "SAMBASERVER\user" (and works).
ACLs work fine from W2K when using Winbind, but we don't wish to use this as
the same Samba server may be accessed by Windows 9x users who are not logging
into the domain (yet) and Winbind would mean changing the ownership of all
existing files to match the Winbind-generated uids and gids. I'm also not
convinced that Winbind will scale to 20000+ users.
Christopher Wakelin, c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 6630
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094
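As an added illustration of the mapping difference described in the post above (this is not code from the post and not Samba's own source): in Samba 2.2 without winbind, SID-to-id resolution falls back to the algorithmic scheme that only covers RIDs under the server's own SID (user RID = uid*2+1000, group RID = gid*2+1001). A SID presented under the AD domain's prefix, which is how the Win2K client sends "DOMAIN\user", has no local mapping and is rejected, while the NT4 client's "SAMBASERVER\user" maps. The SID values, the uid/gid and the request contents below are constructed for the example, and the model deliberately omits smbd's separate handling of well-known RIDs.

```python
# Added illustration, not Samba's code: the Samba 2.2 algorithmic mapping
# between Unix ids and RIDs (uid*2+1000, gid*2+1001) under the server's own
# SID, and why a SID issued under a different domain prefix cannot be mapped
# locally. All SID values below are constructed for the example.

SERVER_SID = "S-1-5-21-1000000001-1000000002-1000000003"  # constructed: SAMBASERVER
DOMAIN_SID = "S-1-5-21-2000000001-2000000002-2000000003"  # constructed: W2K AD domain
BASE_RID = 1000  # RIDs below this are reserved for well-known accounts/groups


def uid_to_rid(uid: int) -> int:
    """Unix uid -> user RID (even numbers from 1000 upwards)."""
    return uid * 2 + BASE_RID


def gid_to_rid(gid: int) -> int:
    """Unix gid -> group RID (odd numbers from 1001 upwards)."""
    return gid * 2 + BASE_RID + 1


def split_sid(sid: str):
    """Split 'S-1-5-21-a-b-c-rid' into its domain prefix and integer RID."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def local_sid_to_id(sid: str, server_sid: str = SERVER_SID):
    """Map a SID to ('uid', n) or ('gid', n) purely algorithmically.

    Only SIDs under the server's own domain prefix are mappable; anything
    else (an ACE the Win2K client wrote as DOMAIN\\user) returns None,
    which corresponds to the 'unable to map SID' outcome from the post.
    Well-known RIDs (below BASE_RID) are not modelled here.
    """
    prefix, rid = split_sid(sid)
    if prefix != server_sid or rid < BASE_RID:
        return None
    if (rid - BASE_RID) % 2 == 0:
        return ("uid", (rid - BASE_RID) // 2)
    return ("gid", (rid - BASE_RID - 1) // 2)


def map_ace_sids(ace_sids):
    """Classify a list of ACE SIDs into mappable and unmappable entries,
    the way an ACL-set request has to be checked before it is applied."""
    mapped, unmapped = {}, []
    for sid in ace_sids:
        ident = local_sid_to_id(sid)
        if ident is None:
            unmapped.append(sid)
        else:
            mapped[sid] = ident
    return mapped, unmapped


if __name__ == "__main__":
    # Constructed request: NT4 sends the new entry relative to the server's
    # own SID, Win2K sends the same user relative to the AD domain SID.
    nt4_ace = f"{SERVER_SID}-{uid_to_rid(1234)}"
    w2k_ace = f"{DOMAIN_SID}-{uid_to_rid(1234)}"
    print(map_ace_sids([nt4_ace, w2k_ace]))
```

Running the block prints one mapped entry (the server-relative SID resolving to uid 1234) and one unmapped entry (the domain-relative SID), which is the asymmetry between the NT4 and Win2K clients that the post reports; winbind removes it by allocating ids for foreign-domain SIDs instead of refusing them.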