Setting ACLs when creating files from Windows

Volker Lendecke Volker.Lendecke at SerNet.DE
Fri Aug 1 13:16:25 GMT 2008

On Thu, Jul 31, 2008 at 10:45:27PM +0200, Corinna Vinschen wrote:
> Sorry.  I attached now what happened when I cd'ed to the share for the
> first time.  I'm somewhat puzzled that the Windows user SID never shows
> up in the log.  Is it never transferred to the server?!?

No, only the name is at session setup time.

> > What does "rpcclient localhost -U% -c 'lookupnames corinna'"
> > say when run on the Samba box?
> $ rpcclient localhost -U% -c 'lookupnames corinna'
> corinna S-1-22-1-500 (User: 1)

Ok, here we go. That's what you would have to set in the sd.

> > > How shall I know what UNIX user my Windows user is mapped to?  If
> > > smbusers contains a mapping like "foo = bar", and a UNIX user bar
> > > doesn't exist, how should I ever find out that I have to ask for a UNIX
> > > user foo?  Sure, winbind seems to solve this problem, but that works
> > > only for domains, not for standalone machines.
> Oh and, even with winbind, there doesn't seem to be a way to map
> a Windows user to an arbitrary, already existing UNIX account.

?? Doesn't "username map" work for you?

> > Hmmm. Difficult. S-1-22-1-<uid> should always work, but how
> > do you know your uid then? There's also a "lsa who am I"
> I don't know my uid.  Not programatically.  I'm using the SID of the
> current Windows user and the SID of its primary group in the security
> descriptor in a call to NtCreateFile.

Without both boxes being member of the same domain, we are
always talking about two different users. They happen to
have the same password, but apart from that they don't have
anything in common.

> The mapping to the uid/gid is done on the Samba side.  For some reason
> it's only done at authentication time, but the mapping doesn't work in
> the later call to NtCreateFile with the aforementioned security
> descriptor.  I would expect that Samba knows the SID of the
> authenticated Windows user/primary group and maps them transparently to
> the UNIX user/group in all subsequent calls where the Windows SID is
> used.  Provided that Samba gets the SIDs (the entire user token?) from
> the incoming Windows client at one point.

No, we never get that. What we get is the qualified user
name and the credentials, that's it. Windows never sends
anything but that information.

> Maybe, but I'm rather wondering why the SID<->uid/sid mapping doesn't
> work transparently from a Windows client POV which has no idea that the
> remote machine is a Samba server, rather than a native Windows server.

Well, that's just how the protocol works. Sorry.

BTW, it would be pretty much the same against a Windows file
server. The main difference is that you can set your local
box'es user SID in the sd, but it won't help you in *any*
way accessing that file.

But wait a second -- what you could do is to create the file
without an sd, ask for the owner sid via querysecdesc and
then set the sd using that sid. But that's a 3-step process
instead of one.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :

More information about the samba-technical mailing list