Setting ACLs when creating files from Windows

simo idra at
Thu Aug 7 11:48:13 GMT 2008

On Thu, 2008-08-07 at 12:12 +0200, Corinna Vinschen wrote:
> On Aug  4 07:53, simo wrote:
> > On Fri, 2008-07-18 at 14:00 +0200, Corinna Vinschen wrote:
> > > Hi,
> > > 
> > > I'm puzzling over this problem for some time now.  So far I need
> > > a special hack in Cygwin for Samba, probably because I simply don't
> > > understand something about the user mapping correctly.
> > > 
> > > My current situation is, I have a Samba server (3.0.30) which is a domain
> > > member machine.  In smb.conf, security is set to domain.  There's
> > > no winbindd running.  Before I set up the domain, I had the same problem
> > > using security = server with the server being another Windows machine in
> > > the same workgroup.
> > 
> > Corinna, are the samba server and the windows workstation in the same
> > domain and are you using a domain user on the windows workstation ?
> > 
> > From the previous and following emails this is not clear and it is
> > pretty critical to be able to understand if there is a mapping problem
> > or if you are just experiencing the joy of Globally Unique
> > identifiers :-)
> I am having a Windows DC, but that's not really the point.  What I'm
> looking for is something which should work also for users which just
> have a Windows client OS and a Linux machine sitting under their desk,
> with no domain setup at all.  The idea was that there's an automatic
> mapping from the user and primary group SIDs in the Windows user token
> of the authenticating user to a uid/gid pair on the Samba machine, using
> the information in the usermap file.  However, since Volker mentioned
> that there are no SIDs transferred from the Windows client machine to
> the server at authentication time, there's not much chance that this
> would work as I had hoped for.

If there is no domain setup, the SID you use on the windows client has
no meaning for the samba server. The Domain part will just be alien.
Only a domain setup where all the players are member of the same domain
(or trusted set of domains) can use directly SIDs, as in the case both
parties have a way to understand what they mean.

To be honest, windows machines can store in the file system just any SID
handed to them, but they will never do any mapping server side.
So if you take 2 windows client and try to set the SID of user Foo on
client 1 on client 2, user Foo of client 2 will not actually be able to
access the resource, as the SID will not match.

In general it's best if you avoid assuming which SID belongs to whom on
network communications.


Simo Sorce
Samba Team GPL Compliance Officer <simo at>
Senior Software Engineer at Red Hat Inc. <ssorce at>
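The point Simo makes above (a SID carries the issuing domain's identifier, so a SID minted by another standalone machine is "alien" to the server even if the RID happens to match) can be made concrete by splitting a SID into its domain prefix and RID and checking the prefix against the domains the server actually knows. The following is an added illustration, not code from this thread, from Samba or from Cygwin. The machine SIDs, the RID 1001 for "Foo" and the usermap table are constructed sample data; the classification labels ("local", "trusted", "alien", "well-known") are the example's own naming.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# A SID string has the form S-<revision>-<authority>-<sub-authority>[-<sub-authority>...].
# Domain and standalone-machine account SIDs use authority 5 and the prefix
# S-1-5-21-A-B-C (the issuer), followed by the account's RID.
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# A few well-known SIDs that mean the same thing on every Windows host.
# Everything under S-1-5-21-... is only meaningful to its issuer (or to
# domains that trust that issuer).
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]

    def __str__(self) -> str:
        subs = "-".join(str(s) for s in self.subauthorities)
        return "S-%d-%d-%s" % (self.revision, self.authority, subs)

    @property
    def is_domain_account(self) -> bool:
        # S-1-5-21-A-B-C-RID: authority 5, first sub-authority 21, three
        # issuer sub-authorities, then the RID.
        return (self.authority == 5
                and len(self.subauthorities) >= 5
                and self.subauthorities[0] == 21)

    @property
    def domain(self) -> Optional["Sid"]:
        """The issuing domain/machine SID (S-1-5-21-A-B-C), or None."""
        if not self.is_domain_account:
            return None
        return Sid(self.revision, self.authority, self.subauthorities[:4])

    @property
    def rid(self) -> Optional[int]:
        return self.subauthorities[-1] if self.is_domain_account else None


def parse_sid(text: str) -> Sid:
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError("not a SID string: %r" % text)
    subs = tuple(int(x) for x in m.group(3).split("-")[1:])
    return Sid(int(m.group(1)), int(m.group(2)), subs)


def classify(sid_text: str, own_domain: str,
             trusted_domains: Tuple[str, ...] = ()) -> Tuple[str, str]:
    """Decide whether a SID found in an ACL can mean anything on this server.

    Returns (kind, detail) with kind one of
    'well-known', 'local', 'trusted' or 'alien'.
    """
    sid = parse_sid(sid_text)
    if str(sid) in WELL_KNOWN:
        return ("well-known", WELL_KNOWN[str(sid)])
    issuer = sid.domain
    if issuer is None:
        return ("alien", "not a domain/machine account SID")
    if str(issuer) == own_domain:
        return ("local", "RID %d of our own domain" % sid.rid)
    if str(issuer) in trusted_domains:
        return ("trusted", "RID %d of trusted domain %s" % (sid.rid, issuer))
    return ("alien", "issuer %s is unknown here" % issuer)


def map_acl_sid_to_uid(sid_text: str, own_domain: str,
                       usermap: Dict[str, int],
                       trusted_domains: Tuple[str, ...] = ()) -> Optional[int]:
    """Map a SID to a uid only if its issuer is one we can vouch for."""
    kind, _ = classify(sid_text, own_domain, trusted_domains)
    if kind not in ("local", "trusted"):
        return None
    return usermap.get(sid_text)


# Constructed sample data: two standalone Windows clients that each have a
# user "Foo" with RID 1001, and a usermap known to client 2.
CLIENT1 = "S-1-5-21-111-222-333"
CLIENT2 = "S-1-5-21-444-555-666"
USERMAP_ON_CLIENT2 = {CLIENT2 + "-1001": 1000}


if __name__ == "__main__":
    # Client 1's Foo SID written into an ACL on client 2: same RID, wrong issuer.
    print(classify(CLIENT1 + "-1001", own_domain=CLIENT2))
    print(classify(CLIENT2 + "-1001", own_domain=CLIENT2))
    print(map_acl_sid_to_uid(CLIENT1 + "-1001", CLIENT2, USERMAP_ON_CLIENT2))
```

Run as a script, the first call reports the SID as alien and the last returns None: client 2 has no way to learn that RID 1001 under client 1's prefix is "Foo", which is exactly why a usermap keyed on client SIDs cannot work without a shared or trusted domain. Only the well-known SIDs and SIDs whose S-1-5-21 prefix is the server's own domain or a trusted one survive the check.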
