Setting ACLs when creating files from Windows

Corinna Vinschen corinna at
Thu Jul 31 19:49:51 GMT 2008

On Jul 31 19:09, Volker Lendecke wrote:
> On Thu, Jul 31, 2008 at 10:35:46AM +0200, Corinna Vinschen wrote:
> > That's all.  Apparently Samba knows to switch to the local UNIX user
> > corinna from the incoming request and creates the file as that user.
> > But eventually, in the call to set_nt_acl, legacy_sid_to_uid doesn't
> > know about the user mapping anymore and fails.
> The problem very likely is that
> S-1-5-21-2913048732-1697188782-3448811101-1001 is the SID of
> user corinna on the workstation you're coming from, which
> has nothing to do with the user corinna on the Samba box. If

Why not?  The user with sid S-1-5-21-2913048732-1697188782-3448811101-1001
has authenticated itself and is mapped by Samba to the user with uid 500.
Files are created as that user with uid 500.  Why is that mapping not
transparent when creating files with security descriptors using the SID
which has been mapped to the uid formerly?  That's hard to understand.
Isn't that what the smbusers file is supposed to accomplish?

> you do a "net getlocalsid" on the samba box, you will
> probably get a different SID prefix than
> S-1-5-21-2913048732-1697188782-3448811101. You might want to
> do a lookupname() (don't know the API call in win32) against
> the samba box before choosing the SID to set in the sd.

How shall I know what UNIX user my Windows user is mapped to?  If
smbusers contains a mapping like "foo = bar", and a UNIX user bar
doesn't exist, how should I ever find out that I have to ask for a UNIX
user foo?  Sure, winbind seems to solve this problem, but that works
only for domains, not for standalone machines.
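
The SID prefix mismatch discussed in this thread can be checked mechanically before a SID is placed in a security descriptor. The following is an added example, not part of the original message and not Samba code: it splits an account SID into its machine prefix and RID and tests whether a given machine issued it. The function names are hypothetical, and the Samba box SID is a constructed stand-in for the output of "net getlocalsid".

```python
import re

# Textual SID: S-1-<authority>-<sub-authority>... (1 to 15 sub-authorities)
_SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+){1,15})$")

def parse_sid(sid):
    """Return (identifier_authority, [sub_authorities]) or raise ValueError."""
    m = _SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a valid SID string: {sid!r}")
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    # Authority is a 48-bit field, each sub-authority a 32-bit field.
    if authority >= 2**48 or any(s >= 2**32 for s in subs):
        raise ValueError(f"SID component out of range: {sid!r}")
    return authority, subs

def split_account_sid(sid):
    """Split an S-1-5-21-x-y-z-RID account SID into (machine_prefix, rid)."""
    authority, subs = parse_sid(sid)
    # Only S-1-5-21-... SIDs carry a per-machine or per-domain prefix.
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError(f"not an S-1-5-21 account SID: {sid!r}")
    prefix = "S-1-5-" + "-".join(str(s) for s in subs[:4])
    return prefix, subs[4]

def issued_by(sid, machine_sid):
    """True if `sid` carries the prefix of the machine whose SID is `machine_sid`."""
    parse_sid(machine_sid)  # reject a malformed reference SID
    try:
        prefix, _rid = split_account_sid(sid)
    except ValueError:
        return False  # well-known or malformed SIDs belong to no machine
    return prefix == machine_sid.strip()

if __name__ == "__main__":
    # SID of the workstation user, as quoted in the thread.
    workstation_user = "S-1-5-21-2913048732-1697188782-3448811101-1001"
    # Constructed sample value standing in for the Samba box's local SID.
    samba_box = "S-1-5-21-1111111111-2222222222-3333333333"
    print(split_account_sid(workstation_user))
    print("issued by Samba box:", issued_by(workstation_user, samba_box))
```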

