Setting ACLs when creating files from Windows

Corinna Vinschen corinna at
Thu Jul 31 19:54:43 GMT 2008

On Jul 31 21:49, Corinna Vinschen wrote:
> On Jul 31 19:09, Volker Lendecke wrote:
> > On Thu, Jul 31, 2008 at 10:35:46AM +0200, Corinna Vinschen wrote:
> > > That's all.  Apparently Samba knows to switch to the local UNIX user
> > > corinna from the incoming request and creates the file as that user.
> > > But eventually, in the call tyo set_nt_acl, legacy_sid_to_uid doesn't
> > > know about the user mapping anymore and fails.
> > 
> > The problem very likely is that
> > S-1-5-21-2913048732-1697188782-3448811101-1001 is the SID of
> > user corinna on the workstation you're coming from, which
> > has nothing to do with the user corinna on the Samba box. If
> Why not?  The user with sid S-1-5-21-2913048732-1697188782-3448811101-1001
> has authenticated itself and is mapped by Samba to the user with uid 500.
> Files are created as that user with uid 500.  Why is that mapping not
> transparent when creating files with security descriptors using the SID
> which has been mapped to the uid formerly?  That's hard to understand.
> Isn't that what the smbusers file is supposed to accomplish?
> > you do a "net getlocalsid" on the samba box, you will
> > probably get a different SID prefix than
> > S-1-5-21-2913048732-1697188782-3448811101. You might want to
> > do a lookupname() (don't know the API call in win32) against
> > the samba box before choosing the SID to set in the sd.
> How shall I know what UNIX user my Windows user is mapped to?  If
> smbusers contains a mapping like "foo = bar", and a UNIX user bar
> doesn't exist, how should I ever find out that I have to ask for a UNIX
> user foo?  Sure, winbind seems to solve this problem, but that works, if a UNIX user bar exists, I might try something completely
wrong in this scenario...

> only for domains, not for standalone machines.
> Corinna

More information about the samba-technical mailing list