Setting ACLs when creating files from Windows

Volker Lendecke Volker.Lendecke at SerNet.DE
Thu Jul 31 20:00:14 GMT 2008

On Thu, Jul 31, 2008 at 09:49:51PM +0200, Corinna Vinschen wrote:
> Why not?  The user with sid S-1-5-21-2913048732-1697188782-3448811101-1001
> has authenticated itself and is mapped by Samba to the user with uid 500.

Not sure about that. You did not post the session setup part
of the connection; this would have been visible there.

> Files are created as that user with uid 500.  Why is that mapping not
> transparent when creating files with security descriptors using the SID
> which has been mapped to the uid formerly?  That's hard to understand.
> Isn't that what the smbusers file is supposed to accomplish?

What does "rpcclient localhost -U% -c 'lookupnames corinna'"
say when run on the Samba box?

> > you do a "net getlocalsid" on the samba box, you will
> > probably get a different SID prefix than
> > S-1-5-21-2913048732-1697188782-3448811101. You might want to
> > do a lookupname() (don't know the API call in win32) against
> > the samba box before choosing the SID to set in the sd.
> How shall I know what UNIX user my Windows user is mapped to?  If
> smbusers contains a mapping like "foo = bar", and a UNIX user bar
> doesn't exist, how should I ever find out that I have to ask for a UNIX
> user foo?  Sure, winbind seems to solve this problem, but that works
> only for domains, not for standalone machines.

Hmmm. Difficult. S-1-22-1-<uid> should always work, but how
do you know your uid then? There's also a "lsa who am I"
call that gives you the name that you authenticated as, but
as you say this might not be sufficient either. This btw is
exactly where some RPC programming might come in extremely
handy.... :-)
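
An added example, not part of the original message and not Samba code: a Python sketch of the check discussed above, comparing the domain prefix of the client's SID with the server's local SID before putting it in a security descriptor, and falling back to S-1-22-1-<uid> when they differ. The helper owner_sid_for_server and the server SID value are assumptions made for illustration; a prefix comparison is a simplification of the lookup against the Samba box suggested in the thread.

```python
import struct

UNIX_USER_DOMAIN = "S-1-22-1"  # Samba's "Unix User" domain, as in S-1-22-1-<uid>

def parse_sid(sid):
    """Parse 'S-<rev>-<authority>-<sub>...' into (rev, authority, subauths)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    rev, authority, *subs = (int(p) for p in parts[1:])
    if rev != 1 or not 0 <= authority < 2**48 or len(subs) > 15:
        raise ValueError("unsupported SID: %r" % sid)
    if any(not 0 <= s < 2**32 for s in subs):
        raise ValueError("sub-authority out of range: %r" % sid)
    return rev, authority, subs

def domain_of(sid):
    """Domain prefix of an account SID: everything but the trailing RID."""
    rev, authority, subs = parse_sid(sid)
    if not subs:
        raise ValueError("SID has no RID: %r" % sid)
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs[:-1]])

def sid_to_bytes(sid):
    """Binary form stored in a security descriptor: revision, sub-authority
    count, 48-bit big-endian authority, little-endian 32-bit sub-authorities."""
    rev, authority, subs = parse_sid(sid)
    return (struct.pack("BB", rev, len(subs)) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def owner_sid_for_server(client_sid, server_local_sid, uid=None):
    """Choose the owner SID to put in the SD (hypothetical helper).
    Keep client_sid only if its domain is the server's own; otherwise use
    S-1-22-1-<uid> when the uid is known, else refuse rather than guess."""
    if domain_of(client_sid) == server_local_sid:
        return client_sid
    if uid is not None:
        return "%s-%d" % (UNIX_USER_DOMAIN, uid)
    raise LookupError("SID domain differs from the server's and uid is unknown")

# The client SID and uid 500 are quoted in the thread; the server SID is constructed.
CLIENT_SID = "S-1-5-21-2913048732-1697188782-3448811101-1001"
SERVER_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed sample

if __name__ == "__main__":
    chosen = owner_sid_for_server(CLIENT_SID, SERVER_SID, uid=500)
    print(chosen, sid_to_bytes(chosen).hex())
```

With no uid supplied and a mismatching prefix the helper raises instead of guessing, which is the open question the message ends on.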
