[PATCH] Patches required for POSIX ACL support of GPOs

Matthieu Patou mat at samba.org
Fri May 11 07:18:49 MDT 2012

> Yes of course. Sorry. Here are the steps I used as root in /data:
> mkdir reports
> chmod 0770 reports
> chgrp staff reports
At the risk of repeating this 1000 times, the staff group has NO 
existence in windows so when s3fs/winbind map it to a SID it will be mapped 
to a domain that is not the domain of your AD forest.

To be clearer, on my system I have:

grep staff /etc/group

If I search in idmap.ldb for this xidnumber there are 0 results:
  /ldbsearch -H ~/workspace/samba/rodc_mat/private/idmap.ldb  

It's because we don't map all the existing unix groups and users to 
domain SIDs, we do for just a couple of them, namely:

* nogroup to anonymous (S-1-5-7)
* root to administrator (domainsid-500)
* adm to administrators (S-1-5-32-544)
* users to domain users (domainsid-513)

So if you want to have a chance of having this working you need to 
understand this and grant rights on the linux side to a gid that samba knows 
how to map back to a SID!

As far as I'm concerned I'll ignore you very soon and you won't get any more 
feedback and support from me (and I suppose it will be the case from some 
others too) if you keep asking the same questions without trying to 
understand what we try to answer you. We might not be clear and you are 
free to ask for some clarification but you have to show us that you started some 
reflection on the subject.

Matthieu Patou
Samba Team
