[PATCH] Patches required for POSIX ACL support of GPOs

Michael Wood esiotrot at gmail.com
Fri May 11 07:44:57 MDT 2012


Hi Matthieu

On 11 May 2012 15:18, Matthieu Patou <mat at samba.org> wrote:
>
> Steve,
>
>> Yes of course. Sorry. Here are the steps I used as root in /data:
>>
>> mkdir reports
>> chmod 0770 reports
>> chgrp staff reports
>
> At the risk of repeating this 1000 times, the staff group has NO existence in
> windows so when s3fs/winbind maps it to a SID it will be mapped to a domain that
> is not the domain of your AD forest.
>
> In order to be clearer, on my system I have:
>
> grep staff /etc/group
> staff:x:50:
>
> If I search in idmap.ldb for this xidnumber there is 0 results:
>  /ldbsearch -H ~/workspace/samba/rodc_mat/private/idmap.ldb  (xidnumber=50)
>
> It's because we don't map all the existing unix groups and users to domain
> SIDs, we do so for just a couple of them, namely:
>
> * nogroup to anonymous (S-1-5-7)
> * root to administrator (domainsid-500)
> * adm to administrators(S-1-5-32-544)
> * users to domain users (domainsid-513)
>
> So if you want to have a chance of having this working you need to
> understand this and grant rights on the linux side to a gid that samba knows how
> to map back to a SID!

But Steve has created a group in the directory, as quoted in the
message you replied to:

dn: CN=staff,CN=Users,DC=polop,DC=site
cn: staff
instanceType: 4
whenCreated: 20120508143644.0Z
uSNCreated: 3725
name: staff
objectGUID: 2c910ec0-0508-4f48-90df-544aa47c8d65
objectSid: S-1-5-21-1196638036-2541980263-511278767-1106
sAMAccountName: staff
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=polop,DC=site
objectClass: top
objectClass: posixGroup
objectClass: group
gidNumber: 21106
member: CN=steve2,CN=Users,DC=polop,DC=site
whenChanged: 20120511090721.0Z
uSNChanged: 3850
distinguishedName: CN=staff,CN=Users,DC=polop,DC=site

Based on his earlier e-mails it seems he has also updated the
xidNumber in the idmap.ldb.

Whether he has a staff group in /etc/groups or not, I do not know, and
if so, whether the GID from /etc/groups matches the xidNumber I also
don't know.

I do know he's using nslcd to map users/groups <-> IDs, so assuming he
has the staff group only defined in the directory or that the one in
/etc/groups has a GID that matches the XID of the one in the
directory, is that not sufficient?

By the way, is the gidNumber field used for anything?

-- 
Michael Wood <esiotrot at gmail.com>
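The disagreement above comes down to one question: does the GID that ends up on the directory's POSIX ACL resolve, through idmap.ldb, to a SID inside the AD forest domain? The script below is an added example (not code from this thread, from Samba, or from any of the participants) that cross-checks the three records involved: the group line nslcd/getent returns, the idmap.ldb record for that xidNumber, and the AD group object. The AD group record is the one quoted in the message above; the getent lines and the idmap.ldb record are constructed samples in the shape those tools print, and the fallback SID for a GID with no idmap.ldb entry (Samba's "Unix Groups" authority S-1-22-2-<gid>) is my assumption about where an unmapped GID lands, used here to stand in for the "domain that is not your AD forest" Matthieu describes.

```python
"""Cross-check a Unix GID against Samba's idmap.ldb and the AD group object.

Real inputs would come from, on the DC:
    getent group staff
    ldbsearch -H <private>/idmap.ldb '(xidNumber=21106)'
    ldbsearch -H <private>/sam.ldb '(sAMAccountName=staff)'
Here the getent lines and the idmap.ldb record are CONSTRUCTED samples so the
script runs offline; the AD group record is the one quoted in the thread.
"""
import base64

# ASSUMPTION: an unmapped gid resolves to Samba's "Unix Groups" authority.
UNIX_GROUPS_AUTHORITY = "S-1-22-2"

# Domain SID of the forest, taken from the objectSid of the quoted group.
FOREST_DOMAIN_SID = "S-1-5-21-1196638036-2541980263-511278767"

# Constructed getent lines: the AD-backed group (via nslcd) and a purely
# local /etc/group entry like Matthieu's "staff:x:50:".
GETENT_STAFF_AD = "staff:*:21106:steve2"
GETENT_STAFF_LOCAL = "staff:x:50:"

# AD group object as quoted in the message (abridged to the relevant attributes).
AD_GROUP_LDIF = """dn: CN=staff,CN=Users,DC=polop,DC=site
cn: staff
objectSid: S-1-5-21-1196638036-2541980263-511278767-1106
sAMAccountName: staff
objectClass: top
objectClass: posixGroup
objectClass: group
gidNumber: 21106
member: CN=steve2,CN=Users,DC=polop,DC=site
"""

# Constructed idmap.ldb record (sidMap shape) mapping the group SID to 21106.
IDMAP_STAFF_LDIF = """dn: CN=S-1-5-21-1196638036-2541980263-511278767-1106
cn: S-1-5-21-1196638036-2541980263-511278767-1106
objectClass: sidMap
objectSid: S-1-5-21-1196638036-2541980263-511278767-1106
type: ID_TYPE_GID
xidNumber: 21106
"""


def parse_ldif(text):
    """Parse a single LDIF entry into {attribute: [values]}.
    Handles folded continuation lines (leading space), comments,
    and base64 values written as 'attr:: <b64>'."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw)
    entry = {}
    for line in logical:
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(attr.strip(), []).append(value)
    return entry


def sid_domain(sid):
    """Strip the RID: S-1-5-21-a-b-c-1106 -> S-1-5-21-a-b-c."""
    return sid.rsplit("-", 1)[0]


def gid_from_getent(line, name):
    """Return the numeric GID for `name` from a getent group line."""
    fields = line.strip().split(":")
    if len(fields) < 3 or fields[0] != name:
        raise ValueError("group %r not in getent output" % name)
    return int(fields[2])


def resolve_gid(gid, idmap_entries):
    """Map a gid to a SID via an idmap.ldb entry with matching xidNumber and a
    group-capable type; otherwise fall back to the Unix Groups authority.
    Returns (sid, mapped_in_idmap)."""
    for entry in idmap_entries:
        typ = entry.get("type", [""])[0]
        if typ in ("ID_TYPE_GID", "ID_TYPE_BOTH") and entry.get("xidNumber", [""])[0] == str(gid):
            return entry["objectSid"][0], True
    return "%s-%d" % (UNIX_GROUPS_AUTHORITY, gid), False


def check_group(name, getent_line, ad_group_ldif, idmap_ldif_entries, forest_domain_sid):
    """Report whether `name`'s gid will resolve to a SID in the forest domain,
    and list every inconsistency between getent, idmap.ldb and the AD object."""
    problems = []
    gid = gid_from_getent(getent_line, name)
    ad = parse_ldif(ad_group_ldif)
    idmap = [parse_ldif(e) for e in idmap_ldif_entries]
    sid, mapped = resolve_gid(gid, idmap)
    in_forest = sid_domain(sid) == forest_domain_sid
    if not mapped:
        problems.append("gid %d has no idmap.ldb entry; would resolve to %s" % (gid, sid))
    if not in_forest:
        problems.append("%s is outside the forest domain %s" % (sid, forest_domain_sid))
    if mapped and sid != ad["objectSid"][0]:
        problems.append("idmap.ldb maps gid %d to %s, but the AD group is %s"
                        % (gid, sid, ad["objectSid"][0]))
    if ad.get("gidNumber", [None])[0] != str(gid):
        problems.append("AD gidNumber %s differs from the gid getent returns (%d)"
                        % (ad.get("gidNumber", ["<unset>"])[0], gid))
    return {"gid": gid, "sid": sid, "in_forest": in_forest, "problems": problems}


if __name__ == "__main__":
    for line in (GETENT_STAFF_AD, GETENT_STAFF_LOCAL):
        r = check_group("staff", line, AD_GROUP_LDIF, [IDMAP_STAFF_LDIF], FOREST_DOMAIN_SID)
        print("getent %-22s gid=%-6d sid=%s in_forest=%s" % (line, r["gid"], r["sid"], r["in_forest"]))
        for p in r["problems"]:
            print("   !", p)
```

With the nslcd-backed line the gid 21106 is found in idmap.ldb and resolves to the forest-domain SID of the quoted group, so `chgrp staff` would grant rights to a SID Samba can hand back to Windows. With a local `staff:x:50:` entry and no matching xidNumber, the script flags three problems: no idmap.ldb record, a SID outside the forest domain, and a gidNumber on the AD object that does not match what getent returns. The last check is a consistency check only; the thread does not establish whether Samba itself reads gidNumber.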