[PATCH] Patches required for POSIX ACL support of GPOs

Andrew Bartlett abartlet at samba.org
Fri May 11 08:02:26 MDT 2012


On Fri, 2012-05-11 at 15:44 +0200, Michael Wood wrote:
> Hi Matthieu
> 
> On 11 May 2012 15:18, Matthieu Patou <mat at samba.org> wrote:
> >
> > Steve,
> >
> >> Yes of course. Sorry. Here are the steps I used as root in /data:
> >>
> >> mkdir reports
> >> chmod 0770 reports
> >> chgrp staff reports
> >
> > At the risk of repeating this 1000 times, the staff group has NO existence in
> > Windows, so when s3fs/winbind maps it to a SID it will be mapped to a domain that
> > is not the domain of your AD forest.
> >
> > In order to be clearer, on my system I have:
> >
> > grep staff /etc/group
> > staff:x:50:
> >
> > If I search in idmap.ldb for this xidnumber there is 0 results:
> >  /ldbsearch -H ~/workspace/samba/rodc_mat/private/idmap.ldb  (xidnumber=50)
> >
> > It's because we don't map all the existing Unix groups and users to domain
> > SIDs, we do so for just a couple of them, namely:
> >
> > * nogroup to anonymous (S-1-5-7)
> > * root to administrator (domainsid-500)
> > * adm to administrators(S-1-5-32-544)
> > * users to domain users (domainsid-513)
> >
> > So if you want to have a chance of having this working you need to
> > understand this and grant rights on the Linux side to a gid that Samba knows how
> > to map back to a SID!
> 
> But Steve has created a group in the directory, as quoted in the
> message you replied to:
> 
> dn: CN=staff,CN=Users,DC=polop,DC=site
> cn: staff
> instanceType: 4
> whenCreated: 20120508143644.0Z
> uSNCreated: 3725
> name: staff
> objectGUID: 2c910ec0-0508-4f48-90df-544aa47c8d65
> objectSid: S-1-5-21-1196638036-2541980263-511278767-1106
> sAMAccountName: staff
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=polop,DC=site
> objectClass: top
> objectClass: posixGroup
> objectClass: group
> gidNumber: 21106
> member: CN=steve2,CN=Users,DC=polop,DC=site
> whenChanged: 20120511090721.0Z
> uSNChanged: 3850
> distinguishedName: CN=staff,CN=Users,DC=polop,DC=site
> 
> Based on his earlier e-mails it seems he has also updated the
> xidNumber in the idmap.ldb.
> 
> Whether he has a staff group in /etc/group or not, I do not know, and
> if so, whether the GID from /etc/group matches the xidNumber I also
> don't know.
> 
> I do know he's using nslcd to map users/groups <-> IDs, so assuming he
> has the staff group only defined in the directory or that the one in
> /etc/group has a GID that matches the XID of the one in the
> directory, is that not sufficient?
> 
> By the way, is the gidNumber field used for anything?

It is not used by Samba in any way, when configured as an AD DC.

It certainly would be easier and less confusing if there wasn't the
confusing addition of nslcd or gidNumber in the directory.  

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
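Matthieu's point above is that a POSIX gid on a directory is only useful to a Samba AD DC if idmap.ldb can turn that xidNumber back into a SID, and that the SID must belong to the forest domain (or be a well-known/BUILTIN SID), not to some other domain. The following script is an added example, not code from this thread or from the Samba project: it parses an `ldbsearch -H private/idmap.ldb` style dump and reports, for a given gid (or the group owner of a directory, as with `chgrp staff reports`), whether Samba has a usable mapping. The domain SID and the 1106 RID are taken from the CN=staff object quoted in the thread; the LDIF dump, the xidNumber values other than 21106 and the third entry from a different domain are constructed for the example.

```python
"""Check whether a Unix GID maps back, via idmap.ldb, to a SID that a Samba AD DC
can put in a Windows ACL.  Added example for the samba-technical thread above;
not Samba project code."""
import os

# Domain SID of the forest, taken from objectSid of CN=staff,CN=Users,DC=polop,DC=site.
DOMAIN_SID = "S-1-5-21-1196638036-2541980263-511278767"

# Constructed stand-in for the output of:
#   ldbsearch -H private/idmap.ldb '(objectClass=sidMap)'
# Only the domain SID and RID 1106 come from the thread; 21106 is the xidNumber the
# thread suggests was set to match gidNumber.  The other two entries are invented:
# a BUILTIN\Administrators mapping and a mapping into a foreign domain.
SAMPLE_IDMAP_LDIF = """\
dn: CN=S-1-5-21-1196638036-2541980263-511278767-1106
objectClass: sidMap
objectSid: S-1-5-21-1196638036-2541980263-511278767-1106
type: ID_TYPE_GID
xidNumber: 21106

dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-999-888-777-1001
objectClass: sidMap
objectSid: S-1-5-21-999-888-777-1001
type: ID_TYPE_GID
xidNumber: 3000100
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.
    Entries are separated by blank lines; a leading space continues the previous line."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def xid_to_sid(entries, xid):
    """Return the objectSid whose xidNumber equals xid, or None if idmap.ldb has no mapping."""
    for entry in entries:
        if entry.get("xidNumber") == [str(xid)] and "objectSid" in entry:
            return entry["objectSid"][0]
    return None


def classify_sid(sid, domain_sid=DOMAIN_SID):
    """Say whether a SID is usable: in the forest domain, well-known/BUILTIN, or foreign."""
    if sid.startswith(domain_sid + "-"):
        return "forest-domain"
    # S-1-5-32-* is BUILTIN (e.g. Administrators S-1-5-32-544); S-1-5-7 is Anonymous.
    if sid.startswith("S-1-5-32-") or sid in ("S-1-5-7", "S-1-1-0"):
        return "well-known"
    return "foreign-domain"


def check_gid(gid, entries, domain_sid=DOMAIN_SID):
    """Return (status, sid) for a POSIX gid.  'unmapped' means Samba cannot express
    an ACL entry for this group at all; 'foreign-domain' means it maps, but not
    into this forest."""
    sid = xid_to_sid(entries, gid)
    if sid is None:
        return ("unmapped", None)
    return (classify_sid(sid, domain_sid), sid)


def check_path(path, entries, domain_sid=DOMAIN_SID):
    """Same check driven by the group owner of an existing directory."""
    return check_gid(os.stat(path).st_gid, entries, domain_sid)


if __name__ == "__main__":
    idmap = parse_ldif(SAMPLE_IDMAP_LDIF)
    # gid 50 is the /etc/group 'staff' from Matthieu's box: no xidNumber, so unmapped.
    for gid in (50, 21106, 3000000, 3000100):
        status, sid = check_gid(gid, idmap)
        print(f"gid {gid}: {status} {sid or ''}".rstrip())
```

Run it against a real dump by replacing `SAMPLE_IDMAP_LDIF` with the output of `ldbsearch` on the DC's private/idmap.ldb and feeding `check_path("/data/reports", ...)` the directory from Steve's steps; a result of `unmapped` for the directory's gid is exactly the situation Matthieu describes, regardless of what gidNumber says on the group object in the directory.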
