[PATCH] Patches required for POSIX ACL support of GPOs

steve steve at steve-ss.com
Fri May 11 10:23:27 MDT 2012


On 05/11/2012 03:44 PM, Michael Wood wrote:
> Hi Matthieu
>
> On 11 May 2012 15:18, Matthieu Patou <mat at samba.org> wrote:
>> Steve,
>>
>>> Yes of course. Sorry. Here are the steps I used as root in /data:
>>>
>>> mkdir reports
>>> chmod 0770 reports
>>> chgrp staff reports
>> At the risk of repeating this 1000 times, the staff group has NO existence in
>> windows so when s3fs/winbind map it to a SID it will be mapped to a domain that
>> is not the domain of your AD forest.
>>
>> In order to be clearer, on my system I have:
>>
>> grep staff /etc/group
>> staff:x:50:
>>
>> If I search in idmap.ldb for this xidnumber there is 0 results:
>>   /ldbsearch -H ~/workspace/samba/rodc_mat/private/idmap.ldb  (xidnumber=50)
>>
>> It's because we don't map all the existing unix groups and users to domain
>> SIDs, we do for just a couple of them namely:
>>
>> * nogroup to anonymous (S-1-5-7)
>> * root to administrator (domainsid-500)
>> * adm to administrators(S-1-5-32-544)
>> * users to domain users (domainsid-513)
>>
>> So if you want to have a chance of having this working you need to
>> understand this and grant rights on linux side to gid that samba knows how
>> to map back to SID !
> But Steve has created a group in the directory, as quoted in the
> message you replied to:
>
> dn: CN=staff,CN=Users,DC=polop,DC=site
> cn: staff
> instanceType: 4
> whenCreated: 20120508143644.0Z
> uSNCreated: 3725
> name: staff
> objectGUID: 2c910ec0-0508-4f48-90df-544aa47c8d65
> objectSid: S-1-5-21-1196638036-2541980263-511278767-1106
> sAMAccountName: staff
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=polop,DC=site
> objectClass: top
> objectClass: posixGroup
> objectClass: group
> gidNumber: 21106
> member: CN=steve2,CN=Users,DC=polop,DC=site
> whenChanged: 20120511090721.0Z
> uSNChanged: 3850
> distinguishedName: CN=staff,CN=Users,DC=polop,DC=site
>
> Based on his earlier e-mails it seems he has also updated the
> xidNumber in the idmap.ldb.
>
> Whether he has a staff group in /etc/groups or not, I do not know, and
> if so, whether the GID from /etc/groups matches the xidNumber I also
> don't know.
>
> I do know he's using nslcd to map users/groups <-> IDs, so assuming he
> has the staff group only defined in the directory or that the one in
> /etc/groups has a GID that matches the XID of the one in the
> directory, is that not sufficient?
>
> By the way, is the gidNumber field used for anything?
>
Hi everyone

I have _one_ group called staff. It is a Samba4 AD group, as Michael has 
kindly reminded us. I have no group called staff in /etc/groups. I have 
members in the AD group. steve2 is one of those members. I simply want 
group rw access to the share. wbinfo --group info and getent group map 
perfectly.

I can do it with the old NTVFS for windows and of course Linux clients 
over nfs. I just can't do it with s3fs.

The gidNumber field is necessary, otherwise the Linux mapping doesn't 
work. getent group and getent passwd do not work. We use nss-pam-ldapd 
for the LDAP mapping. Please note that this works fine apart from s3fs 
not honouring the posix acl that we have set.

If you really do not want to help me any longer then OK. But I really do 
feel that this problem needs to be a. understood, b. addressed and c. 
left here as a warning to others trying to achieve the same goal.

Thank you once more for your patience.

Cheers,
Steve
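A check for the mismatch Matthieu describes, as an added example that is not part of this thread and not Samba's own code. It parses constructed `ldbsearch -H idmap.ldb` and `getfacl -n` output and reports, for every gid that the POSIX ACL on the share directory grants rights to, whether idmap.ldb maps that gid to a SID in the forest domain, to a well-known SID, or to nothing at all (Matthieu's `staff:x:50:` case). The idmap record for gid 21106 and the `group:50:rw-` ACL entry are constructed for illustration; the domain SID is taken from the objectSid of the staff group quoted above, minus its RID.

```python
"""Audit POSIX ACL group entries against Samba's idmap.ldb mappings.

Added example (not from the samba-technical thread or from Samba).
A gid that only exists in /etc/group has no idmap.ldb record, so
s3fs cannot turn it into a Windows security principal.
"""
import re

# Forest domain SID: objectSid of CN=staff quoted in the thread, minus RID 1106.
DOMAIN_SID = "S-1-5-21-1196638036-2541980263-511278767"

# Constructed sample of `ldbsearch -H private/idmap.ldb` output.  The record
# for gid 21106 is an assumption for illustration (the thread only says the
# xidNumber was updated); the Administrators entry is a typical BUILTIN map.
SAMPLE_IDMAP_LDIF = """\
# record 1
dn: CN=S-1-5-21-1196638036-2541980263-511278767-1106
cn: S-1-5-21-1196638036-2541980263-511278767-1106
objectClass: sidMap
objectSid: S-1-5-21-1196638036-2541980263-511278767-1106
type: ID_TYPE_GID
xidNumber: 21106

# record 2
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

# returned 2 records
"""

# Constructed sample of `getfacl -n reports` after `chmod 0770; chgrp staff`,
# plus a named entry for gid 50 (a group that exists only in /etc/group).
SAMPLE_GETFACL = """\
# file: reports
# owner: 0
# group: 21106
user::rwx
group::rwx
group:50:rw-
mask::rwx
other::---
"""


def parse_idmap_ldif(text):
    """Return {xidNumber: (objectSid, type)} from ldbsearch LDIF output.

    Records are separated by blank lines; '#' lines are comments.
    """
    mappings = {}
    record = {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if "xidNumber" in record and "objectSid" in record:
                mappings[int(record["xidNumber"])] = (
                    record["objectSid"], record.get("type", "?"))
            record = {}
            continue
        key, _, value = line.partition(": ")
        record[key] = value
    return mappings


def parse_getfacl(text):
    """Return the set of numeric gids that grant rights on the object:
    the owning group ('# group:' header, consumed by the 'group::' entry)
    plus every named 'group:<gid>:' entry.  Assumes `getfacl -n` output."""
    gids = set()
    for line in text.splitlines():
        m = re.match(r"# group:\s*(\d+)$", line) or re.match(r"group:(\d+):", line)
        if m:
            gids.add(int(m.group(1)))
    return gids


def classify_gid(gid, idmap, domain_sid=DOMAIN_SID):
    """'domain' if the gid maps to a SID in the forest domain, 'wellknown'
    for BUILTIN / Anonymous, 'foreign' for any other SID, 'unmapped' if
    idmap.ldb has no record for it at all."""
    if gid not in idmap:
        return "unmapped"
    sid, _ = idmap[gid]
    if sid.startswith(domain_sid + "-"):
        return "domain"
    if sid.startswith("S-1-5-32-") or sid == "S-1-5-7":
        return "wellknown"
    return "foreign"


def audit_share_acl(getfacl_text, idmap_ldif_text, domain_sid=DOMAIN_SID):
    """Map every gid on the ACL to its idmap status."""
    idmap = parse_idmap_ldif(idmap_ldif_text)
    return {gid: classify_gid(gid, idmap, domain_sid)
            for gid in sorted(parse_getfacl(getfacl_text))}


if __name__ == "__main__":
    for gid, status in audit_share_acl(SAMPLE_GETFACL, SAMPLE_IDMAP_LDIF).items():
        print(f"gid {gid}: {status}")
```

On a real server the two inputs would come from `ldbsearch -H /usr/local/samba/private/idmap.ldb` (path is an assumption) and `getfacl -n` on the share directory; any gid reported as "unmapped" or "foreign" is one that Samba will not translate to a principal in your AD domain, whatever nslcd and `getent group` show on the Linux side.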


