[PATCH] Patches required for POSIX ACL support of GPOs

steve steve at steve-ss.com
Fri May 11 10:33:12 MDT 2012


On 05/11/2012 04:02 PM, Andrew Bartlett wrote:
> On Fri, 2012-05-11 at 15:44 +0200, Michael Wood wrote:
>> Hi Matthieu
>>
>> On 11 May 2012 15:18, Matthieu Patou<mat at samba.org>  wrote:
>>> Steve,
>>>
>>>> Yes of course. Sorry. Here are the steps I used as root in /data:
>>>>
>>>> mkdir reports
>>>> chmod 0770 reports
>>>> chgrp staff reports
>>> At the risk of repeating this 1000 times, the staff group has NO existence in
>>> windows so when s3fs/winbind map it to a SID it will be mapped to a domain that
>>> is not the domain of your AD forest.
>>>
>>> In order to be clearer, on my system I have:
>>>
>>> grep staff /etc/group
>>> staff:x:50:
>>>
>>> If I search in idmap.ldb for this xidnumber there is 0 results:
>>>   /ldbsearch -H ~/workspace/samba/rodc_mat/private/idmap.ldb  (xidnumber=50)
>>>
>>> It's because we don't map all the existing unix groups and users to domain
>>> SIDs; we do for just a couple of them, namely:
>>>
>>> * nogroup to anonymous (S-1-5-7)
>>> * root to administrator (domainsid-500)
>>> * adm to administrators(S-1-5-32-544)
>>> * users to domain users (domainsid-513)
>>>
>>> So if you want to have a chance of having this working you need to
>>> understand this and grant rights on the linux side to a gid that samba knows how
>>> to map back to a SID!
>> But Steve has created a group in the directory, as quoted in the
>> message you replied to:
>>
>> dn: CN=staff,CN=Users,DC=polop,DC=site
>> cn: staff
>> instanceType: 4
>> whenCreated: 20120508143644.0Z
>> uSNCreated: 3725
>> name: staff
>> objectGUID: 2c910ec0-0508-4f48-90df-544aa47c8d65
>> objectSid: S-1-5-21-1196638036-2541980263-511278767-1106
>> sAMAccountName: staff
>> sAMAccountType: 268435456
>> groupType: -2147483646
>> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=polop,DC=site
>> objectClass: top
>> objectClass: posixGroup
>> objectClass: group
>> gidNumber: 21106
>> member: CN=steve2,CN=Users,DC=polop,DC=site
>> whenChanged: 20120511090721.0Z
>> uSNChanged: 3850
>> distinguishedName: CN=staff,CN=Users,DC=polop,DC=site
>>
>> Based on his earlier e-mails it seems he has also updated the
>> xidNumber in the idmap.ldb.
>>
>> Whether he has a staff group in /etc/groups or not, I do not know, and
>> if so, whether the GID from /etc/groups matches the xidNumber I also
>> don't know.
>>
>> I do know he's using nslcd to map users/groups <-> IDs, so assuming he
>> has the staff group only defined in the directory or that the one in
>> /etc/groups has a GID that matches the XID of the one in the
>> directory, is that not sufficient?
>>
>> By the way, is the gidNumber field used for anything?
> It is not used by Samba in any way.
>
> It certainly would be easier and less confusing if there wasn't the
> confusing addition of nslcd or gidNumber in the directory.
>
> Andrew Bartlett
>
Hi

Please ignore gidNumber and nslcd. This issue is about s3fs and the 
possibility of having s3fs honour posix acls.

It works fine with NTVFS to windows clients and nfs to Linux clients. It 
just doesn't work with s3fs.

Cheers again,
Steve
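To make Matthieu's point checkable on a real host, here is an added example (not code from this thread and not Samba's own tooling): it parses a constructed `getfacl`-style listing of the shared directory, an excerpt of /etc/group, and an LDIF dump in the shape `ldbsearch -H idmap.ldb` prints, then reports every group named on the directory whose GID has no xidNumber record that Samba could map back to a SID. The idmap.ldb attribute names (objectSid, type, xidNumber, ID_TYPE_GID/ID_TYPE_BOTH) are my assumption about the file's layout; the local `staff` gid 50 and the SID ending in -1106 come from the thread, and every other value is constructed.

```python
"""Report POSIX ACL groups on a directory that have no idmap.ldb mapping.

Added example for the samba-technical thread above; not Samba code.
Attribute names for idmap.ldb records (objectSid, type, xidNumber) are
assumed, and all sample inputs below are constructed.
"""
import re

# Constructed: what `getfacl reports` prints after chgrp/setfacl.
GETFACL_OUTPUT = """\
# file: reports
# owner: root
# group: staff
user::rwx
group::rwx
group:staff:rwx
mask::rwx
other::---
"""

# Constructed /etc/group excerpt: local 'staff' (gid 50, as in Matthieu's
# example) and a group whose gid an idmap record does cover.
ETC_GROUP = """\
root:x:0:
adm:x:4:
staff:x:50:
domain_staff:x:3000012:
"""

# Constructed LDIF in the shape `ldbsearch -H idmap.ldb` prints; the SID is
# the one quoted in the thread, the xidNumber and record layout are assumed.
IDMAP_LDIF = """\
# record 1
dn: CN=S-1-5-21-1196638036-2541980263-511278767-1106
cn: S-1-5-21-1196638036-2541980263-511278767-1106
objectClass: sidMap
objectSid: S-1-5-21-1196638036-2541980263-511278767-1106
type: ID_TYPE_BOTH
xidNumber: 3000012

# returned 1 records
"""


def parse_etc_group(text):
    """Map group name -> numeric gid from /etc/group-formatted text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            groups[parts[0]] = int(parts[2])
    return groups


def parse_idmap_ldif(text):
    """Map xidNumber -> objectSid for records usable as a group mapping.

    Records are blank-line separated; attribute names are compared
    case-insensitively, as LDAP does. Only ID_TYPE_GID and ID_TYPE_BOTH
    records can stand in for a POSIX group.
    """
    mapping, record = {}, {}

    def flush(rec):
        if "xidnumber" in rec and rec.get("type") in ("ID_TYPE_GID", "ID_TYPE_BOTH"):
            mapping[int(rec["xidnumber"])] = rec.get("objectsid")

    for line in text.splitlines():
        if not line.strip():           # end of one LDIF record
            flush(record)
            record = {}
            continue
        if line.startswith("#"):       # ldbsearch comments
            continue
        key, _, value = line.partition(":")
        record[key.strip().lower()] = value.strip()
    flush(record)
    return mapping


def acl_group_names(getfacl_text):
    """Group names referenced by a getfacl listing: the owning group plus
    every named group: entry (the unnamed 'group::' entry is the owner)."""
    names = []
    for line in getfacl_text.splitlines():
        m = re.match(r"^# group: (\S+)$", line) or re.match(r"^group:([^:]+):", line)
        if m:
            names.append(m.group(1))
    return list(dict.fromkeys(names))  # de-duplicate, keep order


def unmapped_acl_groups(getfacl_text, etc_group_text, idmap_ldif_text):
    """Return (name, gid, reason) for each ACL group Samba cannot map to a SID."""
    groups = parse_etc_group(etc_group_text)
    idmap = parse_idmap_ldif(idmap_ldif_text)
    problems = []
    for name in acl_group_names(getfacl_text):
        gid = groups.get(name)
        if gid is None:
            problems.append((name, None, "group not resolvable on the Linux side"))
        elif gid not in idmap:
            problems.append((name, gid, "no xidNumber record in idmap.ldb"))
    return problems


if __name__ == "__main__":
    for name, gid, reason in unmapped_acl_groups(GETFACL_OUTPUT, ETC_GROUP, IDMAP_LDIF):
        print(f"{name} (gid {gid}): {reason}")
```

With the constructed inputs the report flags `staff` (gid 50) because nothing in idmap.ldb carries that xidNumber, which is exactly the situation Matthieu describes: the Linux side grants rights to a gid that winbind cannot turn back into a SID of the AD domain. Swapping the listing to use `domain_staff`, whose gid matches the ID_TYPE_BOTH record, produces an empty report.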



More information about the samba-technical mailing list