[Samba] acls unable to map SID solaris w2k

David Pullman dpullman at cme.nist.gov
Mon Nov 25 15:04:01 GMT 2002


I think I've looked over every post that has acl or sid or winbind in it.  I don't think this has been discussed quite this way.
 
The symptom is similar to other posts but the environment is a bit different.  We can do perms through samba, and we can see acls that have been set using setfacl, but we can't change the acls (e.g., add a user).  We get:

[2002/11/15 17:02:17, 0] smbd/posix_acls.c:create_canon_ace_lists(823)
  create_canon_ace_lists: unable to map SID S-1-5-21-1831498067-1181229849-1093625069-1172 to uid or gid.

We have Solaris file servers and use acls for shared directories.  This is a great way to avoid excess group membership problems, and gives the owner of the shared directory control of perms.

We use NIS (yes, still, but ldap is coming soon :) for all UNIX workstations and the servers, and we also use a NT domain controller (PDC and BDCs) for the windows workstations.  The user names are the same on both account databases.  So I'm dpullman on windows and on UNIX logins.

We maintain a consistent uid and username in NIS on each account with a master database at our facility.  Lets us use shared resources across otherwise disconnected political boundaries, i.e., the login is the same and so the user is known.

Our windows logins map the homedir from a samba server and they can map drives to a shared directory server.  We'd like to give the users the ability to manipulate the perms, including acls, from the windows boxes.  BTW, we have NT4 and w2k but it's becoming mostly w2k so I'm testing with w2k.

I asked about this at Jerry's presentation at LISA and he suggested winbind and also said get to 2.2.6.  I'm testing 2.2.6, but unless I'm missing something, we can't go to winbind.  We need to use the NIS uids on the perms and it seems (I tried it on a test server) that the only way to use winbind is to use an arbitrary list of uids (e.g., 10000-20000).

Has anyone been able to get acl manipulation, specifically adding users to an acl, to work with a solaris file server?  I tried winbind, and I tried putting the usernames in /etc/passwd (which would not be pretty).  I have not yet tried ldap.  The essential issue seems to be that samba can't find a uid if given a sid.  It can find the sid from the uid, as it shows the username (albeit a machine domain/username) when the existing acl is inspected from the security dialog.

Here's some of the smb.conf on my test server:

[global]
workgroup = MELNT
server string = Test Samba Server
hosts allow = @cme, @mel
log file = /var/spool/samba/%m
log level = 2
max log size = 1000
security = domain
socket options = TCP_NODELAY
local master = no
os level = 20
domain master = no
preferred master = no
wins support = no
wins server = 129.6.71.15
wins proxy = no
dns proxy = no
password server = wart
encrypt passwords = yes
load printers = no

#==================== file creation and security masks =======================
# creation masks
# files
create mask = 0755
force create mode = 0000
map archive = no
map hidden = no
map system = no
# directories
directory mask = 0755
force directory mode = 0000

# security masks
# files
security mask = 0777
force security mode = 0000
# directories
directory security mask = 0777
force directory security mode = 0000

Thanks very much.

Dave

-- 
David Pullman
Systems Administrator
Manufacturing Engineering Laboratory
National Institute of Standards & Technology
Mail Stop 8203 
Gaithersburg, MD 20899-8260
Tel: (301) 975-5385
Fax: (301) 926-3842
E-mail: david.pullman at nist.gov
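Added illustration (not code from the post above or from Samba itself) of why the mapping in the quoted log line fails: Samba 2.2 without winbind maps a SID to a uid or gid algorithmically only when the SID's domain prefix is the Samba server's own SID, using the 2.2 defaults rid = uid*2 + 1000 for users and gid*2 + 1001 for groups. The local domain SID below is a constructed placeholder; the SID from the log is the one the post quotes.

```python
"""Model of Samba 2.2 SID -> uid/gid resolution without winbind (constructed example)."""
import re

# Samba 2.2 defaults (algorithmic rid base = 1000, multiplier = 2):
#   user  rid = uid * 2 + 1000
#   group rid = gid * 2 + 1001
RID_MULTIPLIER = 2
ALGORITHMIC_RID_BASE = 1000

# Constructed placeholder for the Samba server's own domain SID.
LOCAL_DOMAIN_SID = "S-1-5-21-11111-22222-33333"

# SID quoted in the log line of the post; issued by the NT PDC, not by Samba.
LOGGED_SID = "S-1-5-21-1831498067-1181229849-1093625069-1172"

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid: str):
    """Return (domain_prefix, rid) for a textual SID; raise on malformed input."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid}")
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def rid_to_posix_id(rid: int):
    """Invert the algorithmic mapping: rid -> ('uid'|'gid', id), or None."""
    if rid < ALGORITHMIC_RID_BASE:
        return None  # well-known RIDs (e.g. 500 = Administrator) are not algorithmic
    offset = rid - ALGORITHMIC_RID_BASE
    kind = "uid" if offset % RID_MULTIPLIER == 0 else "gid"
    return kind, offset // RID_MULTIPLIER


def sid_to_posix_id(sid: str, local_domain_sid: str = LOCAL_DOMAIN_SID):
    """Map a SID the way Samba 2.2 does with no winbind running.

    Only SIDs under the server's own domain prefix can be inverted; a SID
    from another domain (the PDC's, as in the post) yields None, which is
    the 'unable to map SID ... to uid or gid' case.
    """
    prefix, rid = split_sid(sid)
    if prefix != local_domain_sid:
        return None
    return rid_to_posix_id(rid)


if __name__ == "__main__":
    print(LOGGED_SID, "->", sid_to_posix_id(LOGGED_SID))            # None
    print(LOCAL_DOMAIN_SID + "-1172", "->", sid_to_posix_id(LOCAL_DOMAIN_SID + "-1172"))
```

The same RID 1172 resolves to uid 86 under the server's own prefix but to nothing under the PDC's, which is why the security dialog can display existing entries (uid to SID direction) yet adding a domain user fails.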



