[Samba] Another Samba+ACLs thread

David Pullman dpullman at cme.nist.gov
Wed Nov 27 14:19:01 GMT 2002


On Wed, Nov 27, 2002 at 12:08:12PM +0800 or thereabouts, Andrew Furey wrote:
> (recipient list getting longer...)
> 
> 
> >>Via username mapping, yes (we're a member server in a 2k mixed domain, 
> >>but that side of things seems to be working).
> >>
> >>On further investigation, it appears that I _can_ modify existing 
> >>ACLs, and I can even remove them (users, at least); but I can't add 
> >>users to the ACL, which is what I really need.
> >
> >It may be that my post yesterday is about the same issue.  I've noted 
> >that according to the log.nmbd that I have the same error.  I can edit 
> >the perms on acl entries, or delete an acl entry, but cannot add a user 
> >to a list from the w2k side (I can of course use setfacl from the unix 
> >clients of the file server or on the server itself).
> >
> >My tests also were done as the owner of the file.  In fact, our NT 
> >domain and NIS passwd have identical user names.  It just can't 
> >determine the uid of the user from the machine SID+RID.
> 
> Hmm.
> 
> I've also noticed that it doesn't seem to be mapping the usernames 
> properly in the ACL listing. I can't add users from W2k, so I have yet 
> to see what that would be listed as, but let's say I have a username map
> 
> andrewfu = "Andrew Furey"
> 
> and I set the ACL on a file with
> 
> setfacl -m andrewfu:rwx myfile
> 
> Now, the permission via the ACL does work correctly (W2k user "Andrew 
> Furey" can access the file, others can't), but in the W2k ACL list the 
> user is listed as
> 
> andrewfu (SMBSERVERNAME\andrewfu)
> 
> rather than
> 
> Andrew Furey (Andrew Furey at dns.domain)
> 
> as it does on the (same) W2k machine.
> 
> 
> Not sure if this is relevant, but it may be linked...
> 
> -- 
> ANDREW FUREY <andrew at terminus.net.au> - Sysadmin/developer for Terminus.
> Providing online networks of Australian lawyers (http://www.ilaw.com.au)
> and Linux experts (http://www.linuxconsultants.com.au) for instant help!
> Disclaimer: http://www.terminus.net.au/disclaimer.html. GCS L+++ P++ t++

A thought that occurs to me when looking at the two ways of displaying the name above is that I've heard that a W2K domain will record machine name more like a dns domain (with its emphasis on ddns and all that).  So it makes me wonder if you have a W2K PDC.

We're using an NT PDC still with a mix of W2K and NT 4.0 clients (we have a half dozen BDCs and about 500 windows clients, and a couple of hundred mixed UNIX platform clients).  All of our file servers are samba on solaris.  So we only see something like andrewfu (SMBSERVERNAME\andrewfu) on a NT security dialog acl.  On a setfacl on the UNIX side it is strictly username, the UNIX systems have no idea about the NT domain.  This is of course excepting the samba server itself, which has security = domain.  This lets a user map a drive using their NT passwd, which might be different than their NIS passwd.

Dave
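To make the username-map step in the exchange above concrete, here is an added example (not from the thread or from Samba's own code) that re-implements the lookup rules documented for the smb.conf "username map" file and annotates getfacl-style entries with the Windows name a UNIX user is mapped from. The map contents and ACL entries are constructed; the "!" and "*" handling follows the smb.conf man page, which is why the explicit entries are marked "!" ahead of the wildcard line.

```python
import shlex

# Constructed sample in the syntax of Samba's "username map" file: "unixname =
# windowsname ...", names with spaces quoted, a leading "!" stops processing
# once that line matched, and "*" matches anything (so it goes last).
SAMPLE_USERNAME_MAP = """# Windows display names -> UNIX accounts the file server knows
!root = Administrator admin
!andrewfu = "Andrew Furey"
!dpullman = "David Pullman" dpullman
nobody = *
"""

def parse_username_map(text):
    """Return [(unix_name, [windows_names], stop_after_match)] in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments
        if not line or "=" not in line:
            continue
        unix, _, windows = line.partition("=")
        unix = unix.strip()
        stop = unix.startswith("!")
        if stop:
            unix = unix[1:].strip()
        entries.append((unix, shlex.split(windows), stop))
    return entries

def map_windows_user(windows_name, entries):
    """Try every line in order against the current name; a match replaces it,
    a '!' line ends processing. Comparison is case-insensitive like NT logons."""
    current = windows_name
    for unix, names, stop in entries:
        if any(n == "*" or n.lower() == current.lower() for n in names):
            current = unix
            if stop:
                break
    return current

def windows_name_for(unix_name, entries):
    """Reverse lookup: first explicit Windows name mapped to unix_name, else None."""
    for unix, names, _ in entries:
        if unix == unix_name:
            return next((n for n in names if n != "*"), None)
    return None

def annotate_acl_entry(entry, entries):
    """Append the Windows name to one getfacl-style line like 'user:andrewfu:rwx'."""
    kind, who, _ = entry.split(":", 2)
    win = windows_name_for(who, entries) if kind == "user" and who else None
    return f"{entry}  # {win}" if win else entry
```

Without the "!" markers the wildcard line still matches after an earlier line has already mapped the name, so every Windows user ends up as nobody.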