[Samba] ACLs and samba

Edvard Fagerholm efagerho at cc.hut.fi
Tue Nov 18 18:17:59 GMT 2003


On Tue, Nov 18, 2003 at 06:30:13PM +0100, Marius Grannæs wrote:
> John H Terpstra:
> > On Tue, 18 Nov 2003, Marius [iso-8859-1] Grannæs wrote:
> > 
> > > Marius Grannæs:
> > > > Hi,
> > > >
> > > > I'm having trouble getting ACLs and samba to work on solaris. In a unix
> > > > shell I can set and get the ACLs with setfacl and getfacl just fine.
> > > > Connecting with a window machine (w2000/w2003) to samba lets me
> > > > list the ACLs and even modify them. The problem is creating new
> > > > ACLs. In the logs I get
> > > >
> > > > 20031029/local2.error:Oct 29 16:30:11 test1 smbd[5417]: [ID 702911
> > > > local2.error] create_canon_ace_lists: unable to map SID
> > > > S-1-5-21-3959417778-1711865379-3952174976-20920 to uid or gid.
> > > >
> > > > Seems to me there is a problem mapping from Windows SIDs to Unix uid. Reading
> > > > the documentation, winbind seems to be the only solution to this problem.
> > > > But I don't wish to use winbind as I already have synchronized accounts
> > > > on both windows and unix. Though looking at the code it seems to me
> > > > that this is the only option available.
> > > >
> > > > Any ideas?
> > >
> > > Some more information:
> > >
> > > I'm running samba 3.0.0 with the following setup:
> > >
> > > security = domain
> > > nt acl support = yes
> > 
> > You will need to use current CVS samba-3.0.1pre3.
> > 
> > Suggest you add to smb.conf [globals]:
> > 
> > 	winbind trusted domains only = Yes
> > 
> > Then run winbindd. This was added to solve the problem you are seeing.
> 
> Thanks! This is just what I wanted :-). I've been pulling my hair for days
> over this. Is this in the documentation somewhere?  
> 
> Again, many thanks =)
> 
> -- 
> 
> Marius Grannæs

I had the same problem at my site too. I noticed that I got the correct user
when I used the tool wbinfo to search for a SID or for a username. However,
all other queries gave me the wrong result.

My solution was a quick hack to wb_client.c to make it work. The hack was
simply to let samba always search by name and then use getpw* and getgr*
functions to get the uid/gid I wanted. I included the patch below...

So this is now done/fixed/whatever in samba 3.0.1? So you can run winbindd
without having to specify a uid/gid range and it will directly read the info
from the system without trying to use its own uid/gid mapper? If it is, then
I'm really looking forward to the release! :)

- edvard
-------------- next part --------------
--- wb_client.c.orig	2003-08-21 19:41:32.000000000 +0300
+++ wb_client.c	2003-08-21 19:42:52.000000000 +0300
@@ -110,6 +110,9 @@
 	int result;
 	fstring sid_str;
 
+	/* Edu: added */
+	struct passwd *pw;
+
 	if (!puid)
 		return False;
 
@@ -120,10 +123,15 @@
 
 	sid_to_string(sid_str, sid);
 	fstrcpy(request.data.sid, sid_str);
-	
-	/* Make request */
 
-	result = winbindd_request(WINBINDD_SID_TO_UID, &request, &response);
+	/* Make request - Edu: changed to lookup by name */
+	if((result = winbindd_request(WINBINDD_LOOKUPSID, &request, &response)) == NSS_STATUS_SUCCESS) {
+		pw = sys_getpwnam(response.data.name.name);
+		if(pw != NULL) {
+			DEBUG(10,("winbind_sid_to_uid: searched by name: found uid %d for SID %s\n", pw->pw_uid, sid_str));
+			response.data.uid = pw->pw_uid;
+		}
+	}
 
 	/* Copy out result */
 
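Review bot: If `sys_getpwnam(response.data.name.name)` returns NULL, `result` is still `NSS_STATUS_SUCCESS` and `response.data.uid` is never assigned, so the copy-out that follows (outside this hunk) hands the caller whatever the LOOKUPSID reply left in that field instead of a failure; add `else { result = NSS_STATUS_NOTFOUND; }` after the `if(pw != NULL)` block so an unmapped SID is reported as unmapped rather than as a possibly bogus uid. The match also keys on the bare account name and discards `response.data.name.dom_name`, so a SID from any domain winbindd can resolve — including a trusted one — whose name collides with a local passwd entry is silently mapped onto that local uid; compare the returned domain against `lp_workgroup()` before accepting the name match, or at least record the assumption with `/* NOTE: maps by bare account name; assumes the local passwd db mirrors the primary domain only */`. The `%d` for `pw->pw_uid` does not match `uid_t`; cast it to `int` or use `%u`. The enclosing `winbind_sid_to_uid` starts and ends outside the hunk.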
@@ -140,8 +148,12 @@
 {
 	struct winbindd_request request;
 	struct winbindd_response response;
+	struct passwd *pw;
 	int result;
 
+	/* Edu: added */
+	fstring domain;
+
 	if (!sid)
 		return False;
 
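Review bot: `fstring domain;` added here is never referenced anywhere this patch shows — the later fallback in the same function passes `lp_workgroup()` straight to `fstrcpy` — so it is dead storage and will draw an unused-variable warning; either drop the declaration or use it to hold the domain once and reuse it. The enclosing function's signature is outside the hunk, so this is inferred from the patch as a whole.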
@@ -156,6 +168,18 @@
 
 	result = winbindd_request(WINBINDD_UID_TO_SID, &request, &response);
 
+	/* Edu: There might not be a map, so try by name */
+	if(result != NSS_STATUS_SUCCESS) {
+		pw = sys_getpwuid(uid);
+		if(pw != NULL) {
+			fstrcpy(request.data.name.name, pw->pw_name);	
+			fstrcpy(request.data.name.dom_name, lp_workgroup());
+			if((result = winbindd_request(WINBINDD_LOOKUPNAME, &request, &response)) == NSS_STATUS_SUCCESS) {
+				DEBUG(0,(("winbind_uid_to_sid: searched by name: found SID %s for uid %d\n"), response.data.sid.sid, uid));
+			}
+		}
+	}
+
 	/* Copy out result */
 
 	if (result == NSS_STATUS_SUCCESS) {
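Review bot: The fallback accepts whatever SID `WINBINDD_LOOKUPNAME` returns for `<workgroup>\<pw_name>` without checking what kind of object it resolved to, so a local user whose name collides with a domain group (or well-known alias) is handed that group's SID; if the reply carries a type field alongside `response.data.sid.sid`, as winbindd's name-lookup replies generally do, reject anything that is not a user SID before treating the result as success. The fallback also presumes that every local passwd entry with a name present in the domain is the same principal, which for local-only accounts such as service users is a silent identity merge — worth a comment like `/* NOTE(review): assumes local passwd names are authoritative for the primary domain; local-only accounts get a domain SID if the name matches */`. The success path logs at `DEBUG(0, ...)` while the sid_to_uid direction logs at level 10; use `DEBUG(10, ...)` here too, and cast `uid` for the `%d` since it is a `uid_t`. The enclosing `winbind_uid_to_sid` starts and ends outside the hunk.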
@@ -177,6 +201,9 @@
 	int result;
 	fstring sid_str;
 
+	/* Edu: added */
+	struct group *gr;
+
 	if (!pgid)
 		return False;
 
@@ -188,9 +215,14 @@
 	sid_to_string(sid_str, sid);
 	fstrcpy(request.data.sid, sid_str);
 	
-	/* Make request */
-
-	result = winbindd_request(WINBINDD_SID_TO_GID, &request, &response);
+	/* Make request - Edu: changed to lookup by name  */
+	if((result = winbindd_request(WINBINDD_LOOKUPSID, &request, &response)) == NSS_STATUS_SUCCESS) {
+		gr = sys_getgrnam(response.data.name.name);
+		if(gr != NULL) {
+			DEBUG(10,("winbind_sid_to_uid: searched by name: found gid %d for SID %s\n", gr->gr_gid, sid_str));
+			response.data.gid = gr->gr_gid;
+		}
+	}
 
 	/* Copy out result */
 
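Review bot: The log line inside `if(gr != NULL)` names `winbind_sid_to_uid` although this hunk is in the gid path — fix it to `"winbind_sid_to_gid: searched by name: found gid %d for SID %s\n"` so a mapping failure can be traced to the right function. As in the uid variant, a NULL from `sys_getgrnam` leaves `result` at `NSS_STATUS_SUCCESS` with `response.data.gid` unassigned; add `else { result = NSS_STATUS_NOTFOUND; }` so the caller does not receive a stale value as a valid gid. The domain component of the LOOKUPSID reply is again ignored, so a group SID from another domain whose name matches a local group maps onto that local gid; compare `response.data.name.dom_name` with `lp_workgroup()` before trusting the name. The enclosing `winbind_sid_to_gid` starts and ends outside the hunk.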
@@ -209,6 +241,9 @@
 	struct winbindd_response response;
 	int result;
 
+	/* Edu: added */
+	struct group *gr;
+
 	if (!sid)
 		return False;
 
@@ -223,6 +258,18 @@
 
 	result = winbindd_request(WINBINDD_GID_TO_SID, &request, &response);
 
+	/* Edu: There might not be a map, so try by name */
+	if(result != NSS_STATUS_SUCCESS) {
+		gr = sys_getgrgid(gid);
+		if(gr != NULL) {
+			fstrcpy(request.data.name.name, gr->gr_name);	
+			fstrcpy(request.data.name.dom_name, lp_workgroup());
+			if((result = winbindd_request(WINBINDD_LOOKUPNAME, &request, &response)) == NSS_STATUS_SUCCESS) {
+				DEBUG(0,(("winbind_gid_to_sid: searched by name: found SID %s for gid %d\n"), response.data.sid.sid, gid));
+			}
+		}
+	}
+
 	/* Copy out result */
 
 	if (result == NSS_STATUS_SUCCESS) {
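Review bot: The gid fallback, like the uid one, trusts `WINBINDD_LOOKUPNAME` for `<workgroup>\<gr_name>` without confirming the returned SID is a group — a local group named like a domain user would be mapped to that user's SID, which then shows up as a group entry in an ACL; check the reply's type (if winbindd returns one next to `response.data.sid.sid`) and fail for non-group results. The `DEBUG(0, ...)` here fires on every successful fallback at the lowest log level; drop it to `DEBUG(10, ...)` to match the sid_to_gid direction, and cast `gid` for `%d`. The enclosing `winbind_gid_to_sid` starts and ends outside the hunk.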

