[Samba] ACLs and samba
Edvard Fagerholm
efagerho at cc.hut.fi
Tue Nov 18 18:17:59 GMT 2003
On Tue, Nov 18, 2003 at 06:30:13PM +0100, Marius Grannæs wrote:
> John H Terpstra:
> > On Tue, 18 Nov 2003, Marius Grannæs wrote:
> >
> > > Marius Grannæs:
> > > > Hi,
> > > >
> > > > I'm having trouble getting ACLs and samba to work on solaris. In a unix
> > > > shell I can set and get the ACLs with setfacl and getfacl just fine.
> > > > Connecting with a window machine (w2000/w2003) to samba lets me
> > > > list the ACLs and even modify them. The problem is creating new
> > > > ACLs. In the logs I get
> > > >
> > > > 20031029/local2.error:Oct 29 16:30:11 test1 smbd[5417]: [ID 702911
> > > > local2.error] create_canon_ace_lists: unable to map SID
> > > > S-1-5-21-3959417778-1711865379-3952174976-20920 to uid or gid.
> > > >
> > > > Seems to me there is a problem mapping from Windows SIDs to Unix uid. Reading
> > > > the documentation, winbind seems to be the only solution to this problem.
> > > > But I don't wish to use winbind as I already have synchronized accounts
> > > > on both windows and unix. Though looking at the code it seems to me
> > > > that this is the only option available.
> > > >
> > > > Any ideas?
> > >
> > > Some more information:
> > >
> > > I'm running samba 3.0.0 with the following setup:
> > >
> > > security = domain
> > > nt acl support = yes
> >
> > You will need to use current CVS samba-3.0.1pre3.
> >
> > Suggest you add to smb.conf [globals]:
> >
> > winbind trusted domains only = Yes
> >
> > Then run winbindd. This was added to solve the problem you are seeing.
>
> Thanks! This is just what I wanted :-). I've been pulling my hair for days
> over this. Is this in the documentation somewhere?
>
> Again, many thanks =)
>
> --
>
> Marius Grannæs
I had the same problem at my site too. I noticed that I got the correct user
when I used the tool wbinfo to search for a SID or for a username. However,
all other queries gave me the wrong result.
My solution was a quick hack to wb_client.c to make it work. The hack was
simply to let samba always search by name and then use getpw* and getgr*
functions to get the uid/gid I wanted. I included the patch below...
So this is now done/fixed/whatever in samba 3.0.1? So you can run winbindd
without having to specify a uid/gid range and it will directly read the info
from the system without trying to use its own uid/gid mapper? If it is, then
I'm really looking forward to the release! :)
- edvard
-------------- next part --------------
--- wb_client.c.orig 2003-08-21 19:41:32.000000000 +0300
+++ wb_client.c 2003-08-21 19:42:52.000000000 +0300
@@ -110,6 +110,9 @@
int result;
fstring sid_str;
+ /* Edu: added */
+ struct passwd *pw;
+
if (!puid)
return False;
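Review bot: the `/* Edu: added */` author-tag comment (repeated in the later hunks) should be dropped before this is submitted; the CVS log records who changed what, and the tag plus the blank line separates the new `struct passwd *pw;` from the other locals for no reason. Declare it alongside `int result;` without the comment.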
@@ -120,10 +123,15 @@
sid_to_string(sid_str, sid);
fstrcpy(request.data.sid, sid_str);
-
- /* Make request */
- result = winbindd_request(WINBINDD_SID_TO_UID, &request, &response);
+ /* Make request - Edu: changed to lookup by name */
+ if((result = winbindd_request(WINBINDD_LOOKUPSID, &request, &response)) == NSS_STATUS_SUCCESS) {
+ pw = sys_getpwnam(response.data.name.name);
+ if(pw != NULL) {
+ DEBUG(10,("winbind_sid_to_uid: searched by name: found uid %d for SID %s\n", pw->pw_uid, sid_str));
+ response.data.uid = pw->pw_uid;
+ }
+ }
/* Copy out result */
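Review bot: when `sys_getpwnam()` returns NULL after a successful LOOKUPSID, `result` is still NSS_STATUS_SUCCESS and the caller copies out `response.data.uid`, which nothing on this path has assigned, so a SID with no local account is reported as successfully mapped to whatever happens to be in that field. Set `result` to a failure status (NSS_STATUS_NOTFOUND) in an `else` branch of `if(pw != NULL)`. Separately, only `response.data.name.name` is used and the domain the SID resolved to is discarded, so a user in a trusted domain whose name matches a local account is mapped to that local uid; compare the returned domain name against `lp_workgroup()` (the same value the uid_to_sid hunk sends as `dom_name`) before calling `sys_getpwnam()`.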
@@ -140,8 +148,12 @@
{
struct winbindd_request request;
struct winbindd_response response;
+ struct passwd *pw;
int result;
+ /* Edu: added */
+ fstring domain;
+
if (!sid)
return False;
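Review bot: `fstring domain;` is declared here but never used; the uid_to_sid fallback passes `lp_workgroup()` straight into `request.data.name.dom_name`. Remove it (it will draw an unused-variable warning), and put `struct passwd *pw;` after `int result;` to match the declaration order of the surrounding code rather than inserting it between the two `winbindd_*` structs.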
@@ -156,6 +168,18 @@
result = winbindd_request(WINBINDD_UID_TO_SID, &request, &response);
+ /* Edu: There might not be a map, so try by name */
+ if(result != NSS_STATUS_SUCCESS) {
+ pw = sys_getpwuid(uid);
+ if(pw != NULL) {
+ fstrcpy(request.data.name.name, pw->pw_name);
+ fstrcpy(request.data.name.dom_name, lp_workgroup());
+ if((result = winbindd_request(WINBINDD_LOOKUPNAME, &request, &response)) == NSS_STATUS_SUCCESS) {
+ DEBUG(0,(("winbind_uid_to_sid: searched by name: found SID %s for uid %d\n"), response.data.sid.sid, uid));
+ }
+ }
+ }
+
/* Copy out result */
if (result == NSS_STATUS_SUCCESS) {
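Review bot: the success message is logged at `DEBUG(0, ...)`, which writes to the log on every fallback lookup in normal operation; the sid_to_uid hunk logs the equivalent message at level 10, so use 10 here as well. The doubled parentheses around the format string (`DEBUG(0,(("winbind_uid_to_sid: ...")`) are unnecessary, and `uid` is printed with `%d` although uid_t may be unsigned; cast to `(unsigned int)` and use `%u`. Also worth a comment: the fallback only ever tries `lp_workgroup()` as the domain, so a uid whose account exists only in a trusted domain still fails here. That is consistent with the synchronized-accounts setup described in the mail, but the limitation should be stated next to the code.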
@@ -177,6 +201,9 @@
int result;
fstring sid_str;
+ /* Edu: added */
+ struct group *gr;
+
if (!pgid)
return False;
@@ -188,9 +215,14 @@
sid_to_string(sid_str, sid);
fstrcpy(request.data.sid, sid_str);
- /* Make request */
-
- result = winbindd_request(WINBINDD_SID_TO_GID, &request, &response);
+ /* Make request - Edu: changed to lookup by name */
+ if((result = winbindd_request(WINBINDD_LOOKUPSID, &request, &response)) == NSS_STATUS_SUCCESS) {
+ gr = sys_getgrnam(response.data.name.name);
+ if(gr != NULL) {
+ DEBUG(10,("winbind_sid_to_uid: searched by name: found gid %d for SID %s\n", gr->gr_gid, sid_str));
+ response.data.gid = gr->gr_gid;
+ }
+ }
/* Copy out result */
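Review bot: the debug message is copied from the sid_to_uid hunk and still says `winbind_sid_to_uid`; it should read `winbind_sid_to_gid`. The same fail-open problem applies here: when `sys_getgrnam()` returns NULL, `result` stays NSS_STATUS_SUCCESS and `response.data.gid` is copied out without having been assigned on this path, so set a failure status in the `gr == NULL` case. And because the name returned for the SID is looked up in the group database regardless of what kind of object the SID names, a user SID whose account name coincides with a local group name is mapped to that group's gid; the domain returned by LOOKUPSID is ignored here too, as in the sid_to_uid hunk.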
@@ -209,6 +241,9 @@
struct winbindd_response response;
int result;
+ /* Edu: added */
+ struct group *gr;
+
if (!sid)
return False;
@@ -223,6 +258,18 @@
result = winbindd_request(WINBINDD_GID_TO_SID, &request, &response);
+ /* Edu: There might not be a map, so try by name */
+ if(result != NSS_STATUS_SUCCESS) {
+ gr = sys_getgrgid(gid);
+ if(gr != NULL) {
+ fstrcpy(request.data.name.name, gr->gr_name);
+ fstrcpy(request.data.name.dom_name, lp_workgroup());
+ if((result = winbindd_request(WINBINDD_LOOKUPNAME, &request, &response)) == NSS_STATUS_SUCCESS) {
+ DEBUG(0,(("winbind_gid_to_sid: searched by name: found SID %s for gid %d\n"), response.data.sid.sid, gid));
+ }
+ }
+ }
+
/* Copy out result */
if (result == NSS_STATUS_SUCCESS) {
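Review bot: same two points as the uid_to_sid hunk: `DEBUG(0, ...)` for a routine success message should be level 10, and the doubled parentheses around the format string can go; `gid` is printed with `%d`, so cast to `(unsigned int)` and use `%u`. The uid and gid fallbacks are otherwise the same getpw*/getgr* then `WINBINDD_LOOKUPNAME` sequence with `lp_workgroup()` as the domain; a small shared helper taking the account name would avoid maintaining that twice, and the `/* Edu: ... */` tags should be dropped here as in the other hunks.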
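The approach Edvard describes above (resolve the SID to a name through winbindd, then ask the local passwd/group database for the id, and the reverse for uid/gid to SID), as an added example that is not part of the original mail, the patch or Samba's code. It is written in Python rather than C so that it runs stand-alone: winbindd's LOOKUPSID/LOOKUPNAME and the getpw*/getgr* calls are replaced by constructed in-memory tables, `LOCAL_DOMAIN` stands in for `lp_workgroup()`, and the SID-type field, the domain comparison and the fail-closed handling of a missing local account are additions of this model that the posted patch does not have.

```python
"""Name-based SID <-> uid/gid mapping, modelled in Python (added example).

Not Samba code.  winbindd and the system databases are constructed tables
below; LOCAL_DOMAIN is an assumed stand-in for lp_workgroup().
"""
from typing import Callable, Dict, Tuple

LOCAL_DOMAIN = "EXAMPLE"  # assumed value of lp_workgroup()
SID_TYPE_USER, SID_TYPE_GROUP = "user", "group"

# Constructed stand-in for winbindd LOOKUPSID: SID -> (domain, name, type).
LOOKUPSID: Dict[str, Tuple[str, str, str]] = {
    "S-1-5-21-1000-2000-3000-1104": ("EXAMPLE", "alice", SID_TYPE_USER),
    "S-1-5-21-1000-2000-3000-1105": ("EXAMPLE", "carol", SID_TYPE_USER),
    "S-1-5-21-1000-2000-3000-513": ("EXAMPLE", "staff", SID_TYPE_GROUP),
    "S-1-5-21-9999-8888-7777-1104": ("PARTNER", "alice", SID_TYPE_USER),
}
# Reverse table, standing in for winbindd LOOKUPNAME.
LOOKUPNAME = {(d, n): (sid, t) for sid, (d, n, t) in LOOKUPSID.items()}
# Constructed stand-ins for getpwnam/getpwuid and getgrnam/getgrgid.
PASSWD = {"alice": 1001}              # carol has a SID but no local account
GROUP = {"staff": 50, "alice": 1001}  # a local group that shares the name "alice"


class NotFound(Exception):
    """Raised where the C code should return NSS_STATUS_NOTFOUND."""


def _sid_to_local_name(sid: str, wanted_type: str) -> str:
    if sid not in LOOKUPSID:
        raise NotFound(f"winbindd cannot resolve {sid}")
    domain, name, sid_type = LOOKUPSID[sid]
    # Only names from our own domain may be matched against local accounts:
    # PARTNER\alice must never become local uid 1001.
    if domain != LOCAL_DOMAIN:
        raise NotFound(f"{domain}\\{name} is not a {LOCAL_DOMAIN} name")
    # A group SID must not be resolved through getpwnam, nor a user SID
    # through getgrnam.
    if sid_type != wanted_type:
        raise NotFound(f"{sid} is a {sid_type} SID, not a {wanted_type} SID")
    return name


def sid_to_uid(sid: str) -> int:
    name = _sid_to_local_name(sid, SID_TYPE_USER)
    if name not in PASSWD:  # fail closed instead of reporting a stale uid
        raise NotFound(f"no local passwd entry for {name}")
    return PASSWD[name]


def sid_to_gid(sid: str) -> int:
    name = _sid_to_local_name(sid, SID_TYPE_GROUP)
    if name not in GROUP:
        raise NotFound(f"no local group entry for {name}")
    return GROUP[name]


def _local_name_to_sid(name: str, wanted_type: str) -> str:
    # Only the local domain is tried, as in the patch's lp_workgroup() fallback.
    entry = LOOKUPNAME.get((LOCAL_DOMAIN, name))
    if entry is None:
        raise NotFound(f"winbindd cannot resolve {LOCAL_DOMAIN}\\{name}")
    sid, sid_type = entry
    if sid_type != wanted_type:
        raise NotFound(f"{LOCAL_DOMAIN}\\{name} is a {sid_type}, not a {wanted_type}")
    return sid


def uid_to_sid(uid: int) -> str:
    names = [n for n, u in PASSWD.items() if u == uid]
    if not names:
        raise NotFound(f"no local passwd entry for uid {uid}")
    return _local_name_to_sid(names[0], SID_TYPE_USER)


def gid_to_sid(gid: int) -> str:
    names = [n for n, g in GROUP.items() if g == gid]
    if not names:
        raise NotFound(f"no local group entry for gid {gid}")
    return _local_name_to_sid(names[0], SID_TYPE_GROUP)


def lookup_fails(fn: Callable, arg) -> bool:
    """True when the mapping refuses `arg`, i.e. where the C code should
    return NSS_STATUS_NOTFOUND rather than a made-up id."""
    try:
        fn(arg)
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    for sid in LOOKUPSID:
        try:
            print(sid, "-> uid", sid_to_uid(sid))
        except NotFound as why:
            print(sid, "-> NOTFOUND:", why)
```

Run as a script it prints one line per constructed SID: EXAMPLE\alice maps to uid 1001, while carol (no passwd entry), the staff group SID and PARTNER\alice are all refused. The type check is what stops the user SID for alice from being resolved through the group table to gid 1001, and the domain check is what stops PARTNER\alice from inheriting alice's local uid; both are the cases where a bare name lookup on top of winbindd gives a wrong but "successful" answer.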