[Samba] Samba 3.0.0 -- ACLs are unusable due to UID/SID mapping
solovam at unix.stortek.com
Tue Oct 21 01:39:09 GMT 2003
I am sure somebody asks this question about once a week. Since I have
not found an answer I assume the worst -- it just does not work.
So, here goes my problem. I am testing Samba 3.0.0. I have got UNIX and
Windows domain users matching each other one-to-one. The server is
running with "security = domain". Everything works fine and all Windows
users connecting to Samba get mapped into their respective UNIX user
ids. Everything is nice, simple and consistent.
Now I want to enable ACLs and fortunately the host OS supports them
fine. Here the trouble starts. It looks like ACLs refuse to work in the
absense of winbindd. So I start winbindd and... get random mapping of NT
domain accounts into UNIX ids in the range of "idmap uid/gid".
So, for example, if I create a file from the windows side it gets
on the UNIX side. Windows says the owner is:
Which is already strange, I expect \DOMAIN\solovam like on all NT boxes.
If I try to add and ACL entry for myself to this file, I get a POSIX acl
which is what winbindd assigned for my SID. At this point Windows says
this was an ACL entry for user:
So, this is basically the problem. When I connect to Samba server I
connect as \DOMAIN\solovam and use domain password. The files I create
belong to my UNIX account "solovam". At the same time if I check
ownership, I see that I act as \SAMBA-SERVER\solovam! If I try to change
ACLs, I am back to being \DOMAIN\solovam, but my SID is now mapped by
winbindd to something randomly selected.
Well, there are a lot of funny implications at this point (like change
UNIX permissions to 000 and try to add "full control" ACL for the domain
user, which resets UNIX permissions again!), but the bottom line is that
Samba in this area is completely broken and horribly inconsistent.
I hope I am missing something really obvious, but after a day of looking
at documentation I doubt it is so.
More information about the samba