[Samba] Samba 3.0.0 -- ACLs are unusable due to UID/SID mapping weirdness :(

Anton Solovyev solovam at unix.stortek.com
Tue Oct 21 01:39:09 GMT 2003


Hi,

I am sure somebody asks this question about once a week. Since I have 
not found an answer I assume the worst -- it just does not work.

So, here goes my problem. I am testing Samba 3.0.0. I have got UNIX and 
Windows domain users matching each other one-to-one. The server is 
running with "security = domain". Everything works fine and all Windows 
users connecting to Samba get mapped into their respective UNIX user 
ids. Everything is nice, simple and consistent.

Now I want to enable ACLs and fortunately the host OS supports them 
fine. Here the trouble starts. It looks like ACLs refuse to work in the 
absence of winbindd. So I start winbindd and... get random mapping of NT 
domain accounts into UNIX ids in the range of "idmap uid/gid".

So, for example, if I create a file from the windows side it gets 
ownership of:

solovam/uid=1001

on the UNIX side. Windows says the owner is:

\SAMBA-SERVER\solovam

Which is already strange, I expect \DOMAIN\solovam like on all NT boxes.

If I try to add an ACL entry for myself to this file, I get a POSIX acl 
entry for:

???/uid=40000

which is what winbindd assigned for my SID. At this point Windows says 
this was an ACL entry for user:

\DOMAIN\solovam

So, this is basically the problem. When I connect to Samba server I 
connect as \DOMAIN\solovam and use domain password. The files I create 
belong to my UNIX account "solovam". At the same time if I check 
ownership, I see that I act as \SAMBA-SERVER\solovam! If I try to change 
ACLs, I am back to being \DOMAIN\solovam, but my SID is now mapped by 
winbindd to something randomly selected.

Well, there are a lot of funny implications at this point (like change 
UNIX permissions to 000 and try to add "full control" ACL for the domain 
user, which resets UNIX permissions again!), but the bottom line is that 
Samba in this area is completely broken and horribly inconsistent.

I hope I am missing something really obvious, but after a day of looking 
at documentation I doubt it is so.

-- 

Anton Solovyev
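The consistency check below is an added example and is not part of the post above. It takes getfacl output for a file on the Samba share and the "idmap uid" range from smb.conf, and reports which named ACL entries carry a uid that winbindd allocated from that range rather than the uid of the matching local account; the owner uid is extracted alongside so the two can be compared. The getfacl output and the 40000-50000 range are constructed to match the situation the post describes; the wbinfo and getfacl invocations in the comments are real Samba 3 / acl-package commands, but are not run here.

```shell
#!/bin/sh
# Added example: spot ACL entries whose uid came from winbindd's idmap range
# instead of the local account the same user maps to at logon.
# Assumed smb.conf setting: idmap uid = 40000-50000

IDMAP_LO=40000
IDMAP_HI=50000

# Constructed output of `getfacl -n test.txt` (numeric ids), modelled on the
# post: owner is local uid 1001, the explicit entry for the domain user got
# the winbind-allocated uid 40000.
SAMPLE_ACL='# file: test.txt
# owner: 1001
# group: 100
user::rw-
user:40000:rwx
group::r--
mask::rwx
other::---'

# Print the numeric owner uid from the "# owner:" header line.
owner_uid() {
    printf '%s\n' "$1" | awk -F': ' '$1 == "# owner" { print $2 }'
}

# Print "uid perms" for every named user entry whose uid lies in [lo, hi],
# i.e. an entry that refers to a winbindd-allocated identity, not a local one.
winbind_allocated_entries() {
    printf '%s\n' "$1" | awk -F: -v lo="$2" -v hi="$3" '
        $1 == "user" && $2 ~ /^[0-9]+$/ && $2+0 >= lo+0 && $2+0 <= hi+0 {
            print $2, $3
        }'
}

# Live usage on a member server running winbindd (not executed here):
#   sid=$(wbinfo -n 'DOMAIN\solovam' | awk '{ print $1 }')   # name -> SID
#   wbinfo -S "$sid"          # uid winbindd allocated for that SID
#   id -u solovam             # uid the session actually runs as
#   winbind_allocated_entries "$(getfacl -n test.txt)" "$IDMAP_LO" "$IDMAP_HI"
# An entry listed by the last command while `id -u` returns a uid outside the
# idmap range means the ACL grants rights to an identity the user never holds.

echo "owner uid: $(owner_uid "$SAMPLE_ACL")"
echo "winbind-allocated ACL entries:"
winbind_allocated_entries "$SAMPLE_ACL" "$IDMAP_LO" "$IDMAP_HI"
```

If the two uids differ, the ACL entry is effectively dead: the session is authorised as uid 1001 while the entry names uid 40000. On Samba 3.0 the smb.conf option "winbind trusted domains only = yes" is the usual knob for making winbindd resolve users of the server's own domain to the existing local accounts instead of allocating idmap uids for them; whether that applies depends on how the accounts are distributed, so verify with the wbinfo/id comparison above after changing it.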



