[Samba] Samba 3.0.0 -- ACLs are unusable due to UID/SID mapping weirdness :(

John H Terpstra jht at samba.org
Wed Oct 22 22:43:12 GMT 2003

On Wed, 22 Oct 2003, Eric Horst wrote:

> > > By "consistent and simple" I mean,  something like -- "you have a
> > > Windows user that needs to get to a Samba share? Create a UNIX account
> > > with the *same name* and you will get an smbd process with the UID and
> > > hence the permissions of that user accessing the files on the server
> > > (ok not always). The authentication will be done on the NT side though".
> >
> > Nope. You should use winbind for that. Any other way will cause you
> > problems when you try to use ACLs.
> I think I understand at least a part of Anton's issue.  It's one that I've
> been thinking about as we deploy Samba 3.0.  We never really thought much
> about ACLs until now and have never run winbindd.  The problem boils down
> to this:  We currently have a group of seven Samba/NFS file servers which
> are members of a Windows domain.  The Windows usernames and group names
> are synchronized.  The numeric UIDs and GIDs are uniform across all of
> them by virtue of the fact that they have a common /etc/passwd.  We want
> to jump on the ACL bandwagon and do things right using winbindd.
> However, in a distributed environment the official way of mapping SIDs to
> UIDs consistently across the servers involves an 'idmap backend'.  All of
> the idmap backends involve ldap.  It is frustrating that I have to
> introduce the overhead of deploying an LDAP server and populate it with
> UID mappings even though the file servers already have an /etc/passwd
> which has enough information to map numeric Unix UIDs consistently.
> I know idmap'ing was a hot topic during development so you have probably
> already considered all of this.  At the time, watching the discussion I
> didn't follow it all but now starting to consider deployment the issues
> are becoming clearer.

Equally, the real issues, where the rubber meets the road, are becoming
clearer also. We anticipated these concerns correctly. I am glad we have
only a simple problem today. It could have been much more challenging.

We are now at a point where if the current limitations are too restrictive
we must know that very soon. I do not know if this can be changed for
3.0.1 (Jeremy will have to weigh in on that), but if the case is strong
enough it may be addressed for 3.0.2 (even that depends on what sort of
ground-swell there is for a change).

So here is my take: If this is a big show stopper issue please file a bug
report on https://bugzilla.samba.org. Please, if this is NOT a
show-stopper, then let's not pressure the developers too hashly - we pay
them peanuts and expect them to work night and day already! :)

- John T.
John H Terpstra
Email: jht at samba.org

More information about the samba mailing list