[Samba] Winbind + ext3 ACLs

Sean Kennedy skennedy at tpno.org
Thu Jul 29 22:36:06 GMT 2004


Umberto Zanatta wrote:

> You should set up smb.conf like this:
>
> winbind trusted domains only = yes
> winbind use default domain = no
>
> When you change ACLs on the file server, you will do:
>
> setfacl -m u:skennedy:rwx,d:u:skennedy:rwx vattelapesca.doc
>
> u.
>
I am so confused.  :)  I tried it out on my test server, and your advice 
worked flawlessly!  Then...I tried it on my work server, and it failed, 
displaying the domains as well.  So then, after I fixed that, I checked 
out the man page, and found this:

       winbind trusted domains only (G)
              This parameter is designed to allow Samba servers that are
              members of a Samba controlled domain to use UNIX accounts
              distributed via NIS, rsync, or LDAP as the uid’s for winbindd
              users in the hosts primary domain. Therefore, the user
              DOMAIN\user1 would be mapped to the account user1 in
              /etc/passwd instead of allocating a new uid for him or her.

              Default: winbind trusted domains only = no

Given my setup, I have no users in /etc/passwd, beyond what the system 
is installed with, so it shouldn't have worked, even on my test system. 

I mean, if that's what I need to do, then that's what I need to do, but 
I want to understand what this is doing before I jump into it.  :)  
Thank you for your help thus far!

Sean

> On Thu, 2004-07-29 at 23:06, Sean Kennedy wrote:
>
>>Hi folks,
>>
>>For the longest time, I've had a problem changing or modifying ACLs from 
>>my window clients.  Whenever I tried, I'd get this in the logs:
>>
>>[2004/07/29 12:36:26, 0] smbd/posix_acls.c:create_canon_ace_lists(823)
>>  create_canon_ace_lists: unable to map SID 
>>S-1-5-21-1292428093-651377827-xxxxxxxxx-1333 to uid or gid.
>>
>>I could change the ACLs using getfacl/setfacl, btw. 
>>
>>After a little investigation, I think I've found the problem.  I'm using 
>>winbind here, but I'm using this option:
>>
>>winbind use default domain = yes
>>
>>Which, for the sake of completeness, strips the domain info out of the 
>>username.  So instead of `BOCA/skennedy`, it comes out as `skennedy`.  
>>This is where I think my problem is.  Using wbinfo, I resolved that SID 
>>to BOCA/skennedy, who happens to be a completely different user name.
>>
>>My question is this:  Does my logic seem correct to everyone else?  Is 
>>there anything else I should be looking at?  Further, does anybody have 
>>a solution to this problem?  This server is also a web/email server for 
>>the intranet, and I am trying to avoid setting up a new server ( we have 
>>4 going already, mainly for window crap ) if at all possible.
>>
>>Any help is greatly appreciated.
>>
>>Sean
>>
>  
>
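
Added example, not part of the original thread: a small Python parser for the two-line smbd log layout quoted above that collects every SID smbd reported as "unable to map ... to uid or gid", so each one can then be checked with `wbinfo -s <SID>` on the server. The sample log and its SIDs are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the smbd log layout quoted in the thread: a header
# line, then an indented message that may wrap. The SIDs are made up.
SAMPLE_LOG = """\
[2004/07/29 12:36:26, 0] smbd/posix_acls.c:create_canon_ace_lists(823)
  create_canon_ace_lists: unable to map SID
S-1-5-21-1111111111-222222222-333333333-1333 to uid or gid.
[2004/07/29 12:36:27, 3] smbd/process.c:process_smb(1092)
  Transaction 42 of length 80
[2004/07/29 12:40:02, 0] smbd/posix_acls.c:create_canon_ace_lists(823)
  create_canon_ace_lists: unable to map SID S-1-5-21-1111111111-222222222-333333333-1333 to uid or gid.
[2004/07/29 12:41:10, 0] smbd/posix_acls.c:create_canon_ace_lists(823)
  create_canon_ace_lists: unable to map SID S-1-5-21-1111111111-222222222-333333333-1410 to uid or gid.
"""

# "[date time, level] file:function(line)" starts a new log record.
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*\d+\]\s+\S+\(\d+\)")
UNMAPPED = re.compile(r"unable to map SID\s+(S-\d+(?:-\d+)+)\s+to uid or gid")


def records(text):
    """Yield (timestamp, message) pairs, joining wrapped continuation lines."""
    stamp, parts = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if stamp is not None:
                yield stamp, " ".join(parts)
            stamp, parts = m.group(1), []
        elif stamp is not None and line.strip():
            parts.append(line.strip())
    if stamp is not None:
        yield stamp, " ".join(parts)


def unmapped_sids(text):
    """Return {sid: (count, first_seen, last_seen)} for SID mapping failures."""
    seen = {}
    for stamp, msg in records(text):
        m = UNMAPPED.search(msg)
        if m:
            count, first, _ = seen.get(m.group(1), (0, stamp, stamp))
            seen[m.group(1)] = (count + 1, first, stamp)
    return seen


if __name__ == "__main__":
    for sid, (count, first, last) in unmapped_sids(SAMPLE_LOG).items():
        print(f"{sid}  x{count}  first={first}  last={last}")
```
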