[Samba] Winbind + ext3 ACLs
Sean Kennedy
skennedy at tpno.org
Thu Jul 29 22:36:06 GMT 2004
Umberto Zanatta wrote:
> You should set up smb.conf like that:
>
> winbind trusted domains only = yes
> winbind use default domain = no
>
> When you change acl in files server, you will do:
>
> setacl -m u:skennedy:rwx,d:u:skennedy:rwx vattelapesca.doc
>
> u.
>
I am so confused. :) I tried it out on my test server, and your advice
worked flawlessly! Then...I tried it on my work server, and it failed,
displaying the domains as well. So then, after I fixed that, I checked
out the man page, and found this:
winbind trusted domains only (G)
This parameter is designed to allow Samba servers that
are mem-
bers of a Samba controlled domain to use UNIX
accounts dis-
tributed via NIS, rsync, or LDAP as the uid’s for winbindd
users
in the hosts primary domain. Therefore, the user
DOMAIN\user1
would be mapped to the account user1 in /etc/passwd
instead of
allocating a new uid for him or her.
Default: winbind trusted domains only = no
Given my setup, I have no users in /etc/passwd, beyond what the system
is installed with, so it shouldn't have worked, even on my test system.
I mean, if that's what I need to do, then that's what i need to do, but
I want to understand what this is doing before I jump into it. :)
Thank you for your help thus far!
Sean
> Il gio, 2004-07-29 alle 23:06, Sean Kennedy ha scritto:
>
>>/Hi folks,
>>
>>For the longest time, I've had a problem changing or modifying ACLs from
>>my window clients. Whenever I tried, I'd get this in the logs:
>>
>>[2004/07/29 12:36:26, 0] smbd/posix_acls.c:create_canon_ace_lists(823)
>> create_canon_ace_lists: unable to map SID
>>S-1-5-21-1292428093-651377827-xxxxxxxxx-1333 to uid or gid.
>>
>>I could change the ACLs using getfacl/setfacl, btw.
>>
>>After a little investigation, I think I've found the problem. I'm using
>>winbind here, but I'm using this option:
>>
>>winbind use default domain = yes
>>
>>Which, for the sake of completeness, strips out domain info out of the
>>username. So instead of `BOCA/skennedy`, it comes out as `skennedy`.
>>This is where I think my problem is. Using wbinfo, I resolved that SID
>>to BOCA/skennedy, who happens to be a completely different user name.
>>
>>My question is this: Does my logic seem correct to everyone else? Is
>>there anything else I should be looking at? Further, does anybody have
>>a solution to this problem? This server is also a web/email server for
>>the intranet, and I am trying to avoid setting up a new server ( we have
>>4 going already, mainly for window crap ) if at all possible.
>>
>>Any help is greatly apprecaited.
>>
>>Sean/
>>
>
>
More information about the samba
mailing list