[Samba] Winbind + ext3 ACLs

Umberto Zanatta uzanatta at provincia.treviso.it
Fri Jul 30 07:40:45 GMT 2004


You don't care, 'cos your server is working with ldap.

If your server does it by ldap, you will only modify /etc/nsswitch.conf like
this:

file /etc/nsswitch.conf

passwd: files ldap winbind
group: files ldap winbind
shadow: files ldap winbind

The system is going to search for users in /etc/passwd, then the ldap db, then
winbind (in other domains).

'winbind trusted domains only = yes' will give you a way to map domain
users from local users, 'cos
the ;
so ldap will search the users in ldap db.

Don't forget: your shares must have 'profile acls = no'.

I do hope my explanation makes your question clear.

u.

On Fri, 2004-07-30 at 00:36, Sean Kennedy wrote:

> Umberto Zanatta wrote:
> 
> > You should set up smb.conf like that:
> >
> > winbind trusted domains only = yes
> > winbind use default domain = no
> >
> > When you change ACLs on the file server, you will do:
> >
> > setfacl -m u:skennedy:rwx,d:u:skennedy:rwx vattelapesca.doc
> >
> > u.
> >
> I am so confused.  :)  I tried it out on my test server, and your advice 
> worked flawlessly!  Then...I tried it on my work server, and it failed, 
> displaying the domains as well.  So then, after I fixed that, I checked 
> out the man page, and found this:
> 
>        winbind trusted domains only (G)
>               This parameter is designed to allow Samba servers that are
>               members of a Samba controlled domain to use UNIX accounts
>               distributed via NIS, rsync, or LDAP as the uid’s for winbindd
>               users in the hosts primary domain. Therefore, the user
>               DOMAIN\user1 would be mapped to the account user1 in
>               /etc/passwd instead of allocating a new uid for him or her.
> 
>               Default: winbind trusted domains only = no
> 
> Given my setup, I have no users in /etc/passwd, beyond what the system 
> is installed with, so it shouldn't have worked, even on my test system. 
> 
> I mean, if that's what I need to do, then that's what I need to do, but 
> I want to understand what this is doing before I jump into it.  :)  
> Thank you for your help thus far!
> 
> Sean
> 
> > On Thu, 2004-07-29 at 23:06, Sean Kennedy wrote:
> >
> >>Hi folks,
> >>
> >>For the longest time, I've had a problem changing or modifying ACLs from 
> >>my window clients.  Whenever I tried, I'd get this in the logs:
> >>
> >>[2004/07/29 12:36:26, 0] smbd/posix_acls.c:create_canon_ace_lists(823)
> >>  create_canon_ace_lists: unable to map SID 
> >>S-1-5-21-1292428093-651377827-xxxxxxxxx-1333 to uid or gid.
> >>
> >>I could change the ACLs using getfacl/setfacl, btw. 
> >>
> >>After a little investigation, I think I've found the problem.  I'm using 
> >>winbind here, but I'm using this option:
> >>
> >>winbind use default domain = yes
> >>
> >>Which, for the sake of completeness, strips out domain info out of the 
> >>username.  So instead of `BOCA/skennedy`, it comes out as `skennedy`.  
> >>This is where I think my problem is.  Using wbinfo, I resolved that SID 
> >>to BOCA/skennedy, who happens to be a completely different user name.
> >>
> >>My question is this:  Does my logic seem correct to everyone else?  Is 
> >>there anything else I should be looking at?  Further, does anybody have 
> >>a solution to this problem?  This server is also a web/email server for 
> >>the intranet, and I am trying to avoid setting up a new server ( we have 
> >>4 going already, mainly for window crap ) if at all possible.
> >>
> >>Any help is greatly appreciated.
> >>
> >>Sean
> >>
> >  
> >

_______________________
Umberto Zanatta
linuxDidattica

tel: +39 (335) 54 71 385
email: umberto.z at tin.it
web: http://linuxdidattica.org
_______________________
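
The following is an added example, not part of the original thread and not Samba code. It checks the precondition the quoted man page states for 'winbind trusted domains only = yes': some source other than winbind has to supply the UNIX accounts. The function names are hypothetical, and applying the same rule to the group database is an assumption.

```python
import re

# Constructed samples: the nsswitch.conf lines and winbind settings quoted in the thread.
NSSWITCH = """\
passwd: files ldap winbind
group: files ldap winbind
shadow: files ldap winbind
"""
SMB_CONF = """\
[global]
   winbind trusted domains only = yes
   winbind use default domain = no
"""

def nss_sources(text, database):
    """Ordered lookup sources for one database; actions like [NOTFOUND=return] are dropped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            return re.sub(r"\[[^\]]*\]", " ", line.split(":", 1)[1]).split()
    return []

def smb_globals(text):
    """Parameters of the [global] section, names lower-cased with single spaces."""
    params, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check(nsswitch_text, smb_text):
    """Findings for the 'winbind trusted domains only' precondition from the man page."""
    value = smb_globals(smb_text).get("winbind trusted domains only", "no")  # default: no
    if value.lower() not in ("yes", "true", "1"):
        return []
    findings = []
    for db in ("passwd", "group"):
        others = [s for s in nss_sources(nsswitch_text, db) if s != "winbind"]
        if not others:
            findings.append(f"{db}: no UNIX account source besides winbind")
        elif others == ["files"]:
            findings.append(f"{db}: files only, primary-domain accounts must exist in local files")
    return findings

print(check(NSSWITCH, SMB_CONF) or "ok")
```

With the configuration from the message the check reports nothing, because ldap supplies the accounts; a server with only `files` and `winbind` listed, and no domain users in /etc/passwd, is the case Sean's question describes.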

