[Samba] Acl problems with 3.07 on solaris 9
Henrik Beckman
Henrik.Beckman at sgu.se
Thu Oct 7 06:40:27 GMT 2004
Hi

Well it works, but not the way I want... ; )

I would like the SID for user0 to map to the UID for user0; otherwise, if
winbindd maps user0's SID to UID 15000 when the user has UID 512, all
permissions that are set from Windows are worthless when accessing the file
structure from Unix with NIS permissions. If the files are moved to another
file server, the same thing happens: the mapping would also break.

My NT users and groups are, for legacy reasons, "empty" and only for
Windows login; all permissions are managed by NIS users and groups and are
set by standard file permissions or ACLs. Standard user/group and rwx can be
set from Windows, but the ACLs can't.

Your winbindd instructions solve that, but not in a usable way. Can I
solve this with some kind of static UID<->SID mapping list, or am I
forced to use LDAP or AD?

/Henrik
www.sgu.se
John H Terpstra <jht at samba.org>
2004-10-01 19:19
Reply-To: jht at samba.org
To: samba at lists.samba.org
Subject: Re: [Samba] Acl problems with 3.07 on solaris 9
On Friday 01 October 2004 02:41, Henrik Beckman wrote:
> Hi all
>
> I get the following errors when trying to set ACLs; the client OS is NT4 and
> XP, the server is 3.0.7 on Solaris 9.
>
> [2004/10/01 09:33:22, 0] smbd/posix_acls.c:create_canon_ace_lists(1385)
> create_canon_ace_lists: unable to map SID <sid number removed by me>
> to uid or gid.
>
> Samba is a member of an NT4 domain; all permissions are managed by Unix
> uid/gid, which are in NIS. Each Unix user exists in NT, but no groups.
> (Passwords are synchronised.)
> There is a user.map file for those 5 users who don't have the same
> username in Unix as in the domain, but those are admin accounts only.
>
> Do I have to use winbind to get the mapping to work ?
>
> [global]
> workgroup = <DOMAIN NAME>
> netbios name = <netbios name>
> server string = <server name>
> security = DOMAIN
> encrypt passwords = Yes
This is already default behavior - no need to set it.
> min passwd length = 6
> password server = <pdc> <bdc>
This is worked out automatically - you only need to specify it if you
absolutely need to force Samba to authenticate to a particular PDC or BDC
server.
> username map = /usr/local/samba/lib/users.map
> #loglevel = 2
> log file = /var/opt/samba/log/%m
> name resolve order = host wins bcast
Suggest:
name resolve order = wins bcast host
> time server = Yes
> deadtime = 10
> wins server = <wins1> <wins2>
Specify only one WINS server.
> kernel oplocks = No
> host msdfs = Yes
> invalid users = smsclitoknacct& smsclisvcacct&
> create mask = 0644
> inherit acls = Yes
Add:
idmap uid = 15000-20000
idmap gid = 15000-20000
Also, you must run winbindd. I hope you have added to your
/etc/nsswitch.conf
file:
hosts: files dns wins
passwd: files winbind
shadow: files winbind
group: files winbind
Make sure that the following work:
wbinfo -u
wbinfo -g
getent passwd
getent group
>
> Samba is compiled with acl support.
> ACL are used in the ufs filesystem and works.
>
> This is slowly driving me insane.....
http://www.samba.org/samba/docs/Samba-Guide.pdf
See chapter 9.
It's all explained there. If it is not clear and I have failed to cover
your needs, please let me know so I can update the documentation.
- John T.
--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
OpenLDAP by Example, ISBN: 0131488732
Other books in production.
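The two messages above turn on the same practical question: once winbindd is running and nsswitch.conf lists winbind, does the uid that winbind hands out for a domain user agree with the uid NIS already holds for that login name? If it does not (user0 at 15000 from the idmap range versus 512 in NIS), ACLs written from Windows land on the wrong numeric owner. The script below is an added example, not code from the thread or from the Samba project. It assumes the default winbind separator `\` (or `+`) prefixes domain users in `getent passwd` output, and it uses constructed sample passwd entries in place of the real `getent passwd` and `ypcat passwd` output.

```shell
#!/bin/sh
# Added example (not from the thread): compare the uid winbind assigns to each
# domain user with the uid NIS holds for the same login name.
#
# Inputs are two passwd(5)-format files. On the file server they would be
# produced with:
#     getent passwd > winbind.txt     # includes winbind entries once
#                                     # nsswitch.conf lists "winbind"
#     ypcat passwd  > nis.txt         # the NIS map
# The sample data below is constructed for illustration only.

# Print "login winbind_uid nis_uid" for every login present in both files
# whose numeric uid differs.  $1 = winbind passwd file, $2 = NIS passwd file.
# Domain prefixes such as "DOM\" or "DOM+" are stripped before comparing,
# since NIS knows the bare login name.
uid_mismatches() {
    awk -F: '
        NR == FNR { nis[$1] = $3; next }            # first file: NIS map
        { sub(/^[^:\\+]*[\\+]/, "", $1) }           # drop "DOM\" / "DOM+"
        ($1 in nis) && nis[$1] != $3 { print $1, $3, nis[$1] }
    ' "$2" "$1"
}

# Print the domain logins winbind knows but NIS does not; these will only
# ever get an idmap-range uid and can never match Unix permissions.
unmapped_users() {
    awk -F: '
        NR == FNR { nis[$1] = 1; next }
        { sub(/^[^:\\+]*[\\+]/, "", $1) }
        !($1 in nis) { print $1 }
    ' "$2" "$1"
}

# Run the sanity checks John lists (wbinfo -u / -g, getent passwd / group)
# and fail on the first one that does not work.  Only meaningful on the
# Samba host itself; it is not called below.
check_winbind() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not on PATH" >&2; return 1; }
    for cmd in "wbinfo -u" "wbinfo -g" "getent passwd" "getent group"; do
        if $cmd >/dev/null 2>&1; then
            echo "ok:   $cmd"
        else
            echo "FAIL: $cmd" >&2
            return 1
        fi
    done
}

# --- constructed sample data (stands in for getent passwd / ypcat passwd) ---
WINBIND=$(mktemp)
NIS=$(mktemp)
trap 'rm -f "$WINBIND" "$NIS"' EXIT

cat >"$WINBIND" <<'EOF'
DOM\user0:x:15000:15000:user0:/home/DOM/user0:/bin/false
DOM\user1:x:15001:15000:user1:/home/DOM/user1:/bin/false
DOM\admin2:x:15002:15000:admin2:/home/DOM/admin2:/bin/false
EOF

cat >"$NIS" <<'EOF'
user0:x:512:100:User Zero:/home/user0:/bin/sh
user1:x:15001:100:User One:/home/user1:/bin/sh
EOF

echo "uid mismatches (login winbind_uid nis_uid):"
uid_mismatches "$WINBIND" "$NIS"
echo "domain users with no NIS account:"
unmapped_users "$WINBIND" "$NIS"
```

With the constructed data, user0 is reported as 15000 under winbind against 512 in NIS, user1 is silent because both sides agree, and admin2 is listed as having no NIS account at all. On a real server, any login that shows up in the first list is one whose Windows-set ACLs will not line up with the NIS-based Unix permissions that the thread is about.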
--