[Samba] Acl problems with 3.07 on solaris 9

Henrik Beckman Henrik.Beckman at sgu.se
Thu Oct 7 06:40:27 GMT 2004


Well it works but not the way I want... ; ) 

I would like to have the SID for user0 to map to the UID for user0, 
otherwise if winbindd maps user0 SID to UID 15000 when
the user has UID 512 all permissions that are set from windows are 
worthless when accessing the filestructure from unix with NIS permissions.
If the files are moved to another fileserver same thing the mapping would 
also break.

My NT users and groups are for legacy reasons "empty"  and only for 
windows login, all permissions are managed by NIS users and groups and are 
set by
standar file permission or acl:s. Standard user/group and rwx can be set 
from windows but the acls can´t. 

Your  winnbindd instructions solves that but not in a usable way, can I 
solve this with some kind of static UID<->SID mapping list or am I
forced to use ldap or AD ?


John H Terpstra <jht at samba.org> 
Sent by: samba-bounces+henrik.beckman=sgu.se at lists.samba.org
2004-10-01 19:19
Please respond to
jht at samba.org

samba at lists.samba.org

Re: [Samba] Acl problems with 3.07 on solaris 9

On Friday 01 October 2004 02:41, Henrik Beckman wrote:
> Hi all
> I get the following errors when trying to set acls, client os is NT4 and
> XP, server is 3.0.7 on solaris9
> [2004/10/01 09:33:22, 0] smbd/posix_acls.c:create_canon_ace_lists(1385)
>   create_canon_ace_lists: unable to map SID <sid number removed by me>
> to uid or gid.
> Samba is a member in a NT4 domain, all permissions is managed by unix
> uid/gid which are in NIS, each unix user exists in NT but no groups.
> (passwords are syncronized.)
> There is a user.map fil for those 5 user who doesn´t have the same
> username in unix as in the domain but those are admin accounts only.
> Do I have to use winbind to get the mapping to work ?
> [global]
>         workgroup = <DOMAIN NAME>
>         netbios name =<netbios NAME
>         server string = <server name>
>         security = DOMAIN
>         encrypt passwords = Yes

This is already default behavior - no need to set it.

>         min passwd length = 6
>         password server = <pdc> <bdc>

This is worked out automatically - only need to specify it if you 
need to force samba to authenticate to a particular PDC or BDC server.

>         username map = /usr/local/samba/lib/users.map
>         #loglevel = 2
>         log file = /var/opt/samba/log/%m
>         name resolve order = host wins bcast

                 name resolve order = wins bcast host

>         time server = Yes
>         deadtime = 10
>         wins server = <wins1> <wins2>

Specifiy only one WINS server.

>         kernel oplocks = No
>         host msdfs = Yes
>         invalid users = smsclitoknacct& smsclisvcacct&
>         create mask = 0644
>         inherit acls = Yes

                 idmap uid = 15000-20000
                 idmap gid = 15000-20000

Also, you must run winbindd. I hope you have added to your 

                 hosts: files dns wins
                 passwd: files winbind
                 shadow: files winbind
                 group: files winbind

Make sure that the following work:

                 wbinfo -u
                 wbinfo -g
                 getent passwd
                 getent group

> Samba is compiled with acl support.
> ACL are used in the ufs filesystem and works.
> This is slowly driving me insane.....


See chapter 9.

It's all explained there. If it is not clear and I have failed to cover 
needs please let me know so I can update the documentation.

- John T.
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
OpenLDAP by Example, ISBN: 0131488732
Other books in production.
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list