[Samba] Can set ACLs great from Windows, but see only SIDs when I reopen them

Thomas Boutell boutell at boutell.com
Wed Mar 9 15:28:05 GMT 2005


Good morning, Samba List,

I'm setting ACLs from the security tab of the properties window of a folder
via a Windows XP SP2 client. The Samba share in question is running on 
3.0.11 with an ext3 file system and Fedora Core 3 underneath. All this
works great -- I can set up ACLs beautifully from Windows and when I check 
them out with getfacl on the Linux side, the results make sense to me.

However, when I close and re-open the properties window, the two
groups I've set up ACLs for -- AD\salesgroup and AD\marketinggroup --
show up only as SIDs (S-bignumber-with-hyphens). Which, of course, 
is confusing.

I've appended the output of getfacl, the relevant part of "getent group",
and my smb.conf file. Thanks for any thoughts on this. I could certainly 
just write this up as a frustrating quirk that will "hopefully be fixed soon," 
but of course I'd rather present the fix!

Is there some way in which Samba might not be correctly mapping SIDs back to
names upon request from the client?

Thanks again!

GETFACL OUTPUT:

[root@ADSambaFP1 ~]# getfacl /research
# file: research
# owner: AD\134salesperson1
# group: root
user::rwx
group::---
group:10012:rwx
group:10015:r-x
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:10012:rwx
default:group:10015:r-x
default:mask::rwx
default:other::---

GETENT GROUP OUTPUT:

AD\domain computers:x:10003:
AD\domain controllers:x:10002:
AD\schema admins:x:10005:AD\administrator
AD\enterprise admins:x:10006:AD\administrator
AD\domain admins:x:10007:AD\administrator
AD\domain users:x:10000:
AD\domain guests:x:10001:
AD\group policy creator owners:x:10004:AD\administrator
AD\dnsupdateproxy:x:10013:
AD\cheaters:x:10014:
AD\salesgroup:x:10012:AD\salesperson2,AD\salesperson1
AD\marketinggroup:x:10015:AD\marketperson2,AD\marketperson1
AD\hrgroup:x:10016:AD\hrperson2,AD\hrperson1

MY SMB.CONF FILE:

[global]
    log level = 3
    log file = /var/log/samba/%m.log
    # Use CUPS for all back end printing chores
    printing = cups
    printcap = cups
    load printers = yes
    idmap gid = 10000-20000
    map acl inherit = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    admin users = AD\Administrator
    printer admin = AD\Administrator
#   winbind trusted domains only = yes
    encrypt passwords = YES
    realm = AD.CORP.COM
    template shell = /bin/bash
    dns proxy = no
    cups options = raw
    server string = Samba Server
    idmap uid = 10000-20000
    workgroup = AD
    printcap name = /etc/printcap
    security = ads
    max log size = 50

    winbind use default domain = no
    password server = windc1.ad.corp.com

[homes]
    comment = Home Directories
    browseable = no
    writable = yes

[printers]
    guest ok = no
    comment = All Printers
    printable = yes
    writable = no
    path = /var/spool/samba

[research]
    comment = Research Files, Sales Writes, Marketing Reads
    writeable = yes
    path = /research

[print$]
    comment = Printer Drivers for Windows
    path = /usr/local/samba/windrivers
    write list = AD\administrator

--
Thomas Boutell
Boutell.Com, Inc. 
http://www.boutell.com/


