[Samba] Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11)\

Jens Nissen jens.nissen at gmx.net
Wed Apr 18 16:32:20 GMT 2007

Gerald (Jerry) Carter wrote:
> Jens Nissen wrote:
>> SID S-1-5-11 ("Authenticated Users") is part of the NT Authority.
>> Why should this SID be "non-mappable"?
> It's not mappable to a gid.
>> Can I simply comment the lines out? What will 
>> happen afterwards?
> Nope.  All SIDs have to be converted to a gid.

Thanks, Jerry.

But I have 4 comments (+1 extra):

1) wbinfo -Y S-1-5-11 -> 1018, which means, S-1-5-11 is mapped to GID
1018, contradicting that S-1-5-11 is not mapped.

2) If I set (with setfacl) proper rights to a folder for this group 1018
and I set "inherit permissions" for the whole share, Samba nicely copies
the corresponding rights into any subfolder I create with Samba and
Windows Explorer. So "Authenticated Users" becomes visible to Windows
Clients on a Samba share.

3) Group S-1-5-11 does not make sense to Samba, but Windows can use it.
Why is there a difference? Why can't Samba emulate Windows here?

4) Even if Samba can't make sense of S-1-5-11, others can.
Think of the following scenario:
Server A from domain A-Domain supplies Updates to Samba Server S (e.g.
by using xcopy).
Server B (which is a PDC in B-Domain) pulls this update from S (again by
using xcopy)
Clients X (from B-Domain) access the file on Server B.
If the chain A->S->B maintains the proper rights for S-1-5-11, then X
can access it, provided it can authenticate with B.

This last scenario is what our customers would like to do and what they
already do using a Windows Server in place S (which I would like to
replace with a wonderful Unix server)
Do you see any reasonable way to achieve this or something similar?

Kind regards,

Jens (/* very humble (I admit I do not see all the consequences using
S-1-5-11 has) */)

P.S: IMHO, deleting ACLs which Samba cannot map, probably is a bug.
Think of a file, which is shared between two different domains, e.g.,
two different Samba processes. If one process deletes EXISTING ACLs of
the other process simply because it cannot map them, this can be
extremely annoying.
Something like that:
Samba Process (configuration) A -> GIDs from 1000-1999
Samba Process (configuration) B -> GIDs from 2000-2999
File X has ACL user:1500:RW- (via Samba Process A)
Now a user of process (domain) B adds ACL user:2500:RWX to file X.
Does Samba Process B automatically delete user:1500:RW- thus making the
file unaccessible from A???
IMO, it should not be allowed to do this!
BTW: The processes don't run concurrently at the same time, B is a kind
of fallback domain in case the domain server from A fails.

Thanks for your patience!!!!

More information about the samba mailing list