[Samba] Question about AD user/ACL mapping

Knox, Bill wknox at mitre.org
Thu Mar 15 19:16:47 GMT 2007


Yes, in the security-tab when I am trying to add an ACL to a file on
the Samba share.

Let me extend the example a bit to explain what we are doing:

The server has a local username freddy, and the domain contains a user
fred_smith
The usernamemap file contains:
freddy = DOMAIN\fred_smith

When I try to add permissions for fred_smith in the security tab on
Windows, I get an error in the log file like this:

[2007/03/14 15:17:38, 0] smbd/posix_acls.c:create_canon_ace_lists(1399)
  create_canon_ace_lists: unable to map SID
S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXXX to uid or gid.

However, I can access shares as fred_smith and my access gets mapped to
the freddy user, and I can run wbinfo -n fred_smith on the box to get a
SID back.

When viewing ACLs in the tab that are set on the filesystem itself,
they come back as "<username> (Unix User\<username>)" in the listing as
well.

It would also work if there were a tool to manually populate the
winbindd_idmap.tdb file - does such a thing exist that is fairly
useable? What are the implications for my interaction with the AD if I
did something as screwball as that?

Thanks for the help.


                  Bill Knox
                  Lead Operating Systems Programmer/Analyst
                  The MITRE Corporation

-----Original Message-----
From: Jeremy Allison [mailto:jra at samba.org] 
Sent: Thursday, March 15, 2007 12:54 PM
To: Knox, Bill
Cc: samba at lists.samba.org
Subject: Re: [Samba] Question about AD user/ACL mapping

On Thu, Mar 15, 2007 at 12:02:03AM -0400, Knox, Bill wrote:
> We have updated our long-standing Samba install on a Solaris 8 box to
> 3.0.24 and are interested in making use of the Windows ACL mapping
> capabilities to help take over a Windows share. However, there is a
> snag - the pre-existing box has usernames that differ from people's
> Windows logins, i.e. their Unix login is freddy, and their Windows
> login is fred_smith.
> 
> I have our AD domain membership working on the box and can see the
> ACLs work with a dummy account set up to match someone's Windows login
> (i.e. if in the above example, I set up a fred_smith account on the Unix
> box), but could find no way in the documentation to do a username
> mapping (equivalent to what is being done for logins) for the ACLs.
> Is it there and I just didn't see it, or does it not exist?

So this is when you're doing a right-click, security-tab,
show ACLs on the Windows client ?

I think we currently just display the usernames we get
from the SID mapping subsystem when the client does the SID -> name
lookup to display these. I need to look at the code to see 
how easy it would be to do a reverse username map lookup
for this - although it would be lossy as username map allows
multiple Windows names to map onto one UNIX one.

Jeremy.
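An added example, not code from this thread or from Samba: a small Python model of the `username map` file that the thread is about. It implements the documented file grammar (one Unix name on the left, one or more Windows logins on the right, `"quoted names"` with spaces, `*` as a wildcard, a leading `!` to stop processing after a match) and both directions of lookup. The forward direction is what smbd applies at session setup; the reverse direction is what an ACL display would need, and the function returns a list precisely because, as Jeremy notes, several Windows logins may map onto one Unix name. Assumptions of this toy: Windows logins compare case-insensitively, and Samba's `@group` syntax and domain-prefix handling are left out. The sample map is constructed for the example and adds a second spelling of the same login plus a trailing wildcard to make the ambiguity and the `!` behaviour visible.

```python
"""Toy model of Samba's 'username map' file (added example, not Samba code)."""
from __future__ import annotations

import shlex
from dataclasses import dataclass

# Constructed sample, modelled on the thread: local 'freddy' stands in for
# DOMAIN\fred_smith. A second spelling of the same login also lands on 'freddy',
# and a trailing wildcard catches everyone else. The '!' is deliberate (see below).
SAMPLE_MAP = r"""
# unixname = winname [winname ...]   ('#' or ';' starts a comment line)
!freddy = DOMAIN\fred_smith "DOMAIN\Fred Smith"
!root   = DOMAIN\Administrator
nobody  = *
"""


@dataclass
class MapEntry:
    unix_name: str        # left-hand side: the local account
    win_names: list[str]  # right-hand side: Windows logins (or "*")
    stop: bool            # line began with '!': stop after this line matches


def _split_names(rhs: str) -> list[str]:
    """Split the right-hand side on whitespace, honouring "quoted names".

    Backslash escaping is switched off so DOMAIN\\user survives untouched.
    """
    lexer = shlex.shlex(rhs, posix=True)
    lexer.whitespace_split = True
    lexer.escape = ""
    return list(lexer)


def parse_username_map(text: str) -> list[MapEntry]:
    entries: list[MapEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            raise ValueError(f"malformed username map line: {raw!r}")
        lhs, rhs = line.split("=", 1)
        unix_name = lhs.strip()
        stop = unix_name.startswith("!")
        if stop:
            unix_name = unix_name[1:].strip()
        win_names = _split_names(rhs)
        if not unix_name or not win_names:
            raise ValueError(f"malformed username map line: {raw!r}")
        entries.append(MapEntry(unix_name, win_names, stop))
    return entries


def _matches(entry: MapEntry, name: str) -> bool:
    # Assumption: Windows logins compare case-insensitively; "*" matches any name.
    # Samba's @group syntax and domain-prefix stripping are not modelled here.
    return any(w == "*" or w.lower() == name.lower() for w in entry.win_names)


def map_username(entries: list[MapEntry], win_name: str) -> str:
    """Forward map (what smbd does at session setup): Windows login -> Unix name.

    Lines are applied in order and later lines see the already-rewritten name,
    so a wildcard line at the bottom re-maps earlier results unless the earlier
    line carried '!'.
    """
    user = win_name
    for entry in entries:
        if _matches(entry, user):
            user = entry.unix_name
            if entry.stop:
                break
    return user


def reverse_map(entries: list[MapEntry], unix_name: str) -> list[str]:
    """Reverse map (what an ACL display would need): Unix name -> Windows logins.

    Returns every literal Windows login in the file whose forward mapping ends
    at unix_name, in file order. More than one answer is possible, which is the
    ambiguity Jeremy describes above.
    """
    seen: list[str] = []
    for entry in entries:
        for w in entry.win_names:
            if w != "*" and w not in seen and map_username(entries, w) == unix_name:
                seen.append(w)
    return seen


if __name__ == "__main__":
    entries = parse_username_map(SAMPLE_MAP)
    for login in (r"DOMAIN\fred_smith", r"DOMAIN\Administrator", r"DOMAIN\jane"):
        print(f"{login:30} -> {map_username(entries, login)}")
    print("freddy <-", reverse_map(entries, "freddy"))
```

Two things worth noticing when running it. First, without the `!` on the `freddy` line, the trailing `nobody = *` line re-maps `DOMAIN\fred_smith` to `nobody`, because later lines are matched against the already-rewritten name; that is the documented reason for `!`. Second, the example only models the username map, which is consulted when a session is set up. The SID-to-uid step that the `create_canon_ace_lists` log line is complaining about is done by the idmap layer rather than by this file, so a username map entry on its own does not tell smbd which uid a given SID should resolve to.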

