[Samba] Question about AD user/ACL mapping
wknox at mitre.org
Thu Mar 15 19:16:47 GMT 2007
Yes, in the security-tab when I am trying to add an ACL to a file on
the Samba share.
Let me extend the example a bit to explain what we are doing:
The server has a local username freddy, and the domain contains a user
The usernamemap file contains:
freddy = DOMAIN\fred_smith
When I try to add permissions for fred_smith in the security tab on
Windows, I get an error in the log file like this:
[2007/03/14 15:17:38, 0] smbd/posix_acls.c:create_canon_ace_lists(1399)
create_canon_ace_lists: unable to map SID
S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXXX to uid or gid.
However, I can access shares as fred_smith and my access gets mapped to
the freddy user, and I can run wbinfo -n fred_smith on the box to get a
When viewing ACLs in the tab that are set on the filesystem itself,
they come back as "<username> (Unix User\<username>)" in the listing as
It would also work if there were a tool to manually populate the
winbindd_idmap.tdb file - does such a thing exist that is fairly
useable? What are the implications for my interaction with the AD if I
did something as screwball as that?
Thanks for the help.
Lead Operating Systems Programmer/Analyst
The MITRE Corporation
From: Jeremy Allison [mailto:jra at samba.org]
Sent: Thursday, March 15, 2007 12:54 PM
To: Knox, Bill
Cc: samba at lists.samba.org
Subject: Re: [Samba] Question about AD user/ACL mapping
On Thu, Mar 15, 2007 at 12:02:03AM -0400, Knox, Bill wrote:
> We have updated our long-standing Samba install on a Solaris 8 box to
> 3.0.24 and are interested in making use of the Windows ACL mapping
> capabilities to help take over a Windows share. However, there is a
> snag - the pre-existing box has usernames that differ from people's
> Windows logins, i.e. their Unix login is freddy, and their Windows
> login is fred_smith.
> I have our AD domain membership working on the box and can see the
> work with a dummy account set up to match someone's Windows login
> if in the above example, I set up a fred_smith account on the Unix
> box), but could find no way in the documentation to do a username
> mapping (equivalent to what is being done for logins) for the ACLs.
> it there and I just didn't see it, or does it not exist?
So this is when you're doing a right-click, security-tab,
show ACLs on the Windows client?
I think we currently just display the usernames we get
from the SID mapping subsystem when the client does the SID -> name
lookup to display these. I need to look at the code to see
how easy it would be to do a reverse username map lookup
for this - although it would be lossy as username map allows
multiple Windows names to map onto one UNIX one.
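As an added illustration of the "lossy" reverse lookup Jeremy mentions (this is example code written for this page, not Samba's own implementation or anything from the thread): a small Python parser for the username map file format documented in smb.conf(5), with a forward lookup and a reverse lookup. It assumes the documented syntax (`unixname = winname [winname ...]`, lines beginning with `#` or `;` ignored, a leading `!` stopping processing once that line matches, `*` as a wildcard, `@group` meaning any member of a UNIX group, double quotes around names containing spaces) and the case-insensitive, continue-with-the-mapped-name matching behaviour that smb.conf(5) describes. The sample map file is constructed for the example; the group-membership data is a hypothetical dict standing in for the system group database.

```python
"""Parser and forward/reverse lookup for Samba's 'username map' file format.

Added example, not Samba code. Assumes the smb.conf(5) syntax:
  unixname = winname [winname ...]    one mapping per line
  # or ; at line start              comment
  leading !                         stop processing when this line matches
  *                                 matches any name
  @group                            matches any member of that UNIX group
  "name with spaces"                double quotes allow spaces in names
"""
from dataclasses import dataclass


@dataclass
class MapEntry:
    unix_name: str
    win_names: list
    stop: bool = False  # True when the line was prefixed with '!'


def _tokenize(rhs):
    """Split the right-hand side on whitespace, honouring double quotes."""
    names, i = [], 0
    while i < len(rhs):
        if rhs[i].isspace():
            i += 1
        elif rhs[i] == '"':
            end = rhs.find('"', i + 1)
            if end == -1:
                raise ValueError("unterminated quote in username map: %r" % rhs)
            names.append(rhs[i + 1:end])
            i = end + 1
        else:
            end = i
            while end < len(rhs) and not rhs[end].isspace():
                end += 1
            names.append(rhs[i:end])
            i = end
    return names


def parse_username_map(text):
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        if "=" not in line:
            raise ValueError("malformed username map line: %r" % raw)
        unix_name, rhs = (s.strip() for s in line.split("=", 1))
        entries.append(MapEntry(unix_name, _tokenize(rhs), stop))
    return entries


def map_to_unix(entries, win_name, group_members=None):
    """Forward lookup: the UNIX name win_name ends up as.

    Matching is case-insensitive. After a line matches, later lines are
    matched against the already-mapped name (which is why a trailing
    'nobody = *' line needs '!' on the earlier lines).
    group_members: hypothetical {group: set(members)} standing in for the
    system group database consulted for '@group' entries.
    """
    group_members = group_members or {}
    current = win_name
    for e in entries:
        matched = False
        for w in e.win_names:
            if w == "*":
                matched = True
            elif w.startswith("@"):
                members = {m.lower() for m in group_members.get(w[1:], ())}
                matched = current.lower() in members
            else:
                matched = w.lower() == current.lower()
            if matched:
                break
        if matched:
            current = e.unix_name
            if e.stop:
                break
    return current


def reverse_map(entries, unix_name):
    """Reverse lookup: every Windows name that maps onto unix_name.

    More than one result is exactly the lossy case: given only the UNIX
    uid behind an ACL entry there is no single Windows name to hand back.
    """
    return [w for e in entries if e.unix_name.lower() == unix_name.lower()
            for w in e.win_names if w != "*" and not w.startswith("@")]


# Constructed sample map, not the file from the original thread.
SAMPLE_MAP = r"""
# two Windows logins for the same UNIX account
!freddy = DOMAIN\fred_smith DOMAIN\fsmith "DOMAIN\Fred Smith"
!root = administrator admin
nobody = *
"""


def demo():
    entries = parse_username_map(SAMPLE_MAP)
    return {
        "fred_smith": map_to_unix(entries, r"DOMAIN\fred_smith"),
        "unknown": map_to_unix(entries, r"DOMAIN\joe"),
        "freddy_reverse": reverse_map(entries, "freddy"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Running the block shows the forward map working for either Windows login while the reverse map for `freddy` returns three candidates, which is the ambiguity a SID-to-name lookup would have to resolve somehow before it could display a Windows name in the security tab.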