[Samba] Question about AD user/ACL mapping

Jeremy Allison jra at samba.org
Thu Mar 15 21:17:06 GMT 2007


On Thu, Mar 15, 2007 at 03:16:47PM -0400, Knox, Bill wrote:
> Yes, in the security-tab when I am trying to add an ACL to a file on
> the Samba share.
> 
> Let me extend the example a bit to explain what we are doing:
> 
> The server has a local username freddy, and the domain contains a user
> fred_smith
> The usernamemap file contains:
> freddy = DOMAIN\fred_smith
> 
> When I try to add permissions for fred_smith in the security tab on
> Windows, I get an error in the log file like this:
> 
> [2007/03/14 15:17:38, 0] smbd/posix_acls.c:create_canon_ace_lists(1399)
>   create_canon_ace_lists: unable to map SID
> S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXXX to uid or gid.
> 
> However, I can access shares as fred_smith and my access gets mapped to
> the freddy user, and I can run wbinfo -n fred_smith on the box to get a
> SID back.
> 
> When viewing ACLs in the tab that are set on the filesystem itself,
> they come back as "<username> (Unix User\<username>)" in the listing as
> well.
> 
> It would also work if there were a tool to manually populate the
> winbindd_idmap.tdb file - does such a thing exist that is fairly
> useable? What are the implications for my interaction with the AD if I
> did something as screwball as that?

Ok, this is the function: sid_to_uid() or sid_to_gid()
failing to return a valid value. Are you running
winbindd here?

Jeremy.
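
As an added illustration (not part of the original thread, and not Samba's own code), the following Python script extracts the SIDs that smbd could not map from log records like the one quoted above, joining message lines that have been wrapped. The sample log, its SIDs, and the function names are constructed for the example.

```python
import re
from collections import Counter

# Header smbd writes before each message: "[date time, level] file:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+(\S+?):(\w+)\((\d+)\)")
UNMAPPED = re.compile(r"unable to map SID\s+(S-1-[\d-]+)\s+to uid or gid")

def parse_records(text):
    """Group each header line with its continuation lines into one record."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"time": m.group(1), "level": int(m.group(2)),
                       "func": m.group(4), "msg": ""}
            records.append(current)
        elif current is not None and line.strip():
            # The message body may be wrapped; join the pieces with single spaces.
            current["msg"] = (current["msg"] + " " + line.strip()).strip()
    return records

def unmapped_sids(text):
    """Count SIDs that create_canon_ace_lists could not map to a uid or gid."""
    hits = Counter()
    for rec in parse_records(text):
        if rec["func"] != "create_canon_ace_lists":
            continue
        m = UNMAPPED.search(rec["msg"])
        if m:
            hits[m.group(1)] += 1
    return hits

# Constructed sample log; the SIDs, client address and line numbers are made up.
SAMPLE_LOG = """\
[2007/03/14 15:17:38, 0] smbd/posix_acls.c:create_canon_ace_lists(1399)
  create_canon_ace_lists: unable to map SID
  S-1-5-21-1111111111-222222222-3333333333-1105 to uid or gid.
[2007/03/14 15:18:02, 0] smbd/posix_acls.c:create_canon_ace_lists(1399)
  create_canon_ace_lists: unable to map SID S-1-5-21-1111111111-222222222-3333333333-1105 to uid or gid.
[2007/03/14 15:19:40, 1] smbd/service.c:make_connection_snum(1033)
  client1 (192.0.2.10) connect to service data initially as user freddy (uid=1001, gid=100) (pid 4242)
[2007/03/14 15:21:11, 0] smbd/posix_acls.c:create_canon_ace_lists(1399)
  create_canon_ace_lists: unable to map SID S-1-5-21-1111111111-222222222-3333333333-1120 to uid or gid.
"""

if __name__ == "__main__":
    for sid, n in unmapped_sids(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {sid}  (check with: wbinfo -S {sid})")
```

Each SID it reports can then be checked on the server with `wbinfo -S` (SID to uid) or `wbinfo -Y` (SID to gid) to see whether winbindd has a mapping for it.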

