[Samba] Question about AD user/ACL mapping
wknox at mitre.org
Thu Mar 15 21:25:25 GMT 2007
Yes - I assumed that is what is allowing it to work if I create a
fred_smith user on the Unix box (which then works fine), and what is
letting wbinfo work. It seems to really be the mapping that would be
required to make winbindd know that fred_smith in the domain is the
same as freddy on the Unix box.
Lead Operating Systems Programmer/Analyst
The MITRE Corporation
From: Jeremy Allison [mailto:jra at samba.org]
Sent: Thursday, March 15, 2007 5:17 PM
To: Knox, Bill
Cc: samba at lists.samba.org
Subject: Re: [Samba] Question about AD user/ACL mapping
On Thu, Mar 15, 2007 at 03:16:47PM -0400, Knox, Bill wrote:
> Yes, in the security-tab when I am trying to add an ACL to a file on
> the Samba share.
> Let me extend the example a bit to explain what we are doing:
> The server has a local username freddy, and the domain contains a
> The usernamemap file contains:
> freddy = DOMAIN\fred_smith
> When I try to add permissions for fred_smith in the security tab on
> Windows, I get an error in the log file like this:
> [2007/03/14 15:17:38, 0]
> create_canon_ace_lists: unable to map SID
> S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXXX to uid or gid.
> However, I can access shares as fred_smith and my access gets mapped
> to the freddy user, and I can run wbinfo -n fred_smith on the box to get
> the SID back.
> When viewing ACLs in the tab that are set on the filesystem itself,
> they come back as "<username> (Unix User\<username>)" in the listing.
> It would also work if there were a tool to manually populate the
> winbindd_idmap.tdb file - does such a thing exist that is fairly
> useable? What are the implications for my interaction with the AD if
> I did something as screwball as that?
Ok, this is the function: sid_to_uid() or sid_to_gid()
failing to return a valid value. Are you running
winbindd here?