[Samba] Users mapping in security tab

grant little grantliddle at gmail.com
Sat Aug 21 14:46:59 MDT 2010


On Fri, Aug 20, 2010 at 9:57 AM, tizo <tizone at gmail.com> wrote:

> Hi there,
>
> I have a Samba installation acting as a Domain Member with a disk share (the
> partition is mounted with acl and user_xattr options). I am not using
> winbind, because I want the domain users to be mapped to Unix users.
> Everything works right, except for the users in the Windows Explorer
> security tab. I will try to explain the situation with an example.
>
> I have a username map that maps Administrator and domainuser into root and
> unixuser respectively. I also have another user that does not need the
> mapping, as the username is the same in both systems. The three users can
> log in correctly to the share, and when a user creates a file, the owner of
> the new file is the mapped user corresponding to the logged-in user.
>
> The problem arises in the Windows Explorer security tab of a file. The users
> seen there are the Unix users and not the domain ones; for example, I can
> see something like "unixuser (Unix User\unixuser)" or for groups "unixgroup
> (Unix Group\unixgroup)". I can modify the permissions of an entry here (and
> the modifications can be seen in the Posix ACLs in the file), but I cannot
> add another user. For example, in a file that does not have the unixuser
> entry, I click the Add button, search for domainuser (of course, unixuser
> cannot be obtained from here), add him, set some permissions, and when I
> click "Apply" the new entry disappears. At that moment, the Samba log says
> something like (and the symptoms are the same for the users in the map, and
> for the user that has the same username on both systems):
>
> smbd/posix_acls.c:create_canon_ace_lists(1510)
>  create_canon_ace_lists: unable to map SID
> X-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX to uid or gid.
>
> So, I guess that Samba is not using the same mechanism for the login as
> for administering ACLs. Maybe that is not possible; I simply do not know
> because I am relatively new to Samba. Can someone explain how Samba should
> work with the security tab? Shouldn't it map users in both directions so
> that from Windows only domain users can be seen?
>
> My smb.conf:
>
> [global]
>    workgroup = DUMMY
>    netbios name = PRUEBA-ARCHIVOS
>    server string = %h (Samba %v)
>    security = DOMAIN
>    username map = /etc/samba/mapeousuarios
>    log level = 2
>    syslog = 0
>    log file = /var/log/samba/log.%m
>    max log size = 1000
>    name resolve order = wins host bcast
>    wins server = 192.168.X.X, 192.168.X.X
>    panic action = /usr/share/samba/panic-action %d
>
> [datos-usu]
>    path = /exports/datos
>    read only = No
>    map acl inherit = Yes
>    store dos attributes = Yes
>
> Thanks very much,
>
> tizo
>
>
Tizo,

I found the exact same thing using ldap/kerberos with security=ads and with
winbind disabled.

I can set ACLs fine on the files from linux via setfacl and they show that
way when viewed from windows in the security tab, but as
Unix User\username

it seems like it may be a case of windows not knowing how to handle Unix
User\username

here's my smb.conf for comparison (note am running a fileserver only, no
printers):
---------
[global]
  # workaround symlink bug with wide links 2-5-2010
  unix extensions = no

  disable spoolss = Yes
  name resolve order = hosts
  workgroup = AD
  realm = AD.MYDOMAIN.EDU
  server string = %h server (Samba, Ubuntu)
  dns proxy = no
  log file = /var/log/samba/log.%m
  max log size = 1000
  syslog = 0
  panic action = /usr/share/samba/panic-action %d
  security = ads
  encrypt passwords = true
  passdb backend = tdbsam
  obey pam restrictions = yes
  unix password sync = yes
  pam password change = no
  map to guest = bad user
  usershare allow guests = no
[sharename]
  comment = SHARENAME
  path = /shares/sharename
  browsable = Yes
  valid users = @ad\CertainFileUsers
  write list = @ad\CertainFileUsers
  create mask = 2660
  force create mode = 0660
  directory mask = 2770
--------

there's a bunch of ACL flags shown in man smb.conf that I'm not at all sure
how to use and it may be that this is just a windows problem in that windows
might not be able to easily specify the Unix User of a file even when that
is an AD user with the uid set.

some of these may affect this:
acl group control
dos filemode
nt acl support (default=yes)

this might also have something to do with the behavior:
username level


I'm hoping that someone who knows more about this might comment.

Cheers,
Grant
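An added diagnostic script, not from this thread or from Samba itself, that parses a map file in the format smb.conf's `username map` expects and tallies the "unable to map SID ... to uid or gid" failures smbd logs when a security-tab edit is applied; the map contents, log lines and SIDs are constructed samples. It checks the login direction (each Unix target in the map exists locally) separately from the ACL direction (which SIDs smbd could not turn into a uid or gid), which is the asymmetry the question describes.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed sample map in the smb.conf(5) "username map" format:
#   unixname = windowsname [windowsname ...]
# '#'/';' start comments, a leading '!' stops further matching once the line
# matches, '@group' on the right means "any member of that Unix group".
USERNAME_MAP = """\
# constructed sample, modelled on the poster's description
!root = Administrator
unixuser = DUMMY\\domainuser
"""

# Constructed smbd log lines mirroring the message quoted in the thread.
SMBD_LOG = """\
[2010/08/20 09:50:12,  2] smbd/posix_acls.c:create_canon_ace_lists(1510)
  create_canon_ace_lists: unable to map SID S-1-5-21-1000000000-2000000000-3000000000-1105 to uid or gid.
[2010/08/20 09:51:40,  2] smbd/posix_acls.c:create_canon_ace_lists(1510)
  create_canon_ace_lists: unable to map SID S-1-5-21-1000000000-2000000000-3000000000-1105 to uid or gid.
[2010/08/20 09:52:03,  2] smbd/posix_acls.c:create_canon_ace_lists(1510)
  create_canon_ace_lists: unable to map SID S-1-5-21-1000000000-2000000000-3000000000-513 to uid or gid.
"""

SID_FAIL_RE = re.compile(r"unable to map SID (S-1-5-[0-9-]+) to uid or gid")


def parse_username_map(text: str) -> Dict[str, str]:
    """Return {windows_name (lower-cased): unix_name}; first match wins, as smbd does."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        unix_name, rhs = (part.strip() for part in line.split("=", 1))
        unix_name = unix_name.lstrip("!")  # '!' only affects match ordering
        for win_name in rhs.split():       # Windows names compare case-insensitively
            mapping.setdefault(win_name.lower(), unix_name)
    return mapping


def missing_unix_targets(mapping: Dict[str, str],
                         exists: Optional[Callable[[str], bool]] = None) -> List[str]:
    """Unix names on the left of the map with no local passwd entry (login direction)."""
    if exists is None:
        import pwd

        def exists(name: str) -> bool:  # type: ignore[no-redef]
            try:
                pwd.getpwnam(name)
                return True
            except KeyError:
                return False
    return sorted({u for u in mapping.values() if not exists(u)})


def count_unmapped_sids(log_text: str) -> Dict[str, int]:
    """Count SID->uid/gid failures per SID (ACL direction): the security-tab symptom."""
    counts: Dict[str, int] = {}
    for sid in SID_FAIL_RE.findall(log_text):
        counts[sid] = counts.get(sid, 0) + 1
    return counts


if __name__ == "__main__":
    m = parse_username_map(USERNAME_MAP)
    print("map:", m)
    print("missing unix targets:", missing_unix_targets(m))
    print("unmapped SIDs:", count_unmapped_sids(SMBD_LOG))
```

Point it at the real map file (here /etc/samba/mapeousuarios) and /var/log/samba/log.* to see which SIDs fail; a SID that keeps appearing while its Windows name is present in the map shows that the map alone does not give smbd a SID-to-uid path.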
