[Samba] create_canon_ace_lists: unable to map SID

grant little grantliddle at gmail.com
Tue Aug 31 15:29:07 MDT 2010


I did search and found other folks with this issue but I didn't see a
solution to my specific issue:

I am running Samba 3.4.7 on an Ubuntu 10.04 LTS server configured to
authenticate to Active Directory via Kerberos and LDAP for use with clients
from OS X and Windows (no Linux clients).
On the advice of my local Active Directory team Winbind has been uninstalled
and everything works nicely except for not being able to set ACLs
from the Windows properties security tab.
When I add a new user it shows fine in the security tab until I press apply,
at which point the newly added user disappears and on the Samba server
the log shows:

 smbd/posix_acls.c:1711(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID
S-1-5-21-503695880-695175589-3595387526-10512 to uid or gid.

I can set and get ACLs from the Linux command line on the Samba share files OK
using setfacl and getfacl, and those settings can be seen OK in the Windows
properties security tab, and I have all the recommended ACL settings in
smb.conf.
getent passwd and getent group return the AD groups and users correctly.

I read a mention of something similar here:
http://help.lockergnome.com/linux/Samba-Samba-LDAP-error-windows-xp-ACL--ftopict509241.html


but it is not clear to me from my searches or from reading the documents at
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html#id2613465
if I must have winbind enabled to allow setting ACLs from Windows.

Is winbind required for setting ACLs from windows?

Here's my smb.conf for reference:

[global]
  unix extensions = no
  disable spoolss = Yes
  name resolve order = hosts
  workgroup = AD
  realm = AD.MYDOMAIN
  server string = %h server (Samba, Ubuntu)
  dns proxy = no
  log file = /var/log/samba/log.%m
  max log size = 1000
  syslog = 0
  log level = 0
  logon home = ""
  logon path = ""
  panic action = /usr/share/samba/panic-action %d
  security = ads
  encrypt passwords = true
  passdb backend = tdbsam
  obey pam restrictions = yes
  unix password sync = yes
  pam password change = no
  map to guest = bad user
  usershare allow guests = no
[asgs]
  comment = ASGS
  path = /shares/asgs
  browsable = Yes
  valid users = @ad\ASGSFileUsers
  write list = @ad\ASGSFileUsers
  create mask = 2660
  force create mode = 0660
  directory mask = 2770
  force directory mode = 0770

and here's nsswitch.conf
passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

and my pam.d/samba
@include common-auth
@include common-account
@include common-session
auth required pam_unix.so nullok_secure
auth sufficient pam_krb5.so minimum_uid=1000 use_first_pass
account sufficient pam_ldap.so use_first_pass
session sufficient pam_ldap.so


Thanks for your insight.

Grant
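Added example, not part of Grant's post: a small Python helper that pulls the unmapped SIDs out of smbd log lines like the one quoted above, splits each into its domain SID and RID, and shows the arithmetic winbind's idmap_rid backend would apply to turn that RID into a Unix ID (ID = RID - BASE_RID + LOW_RANGE_ID, per the idmap_rid man page). The idmap range 10000-99999, base_rid 0 and the second log line (RID 513) are assumed/constructed values, not from the post.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample log excerpt in the Samba 3 debug format; the first SID is
# the one quoted in the post, the second (RID 513) is made up for illustration.
SAMPLE_LOG = """\
[2010/08/31 15:20:01,  3] smbd/posix_acls.c:1711(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID S-1-5-21-503695880-695175589-3595387526-10512 to uid or gid.
[2010/08/31 15:20:02,  3] smbd/posix_acls.c:1711(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID S-1-5-21-503695880-695175589-3595387526-513 to uid or gid.
"""

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")
UNMAPPED_RE = re.compile(r"unable to map SID (S-[\d-]+) to uid or gid")


def parse_sid(sid: str) -> Tuple[int, int, Tuple[int, ...]]:
    """Split 'S-R-A-s1-...-sn' into (revision, authority, sub-authorities)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a textual SID: {sid!r}")
    subs = tuple(int(x) for x in m.group(3).split("-")[1:])
    return int(m.group(1)), int(m.group(2)), subs


def domain_and_rid(sid: str) -> Tuple[str, int]:
    """The last sub-authority is the RID; everything before it is the domain SID."""
    rev, auth, subs = parse_sid(sid)
    if len(subs) < 2:
        raise ValueError("SID has no domain part")
    return f"S-{rev}-{auth}-" + "-".join(str(s) for s in subs[:-1]), subs[-1]


def unmapped_sids(log_text: str) -> List[str]:
    """Collect every SID smbd reported it could not map, in log order."""
    return UNMAPPED_RE.findall(log_text)


def rid_to_unix_id(rid: int, low: int = 10000, high: int = 99999,
                   base_rid: int = 0) -> Optional[int]:
    """idmap_rid arithmetic: ID = RID - BASE_RID + LOW_RANGE_ID, or None when the
    result falls outside the range. The range and base_rid are assumed values."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


if __name__ == "__main__":
    for sid in unmapped_sids(SAMPLE_LOG):
        dom, rid = domain_and_rid(sid)
        print(f"{sid}: domain={dom} rid={rid} idmap_rid->{rid_to_unix_id(rid)}")
```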

