[Samba] create_canon_ace_lists: unable to map SID
grant little
grantliddle at gmail.com
Tue Aug 31 15:29:07 MDT 2010
I did search and found other folks with this issue but I didn't see a
solution to my specific issue:
I am running Samba 3.4.7 on Ubuntu 10.04 LTS server, configured to
authenticate to Active Directory via Kerberos and LDAP for use with clients
from OS X and Windows (no Linux clients).
On the advice of my local Active Directory team Winbind has been uninstalled,
and everything works nicely except for not being able to set ACLs
from the Windows properties security tab.
When I add a new user it shows fine in the security tab until I press apply,
at which point the newly added user disappears and on the Samba server
the log shows:
smbd/posix_acls.c:1711(create_canon_ace_lists)
create_canon_ace_lists: unable to map SID
S-1-5-21-503695880-695175589-3595387526-10512 to uid or gid.
I can set and get ACLs from the Linux command line on the Samba share files OK
using setfacl and getfacl, and those settings can be seen OK in the Windows
properties security tab, and I have all the recommended ACL settings in
smb.conf.
getent passwd and getent group return the AD groups and users correctly.
I read a mention of something similar here:
http://help.lockergnome.com/linux/Samba-Samba-LDAP-error-windows-xp-ACL--ftopict509241.html
but it is not clear to me from my searches or reading the documents on
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html#id2613465
if I must have winbind enabled to allow setting ACLs from Windows.
Is winbind required for setting ACLs from Windows?
Here's my smb.conf for reference:
[global]
unix extensions = no
disable spoolss = Yes
name resolve order = hosts
workgroup = AD
realm = AD.MYDOMAIN
server string = %h server (Samba, Ubuntu)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
log level = 0
logon home = ""
logon path = ""
panic action = /usr/share/samba/panic-action %d
security = ads
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
pam password change = no
map to guest = bad user
usershare allow guests = no
[asgs]
comment = ASGS
path = /shares/asgs
browsable = Yes
valid users = @ad\ASGSFileUsers
write list = @ad\ASGSFileUsers
create mask = 2660
force create mode = 0660
directory mask = 2770
force directory mode = 0770
and here's nsswitch.conf:
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
and my pam.d/samba:
@include common-auth
@include common-account
@include common-session
auth required pam_unix.so nullok_secure
auth sufficient pam_krb5.so minimum_uid=1000 use_first_pass
account sufficient pam_ldap.so use_first_pass
session sufficient pam_ldap.so
Thanks for your insight.
Grant