[Samba] ACLS without winbind (but WITH correct user mapping)

Colin Fowler cfowler at scss.tcd.ie
Fri Jun 22 09:11:08 MDT 2012

On 21/06/12 17:50, Jeremy Allison wrote:
> On Thu, Jun 21, 2012 at 05:50:45PM +0100, Colin Fowler wrote:
>> Note the DOMAIN and not "Unix User". Clicking apply simply makes the
>> new entry disappear.
>> If username mapping is working correctly, why does adding an ACL for
>> DOMAIN\nigel not set an ACL for Unix User\nigel?
> I'm not sure username mapping is being done in that
> codepath. This is designed to work (and normally tested
> with) winbindd.
> Jeremy.
I've done some poking and I've found an answer as to why it won't work 
with username to username mapping. Quite simply, the client doesn't ask 
samba to apply an ACL to a username. It is instead asked to apply it to 
an SID:

[2012/06/22 15:22:10.495700,  0]
  create_canon_ace_lists: unable to map SID S-1-5-21-2516220118-3886572273-1107914255-8269 to uid or gid.
[2012/06/22 15:22:10.498944, 10] smbd/posix_acls.c:3412(posix_get_nt_acl)
   posix_get_nt_acl: called for file test2/New Text Document.txt

I'm not running winbind so samba can't map the SID to a UID.

All is not lost though!

net -P ads sid S-1-5-21-2516220118-3886572273-1107914255-8269 works.

I can obviously grep the username/groupname out of there and use id to 
turn it into a valid unix uid or gid.

A simple script could do this easily if I add some code to 
source3/smbd/posix_acls.c and add an option such as "username sid map 
script =" to the smb.conf.

Is this completely nuts or would a patch like this be accepted?
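As an added example (not Colin's code and not part of Samba), here is a sketch of what the proposed "username sid map script" could look like: smbd would hand it a SID, it resolves the SID to an AD object with `net -P ads sid`, and then turns the sAMAccountName into a uid or gid with id(1)/getent(1). It assumes that `net ads sid` prints the object as one "attribute: value" line per attribute (the way `net ads search` does); that output shape and the sample objects below are constructed for the example, not taken from the post. The script refuses anything that is not a well-formed SID before it reaches net(8), and fails closed when the SID does not resolve, so that an unmappable SID is dropped rather than mapped to a wrong account.

```shell
#!/bin/sh
# Hypothetical "username sid map script" for Samba (example only, not Samba code).
# Usage: sidmap.sh S-1-5-21-...   -> prints "uid N" or "gid N", exit 1 on failure.

# Accept only a syntactically valid SID; anything else is rejected before
# it is passed to net(8), so the script cannot be fed arbitrary arguments.
is_sid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-[0-9]+(-[0-9]+)+$'
}

# Read `net ads sid` output on stdin and print "user NAME" or "group NAME".
# Prints nothing and returns 1 when no sAMAccountName is present.
# (Assumes "attribute: value" lines; this format is an assumption.)
classify_ad_object() {
    awk '
        tolower($1) == "samaccountname:" { name = $2 }
        tolower($1) == "objectclass:" && tolower($2) == "group" { kind = "group" }
        END {
            if (name == "") exit 1
            if (kind == "") kind = "user"
            print kind, name
        }'
}

# Map "user NAME" -> "uid N" via id(1), "group NAME" -> "gid N" via getent(1).
# id -g would give a user's primary group, so groups go through getent instead.
unix_id_for() {
    kind=$1; name=$2
    case "$kind" in
        user)  n=$(id -u "$name" 2>/dev/null) && printf 'uid %s\n' "$n" ;;
        group) n=$(getent group "$name" | cut -d: -f3) && [ -n "$n" ] \
                   && printf 'gid %s\n' "$n" ;;
        *)     return 1 ;;
    esac
}

# Glue: SID -> AD lookup -> unix id. Any failure along the way returns 1,
# so smbd would see "no mapping" rather than a guessed id.
map_sid() {
    sid=$1
    is_sid "$sid" || return 1
    obj=$(net -P ads sid "$sid" | classify_ad_object) || return 1
    set -- $obj
    unix_id_for "$1" "$2"
}

# Constructed samples of what `net ads sid` might print (assumed format).
SAMPLE_USER_OUTPUT='Got 1 replies

dn: CN=nigel,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: user
cn: nigel
sAMAccountName: nigel
objectSid: S-1-5-21-2516220118-3886572273-1107914255-8269'

SAMPLE_GROUP_OUTPUT='dn: CN=staff,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
sAMAccountName: staff'

case "${1:-}" in
    --demo)
        printf '%s\n' "$SAMPLE_USER_OUTPUT"  | classify_ad_object
        printf '%s\n' "$SAMPLE_GROUP_OUTPUT" | classify_ad_object ;;
    S-1-*)
        map_sid "$1" ;;
esac
```

Run with `--demo` to see the parser alone, or with a SID on a domain-joined host where `net -P ads sid` works. Note that `id` and `getent` only succeed if the resolved name is also known to the local NSS configuration, which is exactly the "correct user mapping" the thread is about.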
