[Samba] ACLS without winbind (but WITH correct user mapping)

Andrew Bartlett abartlet at samba.org
Mon Jun 25 23:48:19 MDT 2012

On Fri, 2012-06-22 at 16:11 +0100, Colin Fowler wrote:
> On 21/06/12 17:50, Jeremy Allison wrote:
> > On Thu, Jun 21, 2012 at 05:50:45PM +0100, Colin Fowler wrote:
> >> Note the DOMAIN and not "Unix User". Clicking apply simply makes the
> >> new entry disappear.
> >>
> >> If username mapping is working correctly, why does adding an ACL for
> >> DOMAIN\nigel not set an ACL for Unix User\nigel?
> > I'm not sure username mapping is being done in that
> > codepath. This is designed to work (and normally tested
> > with) winbindd.
> >
> > Jeremy.
> I've done some poking and I've found an answer as to why it won't work 
> with username to username mapping. Quite simply, the client doesn't ask 
> samba to apply an ACL to a username. It is instead asked to apply it to 
> an SID
> [2012/06/22 15:22:10.495700,  0] 
> smbd/posix_acls.c:1735(create_canon_ace_lists)
>    create_canon_ace_lists: unable to map SID 
> S-1-5-21-2516220118-3886572273-1107914255-8269 to uid or gid.
> [2012/06/22 15:22:10.498944, 10] smbd/posix_acls.c:3412(posix_get_nt_acl)
>    posix_get_nt_acl: called for file test2/New Text Document.txt
> I'm not running winbind so samba can't map the SID to a UID.
> All is not lost though!
> net -P ads sid S-1-5-21-2516220118-3886572273-1107914255-8269 works 
> correctly.
> I can obviously grep the username/groupname out of there and use id to 
> turn it into a valid unix uid or gid
> A simple script could do this easily if I add some code to 
> source3/smbd/posix_acls.c and add an option such as "username sid map 
> script =" to the smb.conf.
> Is this completely nuts or would a patch like this be accepted?

This would essentially be the same as running winbindd and using
idmap_nss as I understand it. 

We wrote winbindd for a purpose, and it handles many of the important
tasks of being in an AD domain.  We do support not running it, but it is
a degraded mode.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list