[Samba] ACLS without winbind (but WITH correct user mapping)
abartlet at samba.org
Mon Jun 25 23:48:19 MDT 2012
On Fri, 2012-06-22 at 16:11 +0100, Colin Fowler wrote:
> On 21/06/12 17:50, Jeremy Allison wrote:
> > On Thu, Jun 21, 2012 at 05:50:45PM +0100, Colin Fowler wrote:
> >> Note the DOMAIN and not "Unix User". Clicking apply simply makes the
> >> new entry disappear.
> >> If username mapping is working correctly, why does adding an ACL for
> >> DOMAIN\nigel not set an ACL for Unix User\nigel?
> > I'm not sure username mapping is being done in that
> > codepath. This is designed to work (and normally tested
> > with) winbindd.
> > Jeremy.
> I've done some poking and I've found an answer as to why it won't work
> with username to username mapping. Quite simply, the client doesn't ask
> samba to apply an ACL to a username. It is instead asked to apply it to
> an SID
> [2012/06/22 15:22:10.495700, 0]
> create_canon_ace_lists: unable to map SID
> S-1-5-21-2516220118-3886572273-1107914255-8269 to uid or gid.
> [2012/06/22 15:22:10.498944, 10] smbd/posix_acls.c:3412(posix_get_nt_acl)
> posix_get_nt_acl: called for file test2/New Text Document.txt
> I'm not running winbind so samba can't map the SID to a UID.
> All is not lost though!
> net -P ads sid S-1-5-21-2516220118-3886572273-1107914255-8269 works
> I can obviously grep the username/groupname out of there and use id to
> turn it into a valid unix uid or gid
> A simple script could do this easily if I add some code to
> source3/smbd/posix_acls.c and add an option such as "username sid map
> script =" to the smb.conf.
> Is this completely nuts or would a patch like this be accepted?
This would essentially be the same as running winbindd and using
idmap_nss as I understand it.
We wrote winbindd for a purpose, and it handles many of the important
tasks of being in an AD domain. We do support not running it, but it is
a degraded mode.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba