[Samba] UIDs/GIDs Mapping and Permissions in Samba

[Gaiseric Vandal]

I have never quite got uid/gid consistency working with member 
servers.      My domain controllers use an LDAP backend so they don't 
have an issue.   All the unix uid and gid is also in LDAP.     This 
keeps file permissions correct on the member servers when accessing from 
windows clients.  However you can NOT manage the file permissions from 
windows.  The existing permissions show up in windows a "Unix\someuser" 
or "unix\somegroup."    If you try to change permissions or add a domain 
user, the permissions don't stick. This limits the flexibility of member 
servers since users can only change permissions via a unix session.

This has been with samba 3.4.x and 3.5.x.   My understanding of the 
documentation is that samba should be able to use the unix uid/gid info 
to create a consistent sid-to-uidNumber and sid-to-gidNumber mapping  
but that hasn't been the case for me. I have tried to configure the 
member servers to look up the id mapping info from the PDC ldap server 
in read only mode-  haven't got it working set but I think this is the 
way to go.




On 07/31/13 21:05, Chris Hayes wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I'm wondering how essential it is to ensure that Samba User/Group to
> UIDs/GIDs mapping across various Samba servers remain consistent.
>
> I realise that Samba uses the extended ACLs and also uses extended
> attributes to store blobs of Windows ACL information; specifically the
> reason for this is that Windows ACLs don't map 1:1 with POSIX ones.
>
> Basically, I want to know more about which Samba uses, how much it
> tries to keep the two in sync, etc. For example, a moment ago I
> changed the POSIX ACLs on a file that already had a security.NTACL
> glob in the extended attributes; and my change to the POSIX ACL didn't
> show up in the Security Properties information for that file.
>
> By far the best documentation that I've found so far is this thread,
> which might be out of date now and still leaves me unsure; as this
> suggests that the security.NTACL glob should have been updated.
>
> https://lists.samba.org/archive/samba/2011-February/160799.html
>
> For that specific test, I was running quite an old file server (Samba
> 3.4.7) because it was what I had installed on an old machine.
>
> Any information would be greatly appreciated.
>
> Kind regards,
> - -- 
> Chris Hayes
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQEcBAEBAgAGBQJR+bRsAAoJELgO0A8EguAKXpEH/Awlyq1856PAzRpGSRWGZ9Aw
> nuY85q3yrOWq1MkjAti4GLa34gu39HAHaw6kaz06rpZPlVOfR1ICFbq08GbPzR3j
> RCBRbVG7Ai/zUx99ey8ByINq5OmkClW5h9uJCGfPuM6+keJwwj4gT6BiY8FrM3mB
> Vk1BeYhzZciEXoy/uyP3dnbxWmV9LYGZWXSqwR2lC3ge6jFWRQyL9IES+1+7Ab/7
> d+Qj+ObBZffLP5Gxmw3ETPpCMvrexM33B2VAIF5XLMaG+bbukFt8o2uW1UpFiaah
> AWMdHJbqqAlT7IZD87U5io+ZfKrDvz8tmej4m6LzzJSJD49VzDCAV/4h0sW6U8c=
> =soq+
> -----END PGP SIGNATURE-----