[Samba] ACLs on domain members

Didster didster at gmail.com
Tue May 7 05:26:46 MDT 2013


Hi,

I have a Samba PDC (Version 3.6.6) backed by LDAP and a number of Linux
Samba domain members (security = domain).

On the PDC I have ACLs configured and all this is working as expected.

On the domain members however, I have ACLs also enabled and while they
work, they only seem to work if I make ACL changes using the setfacl
commands on the box directly.

What I am looking for is the ability to configure ACLs via the Windows GUI
(allowing end users to change them for files they own) on files on the
domain members.

Assuming my name is DOMAIN\user and my group is DOMAIN\group, where the
group is mapped to the group (from LDAP) linux_group, then:

When I view the ACL pages on a file on the domain member they show "Unix
user\user" and "Unix group\linux_group" rather than what I would expect,
"DOMAIN\user" and "DOMAIN\group".  When I make changes to the ACL list it
seems to accept them until I press OK, when they are removed and the dialog
closes with no error. And errors are shown in the logs about not being able
to map uid/gid to SIDs.

On both the PDC and the domain member I have NSS configured to point to the
LDAP backend for both users & groups.  "getent passwd" shows the full
domain user lists on both boxes.

I have only entered the "net rpc groupmap" commands on the PDC.

So my questions:

Is this enough to get group mapping working on the domain members, or do I
also need to add winbind?
If winbind is needed, why, when the user entries in LDAP have the SIDs of
each user and the group entries have the group SIDs?
What's the best way of doing this, ideally with just LDAP?

Thanks

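For readers landing on this thread: the "Unix User\" and "Unix Group\" names in the Windows dialog are the fallback SIDs smbd uses when it has no domain SID for a local uid/gid, and on a Samba 3 domain member that SID-to-id mapping is winbindd's job, so NSS pointing at LDAP on its own is not enough. Below is an added smb.conf fragment (not from the original post or from the Samba project) showing the shape of a domain-member configuration that keeps the id mapping in LDAP; `DOMAIN`, `ldap.example.com`, the DNs and the id ranges are placeholders to be replaced with the site's own values.

```ini
[global]
   workgroup = DOMAIN
   security = domain

   # Present users as "user" rather than "DOMAIN\user" at the Unix level
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes

   # Default backend for SIDs from any other domain (well-known SIDs, BUILTIN).
   # Its range must not overlap the domain range below, or two SIDs can
   # collapse onto one uid and an ACL ends up granting access to the wrong user.
   idmap config * : backend = tdb
   idmap config * : range = 100000-199999

   # Mapping for our own domain kept in LDAP, so every member sees the same
   # uid/gid for a given SID and ACLs set from Windows survive a reboot.
   # ldap_user_dn needs a bind password stored with "net idmap secret".
   idmap config DOMAIN : backend = ldap
   idmap config DOMAIN : range = 10000-99999
   idmap config DOMAIN : ldap_url = ldap://ldap.example.com
   idmap config DOMAIN : ldap_base_dn = ou=Idmap,dc=example,dc=com
   idmap config DOMAIN : ldap_user_dn = cn=samba,dc=example,dc=com

   # Keep POSIX ACL editing from the Windows security tab enabled
   nt acl support = yes
   map acl inherit = yes
```

Once winbindd is running and the member has been joined with `net rpc join`, `wbinfo -n DOMAIN\\user` should return the user's SID and `wbinfo -S <that SID>` should return the same uid that `getent passwd user` shows; if the two disagree, the ranges or the LDAP entries are inconsistent and the Windows dialog will keep showing the "Unix User" fallback.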
