[Samba] Fwd: Re: Re: Cannot add/modify ACL through windows client
Micro MEGAS
micromegas at mail333.com
Wed May 15 01:13:08 MDT 2013
Hi Denis,
On both samba hosts (donald and pluto) these commands work great:
id johndoe
getent group
getent passwd
My pluto:/etc/nsswitch.conf looks like this:
[...]
passwd: compat ldap
group: compat ldap
shadow: compat ldap
[...]
I want to add that the described problem works fine if I try it on a share on "donald", my domain controller. The users are displayed fine under the security tab. So where could the problem be?
Lucas
Tue 14 May 2013 19:57:00 +0400, Denis Cardon wrote:
Hi Lucas,
> I am struggling around with Windows ACLs and cannot find a solution nor how to troubleshoot that. I have two samba3 hosts. Hostname "donald" is my domain controller with samba 3.x + OpenLDAP server running. Hostname "pluto" is my other samba 3.x server which was joined to my domain. I use LDAP for my users+groups. I don't have winbind on my machines. On hostname "pluto" I have a share in smb.conf which says:
>
> [free4all]
> path = /data/free4all
> read only = No
> create mask = 0777
> directory mask = 0777
> vfs object = acl_xattr
> nt acl support = yes
> dos filemode = yes
>
> "testparm -s -a -v |grep acl" shows me:
>
> acl compatibility = auto
> acl check permissions = Yes
> acl group control = No
> acl map full control = Yes
> force unknown acl user = No
> inherit acls = No
> nt acl support = Yes
> profile acls = No
> map acl inherit = No
> vfs objects = acl_xattr
> force unknown acl user = Yes
>
> On a Windows client I am right-clicking on \\pluto\free4all\subdir and choose the "Security" tab. I see a user called "Everyone" and a user without username, but only SID number. The SID is S-1-5-21-blablabla-1234567-blabla-500. I manually checked this SID at my LDAP database. Funnily I have two users with this same SID, one is called "root" and the other is called "admin". Weird, but not important imho at this point.
Rid -500 is part of the well known SID, it should be for admin user and
shouldn't be used for root (http://support.microsoft.com/kb/243330)
> Back on the windows client, inside the "Security" tab, I click on "Add" and choose a user of my Domain Users. I see him in the list. But as soon as I click "Apply" on this window, the user disappears from the security tab list. The logfile at samba-server hostname=pluto outputs:
>
> [2013/05/14 15:48:08.861822, 0] smbd/posix_acls.c:1755(create_canon_ace_lists)
> create_canon_ace_lists: unable to map SID S-1-5-21-1062190697-4189521229-2202214947-129762 to uid or gid.
>
> This SID was the user I tried to add. Why does this not work and how should I fix or even troubleshoot that? I really need some assistance, I have no clue what else to try. Thanks to everyone.
Are you sure that there is a uid/gid mapping for your samba users on
your server? For instance, if you type "id myusername" or "getent
passwd", do you get a uid?
If not, you should check if your /etc/nsswitch.conf configuration is ok.
If you don't use winbind, you should have nssldap configured.
Cheers,
Denis
>
> Lucas.
>
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
----- End of forwarded message -----
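
Added example, not part of the original thread or of Samba: a small shell helper that summarises the "unable to map SID" entries in an smbd log in the format quoted above (count, domain part, RID, first occurrence) and reads which NSS sources an nsswitch.conf-style file lists for a database. The function names and every log entry after the first are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: summarise smbd SID-mapping failures and
# report which NSS sources a host consults for a database.

# Constructed sample: the first entry is the one quoted in the thread; the
# other two (timestamps and the -129763 SID) are made up for illustration.
sample_log() {
  cat <<'EOF'
[2013/05/14 15:48:08.861822, 0] smbd/posix_acls.c:1755(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID S-1-5-21-1062190697-4189521229-2202214947-129762 to uid or gid.
[2013/05/14 15:50:11.000000, 0] smbd/posix_acls.c:1755(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID S-1-5-21-1062190697-4189521229-2202214947-129762 to uid or gid.
[2013/05/14 15:52:40.000000, 0] smbd/posix_acls.c:1755(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID S-1-5-21-1062190697-4189521229-2202214947-129763 to uid or gid.
EOF
}

# Read an smbd log on stdin; print "count domain-SID RID first-seen" per SID.
unmapped_sids() {
  awk '
    /^\[/ { ts = substr($1, 2) "T" $2; sub(/,$/, "", ts) }   # entry header
    /unable to map SID/ {
      for (i = 1; i <= NF; i++) if ($i ~ /^S-1-[0-9-]+$/) {
        if (!($i in hits)) { first[$i] = ts; order[++k] = $i }
        hits[$i]++
      }
    }
    END {
      for (j = 1; j <= k; j++) {
        sid = order[j]; dom = sid; rid = sid
        sub(/-[0-9]+$/, "", dom); sub(/.*-/, "", rid)
        print hits[sid], dom, rid, first[sid]
      }
    }'
}

# Print the sources listed for database $2 in the nsswitch.conf-style file $1.
nss_sources() {
  awk -v db="$2:" '{ sub(/#.*/, "") }
    $1 == db { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Succeed only if source $3 (e.g. ldap) is listed for database $2 in file $1.
nss_has_source() {
  case " $(nss_sources "$1" "$2") " in *" $3 "*) return 0 ;; *) return 1 ;; esac
}

# Demo on the constructed log; each reported account is then checked by hand
# with "id <user>" / "getent passwd <user>" as suggested in the thread.
sample_log | unmapped_sids
```

On a real host, feed the smbd log file to `unmapped_sids` on stdin and pass `/etc/nsswitch.conf` to `nss_has_source` for the `passwd` and `group` databases.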