[Samba] How to troubleshoot an ACL error?

Rowland Penny rowlandpenny at googlemail.com
Tue Mar 4 13:18:29 MST 2014

On 04/03/14 19:11, Peter Clark wrote:
> On Tue, March 4, 2014 12:18 pm, Rowland Penny wrote:
>> On 04/03/14 16:06, Peter Clark wrote:
>>> Hi,
>>> Apparently they're not the same:
>>> [root at c3po ~]# getent passwd pclark
>>> pclark:x:500:500:Peter Clark:/home/pclark:/bin/bash
>> Are you using fedora or centos or similar and is pclark a local user?
> Fedora 20, yes, 'pclark' is also a local user.

Thought so, remove the local user, you cannot have the same user in AD 
and as a local user.

>>> [root at c3po ~]# wbinfo -n pclark
>>> S-1-5-21-3282403630-2364130862-3038773389-1105 SID_USER (1)
>>> [root at c3po ~]# ldbedit -e pico -H /usr/local/samba/private/idmap.ldb
>>> objectsid=S-1-5-21-3282403630-2364130862-3038773389-1105
>>> no matching records - cannot edit
>> So pclark is also a domain user, must be, he has a SID
> Yes, I created a domain user with a login 'pclark' with ADUC.

OK, use this user.

>>> I'm sure it's likely that this is some sort of operator error. I thought
>>> winbind was supposed to take care of this kind of mapping? The AD user
>>> and
>>> computer control panel on a Windows system shows the correct Unix
>>> username
>>> and home dir for the user?
>> Winbind will take of this, but the user cannot be a local user on the
>> server, he must only exist in AD. If the user is in AD then winbind
>> idmapping will map the user to a xidNumber (this is what you should find
>> in idmap.ldb), but this can be overridden by giving the user a uidNumber
>> (see UNIX Attributes tab in ADUC), Domain Users must also be given a
>> gidNumber and the user must also have this gidNumber, this is what
>> 'idmap_ldb:use rfc2307 = yes' in smb.conf is for.
> Alright, I'll try and reset the ADUC tab for the pclark user to have
> 500:500 like the local user and see how that goes.

Note that I never said this, but you might want to also set up sssd on 
the samba4 server.

> However, why can't the Administrator login get the security attributes of
> that share either?

It is probably because you are using [homes], this does not work with 
samba4, see:

> smbclient -U administrator \\\\localhost\\homes
> Enter administrator's password:
> Domain=[PHOUSE] OS=[Unix] Server=[Samba 4.2.0pre1-GIT-ca3998d]
> smb: \> dir
>    .                                   D        0  Tue Mar  4 09:51:42 2014
>    ..                                  D        0  Tue Mar  4 03:30:54 2014
>    pclark                              D        0  Tue Mar  4 14:10:10 2014
>                  34001 blocks of size 8388608. 13438 blocks available
> smb: \> cd pclark
> cd \pclark\: NT_STATUS_INVALID_ACL
> smb: \>
>> Rowland
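The checks Rowland walks Peter through in this thread (the `getent passwd` line, `wbinfo -n`, and a lookup of the SID in idmap.ldb) written up as one small shell diagnostic. This is an added example, not code from the thread or from the Samba project. Its functions take the command output as text, so it runs offline on constructed samples; the idmap.ldb path and the pclark SID are the ones quoted above, while the LDIF record layout, the xidNumber value and the failed-lookup text are constructed assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example: reproduce the thread's id-mapping checks on constructed data.
# On a real Samba AD DC the inputs would come from:
#   grep "^$user:" /etc/passwd            -> is there a *local* account?
#   wbinfo -n "$user"                     -> name -> SID
#   ldbsearch -H /usr/local/samba/private/idmap.ldb "objectSid=$sid" xidNumber

# Print the uid if $1 has an entry in the passwd-format text $2; status 1 if absent.
local_uid() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $3; found = 1 } END { exit !found }'
}

# Extract the SID from `wbinfo -n` output; status 1 unless the result is a SID_USER.
sid_from_wbinfo() {
    printf '%s\n' "$1" | awk '$2 == "SID_USER" { print $1; found = 1 } END { exit !found }'
}

# Extract xidNumber from ldbsearch LDIF output; status 1 if there is no mapping record.
xid_from_ldb() {
    printf '%s\n' "$1" | awk '$1 == "xidNumber:" { print $2; found = 1 } END { exit !found }'
}

# diagnose USER PASSWD_TEXT WBINFO_TEXT LDB_TEXT
# Status: 0 mapped by winbind, 2 local/AD collision, 3 not a domain user,
# 4 domain user without an idmap.ldb entry (expected when an rfc2307 uidNumber is used).
diagnose() {
    user=$1; passwd=$2; wb=$3; ldb=$4
    if ! sid=$(sid_from_wbinfo "$wb"); then
        echo "$user: not a domain user (wbinfo -n gave no SID_USER)"
        return 3
    fi
    if uid=$(local_uid "$user" "$passwd"); then
        echo "$user: CONFLICT, local uid $uid and AD SID $sid; remove the local account"
        return 2
    fi
    if xid=$(xid_from_ldb "$ldb"); then
        echo "$user: winbind maps SID $sid to xidNumber $xid"
        return 0
    fi
    echo "$user: SID $sid has no idmap.ldb entry; with 'idmap_ldb:use rfc2307 = yes' check the AD uidNumber/gidNumber instead"
    return 4
}

# --- constructed sample data standing in for real command output ---
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
pclark:x:500:500:Peter Clark:/home/pclark:/bin/bash'
SAMPLE_WBINFO_PCLARK='S-1-5-21-3282403630-2364130862-3038773389-1105 SID_USER (1)'
SAMPLE_WBINFO_NOBODY='failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND'  # constructed
SAMPLE_LDB_NONE='# returned 0 records'
SAMPLE_LDB_MAPPED='# record 1
dn: CN=S-1-5-21-3282403630-2364130862-3038773389-1105
objectClass: sidMap
objectSid: S-1-5-21-3282403630-2364130862-3038773389-1105
type: ID_TYPE_UID
xidNumber: 3000021

# returned 1 records'   # constructed record; 3000021 is an assumed xid

# The situation in the thread: pclark is both a local user (uid 500) and in AD.
diagnose pclark "$SAMPLE_PASSWD" "$SAMPLE_WBINFO_PCLARK" "$SAMPLE_LDB_NONE" || :
# After the local account is removed and winbind has allocated an xid.
diagnose pclark 'root:x:0:0:root:/root:/bin/bash' "$SAMPLE_WBINFO_PCLARK" "$SAMPLE_LDB_MAPPED" || :
```

Status 4 is deliberately not treated as an error: when `idmap_ldb:use rfc2307 = yes` is set and the user carries a uidNumber in AD, winbind takes that value and idmap.ldb has nothing to show, which is why the ADUC UNIX Attributes tab is the next place to look.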
