[Samba] Change default samba 4.1. ACL behaviour

Rowland Penny rowlandpenny241155 at gmail.com
Mon Nov 16 12:52:18 UTC 2015

On 16/11/15 12:23, Alex Sviridov wrote:
> I use Samba 4.1 as a DC with ACL. I have a user with uid 3000023. However, I don't have a group with guid 3000023. However, when this user creates a folder, Samba creates permissions for group 3000023 in the ACL list, and as a result I have a broken link.
> Rowland Penny (thanks to him) said that I could see the type: ID_TYPE_BOTH setting in /usr/local/samba/private/idmap.ldb.
> As I understood, I must change type to ID_TYPE_UID. But I can't understand what the nice way to do it is.
> New users are added via samba-tool. So, should I manually change the "type" option in idmap.ldb for every
> new user? Or is there another way?
> I am sorry if I ask something stupid. Please just say what I understand wrong and how to fix these broken links.

They may not be broken links. First and foremost, just who is '3000023'?

Can you post the entire object from idmap.ldb?

It should look something like this:

dn: CN=S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-501
cn: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-501
objectClass: sidMap
objectSid: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-501
xidNumber: 3000011
distinguishedName: CN=S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-501

NOTE: real numbers replaced with 'x'

