[Samba] cifsacl not working

Rowland penny rpenny at samba.org
Fri Sep 25 13:10:03 UTC 2020

On 25/09/2020 13:37, Aurélien Aptel wrote:
> Rowland penny via samba <samba at lists.samba.org> writes:
>> 'S-1-5-18' is SYSTEM and from the looks of it, neither cifs.idmap or
>> winbind maps it on a Unix domain member (it does map on a Samba DC). It
>> is hard to understand from the manpages, does cifsacls use the same ID's
>> as Winbind, or does it calculate its own ?
> * cifsacl is the mount option.
> * When passed, it makes cifs.ko call the userspace program cifs.idmap
>    everytime it has to map a SID.
> * cifs.idmap has a winbind or sssd backend (dynamicly loaded librairies
>    aka plugins).
> * The winbind backend is idmapwb.so and is linked against libwbclient
>    and uses the same calls as wbinfo to do the mapping. Thus it returns
>    the same IDs.
> I picked this SID as an example of a SID that doesn't map, I don't know
> what sort of SID Ken is seeing.
> If Ken is seeing a mapping error in the logs and also with wbinfo for
> regular AD users it is likely something is wrong with his winbind setup.
> Cheers,

OK, that explains it better than the manpage :-)

The OP said that all his users and groups come from AD and he is using 
the 'ad' backend, but he hasn't actually said that he has added any 
rfc2307 attributes to AD.

I do not really understand why he is using cifsacl in the mount anyway, 
surely vfs_acl_xattr will do it just as well ??


More information about the samba mailing list