I have a solution! The problem (where files created in Unix were not being mapped to the domain username) was due to a problem in the smb.conf. I had:

idmap config * : range = 500-999999
idmap config * : backend = nss

But I needed to _also_ have a section for the current domain (CSS):

idmap config * : range = 500-999999
idmap config * : backend = nss
idmap config CSS : range = 500-999999
idmap config CSS : backend = nss

With both added, files created on the Unix command line automatically map to the domain user in Windows Explorer.

Hope this helps others.

JR

----- Original Message -----
From: "jrmailgate-sa...@yahoo.co.uk" <jrmailgate-sa...@yahoo.co.uk>
To: "samba@lists.samba.org" <samba@lists.samba.org>
Cc:
Sent: Tuesday, 22 January 2013, 11:48
Subject: Re: [Samba] Mapping SID>UID (and reverse)

Hi

Further to my previous mail on this problem, I've found that when I connect to the Samba server from a Windows 7 PC, the "log.winbindd-idmap" file reports the following messages:

On opening the file share: \\fs01:

[2013/01/21 11:18:42.474060, 1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config CSS
[2013/01/21 11:18:42.722730, 1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config NT AUTHORITY
[2013/01/21 11:18:42.726528, 1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config AD
[2013/01/21 11:18:42.736245, 1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config CSS

(CSS and AD are both Active Directory domains in the same forest).

When I open the contents of the share and mouse-over a file, the following is logged:

[2013/01/21 11:20:20.821208, 4] winbindd/winbindd_dual.c:1549(fork_domain_child)
  child daemon request 59
[2013/01/21 11:20:20.823030, 5] passdb/pdb_tdb.c:562(tdbsam_getsampwnam)
  pdb_getsampwnam (TDB): error fetching database.
  Key: USER_jsmith
[2013/01/21 11:20:20.823250, 5] passdb/pdb_interface.c:1347(pdb_default_uid_to_sid)
  pdb_default_uid_to_sid: Did not find user jsmith (4510)
[2013/01/21 11:20:21.279879, 4] winbindd/winbindd_dual.c:1557(fork_domain_child)
  Finished processing child request 59

The user "jsmith" is both a NIS Unix user and a Windows AD user in the "CSS" domain.

When I right-click on the file and select Properties, then select the Security tab, I see the list of ACLs listed by SID before they are resolved. In the above instance, the user "jsmith" SID is "S-1-22-1-4510". A couple of seconds later this is resolved to "Unix User\jsmith". I've checked that the 4510 in the SID is the same as the Unix UID stored in NIS.

If I open the properties of another file and add an ACL entry for user "CSS\jsmith", the following is logged:

[2013/01/22 11:17:27.030191, 4] winbindd/winbindd_dual.c:1549(fork_domain_child)
  child daemon request 59
[2013/01/22 11:17:27.031587, 5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user jsmith
[2013/01/22 11:17:27.031765, 5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is jsmith
[2013/01/22 11:17:27.034069, 5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [jsmith]!
[2013/01/22 11:17:27.034825, 4] winbindd/winbindd_dual.c:1557(fork_domain_child)
  Finished processing child request 59

The entry appears in the file properties box correctly (as CSS\jsmith) and when I now open the properties of the original file, the file is now owned by CSS\jsmith and not Unix User\jsmith.

I would like it so that it always maps the Unix UID to the CSS domain SID. Is this possible? Please can someone advise what I'm doing wrong?

Thanks!!!

JR

This is the output of testparm:

[global]
	workgroup = CSS
	realm = CSS.AD.COMPANYNAME.CO.UK
	server string = Samba %v
	security = ADS
	kerberos method = system keytab
	log file = /var/log/samba/smbd.log
	max log size = 50
	max protocol = SMB2
	unix extensions = No
	load printers = No
	printcap name = /dev/null
	disable spoolss = Yes
	template shell = /bin/bash
	idmap config * : range = 500-999999
	idmap config * : backend = nss
	ea support = Yes
	printing = bsd
	print command = lpr -r -P'%p' %s
	lpq command = lpq -P'%p'
	lprm command = lprm -P'%p' %j
	dfree command = /usr/local/bin/dfree

[zfsshare]
	comment = ZFS share
	path = /testpool/samba
	read only = No
	inherit permissions = Yes
	map archive = No
	map readonly = no
	store dos attributes = Yes
	wide links = Yes
	vfs objects = shadow_copy2, streams_xattr, zfsacl
	zfsacl:acesort = dontcare
	nfs4:mode = special
	nfs4:chown = yes
	nfs4:acedup = merge
	shadow:format = GMT-%Y.%m.%d-%H.%M.%S
	shadow:snapdir = .zfs/snapshot
	shadow:basedir = /testpool/samba

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
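
Added example (not part of the original thread, and not Samba's own code): a small Python check that cross-references the "no backend defined for idmap config ..." messages from log.winbindd-idmap against the idmap config lines in smb.conf, listing the domains that have no explicit backend line. The function names and the sample configuration and log text are constructed for illustration, modelled on the lines quoted in the thread.

```python
import re

# smb.conf parameter form: "idmap config DOMAIN : option = value"
IDMAP_RE = re.compile(r"^\s*idmap config\s+(.+?)\s*:\s*([\w ]+?)\s*=\s*(.*?)\s*$", re.I)
# winbindd message quoted in the thread from log.winbindd-idmap
NOBACKEND_RE = re.compile(r"no backend defined for idmap config\s+(.+?)\s*$", re.M)

def idmap_settings(conf_text):
    """Return {DOMAIN: {option: value}} for every idmap config line."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):  # smb.conf comment lines
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def domains_missing_backend(conf_text, log_text):
    """Domains winbindd complained about that have no explicit backend line."""
    settings = idmap_settings(conf_text)
    reported = {d.upper() for d in NOBACKEND_RE.findall(log_text)}
    return sorted(d for d in reported if "backend" not in settings.get(d, {}))

# Constructed samples, modelled on the configuration and log lines in the thread.
CONF_BEFORE = """[global]
    idmap config * : range = 500-999999
    idmap config * : backend = nss
"""
CONF_AFTER = CONF_BEFORE + """    idmap config CSS : range = 500-999999
    idmap config CSS : backend = nss
"""
LOG = """[2013/01/21 11:18:42.474060, 1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config CSS
[2013/01/21 11:18:42.722730, 1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config NT AUTHORITY
[2013/01/21 11:18:42.726528, 1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config AD
"""

if __name__ == "__main__":
    print("before:", domains_missing_backend(CONF_BEFORE, LOG))
    print("after: ", domains_missing_backend(CONF_AFTER, LOG))
```

The result only says which logged domains lack their own "idmap config DOMAIN : backend" line; whether each of them needs one depends on which domains' users must be mapped on that server.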