Hi Denis,

on both samba hosts (donald and pluto) these commands work great:

id johndoe
getent group
getent passwd

My pluto:/etc/nsswitch.conf looks like this:

[...]
passwd: compat ldap
group: compat ldap
shadow: compat ldap
[...]

I want to add that the described problem works fine if I try it on a share on "donald", my domain controller. The users are displayed fine under the security tab.

So where could be the problem?

Lucas

Tue 14 May 2013 19:57:00 +0400, Denis Cardon wrote:

Hi Lucas,

> I am struggling around with Windows ACLs and cannot find a solution nor how
> to troubleshoot that. I have two samba3 hosts. Hostname "donald" is my domain
> controller with samba 3.x + OpenLDAP server running. Hostname "pluto" is my
> other samba 3.x server which was joined to my domain. I use LDAP for my
> users+groups. I don't have winbind on my machines. On hostname "pluto" I have
> a share in smb.conf which says:
>
> [free4all]
> path = /data/free4all
> read only = No
> create mask = 0777
> directory mask = 0777
> vfs object = acl_xattr
> nt acl support = yes
> dos filemode = yes
>
> "testparm -s -a -v |grep acl" shows me:
>
> acl compatibility = auto
> acl check permissions = Yes
> acl group control = No
> acl map full control = Yes
> force unknown acl user = No
> inherit acls = No
> nt acl support = Yes
> profile acls = No
> map acl inherit = No
> vfs objects = acl_xattr
> force unknown acl user = Yes
>
> On a windows client I am right-clicking on \\pluto\free4all\subdir and choose
> the "Security" tab. I see a user called "Everyone" and a user without
> username, but only SID number. The SID is
> S-1-5-21-blablabla-1234567-blabla-500. I manually checked this SID at my
> LDAP database. Funnily I have two users with this same SID, one is called
> "root" and the other is called "admin". Weird, but not important imho at this point.

Rid -500 is part of the well known SID, it should be for admin user and shouldn't be used for root (http://support.microsoft.com/kb/243330)

> Back on the windows client, inside the "Security" tab, I click on "Add" and
> choose a user of my Domain Users. I see him in the list. But as soon as I
> click "Apply" on this window, the user disappears from the security tab list.
> The logfile at samba-server hostname=pluto outputs:
>
> [2013/05/14 15:48:08.861822, 0]
> smbd/posix_acls.c:1755(create_canon_ace_lists)
> create_canon_ace_lists: unable to map SID
> S-1-5-21-1062190697-4189521229-2202214947-129762 to uid or gid.
>
> This SID was the user I tried to add. Why does this not work and how should I
> fix or even troubleshoot that? I really need some assistance, I have no clue
> what else to try. Thanks to everyone.

Are you sure that there is a uid/gid mapping for your samba users on your server? For instance, if you type "id myusername" or "getent passwd", do you get a uid? If not, you should check if your /etc/nsswitch.conf configuration is ok. If you don't use winbind, you should have nssldap configured.

Cheers,

Denis

>
> Lucas.
>

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr

----- End of forwarded message -----
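Added example, not written by either poster in the thread: one way to cross-check the "unable to map SID" log entries against an LDIF export of the directory, and to surface SIDs shared by several entries such as the root/admin pair mentioned above. It assumes the accounts carry the Samba schema attributes sambaSID and uidNumber; the log excerpt follows the format quoted in the thread, and the LDIF entries, DNs and uidNumber values are constructed.

```python
import re
from collections import defaultdict

# Constructed smbd log excerpt, in the format quoted in the thread.
SAMPLE_LOG = """\
[2013/05/14 15:48:08.861822,  0] smbd/posix_acls.c:1755(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID
  S-1-5-21-1062190697-4189521229-2202214947-129762 to uid or gid.
"""
# Constructed LDIF export (hypothetical DNs and values; attribute names assumed).
SAMPLE_LDIF = """\
dn: uid=root,ou=People,dc=example,dc=org
uid: root
uidNumber: 0
sambaSID: S-1-5-21-1062190697-4189521229-2202214947-500

dn: uid=admin,ou=People,dc=example,dc=org
uid: admin
uidNumber: 1000
sambaSID: S-1-5-21-1062190697-4189521229-2202214947-500
"""
UNMAPPED = re.compile(r"unable to map SID\s+(S-1-[\d-]+)\s+to uid or gid")

def unmapped_sids(log_text):
    """Unique SIDs smbd failed to map, in first-seen order (tolerates wrapped lines)."""
    return list(dict.fromkeys(UNMAPPED.findall(log_text)))

def entries_by_sid(ldif_text):
    """Map sambaSID -> [(uid, uidNumber)] from a simple, unfolded LDIF export."""
    by_sid = defaultdict(list)
    for block in ldif_text.strip().split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if "sambaSID" in attrs:
            by_sid[attrs["sambaSID"]].append((attrs.get("uid"), attrs.get("uidNumber")))
    return by_sid

def triage(log_text, ldif_text):
    """Classify each unmapped SID and list SIDs shared by several LDAP entries."""
    by_sid = entries_by_sid(ldif_text)
    report = {"missing": [], "no_uid": [], "duplicates": {}}
    for sid in unmapped_sids(log_text):
        owners = by_sid.get(sid, [])
        if not owners:
            report["missing"].append(sid)      # no LDAP entry carries this SID
        elif any(num is None for _, num in owners):
            report["no_uid"].append(sid)       # entry exists but has no uidNumber
    report["duplicates"] = {s: [u for u, _ in o] for s, o in by_sid.items() if len(o) > 1}
    return report
```

Calling triage() on a real smbd log and an LDIF export from the directory returns the SIDs to look at first; each one can then be checked with the "id" and "getent passwd" commands suggested in the thread.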