Hi Lucas,
on both samba hosts (donald and pluto) these commands work great:
id johndoe
getent group
getent passwd
My pluto:/etc/nsswitch.conf looks like that:
[...]
passwd: compat ldap
group: compat ldap
shadow: compat ldap
[...]
I want to add, that the described problem works fine if I try it on a share on
"donald", my domain controller. The users are displayed fine under the security
tab. So where could be the problem?
Users may be displayed because through query to the PDC.
If your nsswitch works properly, then I think we ought to look into your
smb.conf. Could you please post the global part? Are you using
security=user or security=domain?
What do you get with pdbedit -L -v ?
By the way, samba4 rocks and it is much easier to setup. You should try it.
Cheers,
Denis
Lucas
Втр 14 Май 2013 19:57:00 +0400, Denis Cardon написал:
Hi Lucas,
I am struggling around with Windows ACLs and cannot find a solution nor how to troubleshoot that. I have two
samba3 hosts. Hostname "donald" is my domain controller with samba 3.x + OpenLDAP server running.
Hostname "pluto" is my other samba 3.x server which was joined to my domain. I use LDAP for my
users+groups. I dont have winbind on my machines. On hostname "pluto" I have a share in smb.conf
which says:
[free4all]
path = /data/free4all
read onlyXSSCleaned= No
create mask = 0777
directory mask = 0777
vfs object = acl_xattr
nt acl support = yes
dos filemode = yes
"testparm -s -a -v |grep acl" shows me:
acl compatibility = auto
acl check permissions = Yes
acl group control = No
acl map full control = Yes
force unknown acl user = No
inherit acls = No
nt acl support = Yes
profile acls = No
map acl inherit = No
vfs objects = acl_xattr
force unknown acl user = Yes
On a windows client I am right-clicking on \\pluto\free4all\subdir and choose the "Security" tab. I see a
user called "Everyone" and a user without username, but only SID number. The SID is
S-1-5-21-blablabla-1234567-blabla-500. I manually checked this SID at my LDAP database. Funnily I have two users with
this same SID, one is called "root" and the is called "admin". Weird, but not important imho at
this point.
Rid -500 is part of the well known SID, it should be for admin user and
shouldn't be used for root (http://support.microsoft.com/kb/243330)
Back on the windows client, inside the "Security" tab, I click on "Add" and choose a user
of my Domain Users. I see him in the list. But as soon as I click "Apply" on this window, the user
disappears from the security tab list. The logfile at samba-server hostname=pluto outputs:
[2013/05/14 15:48:08.861822, 0] smbd/posix_acls.c:1755(create_canon_ace_lists)
create_canon_ace_lists: unable to map SID
S-1-5-21-1062190697-4189521229-2202214947-129762 to uid or gid.
This SID was the user I tried to add. Why does this not work and how should I
fix or even troubleshoot that? I really need some assistance, I have no clue
what else to try. Thanks to everyone.
Are you sure that there is a uid/gid mapping for your samba users on
your server. For instance, if you type "id myusername" or "getent
passwd", do you get a uid?
If not, you should check if your /etc/nsswitch.conf configuration is ok.
If you don't use winbind, you should have nssldap configured.
Cheers,
Denis
Lucas.
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
