[Samba] create_canon_ace_lists: unable to map SID
I did search and found other folks with this issue, but I didn't see a solution to my specific issue. I am running Samba 3.4.7 on an Ubuntu 10.04 LTS server configured to authenticate to Active Directory via Kerberos and LDAP, for use with clients from OS X and Windows (no Linux clients). On the advice of my local Active Directory team Winbind has been uninstalled, and everything works nicely except for not being able to set ACLs from the Windows Properties > Security tab. When I add a new user it shows fine in the Security tab until I press Apply, at which point the newly added user disappears and on the Samba server the log shows:

smbd/posix_acls.c:1711(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID S-1-5-21-503695880-695175589-3595387526-10512 to uid or gid.

I can set and get ACLs from the Linux command line on the Samba share files OK using setfacl and getfacl, those settings can be seen OK in the Windows Properties > Security tab, and I have all the recommended ACL settings in smb.conf. getent passwd and getent group return the AD groups and users correctly. I read a mention of something similar here: http://help.lockergnome.com/linux/Samba-Samba-LDAP-error-windows-xp-ACL--ftopict509241.html but it is not clear to me from my searches or from reading the documents at http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html#id2613465 whether I must have winbind enabled to allow setting ACLs from Windows. Is winbind required for setting ACLs from Windows?

Here's my smb.conf for reference:

[global]
    unix extensions = no
    disable spoolss = Yes
    name resolve order = hosts
    workgroup = AD
    realm = AD.MYDOMAIN
    server string = %h server (Samba, Ubuntu)
    dns proxy = no
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    log level = 0
    logon home =
    logon path =
    panic action = /usr/share/samba/panic-action %d
    security = ads
    encrypt passwords = true
    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes
    pam password change = no
    map to guest = bad user
    usershare allow guests = no

[asgs]
    comment = ASGS
    path = /shares/asgs
    browsable = Yes
    valid users = @ad\ASGSFileUsers
    write list = @ad\ASGSFileUsers
    create mask = 2660
    force create mode = 0660
    directory mask = 2770
    force directory mode = 0770

and here's nsswitch.conf:

passwd:    files ldap
group:     files ldap
shadow:    files ldap
hosts:     files dns
networks:  files
protocols: db files
services:  db files
ethers:    db files
rpc:       db files
netgroup:  nis

and my pam.d/samba:

@include common-auth
@include common-account
@include common-session
auth    required   pam_unix.so nullok_secure
auth    sufficient pam_krb5.so minimum_uid=1000 use_first_pass
account sufficient pam_ldap.so use_first_pass
session sufficient pam_ldap.so

Thanks for your insight.

Grant

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
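The symptom Grant describes (the newly added user vanishes from the Security tab while smbd logs "unable to map SID") is what you get when a Windows ACE carries a SID the server cannot resolve to a uid or gid. The following is an added example, not code from the thread or from Samba itself: it models that conversion step with a small SID-to-uid/gid lookup table standing in for what winbindd/idmap would do, shows the lenient behaviour (unmappable entries are dropped and logged, so the on-disk ACL silently differs from what the admin set) next to a strict variant that rejects the whole update instead. The table entries with RIDs 1104 and 513 are constructed; the unmapped RID 10512 is the one from Grant's log line.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class WinAce:
    """One access control entry as sent by the Windows Security tab (simplified)."""
    sid: str
    perms: str  # simplified "rwx"-style permission string


@dataclass(frozen=True)
class PosixAce:
    """One POSIX ACL entry as it would be written with setfacl."""
    tag: str        # "user" or "group"
    qualifier: int  # uid or gid
    perms: str


# Constructed stand-in for the SID -> uid/gid resolution that winbindd/idmap
# would perform. The RIDs 1104 and 513 are made up; the domain part is the
# one from the log line quoted in the question.
SID_TABLE: Dict[str, Tuple[str, int]] = {
    "S-1-5-21-503695880-695175589-3595387526-1104": ("user", 1935),
    "S-1-5-21-503695880-695175589-3595387526-513": ("group", 100),
}


def to_posix_lenient(aces: List[WinAce], table: Dict[str, Tuple[str, int]]):
    """Drop every entry whose SID cannot be mapped and record a log line for it.

    This mirrors the observed behaviour: the user added in the dialog simply
    disappears after Apply, and the only trace is the smbd log message."""
    result: List[PosixAce] = []
    log: List[str] = []
    for ace in aces:
        mapped = table.get(ace.sid)
        if mapped is None:
            log.append(f"create_canon_ace_lists: unable to map SID {ace.sid} to uid or gid.")
            continue
        tag, ident = mapped
        result.append(PosixAce(tag, ident, ace.perms))
    return result, log


def to_posix_strict(aces: List[WinAce], table: Dict[str, Tuple[str, int]]) -> List[PosixAce]:
    """Hardened alternative (a design choice for illustration, not Samba's code):
    refuse the whole update if any SID is unmappable, so the ACL on disk never
    silently differs from what the administrator believes was applied."""
    unmapped = [a.sid for a in aces if a.sid not in table]
    if unmapped:
        raise LookupError("unmappable SIDs, refusing partial ACL update: " + ", ".join(unmapped))
    return [PosixAce(table[a.sid][0], table[a.sid][1], a.perms) for a in aces]


# Constructed ACE list: two resolvable entries around the one that fails.
SAMPLE_ACES = [
    WinAce("S-1-5-21-503695880-695175589-3595387526-1104", "rwx"),
    WinAce("S-1-5-21-503695880-695175589-3595387526-10512", "r-x"),
    WinAce("S-1-5-21-503695880-695175589-3595387526-513", "rwx"),
]


if __name__ == "__main__":
    posix, log = to_posix_lenient(SAMPLE_ACES, SID_TABLE)
    print("applied :", posix)
    print("logged  :", log)
    try:
        to_posix_strict(SAMPLE_ACES, SID_TABLE)
    except LookupError as exc:
        print("strict  :", exc)
```

The practical takeaway is that the log line is the only signal you get in the lenient case, so a check that greps smbd logs for "unable to map SID" after an ACL change from Windows is worth having even once the mapping problem is fixed.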
[Samba] create_canon_ace_lists: unable to map SID
I know this is probably something very simple, but I can't for the life of me figure out what's going on. This is a very basic setup using domain security, joined NT-style to an AD running in Mixed Mode. I am *not* using winbind; all user and group accounts are represented locally in /etc/passwd and /etc/group. For the most part this is functional: from a Windows client I am able to modify access permissions for users already in the ACL (using ACL support, filesystem mounted with the acl option, etc.). What I cannot do is add users to the ACL from the Windows side. Does anyone know what I am doing wrong?

Christian
Re: [Samba] create_canon_ace_lists: unable to map SID
Oooh, this one sounds like profile acls or something like that? I don't have it in front of me, but take a look for acl and profile in the man page for smb.conf.

Ryan Novosielski - Jr. UNIX Systems Admin
[EMAIL PROTECTED] - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science Bldg - C630

On Fri, 23 Apr 2004, Mac wrote:

| The searching I've done so far suggests that I might be able to work around this with:
|
|     nt acl support = no
|
| That hasn't helped. So I'm still getting:
|
|     [2004/04/23 12:42:13, 1] smbd/service.c:make_connection_snum(705)
|       dltest2 (212.219.217.98) connect to service profiles initially as user jsmith (uid=1935, gid=100) (pid 12038)
|     [2004/04/23 12:42:13, 0] smbd/posix_acls.c:create_canon_ace_lists(1380)
|       create_canon_ace_lists: unable to map SID S-1-5-21-973294077-3660535-3933214913-4632 to uid or gid.
|
| accompanied by:
|
|     Windows did not load your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Windows did not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrator's group must be the owner of the folder. Contact your network administrator.
|
| on the Windows XP Pro client.
|
| Any suggestions?
|
| Mac
| Assistant Systems Administrator @nibsc.ac.uk
| [EMAIL PROTECTED]
| Work: +44 1707 641565
| Everything else: +44 7956 237670 (anytime)
Re: [Samba] create_canon_ace_lists: unable to map SID
Jerry wrote:

| Mac wrote:
| | [2004/04/23 10:22:32, 0] smbd/posix_acls.c:create_canon_ace_lists(1380)
| |   create_canon_ace_lists: unable to map SID S-1-5-21-973294077-3660535-3933214913-1177 to uid or gid.
|
| Sounds like bug 1139 which was fixed in 3.0.3rc1.

Err, nope. Have just downloaded 3.0.3rc1 and compiled. Same problem.

Could some kind soul please explain just what _should_ happen here and how.

I'm guessing that the XP Pro client has supplied a SID for some purpose and Samba is trying to match that to UNIX credentials.

Clearly this can't work, _ever_, because the Samba server doesn't know anything about SIDs, especially not this one, as it was generated by the AD domain controller when the user (jsmith) was created.

How do I tell Samba what the SID is for any particular username?

Should I use 'idmap'? (And pre-populate it from the AD?)

Mac
Assistant Systems Administrator @nibsc.ac.uk
[EMAIL PROTECTED]
Work: +44 1707 641565
Everything else: +44 7956 237670 (anytime)
Re: [Samba] create_canon_ace_lists: unable to map SID
Mac wrote:

| | create_canon_ace_lists: unable to map SID
| | S-1-5-21-973294077-3660535-3933214913-1177 to uid or gid.
| |
| | Sounds like bug 1139 which was fixed in 3.0.3rc1.
|
| Have just downloaded 3.0.3rc1 and compiled.
|
| Could some kind soul please explain just what _should_
| happen here and how.
|
| I'm guessing that the XP Pro client has supplied a SID
| for some purpose and Samba is trying to match that to
| UNIX credentials.
|
| Clearly this can't work, _ever_, because the Samba
| server doesn't know anything about SIDs, especially not this
| one as it was generated by the AD domain controller when
| the user (jsmith) was created.
|
| How do I tell Samba what the SID is for any particular username?
|
| Should I use 'idmap'? (and pre-populate it from the AD?)

Is this SID, S-1-5-21-973294077-3660535-3933214913-1177, from the AD domain or the local XP box?

Samba does understand SIDs. We receive the user's info during the net_samlogon() or by some other means. If all of the AD users and groups have matching pre-existing UNIX counterparts, then you can run winbindd and set 'winbindd trusted domains only = yes' to get the domain SID matched to existing UNIX accounts.

If you do not run winbindd, the UNIX users and groups are matched to a SID local to the Samba server (and hence why you will sometimes see this error message in your logs).

Hope this helps.

cheers, jerry
--
Hewlett-Packard - http://www.hp.com
SAMBA Team - http://www.samba.org
GnuPG Key - http://www.plainjoe.org/gpg_public.asc
...a hundred billion castaways looking for a home. --- Sting
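Jerry's answer turns on where the SID in the log line comes from: if its domain part is the AD domain's SID, only winbindd/idmap (or matching UNIX accounts with winbindd running) can turn it into a uid or gid; if it is the Samba server's own local SID, the account lives in the server's local SID space. The following is an added example, not code from the thread or from Samba, that makes that check mechanical: it pulls every "unable to map SID" line out of smbd log text, splits each SID into its domain part and RID, and classifies it against the AD domain SID (taken from the SIDs Mac quoted) and the server's local SID (a constructed placeholder here; on a real host it comes from `net getlocalsid`). The log sample is constructed on the model of the lines quoted in this thread.

```python
import re
from typing import List, Tuple

# Constructed sample log, modelled on the smbd lines quoted in this thread.
# The first SID is the one Mac reported; the second and third are made up.
SAMPLE_LOG = """\
[2004/04/23 12:42:13, 1] smbd/service.c:make_connection_snum(705)
  dltest2 (212.219.217.98) connect to service profiles initially as user jsmith (uid=1935, gid=100) (pid 12038)
[2004/04/23 12:42:13, 0] smbd/posix_acls.c:create_canon_ace_lists(1380)
  create_canon_ace_lists: unable to map SID S-1-5-21-973294077-3660535-3933214913-4632 to uid or gid.
[2004/04/23 12:42:14, 0] smbd/posix_acls.c:create_canon_ace_lists(1380)
  create_canon_ace_lists: unable to map SID S-1-5-21-111111111-222222222-333333333-1001 to uid or gid.
[2004/04/23 12:42:15, 0] smbd/posix_acls.c:create_canon_ace_lists(1380)
  create_canon_ace_lists: unable to map SID S-1-5-32-544 to uid or gid.
"""

# Domain part of the SIDs quoted in the thread (the AD domain) and a constructed
# placeholder for the Samba server's own local SID (`net getlocalsid` on a real host).
AD_DOMAIN_SID = "S-1-5-21-973294077-3660535-3933214913"
LOCAL_SERVER_SID = "S-1-5-21-111111111-222222222-333333333"

# Matches the SID in "create_canon_ace_lists: unable to map SID <sid> to uid or gid."
UNMAPPED_RE = re.compile(r"unable to map SID (S-1-[0-9]+(?:-[0-9]+)+) to uid or gid")


def split_sid(sid: str) -> Tuple[str, int]:
    """Split a SID into (issuer/domain part, RID).

    S-1-5-21-a-b-c-RID is a domain or local-machine SID, so the domain part is
    S-1-5-21-a-b-c. For other SIDs (e.g. BUILTIN, S-1-5-32-544) the last
    sub-authority is treated as the RID and the rest as the issuer."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID: {sid!r}")
    if parts[2] == "5" and parts[3] == "21" and len(parts) == 8:
        return "-".join(parts[:7]), int(parts[7])
    return "-".join(parts[:-1]), int(parts[-1])


def classify(sid: str, ad_domain_sid: str, local_server_sid: str) -> str:
    """Say which SID space an unmapped SID belongs to, following Jerry's explanation."""
    domain, _rid = split_sid(sid)
    if domain == ad_domain_sid:
        return "domain"   # AD account: needs winbindd/idmap to become a uid/gid
    if domain == local_server_sid:
        return "local"    # account in the Samba server's own SID space
    if domain == "S-1-5-32":
        return "builtin"  # BUILTIN alias such as Administrators (RID 544)
    return "unknown"      # some other domain or machine: check trusts/idmap config


def report(log_text: str, ad_domain_sid: str, local_server_sid: str) -> List[Tuple[str, str]]:
    """Return (sid, classification) for every unmapped SID in the log text, in order."""
    return [(sid, classify(sid, ad_domain_sid, local_server_sid))
            for sid in UNMAPPED_RE.findall(log_text)]


if __name__ == "__main__":
    for sid, kind in report(SAMPLE_LOG, AD_DOMAIN_SID, LOCAL_SERVER_SID):
        print(f"{sid:50} {kind}")
```

Run against a real log.smbd with the two SID constants replaced by the values from the AD domain and `net getlocalsid`, a "domain" result for every failing line is the signature of the situation Jerry describes: accounts are coming from AD but nothing on the server maps that domain's SIDs to UNIX IDs.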
Re: [Samba] create_canon_ace_lists: unable to map SID
Mac wrote:

| [2004/04/23 10:22:32, 0] smbd/posix_acls.c:create_canon_ace_lists(1380)
|   create_canon_ace_lists: unable to map SID S-1-5-21-973294077-3660535-3933214913-1177 to uid or gid.

Sounds like bug 1139 which was fixed in 3.0.3rc1.

cheers, jerry
[Samba] create_canon_ace_lists: unable to map SID
Hi all,

I'm trying to get a Samba server (which is a member of a Samba-controlled domain) to store WinXP Pro users' profiles. The XP user is authenticating against a 2003 Active Directory server, which then tells it to store its profile on my Samba server. The 'profiles' share exists and is writeable, and under some circumstances we can get profiles to be stored there; however, most times we get:

[2004/04/23 10:22:32, 0] smbd/posix_acls.c:create_canon_ace_lists(1380)
  create_canon_ace_lists: unable to map SID S-1-5-21-973294077-3660535-3933214913-1177 to uid or gid.

in the Samba log files, accompanied by an error message on the client.

This is with Samba 3.0.2a on Solaris 9 (the Samba DC is 2.2.8a on IRIX).

The searching I've done so far suggests that I might be able to work around this with:

    nt acl support = no

but I can't find that in the Samba 3.x doco? Has it been retired?

My gut feeling is that the Samba server (or possibly the DC) needs to know what the user's SID is. But (since it's not joined to the AD) it doesn't, and attempts at autogenerating one will fail to match. Is this close?

Mac
Assistant Systems Administrator @nibsc.ac.uk
[EMAIL PROTECTED]
Work: +44 1707 641565
Everything else: +44 7956 237670 (anytime)
Re: [Samba] create_canon_ace_lists: unable to map SID
| The searching I've done so far suggests that I might be able to work around this with:
|
|     nt acl support = no
|
| but I can't find that in the Samba 3.x doco? Has it been retired?

Whoops. It is still in there, but the Samba web pages are currently experiencing difficulties, so my search failed to find it.

I'm going to turn it on and see what happens.

Mac
Assistant Systems Administrator @nibsc.ac.uk
[EMAIL PROTECTED]
Work: +44 1707 641565
Everything else: +44 7956 237670 (anytime)
Re: [Samba] create_canon_ace_lists: unable to map SID
| The searching I've done so far suggests that I might be able to work around this with:
|
|     nt acl support = no

That hasn't helped. So I'm still getting:

[2004/04/23 12:42:13, 1] smbd/service.c:make_connection_snum(705)
  dltest2 (212.219.217.98) connect to service profiles initially as user jsmith (uid=1935, gid=100) (pid 12038)
[2004/04/23 12:42:13, 0] smbd/posix_acls.c:create_canon_ace_lists(1380)
  create_canon_ace_lists: unable to map SID S-1-5-21-973294077-3660535-3933214913-4632 to uid or gid.

accompanied by:

    Windows did not load your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Windows did not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrator's group must be the owner of the folder. Contact your network administrator.

on the Windows XP Pro client.

Any suggestions?

Mac
Assistant Systems Administrator @nibsc.ac.uk
[EMAIL PROTECTED]
Work: +44 1707 641565
Everything else: +44 7956 237670 (anytime)
[Samba] create_canon_ace_lists: unable to map SID
I have a Samba server on Linux with an LDAP DC. On a client server, I did

    net join -S DOMSERV -Uadmin%PASSWORD

and that works. The member server of DOMSERV has a share on an XFS filesystem. When I set the ACL manually (setfacl -m g:group:rwx the_file) it's OK; the other domain members see the ACL. But when I set the ACL from a Windows workstation, it doesn't work:

smbd/posix_acls.c:create_canon_ace_lists(1380)
  create_canon_ace_lists: unable to map SID

My client smb.conf:

[global]
    workgroup = TOTODOM
    server string = Samba Server
    security = DOMAIN
    password server = domain-srv
    log file = /var/log/samba/%m.log
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    load printers = No
    dns proxy = No
    ldap ssl = no
    map acl inherit = Yes

My server smb.conf:

[global]
    unix charset = ASCII
    workgroup = DOMSERV
    server string = Samba Server
    update encrypted = Yes
    passdb backend = ldapsam:ldap://192.168.53.58, guest
    passwd program = /usr/bin/smbpasswd %u
    passwd chat = *new*password* %n\n *new*password* %n\n *changed*
    passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
    unix password sync = no
    encrypt passwords = Yes
    passwd chat debug = Yes
    log file = /var/log/samba/log.%m
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    bind interfaces only = no
    interfaces = eth0 lo
    pam password change = yes
    add user script = /usr/bin/smbpasswd -a %u -D 256
    delete user script = /usr/bin/smbpasswd -x %u -D 256
    add machine script = /usr/bin/smbpasswd -m -a %u$ -D 256
    logon script = netlogon.bat
    logon path = \\srv-image\profiles\%u
    logon drive = X:
    logon home = \\srv-image\%u
    domain logons = Yes
    os level = 65
    preferred master = No
    domain master = Yes
    dns proxy = No
    ldap suffix = dc=domserv,dc=com
    ldap machine suffix = ou=hosts
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap admin dn = cn=manager,dc=domserv,dc=com
    #ldap delete dn = Yes
    #ldap trust ids = Yes
    ldap ssl = no
    ldap passwd sync = Yes
    admin users = Administrator root
    hosts allow = 192.168.53.0/255.255.255.0 127.0.0.1
    #ldap filter = ((uid=%u) (objectclass=sambaAccount))
    ldap delete dn = yes

Can someone help me?

--
Daniel Chnard
Croesus Finansoft Inc.
2 Place Laval, Suite 510
Laval, Quebec Canada H7N 5N6
Site Web: www.croesus.com
[EMAIL PROTECTED]
Tel: +1 450-662-6101, 145
Fax: +1 450-662-3629

Please Note: The Light at the End of The Tunnel will be turned off until further notice due to budget cutbacks. --The Management