On Fri, 2012-06-22 at 16:11 +0100, Colin Fowler wrote:
> On 21/06/12 17:50, Jeremy Allison wrote:
> > On Thu, Jun 21, 2012 at 05:50:45PM +0100, Colin Fowler wrote:
> >> Note the DOMAIN and not "Unix User". Clicking apply simply makes the
> >> new entry disappear.
> >>
> >> If username mapping is working correctly, why does adding an ACL for
> >> DOMAIN\nigel not set an ACL for Unix User\nigel?
> > I'm not sure username mapping is being done in that
> > codepath. This is designed to work (and normally tested
> > with) winbindd.
> >
> > Jeremy.
> I've done some poking and I've found an answer as to why it won't work
> with username to username mapping. Quite simply, the client doesn't ask
> samba to apply an ACL to a username. It is instead asked to apply it to
> an SID
>
> [2012/06/22 15:22:10.495700, 0]
> smbd/posix_acls.c:1735(create_canon_ace_lists)
> create_canon_ace_lists: unable to map SID
> S-1-5-21-2516220118-3886572273-1107914255-8269 to uid or gid.
> [2012/06/22 15:22:10.498944, 10] smbd/posix_acls.c:3412(posix_get_nt_acl)
> posix_get_nt_acl: called for file test2/New Text Document.txt
>
> I'm not running winbind so samba can't map the SID to a UID.
>
> All is not lost though!
>
> net -P ads sid S-1-5-21-2516220118-3886572273-1107914255-8269 works
> correctly.
>
> I can obviously grep the username/groupname out of there and use id to
> turn it into a valid unix uid or gid
>
> A simple script could do this easily if I add some code to
> source3/smbd/posix_acls.c and add an option such as "username sid map
> script =" to the smb.conf.
>
> Is this completely nuts or would a patch like this be accepted?

This would essentially be the same as running winbindd and using
idmap_nss as I understand it.

We wrote winbindd for a purpose, and it handles many of the important
tasks of being in an AD domain. We do support not running it, but it is
a degraded mode.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
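
For triaging the failure shown in the quoted log, this added example (not code from the thread or from Samba) groups smbd log records and counts the SIDs that could not be mapped to a uid or gid. The function names are this example's own, and the third sample record is constructed.

```python
import re
from collections import Counter

# Start of an smbd log record: "[YYYY/MM/DD HH:MM:SS.usec, level]"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d [\d:.]+),\s*(\d+)\]")
# Message quoted in the thread; \s+ tolerates mail-wrapped lines once joined
UNMAPPED = re.compile(r"unable to map SID\s+(S-1-[\d-]+)\s+to uid or gid")

# First two records are the log lines quoted in the thread (as wrapped by the
# mail client); the third is CONSTRUCTED, in smbd's usual two-line layout.
SAMPLE = """\
[2012/06/22 15:22:10.495700, 0]
smbd/posix_acls.c:1735(create_canon_ace_lists)
create_canon_ace_lists: unable to map SID
S-1-5-21-2516220118-3886572273-1107914255-8269 to uid or gid.
[2012/06/22 15:22:10.498944, 10] smbd/posix_acls.c:3412(posix_get_nt_acl)
posix_get_nt_acl: called for file test2/New Text Document.txt
[2012/06/22 15:23:41.000000,  0] smbd/posix_acls.c:1735(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID S-1-5-21-2516220118-3886572273-1107914255-8269 to uid or gid.
"""

def records(lines):
    """Yield (timestamp, debug level, text), joining continuation lines."""
    current = None
    for line in lines:
        m = HEADER.match(line)
        if m:
            if current:
                yield current[0], current[1], " ".join(current[2])
            current = (m.group(1), int(m.group(2)), [line[m.end():].strip()])
        elif current and line.strip():
            current[2].append(line.strip())
    if current:
        yield current[0], current[1], " ".join(current[2])

def unmapped_sids(lines):
    """Count unmapped SIDs, keyed by (domain SID, RID)."""
    counts = Counter()
    for _ts, _level, text in records(lines):
        for sid in UNMAPPED.findall(text):
            domain, _, rid = sid.rpartition("-")  # last sub-authority is the RID
            counts[(domain, int(rid))] += 1
    return counts

if __name__ == "__main__":
    for (domain, rid), n in unmapped_sids(SAMPLE.splitlines()).items():
        print(f"{n}x unmapped: domain={domain} rid={rid}")
```
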