Re: [Samba] Question about AD user/ACL mapping

2007-03-15 Thread Jeremy Allison
On Thu, Mar 15, 2007 at 12:02:03AM -0400, Knox, Bill wrote:
 We have updated our long-standing Samba install on a Solaris 8 box to
 3.0.24 and are interested in making use of the Windows ACL mapping
 capabilities to help take over a Windows share. However, there is a
 snag - the pre-existing box has usernames that differ from people's
 Windows logins, i.e. their Unix login is freddy, and their Windows
 login is fred_smith.
 
 I have our AD domain membership working on the box and can see the ACLs
 work with a dummy account set up to match someone's Windows login (i.e.
 if in the above example, I set up a fred_smith account on the Unix
 box), but could find no way in the documentation to do a username
 mapping (equivalent to what is being done for logins) for the ACLs. Is
 it there and I just didn't see it, or does it not exist?

So this is when you're doing a right-click, security-tab,
show ACLs on the Windows client ?

I think we currently just display the usernames we get
from the SID mapping subsystem when the client does the SID - name
lookup to display these. I need to look at the code to see 
how easy it would be to do a reverse username map lookup
for this - although it would be lossy as username map allows
multiple Windows names to map onto one UNIX one.

Jeremy.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


RE: [Samba] Question about AD user/ACL mapping

2007-03-15 Thread Knox, Bill
Yes, in the security-tab when I am trying to add an ACL to a file on
the Samba share.

Let me extend the example a bit to explain what we are doing:

The server has a local username freddy, and the domain contains a user
fred_smith.
The username map file contains:
freddy = DOMAIN\fred_smith

When I try to add permissions for fred_smith in the security tab on
Windows, I get an error in the log file like this:

[2007/03/14 15:17:38, 0] smbd/posix_acls.c:create_canon_ace_lists(1399)
  create_canon_ace_lists: unable to map SID S-1-5-21-XX-X-XX-X to uid or gid.

However, I can access shares as fred_smith and my access gets mapped to
the freddy user, and I can run wbinfo -n fred_smith on the box to get a
SID back.

When viewing ACLs in the tab that are set on the filesystem itself,
they come back as username (Unix User\username) in the listing as
well.

It would also work if there were a tool to manually populate the
winbindd_idmap.tdb file - does such a thing exist that is fairly
usable? What are the implications for my interaction with the AD if I
did something as screwball as that?

Thanks for the help.


  Bill Knox
  Lead Operating Systems Programmer/Analyst
  The MITRE Corporation

-Original Message-
From: Jeremy Allison [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 15, 2007 12:54 PM
To: Knox, Bill
Cc: samba@lists.samba.org
Subject: Re: [Samba] Question about AD user/ACL mapping

On Thu, Mar 15, 2007 at 12:02:03AM -0400, Knox, Bill wrote:
 We have updated our long-standing Samba install on a Solaris 8 box to
 3.0.24 and are interested in making use of the Windows ACL mapping
 capabilities to help take over a Windows share. However, there is a
 snag - the pre-existing box has usernames that differ from people's
 Windows logins, i.e. their Unix login is freddy, and their Windows
 login is fred_smith.
 
 I have our AD domain membership working on the box and can see the
ACLs
 work with a dummy account set up to match someone's Windows login
(i.e.
 if in the above example, I set up a fred_smith account on the Unix
 box), but could find no way in the documentation to do a username
 mapping (equivalent to what is being done for logins) for the ACLs.
Is
 it there and I just didn't see it, or does it not exist?

So this is when you're doing a right-click, security-tab,
show ACLs on the Windows client ?

I think we currently just display the usernames we get
from the SID mapping subsystem when the client does the SID - name
lookup to display these. I need to look at the code to see 
how easy it would be to do a reverse username map lookup
for this - although it would be lossy as username map allows
multiple Windows names to map onto one UNIX one.

Jeremy.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Question about AD user/ACL mapping

2007-03-15 Thread Jeremy Allison
On Thu, Mar 15, 2007 at 03:16:47PM -0400, Knox, Bill wrote:
 Yes, in the security-tab when I am trying to add an ACL to a file on
 the Samba share.
 
 Let me extend the example a bit to explain what we are doing:
 
 The server has a local username freddy, and the domain contains a user
 fred_smith
 The usernamemap file contains:
 freddy = DOMAIN\fred_smith
 
 When I try to add permissions for fred_smith in the security tab on
 Windows, I get an error in the log file like this:
 
 [2007/03/14 15:17:38, 0] smbd/posix_acls.c:create_canon_ace_lists(1399)
   create_canon_ace_lists: unable to map SID
 S-1-5-21-XX-X-XX-X to uid or gid.
 
 However, I can access shares as fred_smith and my access gets mapped to
 the freddy user, and I can run wbinfo -n fred_smith on the box to get a
 SID back.
 
 When viewing ACLs in the tab that are set on the filesystem itself,
 they come back as username (Unix User\username) in the listing as
 well.
 
 It would also work if there were a tool to manually populate the
 winbindd_idmap.tdb file - does such a thing exist that is fairly
 useable? What are the implications for my interaction with the AD if I
 did something as screwball as that?

Ok, this is the function: sid_to_uid() or sid_to_gid()
failing to return a valid value. Are you running
winbindd here ?

Jeremy.
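The contrast behind Jeremy's diagnosis (logon applies the smb.conf username map, while the ACL editor's sid_to_uid() path does not, and a reverse lookup would be lossy), modelled in Python as an added example rather than Samba's own code. The username map file, passwd table and SID table are constructed, and "first matching rule wins" is a simplification of Samba's real matching.

```python
# Simplified model of the two Samba lookup paths contrasted in this thread
# (added example, not Samba's code): logon applies the smb.conf 'username
# map', but the ACL editor's SID -> uid step does not. Tables are constructed.
USERNAME_MAP = """
# constructed sample in 'unixname = winname [winname ...]' format
freddy = DOMAIN\\fred_smith DOMAIN\\fsmith
"""
PASSWD = {"root": 0, "freddy": 1001}                        # constructed
SID_TO_NAME = {"S-1-5-21-1-2-3-1105": "DOMAIN\\fred_smith"}  # constructed

def parse_username_map(text):
    """Return [(unix_name, [windows_names]), ...] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            unix, wins = (part.strip() for part in line.split("=", 1))
            rules.append((unix, wins.split()))
    return rules

def map_username(win_name, rules):
    """Logon path: first rule naming win_name wins (matched case-insensitively
    here, a simplification); an unmapped name passes through unchanged."""
    for unix, wins in rules:
        if win_name.lower() in (w.lower() for w in wins):
            return unix
    return win_name

def logon_uid(win_name, rules):
    return PASSWD.get(map_username(win_name, rules))

def sid_to_uid(sid, rules=None):
    """ACL path: SID -> DOMAIN\\name via winbind, then that name must be a UNIX
    account. Passing rules adds the map lookup the thread says is missing."""
    name = SID_TO_NAME.get(sid)
    if name is None:
        return None
    uid = PASSWD.get(name.split("\\", 1)[-1])
    if uid is None and rules is not None:
        uid = PASSWD.get(map_username(name, rules))
    return uid

def windows_names_for(unix_name, rules):
    """Display direction reversed: lossy whenever more than one Windows name
    maps onto the same UNIX name, as Jeremy notes."""
    names = {}
    for unix, wins in rules:
        names.setdefault(unix, []).extend(wins)
    return names.get(unix_name, [])
```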


RE: [Samba] Question about AD user/ACL mapping

2007-03-15 Thread Knox, Bill
Yes - I assumed that is what is allowing it to work if I create a
fred_smith user on the Unix box (which then works fine), and what is
letting wbinfo work. It seems to really be the mapping that would be
required to make winbindd know that fred_smith in the domain is the
same as freddy on the Unix box.


  Bill Knox
  Lead Operating Systems Programmer/Analyst
  The MITRE Corporation

-Original Message-
From: Jeremy Allison [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 15, 2007 5:17 PM
To: Knox, Bill
Cc: samba@lists.samba.org
Subject: Re: [Samba] Question about AD user/ACL mapping

On Thu, Mar 15, 2007 at 03:16:47PM -0400, Knox, Bill wrote:
 Yes, in the security-tab when I am trying to add an ACL to a file on
 the Samba share.
 
 Let me extend the example a bit to explain what we are doing:
 
 The server has a local username freddy, and the domain contains a
user
 fred_smith
 The usernamemap file contains:
 freddy = DOMAIN\fred_smith
 
 When I try to add permissions for fred_smith in the security tab on
 Windows, I get an error in the log file like this:
 
 [2007/03/14 15:17:38, 0]
smbd/posix_acls.c:create_canon_ace_lists(1399)
   create_canon_ace_lists: unable to map SID
 S-1-5-21-XX-X-XX-X to uid or gid.
 
 However, I can access shares as fred_smith and my access gets mapped
to
 the freddy user, and I can run wbinfo -n fred_smith on the box to get
a
 SID back.
 
 When viewing ACLs in the tab that are set on the filesystem itself,
 they come back as username (Unix User\username) in the listing
as
 well.
 
 It would also work if there were a tool to manually populate the
 winbindd_idmap.tdb file - does such a thing exist that is fairly
 useable? What are the implications for my interaction with the AD if
I
 did something as screwball as that?

Ok, this is the function : sid_to_uid() or sid_to_gid()
failing to return a valid value. Are you running
winbindd here ?

Jeremy.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba