I think I've looked over every post that has acl or sid or winbind in it.  I don't 
think this has been discussed quite this way.
 
The symptom is similar to other posts but the environment is a bit different.  We can 
do perms through samba, and we can see acls that have been set using setfacl, but we 
can't change the acls (e.g., add a user).  We get:

[2002/11/15 17:02:17, 0] smbd/posix_acls.c:create_canon_ace_lists(823)
  create_canon_ace_lists: unable to map SID S-1-5-21-1831498067-1181229849-1093625069-1172 to uid or gid.

We have Solaris file servers and use acls for shared directories.  This is a great way 
to avoid excess group membership problems, and gives the owner of the shared directory 
control of perms.

We use NIS (yes, still, but ldap is coming soon :) for all UNIX workstations and the 
servers, and we also use an NT domain controller (PDC and BDCs) for the windows 
workstations.  The user names are the same on both account databases.  So I'm dpullman 
on windows and on UNIX logins.

We maintain a consistent uid and username in NIS on each account with a master 
database at our facility.  Lets us use shared resources across otherwise disconnected 
political boundaries, i.e., the login is the same and so the user is known.

Our windows logins map the homedir from a samba server and they can map drives to a 
shared directory server.  We'd like to give the users the ability to manipulate the 
perms, including acls, from the windows boxes.  BTW, we have NT4 and w2k but it's 
becoming mostly w2k so I'm testing with w2k.

I asked about this at Jerry's presentation at LISA and he suggested winbind and also 
said get to 2.2.6.  I'm testing 2.2.6, but unless I'm missing something, we can't go 
to winbind.  We need to use the NIS uids on the perms and it seems (I tried it on a 
test server) that the only way to use winbind is to use an arbitrary list of uids 
(e.g., 10000-20000).

Has anyone been able to get acl manipulation, specifically adding users to an acl, to 
work with a solaris file server?  I tried winbind, and I tried putting the usernames 
in /etc/passwd (which would not be pretty).  I have not yet tried ldap.  The essential 
issue seems to be that samba can't find a uid if given a sid.  It can find the sid 
from the uid, as it shows the username (albeit a machine domain/username) when the 
existing acl is inspected from the security dialog.

Here's some of the smb.conf on my test server:

[global]
workgroup = MELNT
server string = Test Samba Server
hosts allow = @cme, @mel
log file = /var/spool/samba/%m
log level = 2
max log size = 1000
security = domain
socket options = TCP_NODELAY
local master = no
os level = 20
domain master = no
preferred master = no
wins support = no
wins server = 129.6.71.15
wins proxy = no
dns proxy = no
password server = wart
encrypt passwords = yes
load printers = no

#==================== file creation and security masks =======================
# creation masks
# files
create mask = 0755
force create mode = 0000
map archive = no
map hidden = no
map system = no
# directories
directory mask = 0755
force directory mode = 0000

# security masks
# files
security mask = 0777
force security mode = 0000
# directories
directory security mask = 0777
force directory security mode = 0000

Thanks very much.

Dave

-- 
David Pullman
Systems Administrator
Manufacturing Engineering Laboratory
National Institute of Standards & Technology
Mail Stop 8203 
Gaithersburg, MD 20899-8260
Tel: (301) 975-5385
Fax: (301) 926-3842
E-mail: [EMAIL PROTECTED]
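As an added example that is not part of the post above: a small Python script that pulls every "unable to map SID" error out of an smbd log (the format quoted in the message), splits each SID into its domain part and RID, and groups the failures by domain, so you can see at a glance whether they all come from the one NT domain and which RIDs need an identity mapping. The sample log text is constructed; only the first error is the one quoted in the message.

```python
import re
from collections import defaultdict

# Constructed sample smbd log. The first error is the one from the message;
# the other lines (timestamps, second RID, BUILTIN SID) are made up.
SAMPLE_LOG = """\
[2002/11/15 17:02:17, 0] smbd/posix_acls.c:create_canon_ace_lists(823)
  create_canon_ace_lists: unable to map SID S-1-5-21-1831498067-1181229849-1093625069-1172 to uid or gid.
[2002/11/15 17:02:18, 2] smbd/open.c:open_file(300)
  dpullman opened file shared/notes.txt read=Yes write=No
[2002/11/15 17:05:40, 0] smbd/posix_acls.c:create_canon_ace_lists(823)
  create_canon_ace_lists: unable to map SID S-1-5-21-1831498067-1181229849-1093625069-1205 to uid or gid.
[2002/11/15 17:06:01, 0] smbd/posix_acls.c:create_canon_ace_lists(823)
  create_canon_ace_lists: unable to map SID S-1-5-32-545 to uid or gid.
"""

# Matches the smbd message and captures the textual SID.
UNMAPPED_RE = re.compile(r"unable to map SID (S-1-\d+(?:-\d+)+) to uid or gid")


def split_sid(sid):
    """Split 'S-1-<authority>-<sub>...-<rid>' into (authority, subauthorities, rid)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a valid SID: %r" % sid)
    nums = [int(p) for p in parts[2:]]
    return nums[0], tuple(nums[1:-1]), nums[-1]


def domain_of(sid):
    """Return the domain SID (everything but the RID) for an NT domain account SID
    (authority 5, first subauthority 21), or None for well-known/BUILTIN SIDs
    such as S-1-5-32-545 (BUILTIN\\Users)."""
    authority, subs, _rid = split_sid(sid)
    if authority == 5 and subs and subs[0] == 21:
        return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))
    return None


def unmapped_sids(log_text):
    """Group the SIDs smbd could not map: {domain: {rid: occurrences}}."""
    report = defaultdict(lambda: defaultdict(int))
    for m in UNMAPPED_RE.finditer(log_text):
        sid = m.group(1)
        dom = domain_of(sid) or "well-known/builtin"
        report[dom][split_sid(sid)[2]] += 1
    return {d: dict(r) for d, r in report.items()}


if __name__ == "__main__":
    for dom, rids in unmapped_sids(SAMPLE_LOG).items():
        print(dom, sorted(rids))
```

If every failing SID shares the domain prefix of your PDC, the problem is purely that those domain accounts have no uid mapping on the file server, which is the situation the message describes.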

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba