I think I've looked over every post that has acl or sid or winbind in it. I don't think this has been discussed quite this way. The symptom is similar to other posts but the environment is a bit different.

We can do perms through samba, and we can see acls that have been set using setfacl, but we can't change the acls (e.g., add a user). We get:

    [2002/11/15 17:02:17, 0] smbd/posix_acls.c:create_canon_ace_lists(823)
      create_canon_ace_lists: unable to map SID S-1-5-21-1831498067-1181229849-1093625069-1172 to uid or gid.

We have Solaris file servers and use acls for shared directories. This is a great way to avoid excess group membership problems, and gives the owner of the shared directory control of perms. We use NIS (yes, still, but ldap is coming soon :) for all UNIX workstations and the servers, and we also use a NT domain controller (PDC and BDCs) for the windows workstations. The user names are the same on both account databases. So I'm dpullman on windows and on UNIX logins. We maintain a consistent uid and username in NIS on each account with a master database at our facility. Lets us use shared resources across otherwise disconnected political boundaries, i.e., the login is the same and so the user is known.

Our windows logins map the homedir from a samba server and they can map drives to a shared directory server. We'd like to give the users the ability to manipulate the perms, including acls, from the windows boxes. BTW, we have NT4 and w2k but it's becoming mostly w2k so I'm testing with w2k.

I asked about this at Jerry's presentation at LISA and he suggested winbind and also said get to 2.2.6. I'm testing 2.2.6, but unless I'm missing something, we can't go to winbind. We need to use the NIS uids on the perms and it seems (I tried it on a test server) that the only way to use winbind is to use an arbitrary list of uids (e.g., 10000-20000).

Has anyone been able to get acl manipulation, specifically adding users to an acl, to work with a solaris file server? I tried winbind, and I tried putting the usernames in /etc/passwd (which would not be pretty). I have not yet tried ldap.

The essential issue seems to be that samba can't find a uid if given a sid. It can find the sid from the uid, as it shows the username (albeit a machine domain/username) when the existing acl is inspected from the security dialog.

Here's some of the smb.conf on my test server:

    [global]
        workgroup = MELNT
        server string = Test Samba Server
        hosts allow = @cme, @mel
        log file = /var/spool/samba/%m
        log level = 2
        max log size = 1000
        security = domain
        socket options = TCP_NODELAY
        local master = no
        os level = 20
        domain master = no
        preferred master = no
        wins support = no
        wins server = 129.6.71.15
        wins proxy = no
        dns proxy = no
        password server = wart
        encrypt passwords = yes
        load printers = no

    #==================== file creation and security masks ======================#
    # creation masks
    # files
        create mask = 0755
        force create mode = 0000
        map archive = no
        map hidden = no
        map system = no
    # directories
        directory mask = 0755
        force directory mode = 0000
    # security masks
    # files
        security mask = 0777
        force security mode = 0000
    # directories
        directory security mask = 0777
        force directory security mode = 0000

Thanks very much.

Dave

-- 
David Pullman
Systems Administrator
Manufacturing Engineering Laboratory
National Institute of Standards & Technology
Mail Stop 8203
Gaithersburg, MD 20899-8260
Tel: (301) 975-5385
Fax: (301) 926-3842
E-mail: david.pullman@nist.gov
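
Added example, not part of the original post and not Samba project code: a small parser for the smbd log error quoted above that collects every SID smbd could not map and splits it into its domain (or machine) prefix and RID, so the failing account can be identified. The names ENTRY, UNMAPPED, split_sid and unmapped_sids are hypothetical, and SAMPLE is constructed from the log line in the post plus one made-up unrelated entry.

```python
import re
from collections import Counter

# An smbd log entry: "[date time, level] file:function(line)" header, with the
# message on the following line (or on the same line if the log was flattened).
ENTRY = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+)\s+(?P<msg>.*?)(?=\s*\[\d{4}/|\Z)", re.S)
UNMAPPED = re.compile(r"unable to map SID (S-1(?:-\d+)+) to uid or gid")

def split_sid(sid):
    """Return (prefix, rid): the RID is the last sub-authority of the SID."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])

def unmapped_sids(log_text):
    """Count SID-to-uid/gid mapping failures per (prefix, rid) in smbd log text."""
    hits = Counter()
    for entry in ENTRY.finditer(log_text):
        m = UNMAPPED.search(entry.group("msg"))
        if m:
            hits[split_sid(m.group(1))] += 1
    return hits

# Constructed sample: the error from the post (two-line and flattened forms)
# and one made-up unrelated entry that must be ignored.
SAMPLE = """\
[2002/11/15 17:02:17, 0] smbd/posix_acls.c:create_canon_ace_lists(823)
  create_canon_ace_lists: unable to map SID S-1-5-21-1831498067-1181229849-1093625069-1172 to uid or gid.
[2002/11/15 17:02:18, 2] smbd/example.c:example_function(1)
  constructed unrelated message
[2002/11/15 17:03:41, 0] smbd/posix_acls.c:create_canon_ace_lists(823) create_canon_ace_lists: unable to map SID S-1-5-21-1831498067-1181229849-1093625069-1172 to uid or gid.
"""

if __name__ == "__main__":
    for (prefix, rid), count in unmapped_sids(SAMPLE).items():
        print(f"{count} failure(s): prefix {prefix}, RID {rid}")
```

Grouping by prefix shows whether the failing SIDs all come from one domain or from several, which is the first thing to establish when uid-to-SID lookups work but the reverse direction does not.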