On Friday 01 October 2004 02:41, Henrik Beckman wrote:
> Hi all
>
> I get the following errors when trying to set acls, client os is NT4 and
> XP, server is 3.0.7 on solaris9
>
> [2004/10/01 09:33:22, 0] smbd/posix_acls.c:create_canon_ace_lists(1385)
>   create_canon_ace_lists: unable to map SID <sid number removed by me> to uid or gid.
>
> Samba is a member in a NT4 domain, all permissions are managed by unix
> uid/gid which are in NIS, each unix user exists in NT but no groups.
> (passwords are synchronized.)
> There is a user.map file for those 5 users who don't have the same
> username in unix as in the domain but those are admin accounts only.
>
> Do I have to use winbind to get the mapping to work ?
>
> [global]
>         workgroup = <DOMAIN NAME>
>         netbios name = <netbios NAME>
>         server string = <server name>
>         security = DOMAIN
>         encrypt passwords = Yes
This is already default behavior - no need to set it.
>         min passwd length = 6
>         password server = <pdc> <bdc>
This is worked out automatically - only need to specify it if you absolutely 
need to force samba to authenticate to a particular PDC or BDC server.
>         username map = /usr/local/samba/lib/users.map
>         #loglevel = 2
>         log file = /var/opt/samba/log/%m
>         name resolve order = host wins bcast
Suggest:
	name resolve order = wins bcast host
>         time server = Yes
>         deadtime = 10
>         wins server = <wins1> <wins2>
Specify only one WINS server.
>         kernel oplocks = No
>         host msdfs = Yes
>         invalid users = smsclitoknacct& smsclisvcacct&
>         create mask = 0644
>         inherit acls = Yes
Add:
	idmap uid = 15000-20000
	idmap gid = 15000-20000
Also, you must run winbindd. I hope you have added to your /etc/nsswitch.conf 
file:
	hosts: files dns wins
	passwd: files winbind
	shadow: files winbind
	group: files winbind
Make sure that the following work:
	wbinfo -u
	wbinfo -g
	getent passwd
	getent group
>
> Samba is compiled with acl support.
> ACLs are used in the ufs filesystem and work.
>
> This is slowly driving me insane.....
http://www.samba.org/samba/docs/Samba-Guide.pdf 
See chapter 9.
It's all explained there. If it is not clear and I have failed to cover your
needs please let me know so I can update the documentation.
- John T.
-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
OpenLDAP by Example, ISBN: 0131488732
Other books in production.
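
The setup steps in the reply above (idmap ranges in smb.conf, winbind in nsswitch.conf) can be checked before winbindd is started. The script below is an added example, not part of the original post or of Samba; its function names are hypothetical, and the check that the idmap range does not overlap existing unix ids goes beyond what the reply lists.

```sh
#!/bin/sh
# Added example: pre-flight checks for the winbind setup described in this thread.
# Function names are hypothetical; files are passed as arguments so copies can be tested.

# Print "lo hi" for the "idmap uid" or "idmap gid" range in smb.conf.
idmap_range() {  # $1 = smb.conf path, $2 = uid|gid
    sed -n "s/^[[:space:]]*idmap[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2/p" "$1" | tail -n 1
}

# Succeed if the nsswitch.conf line for a database lists winbind as a source.
nss_has_winbind() {  # $1 = nsswitch.conf path, $2 = passwd|group
    awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
                     END { exit !found }' "$1"
}

# Print names of existing entries whose numeric id (field 3) lies inside lo..hi.
# An overlap means winbindd could hand out an id that a unix account already owns.
ids_in_range() {  # $1 = passwd- or group-format file, $2 = lo, $3 = hi
    awk -F: -v lo="$2" -v hi="$3" '$3 ~ /^[0-9]+$/ && $3+0 >= lo && $3+0 <= hi { print $1 }' "$1"
}

check_winbind_setup() {  # $1 = smb.conf, $2 = nsswitch.conf, $3 = passwd list, $4 = group list
    conf=$1 nss=$2 pw=$3 gr=$4 rc=0
    for db in passwd group; do
        nss_has_winbind "$nss" "$db" || { echo "FAIL: $db line in $nss lacks winbind"; rc=1; }
    done
    for kind in uid gid; do
        range=$(idmap_range "$conf" "$kind")
        if [ -z "$range" ]; then echo "FAIL: no idmap $kind range in $conf"; rc=1; continue; fi
        lo=${range% *}; hi=${range#* }
        [ "$lo" -lt "$hi" ] || { echo "FAIL: idmap $kind range $lo-$hi is empty"; rc=1; }
        if [ "$kind" = uid ]; then list=$pw; else list=$gr; fi
        clash=$(ids_in_range "$list" "$lo" "$hi")
        [ -z "$clash" ] || { echo "FAIL: idmap $kind range overlaps:" $clash; rc=1; }
    done
    return $rc
}

if [ "$#" -eq 4 ]; then check_winbind_setup "$@"; fi
```

Pass it smb.conf, nsswitch.conf, and passwd and group listings (local files plus NIS) captured before winbindd is started, so that winbind-allocated ids are not reported as overlaps.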