Jeremy Allison
2012-Jun-21 16:50 UTC
[Samba] ACLS without winbind (but WITH correct user mapping)
On Thu, Jun 21, 2012 at 05:50:45PM +0100, Colin Fowler wrote:
> Note the DOMAIN and not "Unix User". Clicking apply simply makes the
> new entry disappear.
>
> If username mapping is working correctly, why does adding an ACL for
> DOMAIN\nigel not set an ACL for Unix User\nigel?

I'm not sure username mapping is being done in that codepath. This is designed to work (and normally tested with) winbindd.

Jeremy.
Colin Fowler
2012-Jun-21 16:50 UTC
[Samba] ACLS without winbind (but WITH correct user mapping)
Thanks to some of the guys on #samba-technical (obnox in particular!), I now have a working samba configuration.

The environment:

In our setup each user has an entry in both openldap (no samba schemas) and AD. Each account has the same name and even has a Unix UID entry in AD. Our users ssh into Linux boxes, authenticating off of openldap. Files are shared via samba.

Due to the account duplication the config I use has NO winbind. Instead the username map script option is used with echo:

username map script = echo

A rather simple but beautiful solution thanks to the IRC lads. User "bob" auths via AD, the AD username is mapped to the unix username and file permissions work perfectly.

ACLS:

The filesystem supports ACLs. When I view the security tab on a Windows 7 client, I see the user permissions as follows:

Everyone
bob (Unix User\bob)
staff (Unix Group\staff)

If I add an acl for tom on the unix server via setfacl I then see:

Everyone
bob (Unix User\bob)
tom (Unix User\tom)
staff (Unix Group\staff)

Great!

Attempting to add a user to the ACLs from the windows side fails however. I click edit, then add and type in a username. In the box I now have:

bob (Unix User\bob)
tom (Unix User\tom)
nigel (DOMAIN\nigel)
staff (Unix Group\staff)

Note the DOMAIN and not "Unix User". Clicking apply simply makes the new entry disappear.

If username mapping is working correctly, why does adding an ACL for DOMAIN\nigel not set an ACL for Unix User\nigel?

Any help appreciated!

Colin
Colin Fowler
2012-Jul-04 13:36 UTC
[Samba] ACLS without winbind (but WITH correct user mapping)
On 26/06/12 11:54, Colin Fowler wrote:
> On 26/06/12 06:48, Andrew Bartlett wrote:
>> On Fri, 2012-06-22 at 16:11 +0100, Colin Fowler wrote:
>>> On 21/06/12 17:50, Jeremy Allison wrote:
>>>> On Thu, Jun 21, 2012 at 05:50:45PM +0100, Colin Fowler wrote:
>>>>> Note the DOMAIN and not "Unix User". Clicking apply simply makes the
>>>>> new entry disappear.
>>>>>
>>>>> If username mapping is working correctly, why does adding an ACL for
>>>>> DOMAIN\nigel not set an ACL for Unix User\nigel?
>>>> I'm not sure username mapping is being done in that
>>>> codepath. This is designed to work (and normally tested
>>>> with) winbindd.
>>>>
>>>> Jeremy.
>>> I've done some poking and I've found an answer as to why it won't work
>>> with username to username mapping. Quite simply, the client doesn't ask
>>> samba to apply an ACL to a username. It is instead asked to apply it to
>>> an SID
>>>
>>> [2012/06/22 15:22:10.495700, 0]
>>> smbd/posix_acls.c:1735(create_canon_ace_lists)
>>> create_canon_ace_lists: unable to map SID
>>> S-1-5-21-2516220118-3886572273-1107914255-8269 to uid or gid.
>>> [2012/06/22 15:22:10.498944, 10] smbd/posix_acls.c:3412(posix_get_nt_acl)
>>> posix_get_nt_acl: called for file test2/New Text Document.txt
>>>
>>> I'm not running winbind so samba can't map the SID to a UID.
>>>
>>> All is not lost though!
>>>
>>> net -P ads sid S-1-5-21-2516220118-3886572273-1107914255-8269 works
>>> correctly.
>>>
>>> I can obviously grep the username/groupname out of there and use id to
>>> turn it into a valid unix uid or gid
>>>
>>> A simple script could do this easily if I add some code to
>>> source3/smbd/posix_acls.c and add an option such as "username sid map
>>> script =" to the smb.conf.
>>>
>>> Is this completely nuts or would a patch like this be accepted?
>> This would essentially be the same as running winbindd and using
>> idmap_nss as I understand it.
>>
>> We wrote winbindd for a purpose, and it handles many of the important
>> tasks of being in an AD domain. We do support not running it, but it is
>> a degraded mode.
>>
>> Andrew Bartlett
>>
>
> Thanks Andrew,
> I'll take a good look at idmap_nss now.
>

For the last week we've trialled idmap_nss and so far everything seems to be working great! Thanks for all the suggestions. Our last problem is with Dreamweaver CS6 not being able to save files (when notepad can!), but we're debugging that now :)

regards,
Colin
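As an added illustration (not posted by anyone in the thread), here are the two smb.conf shapes the discussion contrasts: the winbind-free variant from the first post, which only maps names, and the winbindd + idmap_nss variant the thread settles on, which also maps the SIDs the Windows security tab sends. The workgroup, realm and id ranges are placeholders; the two [global] sections are alternative files, not one file.

```ini
# ---- Variant A: no winbindd (the original setup) ----
# AD authenticates the user; the script hands the AD name back unchanged
# (echo), and NSS/openldap supplies the matching uid. This is enough for
# logons and POSIX permissions, but the security tab submits SIDs, and
# without winbindd smbd cannot turn a SID into a uid/gid, so the new ACE
# is silently dropped (create_canon_ace_lists: unable to map SID ...).
[global]
    workgroup = DOMAIN                  ; placeholder
    realm = DOMAIN.EXAMPLE.COM          ; placeholder
    security = ads
    username map script = echo          ; AD "bob" -> local "bob"

# ---- Variant B: winbindd with the nss idmap backend ----
# winbindd resolves SID <-> name against AD; idmap_nss then looks the
# name up through NSS, so DOMAIN\nigel maps onto the uid that openldap
# already holds for nigel. The * range is only for SIDs with no local
# account and must not overlap the uid/gid range used by LDAP accounts.
[global]
    workgroup = DOMAIN                  ; placeholder
    realm = DOMAIN.EXAMPLE.COM          ; placeholder
    security = ads
    winbind use default domain = yes
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999   ; placeholder, unused ids
    idmap config DOMAIN : backend = nss
    idmap config DOMAIN : range = 1000-999999  ; placeholder, LDAP uid range

# Check the mapping winbindd now performs for the SID from the log:
#   wbinfo --sid-to-uid S-1-5-21-2516220118-3886572273-1107914255-8269
# should print nigel's LDAP uid rather than an error.
```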