We have updated our long-standing Samba install on a Solaris 8 box to 3.0.24 and are interested in making use of the Windows ACL mapping capabilities to help take over a Windows share. However, there is a snag - the pre-existing box has usernames that differ from people's Windows logins, i.e. their Unix login is freddy, and their Windows login is fred_smith.

I have our AD domain membership working on the box and can see the ACLs work with a dummy account set up to match someone's Windows login (i.e. if in the above example, I set up a fred_smith account on the Unix box), but could find no way in the documentation to do a username mapping (equivalent to what is being done for logins) for the ACLs. Is it there and I just didn't see it, or does it not exist?

Let me know if any more information about my install/config is required - thanks!

Bill Knox
Lead Operating Systems Programmer/Analyst
The MITRE Corporation
On Thu, Mar 15, 2007 at 12:02:03AM -0400, Knox, Bill wrote:
> We have updated our long-standing Samba install on a Solaris 8 box to
> 3.0.24 and are interested in making use of the Windows ACL mapping
> capabilities to help take over a Windows share. However, there is a
> snag - the pre-existing box has usernames that differ from people's
> Windows logins, i.e. their Unix login is freddy, and their Windows
> login is fred_smith.
>
> I have our AD domain membership working on the box and can see the ACLs
> work with a dummy account set up to match someone's Windows login (i.e.
> if in the above example, I set up a fred_smith account on the Unix
> box), but could find no way in the documentation to do a username
> mapping (equivalent to what is being done for logins) for the ACLs. Is
> it there and I just didn't see it, or does it not exist?

So this is when you're doing a right-click, security-tab, show ACLs on the Windows client? I think we currently just display the usernames we get from the SID mapping subsystem when the client does the SID -> name lookup to display these. I need to look at the code to see how easy it would be to do a reverse username map lookup for this - although it would be lossy as username map allows multiple Windows names to map onto one UNIX one.

Jeremy.
Yes - I assumed that is what is allowing it to work if I create a fred_smith user on the Unix box (which then works fine), and what is letting wbinfo work. It seems to really be the mapping that would be required to make winbindd know that fred_smith in the domain is the same as freddy on the Unix box.

Bill Knox
Lead Operating Systems Programmer/Analyst
The MITRE Corporation

-----Original Message-----
From: Jeremy Allison [mailto:jra@samba.org]
Sent: Thursday, March 15, 2007 5:17 PM
To: Knox, Bill
Cc: samba@lists.samba.org
Subject: Re: [Samba] Question about AD user/ACL mapping

On Thu, Mar 15, 2007 at 03:16:47PM -0400, Knox, Bill wrote:
> Yes, in the security-tab when I am trying to add an ACL to a file on
> the Samba share.
>
> Let me extend the example a bit to explain what we are doing:
>
> The server has a local username freddy, and the domain contains a user
> fred_smith
>
> The username map file contains:
> freddy = DOMAIN\fred_smith
>
> When I try to add permissions for fred_smith in the security tab on
> Windows, I get an error in the log file like this:
>
> [2007/03/14 15:17:38, 0] smbd/posix_acls.c:create_canon_ace_lists(1399)
>   create_canon_ace_lists: unable to map SID
> S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXXX to uid or gid.
>
> However, I can access shares as fred_smith and my access gets mapped to
> the freddy user, and I can run wbinfo -n fred_smith on the box to get a
> SID back.
>
> When viewing ACLs in the tab that are set on the filesystem itself,
> they come back as "<username> (Unix User\<username>)" in the listing as
> well.
>
> It would also work if there were a tool to manually populate the
> winbindd_idmap.tdb file - does such a thing exist that is fairly
> useable? What are the implications for my interaction with the AD if I
> did something as screwball as that?

Ok, this is the function: sid_to_uid() or sid_to_gid() failing to return a valid value. Are you running winbindd here?

Jeremy.
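Jeremy's remark that a reverse lookup through username map would be lossy, shown as an added example (this is not Samba's code): a small Python parser for the map format Bill quotes, with the forward lookup smbd applies at logon and the reverse Unix -> Windows lookup an ACL display would need. The map contents are constructed; the entry for freddy is Bill's.

```python
import re

# Constructed sample in Samba 'username map' syntax (unix = win [win ...]).
# A leading '!' stops processing after that line matches; '@group' entries
# match by Unix group membership and '*' matches anything, so neither can
# be reversed to a single Windows name.
SAMPLE_MAP = r"""
# Unix login on the left, Windows/domain logins on the right
freddy = DOMAIN\fred_smith
!root = DOMAIN\Administrator admin
jane = DOMAIN\jane_doe "DOMAIN\Jane Doe"
"""

def parse_username_map(text):
    """Return [(unix_name, [windows_names], stop_after_match)] in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix, _, rhs = line.partition("=")
        stop = unix.strip().startswith("!")
        unix = unix.strip().lstrip("!").strip()
        # quoted names may contain spaces; backslashes are literal here
        wins = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', rhs)]
        entries.append((unix, wins, stop))
    return entries

def map_windows_to_unix(entries, windows_name):
    """Forward lookup: each matching line rewrites the name (case-insensitive)
    and later lines keep being applied unless the line was marked '!'."""
    name = windows_name
    for unix, wins, stop in entries:
        if any(w == "*" or w.lower() == name.lower()
               for w in wins if not w.startswith("@")):  # @group needs NSS
            name = unix
            if stop:
                break
    return name

def reverse_map(entries):
    """Unix name -> every Windows name that maps onto it. Lossy whenever a
    Unix user has more than one Windows name (Jeremy's point)."""
    rev = {}
    for unix, wins, _ in entries:
        rev.setdefault(unix, []).extend(
            w for w in wins if w != "*" and not w.startswith("@"))
    return rev

def ambiguous_reverse(entries):
    """Unix names for which no unique reverse mapping exists."""
    return sorted(u for u, ws in reverse_map(entries).items() if len(ws) != 1)
```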