On Fri, Aug 20, 2010 at 9:57 AM, tizo <tizone at gmail.com> wrote:
> Hi there,
>
> I have a Samba installation acting as a Domain Member with a disk share (the
> partition is mounted with acl and user_xattr options). I am not using
> winbind, because I want the domain users to be mapped to Unix users.
> Everything works right, except the users in the Windows Explorer security
> tab. I will try to explain the situation with an example.
>
> I have a username map that maps Administrator and domainuser into root and
> unixuser respectively. I also have another user that does not need the
> mapping, as the username is the same in both systems. The three users can
> log in correctly to the share, and when a user creates a file, the owner of
> the new file is the mapped user corresponding to the logged-in user.
>
> The problem arises in the Windows Explorer security tab of a file. The users
> seen there are the Unix users and not the domain ones; for example, I can
> see something like "unixuser (Unix User\unixuser)" or for groups "unixgroup
> (Unix Group\unixgroup)". I can modify the permissions of an entry here (and
> the modifications can be seen in the POSIX ACLs of the file), but I cannot
> add another user. For example, in a file that does not have the unixuser
> entry, I click the Add button, search for domainuser (of course, unixuser
> cannot be obtained from here), add him, set some permissions, and when I
> click "Apply" the new entry disappears. At that moment, the Samba log says
> something like (and the symptoms are the same for the users in the map and
> for the user that has the same username on both systems):
>
> smbd/posix_acls.c:create_canon_ace_lists(1510)
> create_canon_ace_lists: unable to map SID
> X-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX to uid or gid.
>
> So, I guess that Samba is not using the same mechanism for the login as
> for administering ACLs. Maybe that is not possible; I simply do not know
> because I am relatively new to Samba. Can someone explain how Samba should
> work with the security tab? Shouldn't it map users in both directions, so
> that from Windows only domain users can be seen?
>
> My smb.conf:
>
> [global]
> workgroup = DUMMY
> netbios name = PRUEBA-ARCHIVOS
> server string = %h (Samba %v)
> security = DOMAIN
> username map = /etc/samba/mapeousuarios
> log level = 2
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 1000
> name resolve order = wins host bcast
> wins server = 192.168.X.X, 192.168.X.X
> panic action = /usr/share/samba/panic-action %d
>
> [datos-usu]
> path = /exports/datos
> read only = No
> map acl inherit = Yes
> store dos attributes = Yes
>
> Thanks very much,
>
> tizo
>
>
Tizo,

I found the exact same thing using ldap/kerberos with security=ads and with
winbind disabled. I can set ACLs fine on the files from linux via setfacl, and
they show that way when viewed from windows in the security tab, but as
Unix User\username. It seems like it may be a case of windows not knowing how
to handle Unix User\username.

Here's my smb.conf for comparison (note I am running a fileserver only, no
printers):
---------
[global]
# workaround symlink bug with wide links 2-5-2010
unix extensions = no
disable spoolss = Yes
name resolve order = hosts
workgroup = AD
realm = AD.MYDOMAIN.EDU
server string = %h server (Samba, Ubuntu)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = ads
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
pam password change = no
map to guest = bad user
usershare allow guests = no
[sharename]
comment = SHARENAME
path = /shares/sharename
browsable = Yes
valid users = @ad\CertainFileUsers
write list = @ad\CertainFileUsers
create mask = 2660
force create mode = 0660
directory mask = 2770
--------
There's a bunch of ACL flags shown in man smb.conf that I'm not at all sure
how to use, and it may be that this is just a windows problem, in that windows
might not be able to easily specify the Unix User of a file even when that
is an AD user with the uid set.

Some of these may affect this:
acl group control
dos filemode
nt acl support (default=yes)

This might also have something to do with the behavior:
username level

I'm hoping that someone who knows more about this might comment.
Cheers,
Grant
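The "unable to map SID ... to uid or gid" message quoted in tizo's post is the one thing on the server side that tells you which account the Windows client tried to add and why the entry vanished. The script below is an added example, not code from either poster or from the Samba project: it scans an smbd log for those messages, groups them by SID, and classifies each SID so an administrator can see whether the failing entries are domain accounts (S-1-5-21-...-RID, the ones that need a uid/gid mapping) or Samba's own "Unix User" / "Unix Group" pseudo-domain SIDs (S-1-22-1-uid / S-1-22-2-gid, which is the form behind the "Unix User\unixuser" names in the security tab). The sample log text, timestamps and SID values are constructed for the example; the original post masked its SID. The header-line layout matches what smbd writes at log level 2 (a bracketed timestamp and level, then the source location on the same line and the message on the next).

```python
import re

# Constructed smbd log excerpt (log level = 2). SIDs, times, client address and
# uid/gid values are placeholders made up for this example.
SAMPLE_LOG = """\
[2010/08/20 09:57:01,  2] smbd/posix_acls.c:create_canon_ace_lists(1510)
  create_canon_ace_lists: unable to map SID S-1-5-21-1111111111-2222222222-3333333333-1105 to uid or gid.
[2010/08/20 09:58:12,  2] smbd/posix_acls.c:create_canon_ace_lists(1510)
  create_canon_ace_lists: unable to map SID S-1-5-21-1111111111-2222222222-3333333333-1105 to uid or gid.
[2010/08/20 10:01:45,  2] smbd/posix_acls.c:create_canon_ace_lists(1510)
  create_canon_ace_lists: unable to map SID S-1-5-21-1111111111-2222222222-3333333333-513 to uid or gid.
[2010/08/20 10:03:00,  2] smbd/service.c:make_connection_snum(1028)
  client (192.168.1.50) connect to service datos-usu initially as user unixuser (uid=1001, gid=1001) (pid 4321)
"""

# "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\] (\S+)$")
# The message line that follows a header when an ACE cannot be mapped.
UNMAPPED_RE = re.compile(r"unable to map SID (S-\d+(?:-\d+)+) to uid or gid")


def classify_sid(sid):
    """Return (kind, trailing id) for a SID string.

    S-1-22-1-<uid> and S-1-22-2-<gid> are Samba's "Unix Users" / "Unix Groups"
    pseudo-domain; S-1-5-21-<3 subauths>-<RID> is an NT/AD domain SID.
    """
    parts = sid.split("-")
    if sid.startswith("S-1-22-1-") and len(parts) == 5:
        return ("unix-user", int(parts[4]))
    if sid.startswith("S-1-22-2-") and len(parts) == 5:
        return ("unix-group", int(parts[4]))
    if sid.startswith("S-1-5-21-") and len(parts) == 8:
        return ("domain", int(parts[7]))
    return ("other", None)


def parse_unmapped_sids(log_text):
    """Return a list of {time, level, where, sid} dicts, one per failed mapping,
    in log order. The message line is paired with the header line before it."""
    events = []
    current = None  # (timestamp, level, source location) of the last header seen
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)), m.group(3))
            continue
        m = UNMAPPED_RE.search(line)
        if m and current is not None:
            ts, level, where = current
            events.append({"time": ts, "level": level, "where": where, "sid": m.group(1)})
    return events


def summarize(events):
    """Group events by SID: how often, when first/last seen, and what kind of SID."""
    summary = {}
    for ev in events:
        kind, rid = classify_sid(ev["sid"])
        entry = summary.setdefault(
            ev["sid"], {"count": 0, "first": ev["time"], "last": ev["time"], "kind": kind, "rid": rid}
        )
        entry["count"] += 1
        entry["last"] = ev["time"]  # events arrive in log order
    return summary


def report(log_text):
    """Human-readable lines, one per unmapped SID, most frequent first."""
    lines = []
    for sid, e in sorted(summarize(parse_unmapped_sids(log_text)).items(), key=lambda kv: -kv[1]["count"]):
        lines.append(f"{e['count']:4d}x {sid}  kind={e['kind']} id={e['rid']}  first={e['first']} last={e['last']}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

For a domain SID the trailing RID (1105 or 513 above) is what an idmap backend or winbind would have turned into a uid or gid; without that mapping smbd drops the ACE, which is exactly the "entry disappears on Apply" symptom described in the thread. Run it against a real `/var/log/samba/log.<client>` file with `report(open(path).read())` to see which accounts are affected before changing the ACL-related options Grant lists.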