jrmailgate-samba at yahoo.co.uk
2013-Jan-16 12:39 UTC
[Samba] Mapping SID>UID (and reverse)
Hi

I have a new Samba 3.6.10 server running on Solaris 10. The server is a member of the local Active Directory (which I'll call "DOMAIN" in this email). Unix username resolution is via NIS. All domain users have NIS usernames as well. Winbind is running to allow SMBD to perform sid>uid mapping and I have set up idmap_nss. I am not using winbind in /etc/nsswitch.conf as NIS performs that function already.

The "issue":

If I create a file or ACL through Windows for user "jack", the security tab ACL appears as "DOMAIN\jack".

If I add a file or filesystem ACL through Unix for user "jill", the Windows security tab shows the ACL as "Unix User\jill".

However, if I later add a file, or ACL to a file, through Windows for user "jill", the Windows security tab now reports the ACL as "DOMAIN\jill". Files that previously reported "Unix User\jill" now correctly report "DOMAIN\jill".

So it would appear that Winbind is performing and storing the SID>UID mapping when an ACL is *set* through Samba, but it is not storing the mapping (or performing a UID>SID mapping) when performing a *read* of existing Unix file ownership or ACLs.

Is this by design, a bug, or have I made a mistake somewhere? I would like it so that if a file or ACL is created on a file through Unix, then Samba will automatically map this to the domain SID. Can this be done?

Thanks for any help!

JR
jrmailgate-samba at yahoo.co.uk
2013-Jan-22 11:48 UTC
[Samba] Mapping SID>UID (and reverse)
Hi

Further to my previous mail on this problem, I've found that when I connect to the Samba server from a Windows 7 PC, the "log.winbindd-idmap" file reports the following messages.

On opening the file share \\fs01:

[2013/01/21 11:18:42.474060,  1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config CSS
[2013/01/21 11:18:42.722730,  1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config NT AUTHORITY
[2013/01/21 11:18:42.726528,  1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config AD
[2013/01/21 11:18:42.736245,  1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config CSS

(CSS and AD are both Active Directory domains in the same forest).

When I open the contents of the share and mouse-over a file, the following is logged:

[2013/01/21 11:20:20.821208,  4] winbindd/winbindd_dual.c:1549(fork_domain_child)
  child daemon request 59
[2013/01/21 11:20:20.823030,  5] passdb/pdb_tdb.c:562(tdbsam_getsampwnam)
  pdb_getsampwnam (TDB): error fetching database.
   Key: USER_jsmith
[2013/01/21 11:20:20.823250,  5] passdb/pdb_interface.c:1347(pdb_default_uid_to_sid)
  pdb_default_uid_to_sid: Did not find user jsmith (4510)
[2013/01/21 11:20:21.279879,  4] winbindd/winbindd_dual.c:1557(fork_domain_child)
  Finished processing child request 59

The user "jsmith" is both a NIS Unix user and a Windows AD user in the "CSS" domain.

When I right-click on the file and select Properties, then select the Security tab, I see the list of ACLs listed by SID before they are resolved. In the above instance, the user "jsmith" SID is "S-1-22-1-4510". A couple of seconds later this is resolved to "Unix User\jsmith". I've checked that the 4510 in the SID is the same as the Unix UID stored in NIS.

If I open the properties of another file and add an ACL entry for user "CSS\jsmith", the following is logged:

[2013/01/22 11:17:27.030191,  4] winbindd/winbindd_dual.c:1549(fork_domain_child)
  child daemon request 59
[2013/01/22 11:17:27.031587,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user jsmith
[2013/01/22 11:17:27.031765,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is jsmith
[2013/01/22 11:17:27.034069,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [jsmith]!
[2013/01/22 11:17:27.034825,  4] winbindd/winbindd_dual.c:1557(fork_domain_child)
  Finished processing child request 59

The entry appears in the file properties box correctly (as CSS\jsmith) and when I now open the properties of the original file, the file is now owned by CSS\jsmith and not Unix User\jsmith.

I would like it so that it always maps the Unix UID to the CSS domain SID. Is this possible? Please can someone advise what I'm doing wrong?

Thanks!!!

JR

This is the output of testparm:

[global]
        workgroup = CSS
        realm = CSS.AD.COMPANYNAME.CO.UK
        server string = Samba %v
        security = ADS
        kerberos method = system keytab
        log file = /var/log/samba/smbd.log
        max log size = 50
        max protocol = SMB2
        unix extensions = No
        load printers = No
        printcap name = /dev/null
        disable spoolss = Yes
        template shell = /bin/bash
        idmap config * : range = 500-999999
        idmap config * : backend = nss
        ea support = Yes
        printing = bsd
        print command = lpr -r -P'%p' %s
        lpq command = lpq -P'%p' %j
        lprm command = lprm -P'%p' %j
        dfree command = /usr/local/bin/dfree

[zfsshare]
        comment = ZFS share
        path = /testpool/samba
        read only = No
        inherit permissions = Yes
        map archive = No
        map readonly = no
        store dos attributes = Yes
        wide links = Yes
        vfs objects = shadow_copy2, streams_xattr, zfsacl
        zfsacl:acesort = dontcare
        nfs4:mode = special
        nfs4:chown = yes
        nfs4:acedup = merge
        shadow:format = GMT-%Y.%m.%d-%H.%M.%S
        shadow:snapdir = .zfs/snapshot
        shadow:basedir = /testpool/samba
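Added example, not part of JR's post or of the Samba project's own files. The log lines above say that winbind found no per-domain idmap block for CSS, AD or NT AUTHORITY, and the testparm output defines only the default `idmap config *` block. The idmap_nss(8) manual page documents the per-domain form `idmap config <DOMAIN> : backend = nss` alongside a separate default block; the fragment below shows the posted setting next to that form. Domain names follow the thread; the ranges and the choice of tdb for the default block are assumptions (the default block's range must not overlap the NIS uids), and whether this resolves JR's case is not established on this page.

```ini
# Added example (not from the thread or the Samba project).
# Only the idmap-related lines of the [global] section are shown.

# --- as posted in the testparm output above ---
# Every domain falls through to the default block; there is no block
# named CSS, so winbind logs "no backend defined for idmap config CSS".
;[global]
;        idmap config * : backend = nss
;        idmap config * : range = 500-999999

# --- per-domain form from idmap_nss(8) ---
[global]
        workgroup = CSS
        realm = CSS.AD.COMPANYNAME.CO.UK
        security = ADS

        # CSS users have NIS accounts, so uid <-> SID for CSS comes from
        # the NIS uid via getpwnam/getpwuid. Range: assumed to cover the
        # NIS uid space (4510 for jsmith falls inside it).
        idmap config CSS : backend = nss
        idmap config CSS : range = 500-999999

        # The second forest domain (AD) would need its own block of the
        # same shape if its users also have NIS accounts (assumption).

        # Default block for BUILTIN, NT AUTHORITY and any domain without
        # its own block: allocated ids, in a range disjoint from NIS uids
        # (range is an assumption).
        idmap config * : backend = tdb
        idmap config * : range = 1000000-1999999
```

After restarting winbindd, `wbinfo --uid-to-sid 4510` is the check: the answer should be a SID in the CSS domain rather than `S-1-22-1-4510`, which is the "Unix User" authority winbind substitutes when no domain mapping is found. Run `net cache flush` first if earlier answers may still be cached, and compare against `wbinfo -n 'CSS\jsmith'`, which resolves the name directly in the domain.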