samba - May 2013 - Fwd: Re: Re: Cannot ad­d/mo­dify ACL through win­dows ­client

Hi Denis,

on both samba hosts (donald and pluto) these commands work great:

id johndoe
getent group
getent passwd

My pluto:/etc/nsswitch.conf looks like that:
[...]
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
[...]

I want to add, that the described problem works fine if I try it on a share on
"donald", my domain controller. The users are displayed fine under the
security tab. So where could be the problem?

Lucas

??? 14 ??? 2013 19:57:00 +0400, Denis Cardon  ???????:
Hi Lucas,
> I am struggling around with Windows ACLs and cannot find a solution nor how
to troubleshoot that. I have two samba3 hosts. Hostname "donald" is my
domain controller with samba 3.x + OpenLDAP server running. Hostname
"pluto" is my other samba 3.x server which was joined to my domain. I
use LDAP for my users+groups. I dont have winbind on my machines. On hostname
"pluto" I have a share in smb.conf which says:
>
> [free4all]
> path = /data/free4all
> read onlyXSSCleaned= No
>                create mask = 0777
>                directory mask = 0777
>                vfs object = acl_xattr
>                nt acl support = yes
>                dos filemode = yes
>
> "testparm -s -a -v |grep acl" shows me:
>
> acl compatibility = auto
>          acl check permissions = Yes
>          acl group control = No
>          acl map full control = Yes
>          force unknown acl user = No
>          inherit acls = No
>          nt acl support = Yes
>          profile acls = No
>          map acl inherit = No
>          vfs objects = acl_xattr
>          force unknown acl user = Yes
>
> On a windows client I am right-clicking on \\pluto\free4all\subdir and
choose the "Security" tab. I see a user called "Everyone"
and a user without username, but only SID number. The SID is
S-1-5-21-blablabla-1234567-blabla-500.  I manually checked this SID at my LDAP
database. Funnily I have two users with this same SID, one is called
"root" and the is called "admin". Weird, but not important
imho at this point.
Rid -500 is part of the well known SID, it should be for admin user and 
shouldn't be used for root (http://support.microsoft.com/kb/243330)
> Back on the windows client, inside the "Security" tab, I click on
"Add" and choose a user of my Domain Users. I see him in the list. But
as soon as I click "Apply" on this window, the user disappears from
the security tab list. The logfile at samba-server hostname=pluto outputs:
>
> [2013/05/14 15:48:08.861822,  0]
smbd/posix_acls.c:1755(create_canon_ace_lists)
>    create_canon_ace_lists: unable to map SID
S-1-5-21-1062190697-4189521229-2202214947-129762 to uid or gid.
>
> This SID was the user I tried to add. Why does this not work and how should
I fix or even troubleshoot that? I really need some assistance, I have no clue
what else to try. Thanks to everyone.
Are you sure that there is a uid/gid mapping for your samba users on 
your server. For instance, if you type "id myusername" or "getent
passwd", do you get a uid?

If not, you should check if your /etc/nsswitch.conf configuration is ok. 
If you don't use winbind, you should have nssldap configured.

Cheers,

Denis
>
> Lucas.
>
-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, b?timent A
12 avenue Jules Verne
44230 Saint S?bastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr

----- ????? ????????????? ?????? -----

Hi Lucas,
> on both samba hosts (donald and pluto) these commands work great:
>
> id johndoe
> getent group
> getent passwd
>
> My pluto:/etc/nsswitch.conf looks like that:
> [...]
> passwd:         compat ldap
> group:          compat ldap
> shadow:         compat ldap
> [...]
>
> I want to add, that the described problem works fine if I try it on a share
on "donald", my domain controller. The users are displayed fine under
the security tab. So where could be the problem?
Users may be displayed because through query to the PDC.

If your nsswitch works properly, then I think we ought to look into your 
smb.conf. Could you please post the global part? Are you using 
security=user or security=domain?

What do you get with pdbedit -L -v ?

By the way, samba4 rocks and it is much easier to setup. You should try it.

Cheers,

Denis
>
> Lucas
>
> ??? 14 ??? 2013 19:57:00 +0400, Denis Cardon  ???????:
> Hi Lucas,
>
>> I am struggling around with Windows ACLs and cannot find a solution nor
how to troubleshoot that. I have two samba3 hosts. Hostname "donald"
is my domain controller with samba 3.x + OpenLDAP server running. Hostname
"pluto" is my other samba 3.x server which was joined to my domain. I
use LDAP for my users+groups. I dont have winbind on my machines. On hostname
"pluto" I have a share in smb.conf which says:
>>
>> [free4all]
>> path = /data/free4all
>> read onlyXSSCleaned= No
>>                 create mask = 0777
>>                 directory mask = 0777
>>                 vfs object = acl_xattr
>>                 nt acl support = yes
>>                 dos filemode = yes
>>
>> "testparm -s -a -v |grep acl" shows me:
>>
>> acl compatibility = auto
>>           acl check permissions = Yes
>>           acl group control = No
>>           acl map full control = Yes
>>           force unknown acl user = No
>>           inherit acls = No
>>           nt acl support = Yes
>>           profile acls = No
>>           map acl inherit = No
>>           vfs objects = acl_xattr
>>           force unknown acl user = Yes
>>
>> On a windows client I am right-clicking on \\pluto\free4all\subdir and
choose the "Security" tab. I see a user called "Everyone"
and a user without username, but only SID number. The SID is
S-1-5-21-blablabla-1234567-blabla-500.  I manually checked this SID at my LDAP
database. Funnily I have two users with this same SID, one is called
"root" and the is called "admin". Weird, but not important
imho at this point.
>
> Rid -500 is part of the well known SID, it should be for admin user and
> shouldn't be used for root (http://support.microsoft.com/kb/243330)
>
>> Back on the windows client, inside the "Security" tab, I
click on "Add" and choose a user of my Domain Users. I see him in the
list. But as soon as I click "Apply" on this window, the user
disappears from the security tab list. The logfile at samba-server
hostname=pluto outputs:
>>
>> [2013/05/14 15:48:08.861822,  0]
smbd/posix_acls.c:1755(create_canon_ace_lists)
>>     create_canon_ace_lists: unable to map SID
S-1-5-21-1062190697-4189521229-2202214947-129762 to uid or gid.
>>
>> This SID was the user I tried to add. Why does this not work and how
should I fix or even troubleshoot that? I really need some assistance, I have no
clue what else to try. Thanks to everyone.
>
> Are you sure that there is a uid/gid mapping for your samba users on
> your server. For instance, if you type "id myusername" or
"getent
> passwd", do you get a uid?
>
> If not, you should check if your /etc/nsswitch.conf configuration is ok.
> If you don't use winbind, you should have nssldap configured.
>
> Cheers,
>
> Denis
>
>>
>> Lucas.
>>
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, b?timent A
12 avenue Jules Verne
44230 Saint S?bastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr