On 25/09/2020 10:14, Aurélien Aptel via samba wrote:
> Ken Bass via samba <samba at lists.samba.org> writes:
>> Can you please expand on this, I am confused as to what you are
>> suggesting. If 'getent pass' works properly and shows no
>> overlap/confusion, this seems to be related to cifsacl.
> It's still hard to say at this point.
>
> cifs.idmap logs messages in the syslog.
> Can you try mounting with cifsacl, then look at logs in one window
>
> # journalctl --since=now
>
> While you do a
>
> # ls -l /path/to/cifsaclmount/some_file
>
> If a mapping fails you should see something like this:
>
> cifs.idmap[8370]: key description: cifs.idmap;0;0;39010000;os:S-1-5-18
> cifs.idmap[8370]: Unable to convert cifs.idmap;0;0;39010000;os:S-1-5-18 to UID: Some IDs could not be mapped.
>
> "os" means it's the file owner (Owner Sid)
> "gs" means the file group (Group Sid).
>
> You can try to map the bad SID manually with wbinfo:
>
> # wbinfo --sid-to-uid S-1-5-18
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-18 to uid
>
> And then it's a samba/winbind problem.

Not sure how this could be a Samba problem ?

'S-1-5-18' is SYSTEM and from the looks of it, neither cifs.idmap nor
winbind maps it on a Unix domain member (it does map on a Samba DC). It
is hard to understand from the manpages, does cifsacls use the same IDs
as Winbind, or does it calculate its own ?

Rowland

Rowland penny via samba <samba at lists.samba.org> writes:
> 'S-1-5-18' is SYSTEM and from the looks of it, neither cifs.idmap nor
> winbind maps it on a Unix domain member (it does map on a Samba DC). It
> is hard to understand from the manpages, does cifsacls use the same IDs
> as Winbind, or does it calculate its own ?

* cifsacl is the mount option.
* When passed, it makes cifs.ko call the userspace program cifs.idmap
  every time it has to map a SID.
* cifs.idmap has a winbind or sssd backend (dynamically loaded libraries
  aka plugins).
* The winbind backend is idmapwb.so and is linked against libwbclient
  and uses the same calls as wbinfo to do the mapping. Thus it returns
  the same IDs.

I picked this SID as an example of a SID that doesn't map, I don't know
what sort of SID Ken is seeing.

If Ken is seeing a mapping error in the logs and also with wbinfo for
regular AD users it is likely something is wrong with his winbind setup.

Cheers,
--
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)

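
The log check described in the thread, as an added example that is not part of any of the original messages: it scans journal text for cifs.idmap mapping failures, separates owner ("os") from group ("gs") keys, and prints the matching wbinfo lookup for each distinct SID. The function and field names are hypothetical, the sample lines are constructed, and the "to GID" wording of the group failure line is an assumption modelled on the "to UID" line quoted above.

```python
import re

# Failure line format quoted in the thread; the key description ends in
# "os:<SID>" (owner SID) or "gs:<SID>" (group SID).
FAIL_RE = re.compile(
    r"cifs\.idmap\[\d+\]: Unable to convert "
    r"cifs\.idmap;[^;]*;[^;]*;[^;]*;(?P<kind>os|gs):(?P<sid>S-1(?:-\d+)+) to "
)

# wbinfo option that performs the same lookup by hand for each key type.
WBINFO_OPT = {"os": "--sid-to-uid", "gs": "--sid-to-gid"}

def unmapped_sids(lines):
    """Return one record per distinct (kind, SID) that cifs.idmap failed to map."""
    seen = {}
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue  # "key description" lines and unrelated noise are skipped
        kind, sid = m["kind"], m["sid"]
        rec = seen.setdefault((kind, sid), {
            "kind": "owner" if kind == "os" else "group",
            "sid": sid,
            # S-1-5-21-... SIDs are issued by a domain or machine; anything
            # else (e.g. S-1-5-18, SYSTEM) is a well-known SID.
            "domain_account": sid.startswith("S-1-5-21-"),
            "check": f"wbinfo {WBINFO_OPT[kind]} {sid}",
            "count": 0,
        })
        rec["count"] += 1
    return list(seen.values())

# Constructed sample journal lines: the first pair is the example from the
# thread; the rest (including the domain SID) are made up for illustration.
SAMPLE = """\
cifs.idmap[8370]: key description: cifs.idmap;0;0;39010000;os:S-1-5-18
cifs.idmap[8370]: Unable to convert cifs.idmap;0;0;39010000;os:S-1-5-18 to UID: Some IDs could not be mapped.
cifs.idmap[8371]: Unable to convert cifs.idmap;0;0;39010000;os:S-1-5-18 to UID: Some IDs could not be mapped.
cifs.idmap[8372]: key description: cifs.idmap;0;0;39010000;gs:S-1-5-21-1111111111-2222222222-3333333333-513
cifs.idmap[8372]: Unable to convert cifs.idmap;0;0;39010000;gs:S-1-5-21-1111111111-2222222222-3333333333-513 to GID: Some IDs could not be mapped.
""".splitlines()

if __name__ == "__main__":
    for r in unmapped_sids(SAMPLE):
        where = "domain account, check winbind" if r["domain_account"] else "well-known SID"
        print(f'{r["count"]}x {r["kind"]:5} {r["sid"]} ({where}) -> {r["check"]}')
```

Failures on S-1-5-21-... SIDs are the case where the same lookup should also be retried with wbinfo, since the winbind backend of cifs.idmap makes the same libwbclient calls.
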
On 25/09/2020 13:37, Aurélien Aptel wrote:
> Rowland penny via samba <samba at lists.samba.org> writes:
>> 'S-1-5-18' is SYSTEM and from the looks of it, neither cifs.idmap nor
>> winbind maps it on a Unix domain member (it does map on a Samba DC). It
>> is hard to understand from the manpages, does cifsacls use the same IDs
>> as Winbind, or does it calculate its own ?
> * cifsacl is the mount option.
> * When passed, it makes cifs.ko call the userspace program cifs.idmap
>   every time it has to map a SID.
> * cifs.idmap has a winbind or sssd backend (dynamically loaded libraries
>   aka plugins).
> * The winbind backend is idmapwb.so and is linked against libwbclient
>   and uses the same calls as wbinfo to do the mapping. Thus it returns
>   the same IDs.
>
> I picked this SID as an example of a SID that doesn't map, I don't know
> what sort of SID Ken is seeing.
>
> If Ken is seeing a mapping error in the logs and also with wbinfo for
> regular AD users it is likely something is wrong with his winbind setup.
>
> Cheers,

OK, that explains it better than the manpage :-)

The OP said that all his users and groups come from AD and he is using
the 'ad' backend, but he hasn't actually said that he has added any
rfc2307 attributes to AD.

I do not really understand why he is using cifsacl in the mount anyway,
surely vfs_acl_xattr will do it just as well ??

Rowland