On 26/06/12 11:54, Colin Fowler wrote:
On 26/06/12 06:48, Andrew Bartlett wrote:
On Fri, 2012-06-22 at 16:11 +0100, Colin Fowler wrote:
On 21/06/12 17:50, Jeremy Allison wrote:
On Thu, Jun 21, 2012 at 05:50:45PM +0100, Colin Fowler wrote:
Note the DOMAIN and not "Unix User". Clicking apply simply makes the
new entry disappear.
If username mapping is working correctly, why does adding an ACL for
DOMAIN\nigel not set an ACL for Unix User\nigel?
I'm not sure username mapping is being done in that
codepath. This is designed to work (and normally tested
with) winbindd.
Jeremy.
I've done some poking and I've found an answer as to why it won't work
with username to username mapping. Quite simply, the client doesn't ask
Samba to apply an ACL to a username. It is instead asked to apply it to
an SID:
[2012/06/22 15:22:10.495700, 0] smbd/posix_acls.c:1735(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID S-1-5-21-2516220118-3886572273-1107914255-8269 to uid or gid.
[2012/06/22 15:22:10.498944, 10] smbd/posix_acls.c:3412(posix_get_nt_acl)
  posix_get_nt_acl: called for file test2/New Text Document.txt
I'm not running winbind, so Samba can't map the SID to a UID.
All is not lost though!
net -P ads sid S-1-5-21-2516220118-3886572273-1107914255-8269 works
correctly.
I can obviously grep the username/groupname out of there and use id to
turn it into a valid unix uid or gid.
A simple script could do this easily if I add some code to
source3/smbd/posix_acls.c and add an option such as "username sid map
script =" to the smb.conf.
Is this completely nuts or would a patch like this be accepted?
This would essentially be the same as running winbindd and using
idmap_nss as I understand it.
We wrote winbindd for a purpose, and it handles many of the important
tasks of being in an AD domain. We do support not running it, but it is
a degraded mode.
Andrew Bartlett
Thanks Andrew,
I'll take a good look at idmap_nss now.
For the last week we've trialled idmap_nss and so far everything seems
to be working great! Thanks for all the suggestions. Our last problem is
with Dreamweaver CS6 not being able to save files (when Notepad can!),
but we're debugging that now :)
regards,
Colin
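
The failure discussed in this thread is invisible from the client (the new ACL entry simply disappears), so the smbd log is where it shows up. As an added example, not part of the original thread and not Samba code, this Python script collects every SID that create_canon_ace_lists reported as unmappable, with first-seen time and count. The function names are hypothetical, and the sample log is constructed from the entries quoted above plus one made-up SID.

```python
import re

# Samba 3.x log entry header: "[YYYY/MM/DD HH:MM:SS.usec, level] file:line(func)".
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?),\s*\d+\]")
# Message text quoted in the thread, emitted by create_canon_ace_lists.
UNMAPPED = re.compile(r"unable to map SID\s+(S-1-\d+(?:-\d+)+)\s+to uid or gid")

def log_entries(lines):
    """Yield (timestamp, message), joining wrapped continuation lines."""
    ts, body = None, []
    for raw in lines:
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            if ts is not None:
                yield ts, " ".join(body)
            ts, body = m.group(1), [line[m.end():].strip()]
        elif line and ts is not None:
            body.append(line)
    if ts is not None:
        yield ts, " ".join(body)

def unmapped_sids(lines):
    """Map each SID smbd could not resolve to (first_seen, count)."""
    seen = {}
    for ts, msg in log_entries(lines):
        m = UNMAPPED.search(msg)
        if m:
            first, count = seen.get(m.group(1), (ts, 0))
            seen[m.group(1)] = (first, count + 1)
    return seen

# Constructed sample: the two entries quoted in the thread (the first wrapped
# the way the mail was wrapped), a repeat, and an entry with a made-up SID.
SAMPLE_LOG = """\
[2012/06/22 15:22:10.495700, 0]
smbd/posix_acls.c:1735(create_canon_ace_lists)
create_canon_ace_lists: unable to map SID
S-1-5-21-2516220118-3886572273-1107914255-8269 to uid or gid.
[2012/06/22 15:22:10.498944, 10] smbd/posix_acls.c:3412(posix_get_nt_acl)
  posix_get_nt_acl: called for file test2/New Text Document.txt
[2012/06/22 15:24:02.100000, 0] smbd/posix_acls.c:1735(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID S-1-5-21-2516220118-3886572273-1107914255-8269 to uid or gid.
[2012/06/22 15:25:40.200000, 0] smbd/posix_acls.c:1735(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID S-1-5-21-1111111111-2222222222-3333333333-1001 to uid or gid.
"""

if __name__ == "__main__":
    for sid, (first, count) in unmapped_sids(SAMPLE_LOG.splitlines()).items():
        print(f"{sid}  first seen {first}  failures {count}")
```

Each SID it reports can then be looked up with the net -P ads sid command quoted in the thread to see which account the client was trying to add.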