I have never quite got uid/gid consistency working with member servers. My domain controllers use an LDAP backend so they don't have an issue. All the Unix uids and gids are also in LDAP. This keeps file permissions correct on the member servers when accessing from Windows clients. However, you can NOT manage the file permissions from Windows. The existing permissions show up in Windows as "Unix\someuser" or "unix\somegroup". If you try to change permissions or add a domain user, the permissions don't stick. This limits the flexibility of member servers since users can only change permissions via a Unix session.

This has been with Samba 3.4.x and 3.5.x. My understanding of the documentation is that Samba should be able to use the Unix uid/gid info to create a consistent sid-to-uidNumber and sid-to-gidNumber mapping, but that hasn't been the case for me. I have tried to configure the member servers to look up the id mapping info from the PDC LDAP server in read-only mode. I haven't got it working yet, but I think this is the way to go.




On 07/31/13 21:05, Chris Hayes wrote:

Hi,

I'm wondering how essential it is to ensure that Samba User/Group to
UIDs/GIDs mapping across various Samba servers remain consistent.

I realise that Samba uses the extended ACLs and also uses extended
attributes to store blobs of Windows ACL information; specifically the
reason for this is that Windows ACLs don't map 1:1 with POSIX ones.

Basically, I want to know more about which Samba uses, how much it
tries to keep the two in sync, etc. For example, a moment ago I
changed the POSIX ACLs on a file that already had a security.NTACL
glob in the extended attributes; and my change to the POSIX ACL didn't
show up in the Security Properties information for that file.

By far the best documentation that I've found so far is this thread,
which might be out of date now and still leaves me unsure; as this
suggests that the security.NTACL glob should have been updated.

https://lists.samba.org/archive/samba/2011-February/160799.html

For that specific test, I was running quite an old file server (Samba
3.4.7) because it was what I had installed on an old machine.

Any information would be greatly appreciated.

Kind regards,
-- Chris Hayes