Hi,

I am sure somebody asks this question about once a week. Since I have not found an answer I assume the worst -- it just does not work.

So, here goes my problem. I am testing Samba 3.0.0. I have got UNIX and Windows domain users matching each other one-to-one. The server is running with "security = domain". Everything works fine and all Windows users connecting to Samba get mapped into their respective UNIX user ids. Everything is nice, simple and consistent.

Now I want to enable ACLs and fortunately the host OS supports them fine. Here the trouble starts. It looks like ACLs refuse to work in the absence of winbindd. So I start winbindd and... get random mapping of NT domain accounts into UNIX ids in the range of "idmap uid/gid".

So, for example, if I create a file from the windows side it gets ownership of:

solovam/uid=1001

on the UNIX side. Windows says the owner is:

\SAMBA-SERVER\solovam

Which is already strange, I expect \DOMAIN\solovam like on all NT boxes.

If I try to add an ACL entry for myself to this file, I get a POSIX acl entry for:

???/uid=40000

which is what winbindd assigned for my SID. At this point Windows says this was an ACL entry for user:

\DOMAIN\solovam

So, this is basically the problem. When I connect to Samba server I connect as \DOMAIN\solovam and use domain password. The files I create belong to my UNIX account "solovam". At the same time if I check ownership, I see that I act as \SAMBA-SERVER\solovam! If I try to change ACLs, I am back to being \DOMAIN\solovam, but my SID is now mapped by winbindd to something randomly selected.

Well, there are a lot of funny implications at this point (like change UNIX permissions to 000 and try to add "full control" ACL for the domain user, which resets UNIX permissions again!), but the bottom line is that Samba in this area is completely broken and horribly inconsistent.

I hope I am missing something really obvious, but after a day of looking at documentation I doubt it is so.

--

Anton Solovyev
