Hi *,

I encounter severe problems with changing ACL settings in Samba 3.0.2a after migrating users from NT PDC to LDAP-SAM.

I did not find anything about this in the mailing list yet. However, I have no idea what (if anything) I am doing wrong here. Although I can hardly believe that I am the first one to trigger that bug, it looks like a problem with the sid_to_gid routine. So please take a look at that:

After migrating users from NT4 to Samba you get lots of RIDs that do not match the RID algorithm. As one such user, preferably one with an odd RID, create a new file on some Samba share with Linux ACL enabled. Now open the Properties->Security->??? dialog (Eigenschaften->Sicherheit->Berechtigungen in German) and change anything. Add write permission to everyone, for example. Now take a look at that file in the Linux filesystem, especially the ACL on that file. The owner has lost write permission and some group has got full access instead. The GID of this (possibly not even existing) group is exactly the result of the RID algorithm calculation.

My brief investigations indicate that the function create_canon_ace_lists() from posix_acls.c calls both sid_to_gid() and sid_to_uid() in turn with the same SID just to try if it matches in one case or the other. Unfortunately, sid_to_gid() falls back to algorithmic mapping and in the case shown above it succeeds in calculating a gid out of the migrated user's RID.

Turning off algorithmic RID calculation in general would solve the problem. However, I doubt that this is the correct solution at this time. For example, I would like to keep this algorithmic thing for automatic creation of new (machine) accounts. One possible solution might be to use the algorithmic rid base to open a window of free RIDs for NT user migration. This could possibly be done by checking the return value of pdb_group_rid_to_gid to be a non-negative value before assigning the gid (just a quick shot).

Before I start coding and further testing I would like to get you involved.
First of all, I would like you to either confirm the bug or help me, blind man, to find the misconfiguration on my side.

Best regards,
Sebastian
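
Added example (not part of the original post and not Samba source code): a C sketch of the algorithmic RID mapping the post describes, showing how an odd migrated user RID decodes to a gid and how a non-negative check combined with a raised rid base refuses it. The formula (multiplier 2, low bit as type flag, default base 1000), the function names, the RID 1013 and the base 20000 are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdint.h>

/* Assumptions, not taken from the post: multiplier 2, low bit marks the
 * type (0 = user, 1 = group), default algorithmic rid base 1000. */
#define RID_MULTIPLIER 2
#define USER_RID_TYPE  0
#define GROUP_RID_TYPE 1

static uint32_t uid_to_rid(uint32_t uid, uint32_t base)
{
    return uid * RID_MULTIPLIER + base + USER_RID_TYPE;
}

static uint32_t gid_to_rid(uint32_t gid, uint32_t base)
{
    return gid * RID_MULTIPLIER + base + GROUP_RID_TYPE;
}

/* Unchecked fallback: every RID yields some gid, known group or not. */
static long group_rid_to_gid(uint32_t rid, uint32_t base)
{
    return ((long)rid - (long)base - GROUP_RID_TYPE) / RID_MULTIPLIER;
}

/* Checked variant: RIDs below the base are outside the algorithmic window
 * and are refused. Returns 1 and stores the gid on success, 0 otherwise. */
static int group_rid_to_gid_checked(uint32_t rid, uint32_t base, long *gid)
{
    long offset = (long)rid - (long)base - GROUP_RID_TYPE;
    if (offset < 0)
        return 0;
    *gid = offset / RID_MULTIPLIER;
    return 1;
}

int main(void)
{
    uint32_t migrated_rid = 1013;   /* constructed: odd RID carried over from NT4 */
    long gid = -1;

    printf("uid 6 -> rid %u, gid 6 -> rid %u\n",
           (unsigned)uid_to_rid(6, 1000), (unsigned)gid_to_rid(6, 1000));
    printf("base 1000: user rid %u decodes as gid %ld\n",
           (unsigned)migrated_rid, group_rid_to_gid(migrated_rid, 1000));
    if (!group_rid_to_gid_checked(migrated_rid, 20000, &gid))
        printf("base 20000: rid %u refused, no gid assigned\n", (unsigned)migrated_rid);
    return 0;
}
```

With the base left at 1000 the checked variant still returns gid 6 for RID 1013; the check only has an effect once the base sits above the migrated RIDs.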