On 21/06/12 17:50, Jeremy Allison wrote:
I've done some poking and I've found an answer as to why it won't work with username to username mapping. Quite simply, the client doesn't ask samba to apply an ACL to a username. It is instead asked to apply it to an SIDOn Thu, Jun 21, 2012 at 05:50:45PM +0100, Colin Fowler wrote:Note the DOMAIN and not "Unix User". Clicking apply simply makes the new entry disappear. If username mapping is working correctly, why does adding an ACL for DOMAIN\nigel not set an ACL for Unix User\nigel?I'm not sure username mapping is being done in that codepath. This is designed to work (and normally tested with) winbindd. Jeremy.
[2012/06/22 15:22:10.495700, 0] smbd/posix_acls.c:1735(create_canon_ace_lists) create_canon_ace_lists: unable to map SID S-1-5-21-2516220118-3886572273-1107914255-8269 to uid or gid.
[2012/06/22 15:22:10.498944, 10] smbd/posix_acls.c:3412(posix_get_nt_acl) posix_get_nt_acl: called for file test2/New Text Document.txt I'm not running winbind so samba can't map the SID to a UID. All is not lost though!net -P ads sid S-1-5-21-2516220118-3886572273-1107914255-8269 works correctly.
I can obviously grep the username/groupname out of there and use id to turn it into a valid unix uid or gid
A simple script could do this easily if I add some code to source3/smbd/posix_acls.c and add an option such as "username sid map script =" to the smb.conf.
Is this completely nuts or would a patch like this be accepted? regards, Colin -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Linux] [Info Cyrus] [LARTC] [Bugtraq] [Netfilter] [Internet Dating Forums] [RAID] [Yosemite News] [Photography]