Administrator Maps winbind GID to 100 (sys)

Eric Roseme <eroseme@xxxxxxxxxxxxxxxxxxxx> · Wed, 14 May 2008 15:51:48 -0700

Samba 3.0.22a (with backports from up to 3.0.25) on HP-UX 11iv3 (HP CIFS 

Server), "security=ADS" to W2003R2 domain, winbind running with "idmap 

backend = rid:", and "root = DOMAIN+Administrator" in username.map.

From Administrator on a domain Vista client, using Explore to map a 

share and then set an ACL from Properties/Security/Permissions, I choose 

a Windows group from the list to add to the directory ACL.  The winbind 

GID is 12011.  The correct groupname is displayed in the Explorer 

window, but when doing a getacl from unix, the GID is 100, or sys - the 

Administrator home group.

So I went to /var/opt/samba/locks and deleted all of the cache files and 

restarted - same result.

If I set the directory to a different owner, and add the same GID with a 

different client user, then the correct winbind GID is added to the ACL.

Any idea why Administrator=root maps the sys GID to a winbind group 

name?  Log entry and smb.conf below.  Thanks,

Eric Roseme

[2008/05/14 09:57:02, 10] passdb/passdb.c:local_sid_to_gid(1318)
  local_sid_to_gid: Fall back to algorithmic mapping
[2008/05/14 09:57:02, 10] passdb/passdb.c:local_sid_to_gid(1325)

  local_sid_to_gid: mapping: 

S-1-5-21-463747597-202940698-2940076759-1201 -> 100

[2008/05/14 09:57:02, 10] passdb/lookup_sid.c:sid_to_gid(1245)
  sid_to_gid: S-1-5-21-463747597-202940698-2940076759-1201 -> 100
[2008/05/14 09:57:02, 10] smbd/posix_acls.c:create_canon_ace_lists(1453)
  create_canon_ace_lists: adding dir ACL:

  canon_ace index 0. Type = allow SID = 

S-1-5-21-463747597-202940698-2940076759-1201 gid 100 (100) S

MB_ACL_GROUP perms r-x
[2008/05/14 09:57:02, 10] smbd/posix_acls.c:create_canon_ace_lists(1511)
  create_canon_ace_lists: adding file ACL:

  canon_ace index 0. Type = allow SID = 

S-1-5-21-463747597-202940698-2940076759-1201 gid 100 (100) S

MB_ACL_GROUP perms r-x

# Samba config file created using SWAT
# from 16.93.45.222 (16.93.45.222)
# Date: 2006/04/28 10:10:56

# Global parameters
[global]
	workgroup = SNSLATC
 	realm = SNSLATC.HP.COM
	server string = Samba Server
	interfaces = xx.xxx.xxx.xx
	bind interfaces only = Yes
        netbios name = SERVER14   
	security = ADS             
	client schannel = No
	server schannel = No
	password server = SNSLATC-DC.SNSLATC.HP.COM
	log level = 10
	log file = /var/opt/samba/log.%m
        username map = /etc/opt/samba/username.map
	max log size = 1000
	machine password timeout = 300
	local master = No
	wins server = xx.xxx.xxx.xx
	ldap ssl = no
 	idmap uid = 10000-20000
 	idmap gid = 10000-20000
        idmap backend = rid:SNSLATC=10000-20000
	template homedir = /home/%U
        template shell = /usr/bin/sh
 	winbind separator = +
        winbind use default domain = yes
        allow trusted domains = no
        winbind enum users = yes
        winbind enum groups = yes
	read only = No
	short preserve case = No
  	dos filetime resolution = Yes
#        use kerberos keytab = yes

[homes]
	comment = Home Directories
	valid users = %S
	browseable = No

[tmp]
	comment = Temporary file space
	path = /tmp

[sbx_interface]
      path = /home/sbx_interface

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba