samba-users August 2010 archive

[Samba] Users mapping in security tab

From: tizo <tizone_at_nospam>
Date: Fri Aug 20 2010 - 16:57:28 GMT
To: samba@lists.samba.org

Hi there,

I have a Samba installation acting as a Domain Member with a disk share (the
partition is mounted with acl and user_xattr options). I am not using
winbind, because I want the domain users to be mapped to Unix users.
Everything works right, except for the users in the Windows Explorer security
tab. I will try to explain the situation with an example.

I have a username map that maps Administrator and domainuser into root and
unixuser respectively. I also have another user that does not need the
mapping, as the username is the same in both systems. The three users can
log in correctly to the share, and when a user creates a file, the owner of
the new file is the mapped user corresponding to the logged-in user.

The problem arises in the Windows Explorer security tab of a file. The users
seen there are the Unix users and not the domain ones; for example, I can
see something like "unixuser (Unix User\unixuser)" or for groups "unixgroup
(Unix Group\unixgroup)". I can modify the permissions of an entry here (and
the modifications can be seen in the Posix ACLs in the file), but I cannot
add another user. For example, in a file that does not have the unixuser
entry, I click the Add button, search for domainuser (of course, unixuser
cannot be obtained from here), add him, set some permissions, and when I
click "Apply" the new entry disappears. At that moment, the Samba log says
something like (and the symptoms are the same for the users in the map, and
for the user that has the same username on both systems):

smbd/posix_acls.c:create_canon_ace_lists(1510)
  create_canon_ace_lists: unable to map SID X-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX to uid or gid.

So, I guess that Samba is not using the same mechanism for the login as
for administering ACLs. Maybe that is not possible; I simply do not know
because I am relatively new to Samba. Can someone explain how Samba should
work with the security tab? Shouldn't it map users in both directions so
from Windows only domain users can be seen?

My smb.conf:

[global]
    workgroup = DUMMY
    netbios name = PRUEBA-ARCHIVOS
    server string = %h (Samba %v)
    security = DOMAIN
    username map = /etc/samba/mapeousuarios
    log level = 2
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    name resolve order = wins host bcast
    wins server = 192.168.X.X, 192.168.X.X
    panic action = /usr/share/samba/panic-action %d

[datos-usu]
    path = /exports/datos
    read only = No
    map acl inherit = Yes
    store dos attributes = Yes

Thanks very much,

tizo
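
An added example, not part of the original post: a small Python scanner that pulls the SIDs smbd could not resolve out of log text in the format quoted above and counts them per domain SID and RID, which shows exactly which accounts have no uid/gid mapping when an ACL entry is dropped. The sample log, its SIDs and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout quoted in the post. The SIDs are made up;
# the second entry is wrapped across two lines, as happens when a log is
# pasted into mail.
SAMPLE_LOG = """\
smbd/posix_acls.c:create_canon_ace_lists(1510)
  create_canon_ace_lists: unable to map SID S-1-5-21-1111111111-2222222222-3333333333-1105 to uid or gid.
smbd/posix_acls.c:create_canon_ace_lists(1510)
  create_canon_ace_lists: unable to map SID
S-1-5-21-1111111111-2222222222-3333333333-1105 to uid or gid.
smbd/posix_acls.c:create_canon_ace_lists(1510)
  create_canon_ace_lists: unable to map SID S-1-5-21-1111111111-2222222222-3333333333-513 to uid or gid.
smbd/example.c:example(0)
  unrelated message that must be ignored
"""

# \s+ also matches a newline, so a wrapped SID is still picked up.
UNMAPPED = re.compile(
    r"create_canon_ace_lists: unable to map SID\s+(S-\d+(?:-\d+)+)\s+to uid or gid"
)


def unmapped_sids(log_text):
    """Return a Counter of SID string -> number of failed mappings."""
    return Counter(UNMAPPED.findall(log_text))


def split_sid(sid):
    """Split a SID into (domain SID, RID); the RID is the last sub-authority."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def report(log_text):
    """List (domain_sid, rid, count) tuples, most frequent failure first."""
    rows = [split_sid(sid) + (n,) for sid, n in unmapped_sids(log_text).items()]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    for domain, rid, count in report(SAMPLE_LOG):
        print(f"{count:3d}x  domain={domain}  rid={rid}")
```

Run it against the real per-client files named by `log file = /var/log/samba/log.%m`; a masked SID such as the one in the post will not match, because the pattern expects numeric sub-authorities.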