[Samba] Administrator Maps winbind GID to 100 (sys)
- Date: Wed, 14 May 2008 15:51:48 -0700
- From: Eric Roseme <eroseme@xxxxxxxxxxxxxxxxxxxx>
- Subject: [Samba] Administrator Maps winbind GID to 100 (sys)
Samba 3.0.22a (with backports from up to 3.0.25) on HP-UX 11iv3 (HP CIFS Server), "security=ADS" to W2003R2 domain, winbind running with "idmap backend = rid:", and "root = DOMAIN+Administrator" in username.map.
From Administrator on a domain Vista client, using Explore to map a share and then set an ACL from Properties/Security/Permissions, I choose a Windows group from the list to add to the directory ACL. The winbind GID is 12011. The correct groupname is displayed in the Explorer window, but when doing a getacl from unix, the GID is 100, or sys - the Administrator home group.
So I went to /var/opt/samba/locks and deleted all of the cache files and restarted - same result.
If I set the directory to a different owner, and add the same GID with a different client user, then the correct winbind GID is added to the ACL.
Any idea why Administrator=root maps the sys GID to a winbind group name? Log entry and smb.conf below. Thanks,
Eric Roseme

[2008/05/14 09:57:02, 10] passdb/passdb.c:local_sid_to_gid(1318)
  local_sid_to_gid: Fall back to algorithmic mapping
[2008/05/14 09:57:02, 10] passdb/passdb.c:local_sid_to_gid(1325)
  local_sid_to_gid: mapping: S-1-5-21-463747597-202940698-2940076759-1201 -> 100
[2008/05/14 09:57:02, 10] passdb/lookup_sid.c:sid_to_gid(1245)
  sid_to_gid: S-1-5-21-463747597-202940698-2940076759-1201 -> 100
[2008/05/14 09:57:02, 10] smbd/posix_acls.c:create_canon_ace_lists(1453)
  create_canon_ace_lists: adding dir ACL:canon_ace index 0. Type = allow SID = S-1-5-21-463747597-202940698-2940076759-1201 gid 100 (100) SMB_ACL_GROUP perms r-x
[2008/05/14 09:57:02, 10] smbd/posix_acls.c:create_canon_ace_lists(1511)
  create_canon_ace_lists: adding file ACL:canon_ace index 0. Type = allow SID = S-1-5-21-463747597-202940698-2940076759-1201 gid 100 (100) SMB_ACL_GROUP perms r-x

# Samba config file created using SWAT
# from 16.93.45.222 (16.93.45.222)
# Date: 2006/04/28 10:10:56
# Global parameters
[global]
workgroup = SNSLATC
realm = SNSLATC.HP.COM
server string = Samba Server
interfaces = xx.xxx.xxx.xx
bind interfaces only = Yes
netbios name = SERVER14
security = ADS
client schannel = No
server schannel = No
password server = SNSLATC-DC.SNSLATC.HP.COM
log level = 10
log file = /var/opt/samba/log.%m
username map = /etc/opt/samba/username.map
max log size = 1000
machine password timeout = 300
local master = No
wins server = xx.xxx.xxx.xx
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
idmap backend = rid:SNSLATC=10000-20000
template homedir = /home/%U
template shell = /usr/bin/sh
winbind separator = +
winbind use default domain = yes
allow trusted domains = no
winbind enum users = yes
winbind enum groups = yes
read only = No
short preserve case = No
dos filetime resolution = Yes
# use kerberos keytab = yes
[homes]
comment = Home Directories
valid users = %S
browseable = No
[tmp]
comment = Temporary file space
path = /tmp
[sbx_interface]
path = /home/sbx_interface
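
A check for the symptom described in this post, added here as an example and not part of the original message or of Samba: it scans level-10 smbd log text for sid_to_gid results that fall outside the configured "idmap gid" range, which means an ACL entry is landing on a local group instead of the winbind one. The function names are hypothetical, and the last sample log entry is constructed.

```python
import re

# First three entries are from the post; the last one is constructed for contrast.
SAMPLE_LOG = """\
[2008/05/14 09:57:02, 10] passdb/passdb.c:local_sid_to_gid(1318)
  local_sid_to_gid: Fall back to algorithmic mapping
[2008/05/14 09:57:02, 10] passdb/passdb.c:local_sid_to_gid(1325)
  local_sid_to_gid: mapping: S-1-5-21-463747597-202940698-2940076759-1201 -> 100
[2008/05/14 09:57:02, 10] passdb/lookup_sid.c:sid_to_gid(1245)
  sid_to_gid: S-1-5-21-463747597-202940698-2940076759-1201 -> 100
[2008/05/14 10:02:11, 10] passdb/lookup_sid.c:sid_to_gid(1245)
  sid_to_gid: S-1-5-21-463747597-202940698-2940076759-1305 -> 11305
"""
SAMPLE_CONF = "idmap gid = 10000-20000\n"  # line taken from the posted smb.conf

# Final result line only; the lookbehind skips "local_sid_to_gid: mapping:".
SID_TO_GID = re.compile(r"(?<![A-Za-z_])sid_to_gid: (S-1-[0-9-]+) -> (\d+)")
FALLBACK = "local_sid_to_gid: Fall back to algorithmic mapping"
IDMAP_GID = re.compile(r"^\s*idmap gid\s*=\s*(\d+)\s*-\s*(\d+)", re.M)

def idmap_gid_range(conf_text):
    """Return (low, high) from the 'idmap gid' line of an smb.conf."""
    m = IDMAP_GID.search(conf_text)
    if m is None:
        raise ValueError("no 'idmap gid' range in configuration")
    return int(m.group(1)), int(m.group(2))

def suspicious_mappings(log_text, gid_range):
    """List domain SIDs that resolved to a GID outside the winbind range."""
    low, high = gid_range
    findings, fell_back = [], False
    for line in log_text.splitlines():
        if FALLBACK in line:
            fell_back = True  # remember that passdb took the fallback path
            continue
        m = SID_TO_GID.search(line)
        if m:
            sid, gid = m.group(1), int(m.group(2))
            if not low <= gid <= high:
                findings.append({"sid": sid, "gid": gid, "after_fallback": fell_back})
            fell_back = False
    return findings

if __name__ == "__main__":
    for f in suspicious_mappings(SAMPLE_LOG, idmap_gid_range(SAMPLE_CONF)):
        print(f)
```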