I use samba-3.0.21b and kernel-2.6.9-22.0.2.ELsmp (RedHat EL4) as PDC. All the user accounts are stored in LDAP. This all works well.

I use samba-3.0.21b and kernel-2.6.15.4 (RedHat FC4) as Domain Member, hostname NFS1.

NFS1 smb.conf:

    [global]
        workgroup = LOCAL
        netbios name = NFS1
        security = domain
        password server = *
        guest ok = no
        guest account = guest
        null passwords = yes
        map to guest = bad user
        enable privileges = yes
        local master = no
        os level = 33
        domain master = no
        preferred master = no
        wins support = no
        passdb backend = ldapsam:ldaps://ldap.local
        ldap ssl = on
        ldap suffix = dc=local
        ldap admin dn = cn=admin,dc=local
        ldap user suffix = ou=users
        ldap group suffix = ou=group
        ldap machine suffix = ou=computers
        ldap idmap suffix = ou=users
        idmap backend = ldap:ldaps://ldap.local
        winbind use default domain = yes
        winbind cache time = 900

    [tmp]
        path = /home/test
        browseable = yes
        nt acl support = yes
        inherit acls = yes
        map acl inherit = yes
        read only = no
        admin users = @"Domain Admins"

The file system /home supports ACLs:

    # mount | grep home
    /dev/hda3 on /home type ext3 (rw,noatime,acl,user_xattr)

Host NFS1 uses LDAP via pam_ldap and nss_ldap.

    service smb start
    service winbind start

NFS1 joins domain LOCAL:

    # net rpc join -Uadministrator
    Password:
    Joined domain LOCAL.

Example:

    # mkdir /home/test/123
    # setfacl -m u:promtov:rwx /home/test/123
    # getfacl /home/test/123
    # file: /home/test/123
    # owner: root
    # group: root
    user::rwx
    user:promtov:rwx
    group::r-x
    mask::rwx
    other::r-x

Then, when you open the ACL dialog in Windows Explorer, we see the correct ACL LOCAL\promtov. When adding a new ACL from the Windows Explorer dialog, the new ACL disappears!
NFS1 log level 4:

    [2006/02/14 18:05:45, 5] lib/smbldap.c:smbldap_search_ext(1080)
      smbldap_search_ext: base =>[ou=group,dc=local], filter =>[(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-113194080-3713674248-2964181031-7264))], scope => [2]
    [2006/02/14 18:05:45, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
      pop_sec_ctx (0, 512) - sec_ctx_stack_ndx = 0
    [2006/02/14 18:05:45, 0] smbd/posix_acls.c:create_canon_ace_lists(1405)
      create_canon_ace_lists: unable to map SID S-1-5-21-113194080-3713674248-2964181031-7264 to uid or gid.

Why does it search in ou=group,dc=local??! I added the _user_ promtov (S-1-5-21-113194080-3713674248-2964181031-7264), who is located in ou=users!! The same manipulations on the PDC are correct!
In addition: any actions (Domain Members) with ACL groups are also correct. The SID search uses ldap group suffix = ou=groups, irrespective of the smb.conf settings:

    ldap user suffix = ou=users
    ldap group suffix = ou=group

Anyone have any ideas?
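A diagnostic for the situation described in the report, written here as an added example (it is not Samba code and not the reporter's): it reads the ldap *suffix keys from an smb.conf fragment and builds the full base DN for each container the way Samba does (partial suffix prepended to ldap suffix), extracts from each smbldap_search_ext log line the SID in the filter and the base it was searched under, and for every "unable to map SID" failure lists the configured containers that were never searched for that SID. Run against the log above it shows the user SID being looked up only under ou=group,dc=local and never under ou=users,dc=local. The embedded smb.conf and log text are constructed from the values in this report; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed smb.conf fragment (only the LDAP suffix keys from the report).
SMB_CONF = """
[global]
    ldap suffix = dc=local
    ldap user suffix = ou=users
    ldap group suffix = ou=group
    ldap machine suffix = ou=computers
    ldap idmap suffix = ou=users
"""

# Constructed smbd log excerpt modelled on the level-4 log in the report.
LOG = """
[2006/02/14 18:05:45, 5] lib/smbldap.c:smbldap_search_ext(1080)
  smbldap_search_ext: base =>[ou=group,dc=local], filter =>[(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-113194080-3713674248-2964181031-7264))], scope => [2]
[2006/02/14 18:05:45, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 512) - sec_ctx_stack_ndx = 0
[2006/02/14 18:05:45, 0] smbd/posix_acls.c:create_canon_ace_lists(1405)
  create_canon_ace_lists: unable to map SID S-1-5-21-113194080-3713674248-2964181031-7264 to uid or gid.
"""

# "ldap suffix", "ldap user suffix", "ldap group suffix", ... ; group 1 is the container name.
SUFFIX_RE = re.compile(r"^\s*ldap(?: (user|group|machine|idmap))? suffix\s*=\s*(\S+)", re.I)
SEARCH_BASE_RE = re.compile(r"base =>\[([^\]]+)\]")
SEARCH_SID_RE = re.compile(r"sambaSID=(S-[0-9-]+)")
UNMAPPED_RE = re.compile(r"unable to map SID (S-[0-9-]+) to uid or gid")


def norm_dn(dn):
    """Normalise a DN for comparison: drop spaces, lower-case."""
    return dn.replace(" ", "").lower()


def parse_ldap_suffixes(conf):
    """Return {container: full base DN}. Samba prepends each partial
    suffix (ou=users) to 'ldap suffix' (dc=local) to form the search base."""
    raw = {}
    for line in conf.splitlines():
        m = SUFFIX_RE.match(line)
        if m:
            raw[m.group(1) or "base"] = m.group(2)
    if "base" not in raw:
        raise ValueError("ldap suffix is not set")
    base = raw["base"]
    return {name: norm_dn(f"{val},{base}") for name, val in raw.items() if name != "base"}


def parse_sid_searches(log):
    """Map each SID that appears in a search filter to the set of bases it was searched under."""
    searched = defaultdict(set)
    for line in log.splitlines():
        b = SEARCH_BASE_RE.search(line)
        s = SEARCH_SID_RE.search(line)
        if b and s:
            searched[s.group(1)].add(norm_dn(b.group(1)))
    return searched


def parse_unmapped_sids(log):
    """SIDs that smbd reported it could not map to a uid or gid, in log order."""
    sids = []
    for line in log.splitlines():
        m = UNMAPPED_RE.search(line)
        if m:
            sids.append(m.group(1))
    return sids


def diagnose(conf, log):
    """For every unmapped SID: which configured bases were searched, and which never were."""
    configured = set(parse_ldap_suffixes(conf).values())
    searched = parse_sid_searches(log)
    report = {}
    for sid in parse_unmapped_sids(log):
        bases = searched.get(sid, set())
        report[sid] = {
            "searched": sorted(bases),
            "not_searched": sorted(configured - bases),
        }
    return report


if __name__ == "__main__":
    for sid, info in diagnose(SMB_CONF, LOG).items():
        print(sid)
        print("  searched under:     ", ", ".join(info["searched"]) or "(nothing)")
        print("  never searched under:", ", ".join(info["not_searched"]) or "(nothing)")
```

A non-empty "never searched under" list containing the user container is the signature of the behaviour in this report (the lookup stops at the group suffix); an empty list with the SID still unmapped would instead point at the LDAP entry itself (missing sambaSID or sambaSamAccount attributes on the user).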
I'm marking this fixed in 3.0.23 since we have reworked a lot of code surrounding users/groups in the current SAMBA_3_0 tree.