Bug 3511 - samba domain members: ACL's fails
Summary: samba domain members: ACL's fails
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: File Services (show other bugs)
Version: 3.0.21b
Hardware: x86 Linux
: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-02-14 05:05 UTC by Andrey
Modified: 2006-04-10 07:18 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andrey 2006-02-14 05:05:46 UTC 
I use samba-3.0.21b and kernel-2.6.9-22.0.2.ELsmp (RedHat EL4) as PDC. All the user accounts are stored in LDAP.
This all works well.

I use samba-3.0.21b and kernel-2.6.15.4 (RedHat FC4) as Domain Members, hostname NFS1.
NFS1 smb.conf:
[global]
    workgroup = LOCAL
    netbios name = NFS1
    security = domain
    password server = *
    guest ok = no
    guest account = guest
    null passwords = yes
    map to guest = bad user
    enable privileges = yes
    local master = no
    os level = 33
    domain master = no
    preferred master = no
    wins support = no
    passdb backend = ldapsam:ldaps://ldap.local
    ldap ssl = on
    ldap suffix = dc=local
    ldap admin dn = cn=admin,dc=local
    ldap user suffix = ou=users
    ldap group suffix = ou=group
    ldap machine suffix = ou=computers
    ldap idmap suffix = ou=users
    idmap backend = ldap:ldaps://ldap.local
    winbind use default domain = yes
    winbind cache time = 900
[tmp]
   path = /home/test
   browseable = yes
   nt acl support = yes
   inherit acls = yes
   map acl inherit = yes
   read only = no
   admin users = @"Domain Admins"

The file system /home supports ACL.
# mount | grep home
/dev/hda3 on /home type ext3 (rw,noatime,acl,user_xattr)

Hostname NFS1 use LDAP using pam_ldap and nss_ldap.

service smb start
service winbind start

NFS1 join domain LOCAL
# net rpc join -Uadministrator
Password:
Joined domain LOCAL.

example:

# mkdir /home/test/123
# setfacl -m u:promtov:rwx /home/test/123
# getfacl u:promtov:rwx /home/test/123

# file: /home/test/123
# owner: root
# group: root
user::rwx
user:promtov:rwx
group::r-x
mask::rwx
other::r-x

Then, you open ACLs dialog with Windows Explorer, We see correct ACL LOCAL\promtov.
At addition new ACL from a dialog with Windows Explorer, new ACL disappears!

NFS1 loglevel 4:
[2006/02/14 18:05:45, 5] lib/smbldap.c:smbldap_search_ext(1080)
                          smbldap_search_ext: base =>[ou=group,dc=local],
                        filter =>[(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-113194080-3713674248-2964181031-7264))],
                        scope => [2]
[2006/02/14 18:05:45, 3] smbd/sec_ctx.c:pop_sec_ctx(386) pop_sec_ctx (0, 512) - sec_ctx_stack_ndx = 0
[2006/02/14 18:05:45, 0] smbd/posix_acls.c:create_canon_ace_lists(1405)
                         create_canon_ace_lists: unable to map SID
                         S-1-5-21-113194080-3713674248-2964181031-7264 to uid or gid.

Why searches in ou=group,dc=local ??! 
I added the _user_ promtov (S-1-5-21-113194080-3713674248-2964181031-7264) who is located in ou=users. !!
The same manipulations on PDC are correct!
Comment 1 Andrey 2006-02-21 23:34:02 UTC 
In addition.
Any actions (Domain Members) with ACL groups also are correct.
SID searches in a way ldap group suffix = ou=groups, 
irrespective of a smb.conf:
ldap user suffix = ou=users
ldap group suffix = ou=group

Anyone any ideas ?
Comment 2 Gerald (Jerry) Carter (dead mail address) 2006-04-10 07:18:16 UTC 
I'm marking this fixed in 3.0.23 since we have reworked a lot of 
code surrounding users/groups in the current SAMBA_3_0 tree.