while trying to clone an NT server's ACLs using various ACL-cloning tools (BX tools, sectools) I repeatedly got "access denied" messages from the server. Investigation reveals that this is due to the fact that Samba is unable to resolve the SIDs, since they are foreign, and thus the ACLs are discarded. The process fails early enough that none of the ACLs are applied, even if there are ACLs there that Samba /would/ be able to parse (e.g. Everyone, or domain usernames)
won't address this now. Marking a 'later'.
originally reported against one of the 3.0.0rc[1-4] releases. Cleaning up non-production versions.
Created attachment 968 [details] samba-3.0.11-orphan_sids.patch We had the same issue: Using robocopy to migrate files from Windows to linux/samba (v3.0.11) is failing to migrate ACLs for some of folders- getting "Access Denied" on Windows and "create_canon_ace_lists: unable to map SID S-1-5-21.... to uid or gid." in samba log. Attached is the patch that works for us. You also have to set "force unknown acl user = Yes" in your smb.conf (reintroduced in samba-3.0.6 by Guenther Deschner).
database cleanup