Bug 402 - can't call set_nt_acl with foreign SID
Status: RESOLVED LATER
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Version: 3.0.0preX
Hardware: All Linux
Importance: P3 normal
Assigned To: Samba Bugzilla Account
Reported: 2003-09-04 06:57 UTC by Waider
Modified: 2005-11-14 09:29 UTC

Attachments
samba-3.0.11-orphan_sids.patch (816 bytes, patch)
2005-02-16 11:19 UTC, mezozoy

Description Waider 2003-09-04 06:57:44 UTC
While trying to clone an NT server's ACLs using various ACL-cloning tools (BX
tools, sectools) I repeatedly got "access denied" messages from the server.
Investigation reveals that this is due to the fact that Samba is unable to
resolve the SIDs, since they are foreign, and thus the ACLs are discarded. The
process fails early enough that none of the ACLs are applied, even if there are
ACLs there that Samba /would/ be able to parse (e.g. Everyone, or domain usernames).
Comment 1 Gerald (Jerry) Carter 2004-03-12 07:06:23 UTC
Won't address this now.  Marking as 'later'.
Comment 2 Gerald (Jerry) Carter 2005-02-07 09:06:01 UTC
Originally reported against one of the 3.0.0rc[1-4] releases.
Cleaning up non-production versions.
Comment 3 mezozoy 2005-02-16 11:19:36 UTC
Created attachment 968
samba-3.0.11-orphan_sids.patch

We had the same issue:
Using robocopy to migrate files from Windows to Linux/Samba (v3.0.11) is
failing to migrate ACLs for some of the folders, getting "Access Denied" on Windows
and "create_canon_ace_lists: unable to map SID S-1-5-21.... to uid or gid." in
the Samba log.
  Attached is the patch that works for us. You also have to set "force unknown
acl user = Yes" in your smb.conf (reintroduced in samba-3.0.6 by Guenther
Deschner).
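
Added example, not part of the original report and not Samba code: a Python script that inventories the SIDs smbd could not map, keyed on the log message quoted in comment 3, so the orphaned accounts can be reviewed before "force unknown acl user" is enabled. The log header lines, domain identifiers and RIDs in the sample are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Message text as quoted in comment 3; the SID pattern is the usual
# S-1-<authority>-<subauthority>... string form.
UNMAPPED = re.compile(
    r"create_canon_ace_lists: unable to map SID (S-1(?:-\d+)+) to uid or gid"
)

# Constructed sample input: the domain identifiers, RIDs, timestamps and
# header lines below are made up for this example.
DOM_A = "S-1-5-21-1111111111-2222222222-3333333333"
DOM_B = "S-1-5-21-4444444444-5555555555-6666666666"
SAMPLE_LOG = "\n".join([
    "[2005/02/16 11:02:14, 0] smbd/posix_acls.c:create_canon_ace_lists(0)",
    f"  create_canon_ace_lists: unable to map SID {DOM_A}-1105 to uid or gid.",
    "[2005/02/16 11:02:15, 1] smbd/service.c:make_connection_snum(0)",
    "  client1 connect to service data",
    "[2005/02/16 11:02:19, 0] smbd/posix_acls.c:create_canon_ace_lists(0)",
    f"  create_canon_ace_lists: unable to map SID {DOM_A}-1105 to uid or gid.",
    "[2005/02/16 11:02:23, 0] smbd/posix_acls.c:create_canon_ace_lists(0)",
    f"  create_canon_ace_lists: unable to map SID {DOM_A}-1132 to uid or gid.",
    "[2005/02/16 11:03:01, 0] smbd/posix_acls.c:create_canon_ace_lists(0)",
    f"  create_canon_ace_lists: unable to map SID {DOM_B}-500 to uid or gid.",
])


def unmapped_sids(log_text):
    """Count how often each SID failed to map to a uid or gid."""
    return Counter(m.group(1) for m in UNMAPPED.finditer(log_text))


def by_domain(counts):
    """Group SIDs by prefix (the SID without its final RID)."""
    domains = {}
    for sid, hits in counts.items():
        prefix, _, rid = sid.rpartition("-")
        domains.setdefault(prefix, {})[int(rid)] = hits
    return domains


if __name__ == "__main__":
    # Report each foreign domain and the RIDs that need a mapping decision.
    for prefix, rids in sorted(by_domain(unmapped_sids(SAMPLE_LOG)).items()):
        print(prefix)
        for rid, hits in sorted(rids.items()):
            print(f"  RID {rid}: {hits} failed set-ACL attempt(s)")
```

Run it against the real smbd log by passing the file contents to unmapped_sids(); a log line whose SID is truncated, like the one quoted above, will not match.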
Comment 4 Gerald (Jerry) Carter 2005-11-14 09:29:03 UTC
database cleanup