Bug 402 - can't call set_nt_acl with foreign SID
Summary: can't call set_nt_acl with foreign SID
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: File Services (show other bugs)
Version: 3.0.0preX
Hardware: All Linux
: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact:
Depends on:
Reported: 2003-09-04 06:57 UTC by Waider
Modified: 2005-11-14 09:29 UTC (History)
1 user (show)

See Also:

samba-3.0.11-orphan_sids.patch (816 bytes, patch)
2005-02-16 11:19 UTC, mezozoy
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Waider 2003-09-04 06:57:44 UTC
while trying to clone an NT server's ACLs using various ACL-cloning tools (BX
tools, sectools) I repeatedly got "access denied" messages from the server.
Investigation reveals that this is due to the fact that Samba is unable to
resolve the SIDs, since they are foreign, and thus the ACLs are discarded. The
process fails early enough that none of the ACLs are applied, even if there are
ACLs there that Samba /would/ be able to parse (e.g. Everyone, or domain usernames)
Comment 1 Gerald (Jerry) Carter (dead mail address) 2004-03-12 07:06:23 UTC
won't address this now.  Marking a 'later'.
Comment 2 Gerald (Jerry) Carter (dead mail address) 2005-02-07 09:06:01 UTC
originally reported against one of the 3.0.0rc[1-4] releases.
Cleaning up non-production versions.
Comment 3 mezozoy 2005-02-16 11:19:36 UTC
Created attachment 968 [details]

We had the same issue:
Using robocopy to migrate files from Windows to linux/samba (v3.0.11) is
failing to migrate ACLs for some of folders- getting "Access Denied" on Windows
and "create_canon_ace_lists: unable to map SID S-1-5-21.... to uid or gid." in
samba log.
  Attached is the patch that works for us. You also have to set "force unknown
acl user = Yes" in your smb.conf (reintroduced in samba-3.0.6 by Guenther
Comment 4 Gerald (Jerry) Carter (dead mail address) 2005-11-14 09:29:03 UTC
database cleanup