In Windows the owner can be a group SID, too, not only a user SID. When a client sets the owner to a group SID, Samba returns NT_STATUS_INVALID_OWNER because in posix_acl.c line 1200 sid_to_uid fails with group SIDs. Several users reported problems due to this limitation in the last years, and it can be reproduced easily by setting the homepath of a user to a deep UNC path that does not (yet) exist using NT4 usrmgr. In the logs you get:
[2011/05/18 11:05:54.544583, 10] smbd/posix_acls.c:3851(set_nt_acl) set_nt_acl: called for file dummy/dnwaq
[2011/05/18 11:05:54.544607, 5] smbd/posix_acls.c:1191(unpack_nt_owners) unpack_nt_owners: validating owner_sids.
[2011/05/18 11:05:54.544625, 3] smbd/posix_acls.c:1208(unpack_nt_owners) unpack_nt_owners: unable to validate owner sid for S-1-5-32-544
[2011/05/18 11:05:54.544644, 10] smbd/open.c:3210(create_file_unixpath) create_file_unixpath: NT_STATUS_INVALID_OWNER
[2011/05/18 11:05:54.544669, 10] lib/dbwrap_tdb.c:100(db_tdb_fetch_locked) Locking key 01080000000000000E60
[2011/05/18 11:05:54.544687, 10] lib/dbwrap_tdb.c:129(db_tdb_fetch_locked) Allocated locked data 0x0xb824ceb8
[2011/05/18 11:05:54.544703, 10] locking/locking.c:552(parse_share_modes) parse_share_modes: delete_on_close: 0, owrt: Wed 18 May 2011 11:05:54 AM CEST CEST, cwrt: Thu 01 Jan 1970 01:00:00 AM CET CET, tok: 0, num_share_modes: 1
[2011/05/18 11:05:54.544749, 10] locking/locking.c:655(parse_share_modes) parse_share_modes: share_mode_entry[0]: pid = 4258, share_access = 0x3, private_options = 0x1, access_mask = 0x100081, mid = 0x0, type= 0x0, gen_id = 1, uid = 1003, flags = 0, file_id 801:68600e:0
[2011/05/18 11:05:54.544770, 10] lib/dbwrap_tdb.c:42(db_tdb_record_destr) Unlocking key 01080000000000000E60
[2011/05/18 11:05:54.544799, 5] smbd/files.c:497(file_free) freed files structure 11088 (0 used)
[2011/05/18 11:05:54.544816, 10] smbd/open.c:3463(create_file_default) create_file: NT_STATUS_INVALID_OWNER
[2011/05/18 11:05:54.544835, 3] smbd/error.c:80(error_packet_set) error packet at smbd/error.c(160) cmd=160 (SMBnttrans) NT_STATUS_INVALID_OWNER
A limited hack to work around this would be to "set force unknown acl user" but a real fix for this would be good.
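For triaging this failure in a larger smbd debug log, the following Python script (an added example, not part of the original report and not Samba code) pairs each set_nt_acl call with the owner SID that unpack_nt_owners could not validate and with the resulting status. The function names and the sample layout are assumptions of this example; the log text itself is copied from the report above.

```python
import re

# smbd debug header: "[timestamp, level] source.c:line(function)"; message text follows.
HEADER = re.compile(
    r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s+(\d+)\]\s+(\S+?):(\d+)\((\w+)\)")
SID = re.compile(r"S-\d+(?:-\d+)+")

# Constructed sample: four records copied from the report above,
# laid out as one header line plus one message line each.
SAMPLE_LOG = """\
[2011/05/18 11:05:54.544583, 10] smbd/posix_acls.c:3851(set_nt_acl)
  set_nt_acl: called for file dummy/dnwaq
[2011/05/18 11:05:54.544607, 5] smbd/posix_acls.c:1191(unpack_nt_owners)
  unpack_nt_owners: validating owner_sids.
[2011/05/18 11:05:54.544625, 3] smbd/posix_acls.c:1208(unpack_nt_owners)
  unpack_nt_owners: unable to validate owner sid for S-1-5-32-544
[2011/05/18 11:05:54.544644, 10] smbd/open.c:3210(create_file_unixpath)
  create_file_unixpath: NT_STATUS_INVALID_OWNER
"""

def records(text):
    """Yield (timestamp, function, message) per debug record.

    Splitting on the header works whether the message sits on the next
    line or the whole log was flattened onto one line."""
    parts = HEADER.split(text)  # [prefix, ts, level, src, line, func, msg, ts, ...]
    for i in range(1, len(parts), 6):
        ts, _level, _src, _line, func, msg = parts[i:i + 6]
        yield ts, func, " ".join(msg.split())

def rejected_owner_changes(text):
    """Return one finding per owner SID that smbd could not map to a uid."""
    findings, current_file, pending = [], None, None
    for ts, func, msg in records(text):
        if func == "set_nt_acl" and "called for file" in msg:
            current_file = msg.split("called for file", 1)[1].strip()
        elif func == "unpack_nt_owners" and "unable to validate owner sid" in msg:
            sid = SID.search(msg)
            pending = {"time": ts, "file": current_file,
                       "sid": sid.group(0) if sid else None, "status": None}
            findings.append(pending)
        elif pending and pending["status"] is None and "NT_STATUS_INVALID_OWNER" in msg:
            pending["status"] = "NT_STATUS_INVALID_OWNER"  # confirms the client-visible error
    return findings

if __name__ == "__main__":
    for f in rejected_owner_changes(SAMPLE_LOG):
        print(f)
```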
Please describe exactly how "a real fix for this" would work on a POSIX system.
Jeremy.
As discussed with obnox and metze, this could be solved by a more sophisticated idmapping which allows sid<>uid mappings for group SIDs. This is not an enhancement but rather a major bug, as we refuse valid nt create calls with a misleading INVALID_OWNER error.
Bjorn, this is the VERY DEFINITION of an enhancement. Please don't change the importance field again.
Jeremy.
(In reply to comment #3)
> Bjorn, this is the VERY DEFINITION of an enhancement. Please don't change the
> importance field again.
>
> Jeremy.
Err, what is the very definition of an enhancement?
"Fix for a bug that has been around for very long..." :-)
Cheers - Michael
(In reply to comment #4)
> (In reply to comment #3)
> > Bjorn, this is the VERY DEFINITION of an enhancement. Please don't change the
> > importance field again.
> >
> > Jeremy.
>
> Err, what is the very definition of an enhancement?
> "Fix for a bug that has been around for very long..."
Isn't the fix for this in 4.0 (and master)? There we have support for IDMAP_BOTH. The remaining problem is that not all backends support it yet.
This is not a blocker for 4.2
(In reply to comment #6)
> This is not a blocker for 4.2
Currently, this one blocks bug #10077. Should it be removed or not?
Yeah, I think it can now be removed as smbd supports IDMAP_BOTH.
Jeremy.
Should be fixed in 4.x.y