From: Ralph B. <rb...@ne...> - 2013-12-05 18:16:31
Andreas

On 05.12.2013 at 17:59, Andreas Triller <And...@zw...> wrote:

> I have a test setup consisting of an Ubuntu 12.04 VM with netatalk 3.1.0 compiled from source, which shall replace a physical Mac OS X file server in the future.
> The Mac server is joined to the Active Directory and works fine, including file system ACLs involving ADS users and groups. Its ADS connector generates Unix UIDs and GIDs from ADS UUIDs.
> Example: ADS UUID of a user: {463841ea-c5ad-4ef7-b6cc-840605b3a536}
> Mac OS UID = 1178092010
> This is derived from the first block (463841ea) converted to decimal, as it seems.
>
> My problem is this: The Linux box is also joined to ADS via Samba winbind. Netatalk uses ldap as well to make UUID mapping consistent.
> Winbind uses some kind of different mapping (tried default one and idmap backend = rid).
> It generates Unix UIDs from the last part of the SID in ADS, as documented in the Samba manual.
> This results in error messages on a Mac client, because the Finder sees the correct ADS user name, but with a different UID (ls -l in the Terminal.app on the client shows the Linux UID which is different from the one Mac OS computes for the same ADS user).
>
> I have not managed to sync the file system UID on the Linux side with that of Mac OS.
> Or am I getting this completely wrong and there is something else I need to do?
> If I deactivate ldap in netatalk the UIDs in Terminal.app are correct, but then the client's Finder shows no useful ACL information and I cannot make changes there.
>
> Has anyone managed to get this kind of setup working, including single sign on and consistent UUIDs?

afair I've run into this issue before too. What would be needed here is a new Samba idmap backend that generated ids the same way OS X does (i.e. from the first four bytes of the UUID).

Cheers!
-Ralph

--
Ralph Böhme <rb...@ne...>
Netatalk Developer | Support | Services
http://www.netafp.com/
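
The two mappings discussed in this thread, side by side, as an added example (not code from the thread, netatalk or Samba). It assumes the GUID-based UID is the first 32 bits of the printed GUID, as the thread describes; the function names, the SID and the idmap range are constructed for illustration.

```python
import uuid
from collections import defaultdict

THREAD_GUID = "{463841ea-c5ad-4ef7-b6cc-840605b3a536}"  # example user from the thread


def to_guid(value) -> uuid.UUID:
    """Accept a textual GUID (braces optional) or the 16 raw objectGUID bytes from LDAP."""
    if isinstance(value, (bytes, bytearray)):
        if len(value) != 16:
            raise ValueError("raw objectGUID must be 16 bytes")
        # AD stores the first three GUID fields little-endian, so the first
        # four raw bytes are byte-swapped relative to the printed form.
        return uuid.UUID(bytes_le=bytes(value))
    return uuid.UUID(str(value))


def guid_uid(value) -> int:
    """UID as described in the thread: first 32 bits of the printed GUID."""
    return to_guid(value).int >> 96


def rid_uid(sid: str, range_low: int, base_rid: int = 0) -> int:
    """idmap_rid formula from the Samba manual: ID = RID - BASE_RID + LOW_RANGE_ID."""
    return int(sid.rsplit("-", 1)[1]) - base_rid + range_low


def uid_collisions(guids) -> dict:
    """Group GUIDs that truncate to the same 32-bit UID (96 bits are dropped)."""
    by_uid = defaultdict(list)
    for g in guids:
        by_uid[guid_uid(g)].append(str(to_guid(g)))
    return {uid: gs for uid, gs in by_uid.items() if len(gs) > 1}


if __name__ == "__main__":
    raw = uuid.UUID(THREAD_GUID).bytes_le        # what an LDAP query would return
    print(guid_uid(THREAD_GUID), guid_uid(raw))  # both encodings give the same UID
    print(int.from_bytes(raw[:4], "big"))        # naive read of the raw bytes: a different UID
    # Constructed SID and idmap range, for contrast with the RID-based mapping.
    print(rid_uid("S-1-5-21-1111111111-2222222222-3333333333-1105", 10000))
```

Because the GUID-based scheme keeps only 32 of 128 bits, two directory objects can map to the same UID; `uid_collisions` over all objectGUIDs in the domain is a cheap check before relying on such a mapping for file ownership.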