Trent W. Buck
2013-Nov-09 01:16 UTC
[Samba] My samba can't see its own groups! (4.0.9 as solo AD DC)
My samba thinks its own groups don't exist.

Background: I had a samba3 server operating as a NAS with some desktops joined to the domain. I'm migrating it to samba 4.0.9 as an AD domain.

Users can log in and browse their home share -- but the other shares aren't working. They're per-project shares set up to allow that project's group access, and to forcibly make all files uploaded accessible to that group:

    [fnord]
    comment = Project Fnord
    path = /srv/share/fnord
    create mask = 0664
    force create mode = 0664
    directory mask = 0775
    force directory mode = 0775
    read only = no
    force group = fnord
    valid users = @fnord

With those settings, and "cyber" in the fnord group,

    $ smbclient -U cyber //gumbo/fnord
    tree connect failed: NT_STATUS_ACCESS_DENIED

If I comment out the last two lines, it works.

If I comment out the last line, I get

    tree connect failed: NT_STATUS_NO_SUCH_GROUP

If I comment out the "force group" line, and change the last line to "valid users = cyber", it also works.

I'm using nss_winbind to make users and groups visible to gumbo's unix-land, but it seems that samba-talking-to-unix-talking-to-samba doesn't see the groups, though unix-talking-to-samba does.

    # getent group fnord
    PI\fnord:*:3000021:

    # getent passwd cyber
    PI\cyber:*:3000177:100:Cybersource tech:/home/PI/cyber:/bin/false

    # id cyber
    uid=3000177(PI\cyber) gid=100(users) groups=100(users),3000008(PI\Domain Admins),3000021(PI\fnord),[...]

What should I do about this?

Should I be using those fancy NT recursive ACLs instead of doing this in the share config?

Are those options simply not supported under samba4?

Plan B, which I really hate, is to simply remove "valid users" and "force group" and write an hourly cron job that will run chgrp -R and chmod -R across each project share.
Rowland Penny
2013-Nov-09 08:41 UTC
[Samba] My samba can't see its own groups! (4.0.9 as solo AD DC)
On 09/11/13 01:16, Trent W. Buck wrote:
> My samba thinks its own groups don't exist.
>
> Background: I had a samba3 server operating as a NAS with some desktops
> joined to the domain. I'm migrating it to samba 4.0.9 as an AD domain.

Some desktops? Linux?

> Users can log in and browse their home share -- but the other shares
> aren't working. They're per-project shares set up to allow that
> project's group access, and to forcibly make all files uploaded
> accessible to that group:
>
> [fnord]
> comment = Project Fnord
> path = /srv/share/fnord
> create mask = 0664
> force create mode = 0664
> directory mask = 0775
> force directory mode = 0775
> read only = no
> force group = fnord
> valid users = @fnord
>
> With those settings, and "cyber" in the fnord group,
>
> $ smbclient -U cyber //gumbo/fnord
> tree connect failed: NT_STATUS_ACCESS_DENIED
>
> If I comment out the last two lines, it works.
>
> If I comment out the last line, I get
>
> tree connect failed: NT_STATUS_NO_SUCH_GROUP
>
> If I comment out the "force group" line, and change the last line to
> "valid users = cyber", it also works.
>
> I'm using nss_winbind to make users and groups visible to gumbo's
> unix-land, but it seems that samba-talking-to-unix-talking-to-samba
> doesn't see the groups, though unix-talking-to-samba does.
>
> # getent group fnord
> PI\fnord:*:3000021:
>
> # getent passwd cyber
> PI\cyber:*:3000177:100:Cybersource tech:/home/PI/cyber:/bin/false
>
> # id cyber
> uid=3000177(PI\cyber) gid=100(users) groups=100(users),3000008(PI\Domain Admins),3000021(PI\fnord),[...]
>
> What should I do about this?
>
> Should I be using those fancy NT recursive ACLs instead of doing this
> in the share config?
>
> Are those options simply not supported under samba4?
>
> Plan B, which I really hate, is to simply remove "valid users" and
> "force group" and write an hourly cron job that will run chgrp -R and
> chmod -R across each project share.

If your clients are linux running samba3, I think that you are running into the 'samba3 winbind != samba4 winbind' problem, you need to use RFC2307 attributes to get your users to have the same uid & gid on the server as on the client.

Rowland
Petros
2013-Nov-11 01:05 UTC
[Samba] My samba can't see its own groups! (4.0.9 as solo AD DC)
Hi Trent,

Quoting "Trent W. Buck" <trentbuck at gmail.com>
> My samba thinks its own groups don't exist.

I am in a similar situation, using samba-4.0.8 under FreeBSD 9 (and want to migrate from an older samba 3.6 fileserver). However, everything seems to work for me, including force group etc. (BTW: I am using s3fs (the same as under Linux) - not ntvfs)

> Background: I had a samba3 server operating as a NAS with some desktops
> joined to the domain. I'm migrating it to samba 4.0.9 as an AD domain.
>
> Users can log in and browse their home share -- but the other shares
> aren't working. They're per-project shares set up to allow that
> project's group access, and to forcibly make all files uploaded
> accessible to that group:
>
> [fnord]
> comment = Project Fnord
> path = /srv/share/fnord
> create mask = 0664
> force create mode = 0664
> directory mask = 0775
> force directory mode = 0775
> read only = no
> force group = fnord
> valid users = @fnord
>
> With those settings, and "cyber" in the fnord group,
>
> $ smbclient -U cyber //gumbo/fnord
> tree connect failed: NT_STATUS_ACCESS_DENIED
>
> If I comment out the last two lines, it works.

Here is my attempt. From the smb4.cfg:

    [global]
    workgroup = DOMAIN
    realm = DOMAIN.FDA
    netbios name = SAMBA4
    server role = active directory domain controller
    dns forwarder = 192.168.50.223
    # From the services - at the end only nbt removed
    server services = rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd,kcc, dnsupdate, dns, smb
    dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
    vfs objects = zfsacl
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    # Test according to
    # http://forums.freebsd.org/showthread.php?p=226901
    interfaces = bce0
    bind interfaces only = yes
    # hosts allow does not seem to work
    # it blocks socket communications from Winbind?
    # According to https://glsan.com/community/samba4/zfs-share-setup/
    ea support = yes
    csc policy = disable
    store dos attributes = yes

    [petertestet]
    path = /shares/petertestet
    read only = no
    browseable = yes
    guest ok = no
    delete readonly = yes
    valid users = @petertestet
    force group = petertestet
    create mask = 0770
    directory mask = 2770

I have a domain user petertest in a domain group petertestet:

    # id petertest
    uid=3000007(DOMAIN\petertest) gid=20(staff) groups=20(staff),3000020(DOMAIN\petertestet)

At the moment, I have a Windows 7 and a XP VM joined to the domain, and could connect (map network drive) and create a document with expected permissions:

    # ls -lisa /shares/petertestet
    total 4
    17037 2 drwxrws---  2 DOMAIN\petertest  DOMAIN\petertestet  3 Nov 11 11:40 .
    16817 2 drwxr-xr-x  4 root              wheel               4 Nov 11 11:32 ..
    17046 1 -rw-rw----  1 DOMAIN\petertest  DOMAIN\petertestet  6 Nov 11 11:40 dada.txt

I changed /etc/nsswitch.conf:

    group: files winbind
    passwd: files winbind

So it looks as if "my samba" is happy with winbind domain groups and can deal with "force group" etc.

Regards
Peter
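Both posts debug the same thing by hand: whether the groups named in a share's "force group" and "valid users" resolve through NSS (getent group) and whether the connecting user is in them (id). The script below is an added example, not code from the thread or from Samba, that does that lint for a whole smb.conf before smbd turns a lookup failure into NT_STATUS_NO_SUCH_GROUP or a membership failure into NT_STATUS_ACCESS_DENIED. It assumes a constructed [fnord] fragment and constructed NSS data modelled on Trent's getent/id output; by default it asks the real NSS through the grp/pwd modules.

```python
import configparser, grp, os, pwd

# Constructed smb.conf fragment modelled on the [fnord] share in the thread.
SMB_CONF = """
[fnord]
path = /srv/share/fnord
read only = no
force group = fnord
valid users = @fnord
"""

# Constructed NSS data mirroring the thread's getent/id output: the winbind group
# entry lists no members; membership only appears in the user's supplementary gids.
FAKE_GROUPS = {"fnord": grp.struct_group(("PI\\fnord", "*", 3000021, []))}
FAKE_USER_GIDS = {"cyber": {100, 3000008, 3000021}, "mallory": {100}}

def share_groups(conf_text):
    """Map each share to the group names its 'force group' and 'valid users' refer to."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    out = {}
    for share in cp.sections():
        names = []
        fg = cp.get(share, "force group", fallback="").strip()
        if fg:
            names.append(fg.lstrip("+"))     # "+group": apply only if already a member
        for tok in cp.get(share, "valid users", fallback="").split(","):
            tok = tok.strip()
            if tok[:1] in ("@", "+", "&"):   # these prefixes mark group names
                names.append(tok.lstrip("@+&"))
        out[share] = list(dict.fromkeys(names))  # dedupe, keep order
    return out

def check_share_access(conf_text, user, lookup_group=grp.getgrnam, user_gids=None):
    """Per share, list what smbd would trip over for this user: a group that does not
    resolve via NSS, or a resolved group the user is not a member of."""
    # Default: primary plus supplementary gids as NSS reports them (what 'id' prints).
    gids = user_gids(user) if user_gids else set(
        os.getgrouplist(user, pwd.getpwnam(user).pw_gid))
    report = {}
    for share, names in share_groups(conf_text).items():
        problems = []
        for name in names:
            try:
                gid = lookup_group(name).gr_gid
            except KeyError:
                problems.append(f"group '{name}' does not resolve via NSS")
                continue
            if gid not in gids:
                problems.append(f"{user} is not a member of '{name}' (gid {gid})")
        report[share] = problems
    return report
```

Run it against the real file with check_share_access(open("/etc/samba/smb.conf").read(), "cyber") on the file server itself, since it is smbd's view of NSS (nsswitch.conf plus winbind) that matters, not a client's.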