samba - Jul 2016 - distributing samba users to the local systems

On Tue, Jul 12, 2016 at 01:19:37AM +0200, Xen wrote:
> Jeremy Allison schreef op 12-07-2016 0:58:
> >On Mon, Jul 11, 2016 at 11:41:24PM +0200, Xen wrote:
> >>I wrote here how my filenames are getting mangled when getting sent
> >>or received to the server.
> >>
> >>Server: current Ubuntu lookalike.
> >>
> >>Client: Older Synology diskstation with probably a modified
> >>mount.cifs.
> >>
> >>When I send utf-8 it gets received as dos.
> >>
> >>"é" for instance is #c3a9 in utf-8, and it is used by the
server as
> >>#c3, #a9, two separate bytes, becoming é.
> >>
> >>The server is just configured with defaults for "dos" and
"unix"
> >>clients.
> >>
> >>The client tries to use iocharset=utf8.
> >>
> >>What can I do to enforce utf8 being recognised by the server?
> >
> >Set the parameter:
> >
> > unix charset = utf8
> >
> >in the [global] section of the synology smb.conf.
> 
> I did that.
> 
> I fixed it for now by copying what the web interface for the device
> does (the client).
> 
> It uses the "nounix" option and this fixes the issue.
> 
> I had to create a shell script as wrapper to capture its options :p.
> 
> Actually I tried both "utf8" and "UTF-8" in the config
section on
> the server.
> 
> I am sorry if I hadn't made that clear, I had thrown away all of the
> log output I had pasted in my email.
> 
> 
> I recompiled mount.cifs from source but this didn't make a
> difference. However compiling all of samba is near impossible due to
> all the missing libraries on that system.
> 
> (Even getting libwbclient proves to be quite a hassle).
> 
> This is the full line the device uses:
> 
> -o
soft,user=WORKGROUP\guest,pass=,iocharset=utf8,uid=1024,gid=100,nounix,file_mode=0777,dir_mode=0777,nocase
> 
> But only "nounix" was necessary here in this sense. However this
> apparently disables unix-extensions and so I do not see any longer
> the ownership of files now.
> 
> So basically with unix-extensions disabled, utf8 conversion fails to
> work???
With unix extensions disabled, I think the cifsfs client
does the private character area mapping to be able to
store ':' and other banned characters.

Jeremy Allison schreef op 12-07-2016 1:27:
> With unix extensions disabled, I think the cifsfs client
> does the private character area mapping to be able to
> store ':' and other banned characters.
The issue was not special characters in the first place.

With extensions enabled, what happened was this:

the server received every filename as:

2F F0 65 00

where 65 00 would for example be the first letter of the timename (like 
's' or something) and 2F F0 would be a preceding character.

This is little-endian notation. Apparently this is the buffer received 
by the server.

So it gets read as #F02F which is a unicode code point that translates 
to #ef80af in utf-8 on disk. So the file created by the client called 
"some_file" becomes

"^some_file" where ^ is the special character resulting from that utf8
character.

Equally, when reading files, the client apparent sends a request that 
gets received as that same. Consequently If I send a request for 
"some_file" the server receives it as a request for
"^some_file" and
cannot find the file requested.

I don't have the log right now. It is on another computer and I have a 
hard time walking.

But in the log with verbosity 10 you can see a buffer dump as above with 
little-ending 16-bit values and each time there will be that 2F F0 
preceding the actual filename.


At that point I started using special characters to see what would 
happen and found that multi-byte utf-8 was getting interpreted as 
individual unicode values (16-bit) by the server.

This doensn't happen on output *from* the server; ie. a directory 
listing is actually correct. Done by the client. However filenames 
requested or used by the client get mangled.

I want to ask what is the most common approach, and most functional 
smallest-subset-technology approach to achieving the following.


- a samba server is using different users for its clients and these 
users are general unix users, owning files and whatnot on the fs.

- a linux system as client now wants to "import" the users from the 
server without making them /fixed/ unix/passwd users on the local system

- the users need to be imported from a kind of directory service (ldap 
or whatever) or perhaps "active directory" or whatever it might be,
and
those extra virtual users are only valid for as long as the samba shares 
themselves are valid and accessible.

Mind you, I know nothing about "active directory" or "domain 
controllers" or what it might be. I also have very little understanding 
of what "nsswitch" is and the documentation for it and the entire
system
itself seems to be rather arcane.

It would require on the client:
- an additional source of local users that cannot actually be logged in 
to, but only serve as user interface elements.
Perhaps these local users would need to be mapped onto random numbers or 
something, but normally with unix extensions you see the raw numbers of 
the users on the central system (server).

So either those numbers would need to be replaced by names at domain while 
crossing the link and then mapped back to new numbers on the local 
system, that has imported the names at domain, or you'd need to find a 
fixed "range" of numbers for users that can stay fixed from system to 
system.

I haven't even been able to get idmapping to work for NFS, it just won't
work. I was using a "static" file for that but the thing would never 
read the static maps.

It would require on the server:

- a set of local users transformed into a directory service that clients 
can import or know about.


Is this possible and what technologies would I need for it?

Hi,

Let me try to re-formulate, please tell me if I'm wrong.

You have a bunch of users declared locally in /etc/passwd or something like
that on one system.

Now you would like to have another system using this users list with Samba.
You also want these users to be valid only as long as the share exist.
You don't want these users to be able to connect on system(s).

If I'm right, that sounds possible and not too complex to achieve, with a
minimum knowledge of UNIX systems. We can discuss about that once I know if
my understanding of your request was good enough ;)

Cheers,

mathias

2016-07-12 2:10 GMT+02:00 Xen <list at xenhideout.nl>:
> I want to ask what is the most common approach, and most functional
> smallest-subset-technology approach to achieving the following.
>
>
> - a samba server is using different users for its clients and these users
> are general unix users, owning files and whatnot on the fs.
>
> - a linux system as client now wants to "import" the users from
the server
> without making them /fixed/ unix/passwd users on the local system
>
> - the users need to be imported from a kind of directory service (ldap or
> whatever) or perhaps "active directory" or whatever it might be,
and those
> extra virtual users are only valid for as long as the samba shares
> themselves are valid and accessible.
>
> Mind you, I know nothing about "active directory" or "domain
controllers"
> or what it might be. I also have very little understanding of what
> "nsswitch" is and the documentation for it and the entire system
itself
> seems to be rather arcane.
>
> It would require on the client:
> - an additional source of local users that cannot actually be logged in
> to, but only serve as user interface elements.
> Perhaps these local users would need to be mapped onto random numbers or
> something, but normally with unix extensions you see the raw numbers of the
> users on the central system (server).
>
> So either those numbers would need to be replaced by names at domain while
> crossing the link and then mapped back to new numbers on the local system,
> that has imported the names at domain, or you'd need to find a fixed
"range"
> of numbers for users that can stay fixed from system to system.
>
> I haven't even been able to get idmapping to work for NFS, it just
won't
> work. I was using a "static" file for that but the thing would
never read
> the static maps.
>
> It would require on the server:
>
> - a set of local users transformed into a directory service that clients
> can import or know about.
>
>
> Is this possible and what technologies would I need for it?
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On Tue, Jul 12, 2016 at 02:10:41AM +0200, Xen wrote:
> I want to ask what is the most common approach, and most functional
> smallest-subset-technology approach to achieving the following.
> 
> 
> - a samba server is using different users for its clients and these
> users are general unix users, owning files and whatnot on the fs.
> 
> - a linux system as client now wants to "import" the users from
the
> server without making them /fixed/ unix/passwd users on the local
> system
> 
> - the users need to be imported from a kind of directory service
> (ldap or whatever) or perhaps "active directory" or whatever it
> might be, and those extra virtual users are only valid for as long
> as the samba shares themselves are valid and accessible.
> 
> Mind you, I know nothing about "active directory" or "domain
> controllers" or what it might be. I also have very little
> understanding of what "nsswitch" is and the documentation for it
and
> the entire system itself seems to be rather arcane.
> 
> It would require on the client:
> - an additional source of local users that cannot actually be logged
> in to, but only serve as user interface elements.
> Perhaps these local users would need to be mapped onto random
> numbers or something, but normally with unix extensions you see the
> raw numbers of the users on the central system (server).
> 
> So either those numbers would need to be replaced by names at domain
> while crossing the link and then mapped back to new numbers on the
> local system, that has imported the names at domain, or you'd need to
> find a fixed "range" of numbers for users that can stay fixed
from
> system to system.
> 
> I haven't even been able to get idmapping to work for NFS, it just
> won't work. I was using a "static" file for that but the
thing would
> never read the static maps.
> 
> It would require on the server:
> 
> - a set of local users transformed into a directory service that
> clients can import or know about.
> 
> 
> Is this possible and what technologies would I need for it?
This sounds like NIS/YP to me :-). But I'm old... :-).