Matthew Richardson
2022-Aug-17 11:31 UTC
[Samba] unix_primary_group not used when writing files
I have a samba server (v4.13.17 - Ubuntu 20.04) set up joined to an AD domain, with the following idmap config:

    [global]
        workgroup = MYDOM
        realm = MYDOM.EXAMPLE.COM
        security = ads
        idmap config * : backend = tdb
        idmap config * : range = 3000 - 9999
        idmap config MYDOM : backend = ad
        idmap config MYDOM : schema_mode = rfc2307
        idmap config MYDOM : range = 10000 - 9999999
        idmap config MYDOM : unix_primary_group = yes
        idmap config MYDOM : unix_nss_info = yes
        winbind use default domain = yes

All users in the domain have the unix attributes set (gidNumber, loginShell etc). There is also a group with the same gid as the user's gidNumber, and that user is a member of that group.

This shows up fine using the nss commands, e.g.:

    $ getent passwd alice
    alice:*:12345:12345:Alice Smith:/home/alice:/bin/bash

    $ getent group alice
    alice:x:12345:

    $ groups alice
    alice : alice domain users

However if I connect using smbclient and write files, they are always group owned by 'domain users':

    $ smbclient -k -L //server.example.com/alice
    > put test.txt

    $ ls -l /home/alice
    -rwxrwxr-x+ 1 alice domain users 38 Aug 16 20:29 test.txt

Samba logging (debug level 4) during this file write correctly identifies the primary group:

    UNIX token of user 12345
    Primary group is 12345 and contains 164 supplementary groups

However it then uses domain users when writing (gid 273711):

    [2022/08/16 19:12:02.052968, 2] ../../source3/smbd/open.c:1524(open_file)
      MYDOM\alice opened file test.txt read=Yes write=Yes (numopen=1)
    [2022/08/16 19:12:02.060177, 3] ../../source3/smbd/posix_acls.c:1205(unpack_nt_owners)
      unpack_nt_owners: owner sid mapped to uid 12345
    [2022/08/16 19:12:02.060584, 3] ../../source3/smbd/posix_acls.c:1226(unpack_nt_owners)
      unpack_nt_owners: group sid mapped to gid 273711
    [2022/08/16 19:12:02.060994, 3] ../../source3/smbd/posix_acls.c:3760(set_nt_acl)
      set_nt_acl: chown test.txt. uid = 12345, gid = 273711.

Can anyone suggest what might be going on here?

Thanks,

Matthew

The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336. Is e buidheann carthannais a th' ann an Oilthigh Dhùn Èideann, clàraichte an Alba, àireamh clàraidh SC005336.

Rowland Penny
2022-Aug-17 12:31 UTC
[Samba] unix_primary_group not used when writing files
On Wed, 2022-08-17 at 12:31 +0100, Matthew Richardson via samba wrote:
> I have a samba server (v4.13.17 - Ubuntu 20.04) set up joined to an AD
> domain, with the following idmap config:
>
> [global]
>     workgroup = MYDOM
>     realm = MYDOM.EXAMPLE.COM
>     security = ads
>     idmap config * : backend = tdb
>     idmap config * : range = 3000 - 9999
>     idmap config MYDOM : backend = ad
>     idmap config MYDOM : schema_mode = rfc2307
>     idmap config MYDOM : range = 10000 - 9999999
>     idmap config MYDOM : unix_primary_group = yes
>     idmap config MYDOM : unix_nss_info = yes
>     winbind use default domain = yes
>
> All users in the domain have the unix attributes set (gidNumber,
> loginShell etc). There is also a group with the same gid as the user's
> gidNumber, and that user is a member of that group.
>
> This shows up fine using the nss commands, e.g.:
>
> $ getent passwd alice
> alice:*:12345:12345:Alice Smith:/home/alice:/bin/bash
>
> $ getent group alice
> alice:x:12345:
>
> $ groups alice
> alice : alice domain users

How have you managed to have a user called 'alice' and a group called 'alice'?

Rowland

What do you see if you run:

    id username

And run:

    getfacl

on the folder/files to see more.

Greetz,

Louis

> -----Original message-----
> From: samba <samba-bounces at lists.samba.org> On behalf of Matthew Richardson via samba
> Sent: Wednesday 17 August 2022 13:32
> To: samba at lists.samba.org
> Subject: [Samba] unix_primary_group not used when writing files
>
> I have a samba server (v4.13.17 - Ubuntu 20.04) set up joined to an AD
> domain, with the following idmap config:
>
> [global]
>     workgroup = MYDOM
>     realm = MYDOM.EXAMPLE.COM
>     security = ads
>     idmap config * : backend = tdb
>     idmap config * : range = 3000 - 9999
>     idmap config MYDOM : backend = ad
>     idmap config MYDOM : schema_mode = rfc2307
>     idmap config MYDOM : range = 10000 - 9999999
>     idmap config MYDOM : unix_primary_group = yes
>     idmap config MYDOM : unix_nss_info = yes
>     winbind use default domain = yes
>
> All users in the domain have the unix attributes set (gidNumber, loginShell
> etc). There is also a group with the same gid as the user's gidNumber, and
> that user is a member of that group.
>
> This shows up fine using the nss commands, e.g.:
>
> $ getent passwd alice
> alice:*:12345:12345:Alice Smith:/home/alice:/bin/bash
>
> $ getent group alice
> alice:x:12345:
>
> $ groups alice
> alice : alice domain users
>
> However if I connect using smbclient and write files, they are always group
> owned by 'domain users':
>
> $ smbclient -k -L //server.example.com/alice
> > put test.txt
>
> $ ls -l /home/alice
> -rwxrwxr-x+ 1 alice domain users 38 Aug 16 20:29 test.txt
>
> Samba logging (debug level 4) during this file write correctly identifies the
> primary group:
>
> UNIX token of user 12345
> Primary group is 12345 and contains 164 supplementary groups
>
> However it then uses domain users when writing (gid 273711):
>
> [2022/08/16 19:12:02.052968, 2] ../../source3/smbd/open.c:1524(open_file)
>   MYDOM\alice opened file test.txt read=Yes write=Yes (numopen=1)
> [2022/08/16 19:12:02.060177, 3] ../../source3/smbd/posix_acls.c:1205(unpack_nt_owners)
>   unpack_nt_owners: owner sid mapped to uid 12345
> [2022/08/16 19:12:02.060584, 3] ../../source3/smbd/posix_acls.c:1226(unpack_nt_owners)
>   unpack_nt_owners: group sid mapped to gid 273711
> [2022/08/16 19:12:02.060994, 3] ../../source3/smbd/posix_acls.c:3760(set_nt_acl)
>   set_nt_acl: chown test.txt. uid = 12345, gid = 273711.
>
> Can anyone suggest what might be going on here?
>
> Thanks,
>
> Matthew