samba - Feb 2011 - Settings ACLS from Windows via member server

I have a purely samba domain: samba PDC, BDC, and a collection of
clustered member servers that provide CIFS access to our underlying file
system.  Things are working fine, with the exception of users being able
to set ACLS from Windows workstations.  When they try to do so, they can
search for and properly find domain members, but when they try to apply
the changes, the settings simply vanish from the Window!  We setup a
test share from our PDC and users **can** set permissions properly on
this share, so I would think we are looking at a configuration problem
on our member servers.

A couple generic questions about member servers:

1) Our password backend is stored in LDAP.  Currently, we only have the
LDAP configuration on the PDC and BDC samba setups.  My understanding is
that all other machines, including samba member servers, join the domain
and get their user information that way, correct?

2) With a non-AD environment, should our samba member servers run
winbind?  My understanding is not, but this could be part of the problem.

I'm happy to provide any other information that may be of help, this
problem is driving us nuts!

Thanks,

Mark

-- 
----------
I'd rather be burning carbohydrates than hydrocarbons

On Tue, Feb 22, 2011 at 11:04 AM, Mark Dieterich <mkd at cs.brown.edu>
wrote:
> I have a purely samba domain: samba PDC, BDC, and a collection of
> clustered member servers that provide CIFS access to our underlying file
> system. ?Things are working fine, with the exception of users being able
> to set ACLS from Windows workstations. ?When they try to do so, they can
> search for and properly find domain members, but when they try to apply
> the changes, the settings simply vanish from the Window! ?We setup a
> test share from our PDC and users **can** set permissions properly on
> this share, so I would think we are looking at a configuration problem
> on our member servers.
>
> A couple generic questions about member servers:
>
> 1) Our password backend is stored in LDAP. ?Currently, we only have the
> LDAP configuration on the PDC and BDC samba setups. ?My understanding is
> that all other machines, including samba member servers, join the domain
> and get their user information that way, correct?
>
> 2) With a non-AD environment, should our samba member servers run
> winbind? ?My understanding is not, but this could be part of the problem.
>
> I'm happy to provide any other information that may be of help, this
> problem is driving us nuts!
>
I believe the PDC/BDC does not need winbind but the member servers do.
Also you need idmap to work on the member servers. I believe I use a
nss backend for my idmap setup at work.

John

2011/2/23 Mark Dieterich <mkd at cs.brown.edu>:
(snip)
> Things are working fine, with the exception of users being able
> to set ACLS from Windows workstations.
(snip)
> 1) Our password backend is stored in LDAP.  Currently, we only have the
> LDAP configuration on the PDC and BDC samba setups.  My understanding is
> that all other machines, including samba member servers, join the domain
> and get their user information that way, correct?
Yes. Samba member servers does not need LDAP configurations.
> 2) With a non-AD environment, should our samba member servers run
> winbind?  My understanding is not, but this could be part of the problem.
If you want to set ACLs of domain users and groups, you have to run winbindd
regardless of  AD env. or not.

# You can set ACLs of server local users and groups without running winbindd.

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>

<SNIP>
>
>>
>> 2) With a non-AD environment, should our samba member servers run
>> winbind?  My understanding is not, but this could be part of the 
>> problem.
>
> If you want to set ACLs of domain users and groups, you have to run 
> winbindd
> regardless of  AD env. or not.
I've done acls just using nss_ldap.
>
>
>
> # You can set ACLs of server local users and groups without running 
> winbindd.
>
> ---
> TAKAHASHI Motonobu <monyo at samba.gr.jp>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

>
> X-SpamDetect-Info: ------------- End ASpam results -----------------
>
>
>>
>> If you want to set ACLs of domain users and groups, you have to run 
>> winbindd
>> regardless of  AD env. or not.
>>
>> # You can set ACLs of server local users and groups without running 
>> winbindd.
>
> Hmm... I was working from:
>
>
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2604553
>
> I have NSS setup to resolve via LDAP, which contains all of the
> appropriate user/group information that samba should need.  The second
> heading on this page, "Winbind is not used; users and groups resolved
> via NSS" seemed to read as though I didn't actually need winbind. 
My
> concern here is that winbind appears to be necessary to create unix
> users for non-existent Windows NT domain users.  This isn't our 
> case...
> ever user available in the Windows NT domain (managed by the samba
> PDC/BDC) exist in LDAP and, therefore, unix as well.
Do you have acls set on the file system for the member servers? 
Winbind is for authentication purposes, not files system
acls.
>
>
>
> Regardless... I enable winbind and the behavior is the same.  Once
> winbind is started, I can query most users (wbinfo -u) and groups
> (wbinfo -g).  For some reason, some groups don't show.  We have many
> groups and users, so I haven't checked them all, but a spot check
> suggests there are some missing.
>
> Mark
>
> --
> ----------
> I'd rather be burning carbohydrates than hydrocarbons
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

> Do you have acls set on the file system for the member servers? Winbind is
> for authentication purposes, not files system acls.
Without winbind I did not get users names in the ACLs tab under
windwows? Do you get these?

John

>
>
>>
>> Do you have acls set on the file system for the member servers? 
>> Winbind is
>> for authentication purposes, not files system acls.
>
> Without winbind I did not get users names in the ACLs tab under
> windwows? Do you get these?
I don't currently have any S3 servers to check...
>
>
>
> John

On Tue, Feb 22, 2011 at 2:23 PM,  <tms3 at tms3.com>
wrote:
>
>
>
> Do you have acls set on the file system for the member servers? Winbind is
> for authentication purposes, not files system acls.
>
> Without winbind I did not get users names in the ACLs tab under
> windwows? Do you get these?
>
BTW, for this comment I mean when a Windows PC connects to a samba
domain member server the ACLs tab displays SIDs instead of usernames.
On the PDC/BDC winbind is not needed for the display of user names in
the ACLs tab. In either case winbind has nothing to do with the
functionality of the acls. They still would work without winbind but
you just cant tell who has access writes that is unless you memorized
the SIDs...

-- 
John M. Drescher

>
> John,
>
> It would help the list to understand WHY you believe that winbind is 
> NOT
> needed by the PDC/BDC, and WHY it is needed on member servers.
Winbind, as the name suggests, does authentication for the unix 
server. Of course the manual has a very good write up of it:

"Winbind unifies UNIX and Windows NT account management by  allowing a 
UNIX box to become a full member of an NT domain. Once  this is done, 
the UNIX box will see NT users and groups as if  they were 
?native? UNIX users and groups, allowing the NT domain  to be used 
in much the same manner that NIS+ is used within  UNIX-only 
environments...
Additionally, Winbind provides an authentication service that hooks 
into the PAM system  to provide authentication via an NT domain to any 
PAM-enabled  applications. This capability solves the problem of 
synchronizing  passwords between systems, since all passwords are 
stored in a single  location (on the domain controller)."

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html
>
>
>
> While subscribers keep explaining what they believe, and keep giving
> advice based on their belief system, rather than on well reasoned 
> fact,
> confusion will continue to exist and complaints regarding Samba
> documentation will continue also.
>
> Are you willing to take a brave step to explain your reasoning?
>
> Cheers,
> John T.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba