I'm not sure if this is an LDAP issue, a Samba issue, a BSD issue or a
FreeNAS issue...
I'm working at migrating a large block of file shares from an aging
CentOS/Samba 3.0.9 server to a FreeNAS (8.0.2) server. (The FreeNAS box is
running FreeBSD 8.2-RELEASE-p3 and Samba 3.5.11.) I will eventually be
migrating the entire domain and user base off of that server, but for the
time being, I have set up a process where I mirror the user and group
information from the Samba 3 domain to an LDAP (fedora 389) server. (Long
story...) I'm syncing the actual folders from the current production
server to the FreeNAS volumes, through either NFS or rsync. This maintains
all the original group and owner permissions on the files and directories.
One of the things I like about the FreeNAS server is that it can be
configured to talk to either AD (MS or Samba4) or LDAP. I have logged in
to the NAS and using the "getent" command, confirmed that it correctly
understands both the users and the groups from LDAP. One interesting
difference between LDAP and AD is that, when you use "getent passwd"
(or
"getent group"), the AD users are of the form
"DOMAIN\username", while the
LDAP users just list the name.
THE PROBLEM I AM SEEING is in setting access permissions based on secondary
group membership.
When I use the simple Unix owner/group/other permissions on our original
Samba server, I can effectively control which Windows users have permission
to read or write to files and folders based on what group owns the files,
and the groups the users are a member of. I can also specify through the
Samba configuration which groups are allowed to map the share ("valid users
= @groupname").
However, my observation in FreeNAS is that, using LDAP, THIS DOESN'T WORK.
If I set the Unix folder permissions in a share to "770", then the
actual
owner of the file/folder can open it up, but not other users who are in the
group. The only way to grant access to other users is to set the
permissions to "777" and open it up to the world. Also, the
"valid users"
parameter in the Samba conf file doesn't work with a group name. If I
specify a group, then noone can map the share.
One interesting thing is, if I use AD (Samba4) as the source of users and
groups, and the group based permissions (either "valid users" or
through
Unix group permissions) all seem to work as expected, both to allow and
disallow users by their group membership.
I've done a great deal of googling around, and have found lots of people
reporting similar problems, but no one with a solution... :-( Is there
any way to check how the Samba subsystem on the FreeNAS server is
validating group membership?
/etc/local/smb.conf (generated through the FreeNAS GUI):
[global]
encrypt passwords = yes
dns proxy = no
strict locking = no
read raw = yes
write raw = yes
oplocks = yes
max xmit = 65535
deadtime = 15
display charset = LOCALE
max log size = 10
syslog only = yes
syslog = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
smb passwd file = /var/etc/private/smbpasswd
private dir = /var/etc/private
getwd cache = yes
guest account = nobody
map to guest = Bad Password
netbios name = freenas2
workgroup = OMUSA
server string = FreeNAS Server
large readwrite = no
ea support = yes
store dos attributes = yes
local master = yes
security = user
passdb backend = ldapsam:ldap://abraham
ldap admin dn = cn=Directory manager
ldap suffix = dc=usa,dc=om,dc=org
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap ssl = off
ldap replication sleep = 1000
ldap passwd sync = yes
#ldap debug level = 1
#ldap debug threshold = 1
ldapsam:trusted = yes
idmap uid = 10000-39999
idmap gid = 10000-39999
create mask = 0666
create mask = 0666
directory mask = 0777
client ntlmv2 auth = yes
dos charset = CP437
unix charset = UTF-8
log level = 10
aio read size = 1
aio write size = 1
[homes]
comment = Home Directories
valid users = %U
writable = yes
browseable = no
path = /mnt/Vol1/home/users/%U
[dept-it]
path = /mnt/Vol1/groups/computer
printable = no
veto files = /.snap/.windows/
comment = IT Department
writeable = yes
browseable = yes
inherit owner = no
inherit permissions = no
vfs objects = zfsacl
hosts allow = 10.4.0.0/23
inherit acls = Yes
map archive = No
map readonly = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes
valid users=@computer
--
Charles Tryon
_________________________________________________________________________
"It's the job that's never started that takes longest to
finish."
-- Samwise Gamgee