Hi list,

I need some help getting group mapping to work:

We've got a fileserver serving Linux clients via NFS. NSS source for users and groups is LDAP (sssd).

nsswitch.conf:
[...]
passwd: compat sss
group:  compat sss
shadow: compat sss
[...]

So far, this has worked quite well for years. Now I tried to have our content served via Samba for our Windows clients. We've got an AD domain synchronized with all the users and groups from our LDAP. AD and LDAP should coexist: LDAP for our Linux clients and AD for Windows clients.

Using Windows, I can access files and directories that I own or which are world readable, but I cannot access files and directories with 750 permissions:

[2013/04/12 16:01:22.852669, 3] smbd/service.c:190(set_current_service)
  chdir (/vol/dep) failed, reason: Permission denied

$ ls -ld /vol/dep
drwxr-s--- 54 someuser dep 4096 Apr 12 14:48 /vol/dep

$ id asmithee
uid=24717(asmithee) gid=12000(stud) groups=12000(stud),6600(deptut),33300(dep)

In AD, user asmithee is also a member of these groups:

$ net -U asmithee ads user info asmithee
Enter asmithee's password:
Domain Users
deptut
dep
stud

It seems as if group mapping from AD to NSS does not work:

[2013/04/12 16:01:21.224811, 5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 24717
  Primary group is 12000 and contains 4 supplementary groups
  Group[ 0]: 1000000
  Group[ 1]: 1000001
  Group[ 2]: 1000003
  Group[ 3]: 1001

I appreciate any hint ;)

My smb.conf:
-------------
#======================= Global Settings ======================
[global]
workgroup = MYORG
server string = Samba Server Version %v
dns proxy = no
kernel oplocks = no
lock spin time = 2000

#### Debugging/Accounting ####
log file = /var/log/samba/log.%m
#log level = 1
log level = 9
max log size = 20480
syslog = 0
panic action = /usr/share/samba/panic-action %d

####### Authentication #######
security = ads
realm = AD.MY-ORG.NET
netbios name = samba
password server = dc1.AD.MY-ORG.NET
domain master = no
local master = no
preferred master = no

winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes

idmap config *: backend = tdb
idmap config *: range = 1000000-9999999
idmap config MYORG: backend = ad
idmap config MYORG: range = 1000-99999

client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
map to guest = Bad User
guest account = nobody

#======================= Share Definitions ======================
[...]
[dep]
comment = Foobar Comment
path = /vol/dep
read only = no
valid users = @"MYORG+dep"
directory mode = 0770
create mode = 0660
acl group control = yes
inherit acls = yes
# Hide share from users who don't have access
access based share enum = yes
# Hide files/directories if user doesn't have read access
hide unreadable = yes
[...]
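The comparison the post makes by hand (the gids in Samba's UNIX token versus the gids NSS reports for the same user), as an added diagnostic script that is not part of the original message. It parses the `idmap config ... range` lines from an smb.conf fragment, the `debug_unix_user_token` lines from a log captured at log level 5, and the `id` output, then reports which token gids fall inside the catch-all `*` range (i.e. were allocated by the tdb backend rather than taken from the domain), which gids sit in a named domain's range but are unknown to NSS, and which NSS groups never reached the Samba token. The three inputs are constructed from the values quoted in the post; the function names are mine.

```python
import re

# Constructed inputs, copied from the values in the post: the idmap lines of
# the smb.conf, the debug_unix_user_token block from the log, and `id asmithee`.
SMB_CONF = """\
[global]
workgroup = MYORG
idmap config *: backend = tdb
idmap config *: range = 1000000-9999999
idmap config MYORG: backend = ad
idmap config MYORG: range = 1000-99999
"""

TOKEN_LOG = """\
[2013/04/12 16:01:21.224811, 5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 24717
  Primary group is 12000 and contains 4 supplementary groups
  Group[ 0]: 1000000
  Group[ 1]: 1000001
  Group[ 2]: 1000003
  Group[ 3]: 1001
"""

ID_OUTPUT = "uid=24717(asmithee) gid=12000(stud) groups=12000(stud),6600(deptut),33300(dep)"


def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config <dom>: range = low-high' line."""
    pattern = r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    return {dom: (int(lo), int(hi))
            for dom, lo, hi in re.findall(pattern, conf, re.MULTILINE)}


def parse_token_gids(log):
    """Return (primary_gid, [supplementary gids]) from debug_unix_user_token output."""
    m = re.search(r"Primary group is (\d+)", log)
    primary = int(m.group(1)) if m else None
    supplementary = [int(g) for g in re.findall(r"Group\[\s*\d+\]:\s*(\d+)", log)]
    return primary, supplementary


def parse_id_groups(id_line):
    """Return {gid: name} for every group in the 'groups=' part of `id` output."""
    m = re.search(r"groups=(\S+)", id_line)
    if not m:
        return {}
    return {int(gid): name for gid, name in re.findall(r"(\d+)\(([^)]*)\)", m.group(1))}


def idmap_domain_for(gid, ranges):
    """Name of the idmap domain whose range contains gid, or None if no range matches."""
    for dom, (lo, hi) in ranges.items():
        if lo <= gid <= hi:
            return dom
    return None


def diagnose(conf=SMB_CONF, log=TOKEN_LOG, id_line=ID_OUTPUT):
    """Compare the gids in the Samba token with what NSS reports for the user."""
    ranges = parse_idmap_ranges(conf)
    primary, supplementary = parse_token_gids(log)
    nss = parse_id_groups(id_line)
    token = set(supplementary) | ({primary} if primary is not None else set())
    return {
        "primary_matches_nss": primary in nss,
        # gids inside the catch-all '*' range were allocated on the fly by the tdb
        # backend, not read from the directory, so NSS cannot know them
        "allocated_from_default": sorted(
            g for g in supplementary if idmap_domain_for(g, ranges) == "*"),
        # gids inside a named domain's range that NSS nevertheless does not list
        "domain_range_but_unknown_to_nss": sorted(
            g for g in supplementary
            if idmap_domain_for(g, ranges) not in (None, "*") and g not in nss),
        # NSS groups the user belongs to that never made it into the Samba token
        "nss_groups_missing_from_token": sorted(g for g in nss if g not in token),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

Run as-is it reports the three high gids from the `*` range, gid 1001 as inside the MYORG range but unknown to NSS, and 6600 (deptut) and 33300 (dep) as missing from the token; with a working mapping all three lists come back empty. To use it on a live system, pass your own smb.conf text, a log excerpt taken at log level 5 and the output of `id <user>` to `diagnose()`.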