Hi,

Some advice, if I may..

I have two Samba4 domain controllers that I recently switched to using sssd (against these same DCs) for UNIX user authentication - this part works perfectly.

However, I am using one of these as a Samba file server also. When I create a file via an SMB share, the UNIX UID the file is owned by is the old 'winbind' UID (e.g. 3000007) rather than the new 'sssd' UID (e.g. 1514701182).

I have /etc/nsswitch.conf set to use 'files sss' for passwd and group. 'id <username>' works fine and returns the correct (new) UID.

'getent -s sss passwd <username>' returns the new UID (that I want to use).
'getent -s winbind passwd <username>' returns the old UID (that I don't want).

I've restarted samba, I've run 'net cache flush', I've tried adding "-winbind" to the 'server services' line in smb.conf.

Presumably I've got something fundamentally wrong.. but I'm not sure what. Can this even be done? I want files created/accessed via Samba for my AD users to have the same UID as when the same user logs in via ssh or similar (and gets the UID via sssd)...

Cheers,

Jonathan

--
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
On 03/06/15 01:37, Jonathan Hunter wrote:
> I've restarted samba, I've run 'net cache flush', I've tried adding
> "-winbind" to the 'server services'

Either go back to the stable 4.1 series (recommended) or use:

server services = +winbind, -winbindd
(meant to send this to the list this morning also)

Thanks buhorojo.

I was looking at the smb.conf man page at https://www.samba.org/samba/docs/man/manpages/smb.conf.5.html for inspiration, and only saw the 'winbind' option, not the 'winbindd' option - looks like the man page isn't exhaustive on that (I would have expected it to be.. oops).

Unfortunately I've tried changing this as above.. still no luck, it doesn't work :( I now have:

server services = -dns +winbind -winbindd

which has actually broken authentication for me (at least, radiusd/ntlm_auth doesn't work with smb.conf in that state) - so I've since reverted that change.

I don't think 4.1 is an easy option for me as there are other fixes in 4.2 that I am using (I'm on 4.2.2 at the moment) - and is downgrading a good idea?

At the moment I'm testing by editing smb.conf and restarting samba, then creating a new directory in \\servername\users\myusername, and checking with "ls -nld" to see what UID it has been created with. So far, only the old UID (3000007) is used, not the new UID which I need.

Interestingly, despite having previously run 'net cache flush' and restarted Samba, there were still many items in the cache ('net cache list') when I checked just now. This time, I stopped Samba, *then* ran 'net cache flush', and that seems to have worked better; I now have an empty cache. It's still creating files with the old UID, though :(

Really, I want algorithmic RID mapping on my DC. That seems to not yet be available, so I have tried sssd.. which seems to not work fully in my scenario (see above), either.

I have a feeling that there is an open bug in the tracker that relates to this - but I can't remember which one it is, unfortunately. Anyone know (and is it due for resolution in 4.3??)

I would dearly love to help with this via code contributions, but I've never worked on the samba codebase and it seems to be a bit of a big nut to crack as a first attempt...

Just from general observations on the mailing list over the last few weeks, I'm certainly not the only one who is hit by the different behaviour of a DC vs a member server in terms of ID mapping :(

Cheers,

Jonathan

On 3 June 2015 at 06:30, buhorojo <buhorojo.lcb at gmail.com> wrote:
> Either go back to the stable 4.1 series (recommended) or use:
>
> server services = +winbind, -winbindd
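The check described in the message above (create something through the share, then compare its numeric owner with what each NSS source reports for the user), as a small added shell script that is not part of the thread. It assumes a Linux host with GNU coreutils stat and glibc getent; the share path and username in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): which NSS source, if any, does the
# owner UID of a share-created file agree with?

# Extract the UID field (3rd) from a passwd(5) line such as
# "DOMAIN\user:*:3000007:100:Name:/home/DOMAIN/user:/bin/bash".
uid_from_passwd_line() {
    printf '%s\n' "$1" | cut -d: -f3
}

# UID reported by one NSS source for a user, e.g. nss_uid sss jonathan.
# Returns 1 (prints nothing) when the source does not know the user.
nss_uid() {
    # $1 = source (sss|winbind|files), $2 = username
    line=$(getent -s "$1" passwd "$2" 2>/dev/null) || return 1
    uid_from_passwd_line "$line"
}

# Numeric owner UID of a path, as 'ls -nld' would show it (GNU stat assumed).
owner_uid() {
    stat -c %u "$1"
}

# Return 0 when the path's owner matches the expected UID, 1 otherwise.
uid_matches() {
    # $1 = path, $2 = expected uid
    [ "$(owner_uid "$1")" = "$2" ]
}

# Report which configured source the file owner matches.
# Usage (hypothetical paths): check_share_file /srv/users/jonathan/newdir jonathan
check_share_file() {
    path=$1
    user=$2
    actual=$(owner_uid "$path")
    for src in sss winbind; do
        want=$(nss_uid "$src" "$user") || continue
        if [ "$actual" = "$want" ]; then
            echo "$path is owned by uid $actual, the $src uid for $user"
            return 0
        fi
    done
    echo "$path is owned by uid $actual, matching no NSS source for $user"
    return 1
}
```

If the report names winbind while nsswitch.conf lists only sss, the file server is still allocating IDs outside of NSS, which is the symptom discussed in this thread.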
On 03/06/15 00:37, Jonathan Hunter wrote:
> Hi,
>
> Some advice, if I may..
>
> I have two Samba4 domain controllers, that I recently switched to
> using sssd (against these same DCs) for UNIX user authentication -
> this part works perfectly.
>
> However, I am using one of these as a Samba file server also. When I
> create a file via a SMB share, the UNIX UID the file is owned by is
> the old 'winbind' UID (e.g. 3000007) rather than the new 'sssd' UID
> (e.g. 1514701182)

The UID you refer to has nothing to do with winbind; it is coming from idmap.ldb, and if by running 'getent passwd adomainuser' you are getting something like this:

DOMAIN\adomainuser:*:3000007:100:Adomain User:/home/DOMAIN/rowland:/bin/bash

then you must have a line like this in /etc/nsswitch.conf:

passwd compat winbind

As you have now installed sssd, replace 'winbind' with 'sss' and you should get the number you are after.

Rowland
Thanks Rowland.

'getent passwd mydomainuser' does return the correct (new, sssd) UID, e.g. 1514701182.

In my /etc/nsswitch.conf I have:

passwd: files sss
group: files sss

The problem is that when I create a file from a client machine into a samba share on this server, e.g. creating the file \\servername\sharename\newfile.txt, this new file is not owned by UID 1514701182, but rather 3000007.

Before I ran 'net cache flush', a simple "ls -l" showed the file as being owned by the right user 'mydomainuser' - the wrong UID only showed up via "ls -nl", which tells ls to display UIDs rather than usernames. Now, however, when I run "ls -l", I just see the UID - ls is unable to resolve this UID to a name (which I'd expect would be the case, as nsswitch.conf does not have winbind listed).

So, a file created using Samba's file server functionality, by user mydomainuser, gets created as UID 3000007 (also seen via 'net cache list', but not 'getent'); a file created using anything else on the machine uses the 'getent' UID of 1514701182 for mydomainuser.

It is entirely possible that there is some process I haven't restarted on the machine, of course, that is causing this - but if so, I don't know what that would be. I have made sure (ps axuw|grep mb; also grep samba, grep bind) that there are no samba processes still running when I shut down samba, before restarting it. I'm reluctant to restart the whole machine but will do so if that's likely to help things along.

(I'm reminded of the old joke that 90% of problems on Windows machines are fixed by restarting the computer, but 90% of problems on Unix machines are *triggered* by restarting the computer! :))

On 3 June 2015 at 19:06, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> The UID you refer to, has nothing to do with winbind, it is coming from
> idmap.ldb and if by running 'getent passwd adomainuser' you are getting
> something like this:
>
> DOMAIN\adomainuser:*:3000007:100:Adomain User:/home/DOMAIN/rowland:/bin/bash
>
> Then you must have a line like this in /etc/nsswitch.conf:
>
> passwd compat winbind
>
> As you have now installed sssd, replace 'winbind' with 'sss' and you should
> get the number you are after.
>
> Rowland