Thanks Rowland.

'getent passwd mydomainuser' does return the correct (new, sssd) UID e.g. 1514701182

In my /etc/nsswitch.conf I have:
passwd: files sss
group: files sss

The problem is that when I create a file from a client machine into a samba share on this server, e.g. creating the file \\servername\sharename\newfile.txt, this new file is not owned by UID 1514701182, but rather 3000007.

Before I ran 'net cache flush', a simple "ls -l" showed the file as being owned by the right user 'mydomainuser' - the wrong UID only showed up via "ls -nl", which tells ls to display UIDs rather than usernames. Now, however, when I run "ls -l", I just see the UID - ls is unable to resolve this UID to a name (which I'd expect would be the case, as nsswitch.conf does not have winbind listed).

So, a file created using Samba's file server functionality, by user mydomainuser, gets created as UID 3000007 (also seen via 'net cache list', but not 'getent'); a file created using anything else on the machine uses the 'getent' UID of 1514701182 for mydomainuser.

It is entirely possible that there is some process I haven't restarted on the machine, of course, that is causing this - but if so, I don't know what that would be. I have made sure (ps axuw|grep mb; also grep samba, grep bind) that there are no samba processes still running when I shut down samba, before restarting it.

I'm reluctant to restart the whole machine but will do so if that's likely to help things along. (I'm reminded of the old joke that 90% of problems on Windows machines are fixed by restarting the computer, but 90% of problems on Unix machines are *triggered* by restarting the computer! :))

On 3 June 2015 at 19:06, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 03/06/15 00:37, Jonathan Hunter wrote:
>> Hi,
>>
>> Some advice, if I may..
>>
>> I have two Samba4 domain controllers, that I recently switched to using sssd (against these same DCs) for UNIX user authentication - this part works perfectly.
>>
>> However, I am using one of these as a Samba file server also. When I create a file via an SMB share, the UNIX UID the file is owned by is the old 'winbind' UID (e.g. 3000007) rather than the new 'sssd' UID (e.g. 1514701182)
>
> The UID you refer to has nothing to do with winbind, it is coming from idmap.ldb and if by running 'getent passwd adomainuser' you are getting something like this:
>
> DOMAIN\adomainuser:*:3000007:100:Adomain User:/home/DOMAIN/rowland:/bin/bash
>
> Then you must have a line like this in /etc/nsswitch.conf:
>
> passwd compat winbind
>
> As you have now installed sssd, replace 'winbind' with 'sss' and you should get the number you are after.
>
> Rowland
>
>> I have /etc/nsswitch.conf set to use 'files sss' for passwd and group. 'id <username>' works fine and returns the correct (new) UID.
>>
>> 'getent -s sss passwd <username>' returns the new UID (that I want to use).
>> 'getent -s winbind passwd <username>' returns the old UID (that I don't want).
>>
>> I've restarted samba, I've run 'net cache flush', I've tried adding "-winbind" to the 'server services' line in smb.conf.
>>
>> Presumably I've got something fundamentally wrong.. but I'm not sure what. Can this even be done? I want files created/accessed via Samba for my AD users to have the same UID as when the same user logs in via ssh or similar (and gets the UID via sssd)...
>>
>> Cheers,
>>
>> Jonathan
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

--
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
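The comparison Jonathan is doing by hand above ('getent -s sss', 'getent -s winbind', 'ls -nl' on a file created through the share) can be made repeatable. The script below is an added example, not code from the thread and not part of Samba or sssd. The two passwd-format lines at the top are constructed samples in the shape the thread describes (sssd's SID-derived UID and the idmap.ldb xidNumber), not real lookups; 'stat -c %u' is GNU coreutils syntax, and the user and share path in the usage note are assumptions.

```shell
#!/bin/sh
# Added diagnostic script; not from the thread, not part of Samba or sssd.
# It answers two questions on the file server: which NSS source gives which
# UID for a user, and whether a file created through the SMB share is owned
# by the UID that sssd hands out.

# Constructed sample lines (not real lookups) in getent(1) passwd format.
# First: the shape sssd returns with its default SID-based ID mapping.
# Second: the shape an AD DC's idmap.ldb mapping returns, as quoted in the thread.
SSS_LINE='mydomainuser:*:1514701182:1514700513:My Domain User:/home/mydomainuser:/bin/bash'
WINBIND_LINE='DOMAIN\mydomainuser:*:3000007:100:My Domain User:/home/DOMAIN/mydomainuser:/bin/bash'

# The numeric UID is the third colon-separated field of a passwd(5) line.
passwd_uid() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Exit 0 when both passwd lines carry the same non-empty UID, 1 otherwise.
uids_agree() {
    a=$(passwd_uid "$1")
    b=$(passwd_uid "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Live lookup: print the UID each NSS source reports for a user. Sources
# that are not configured on the host (e.g. winbind when nsswitch.conf
# lists only 'files sss') return nothing and are skipped.
show_sources() {
    for src in files sss winbind; do
        line=$(getent -s "$src" passwd "$1" 2>/dev/null) || continue
        printf '%-8s %s\n' "$src" "$(passwd_uid "$line")"
    done
}

# Live check: compare the UID sssd gives a user with the numeric owner of a
# path created through the share. 0 = match, 1 = mismatch, 2 = lookup failed.
# 'stat -c %u' is GNU coreutils syntax (assumption: Linux host).
check_owner() {
    user=$1; path=$2
    line=$(getent -s sss passwd "$user") || return 2
    expected=$(passwd_uid "$line")
    actual=$(stat -c %u "$path") || return 2
    if [ "$expected" = "$actual" ]; then
        echo "OK: $path is owned by $user ($expected)"
    else
        echo "MISMATCH: $path is owned by uid $actual, sssd says $user is $expected"
        return 1
    fi
}

# Demonstration on the constructed lines only; no host lookups are made here.
if uids_agree "$SSS_LINE" "$WINBIND_LINE"; then
    echo "sss and idmap.ldb agree on the UID"
else
    echo "sss gives $(passwd_uid "$SSS_LINE"), idmap.ldb gives $(passwd_uid "$WINBIND_LINE")"
fi
```

On the server, after creating a file from a client, source the script and run `show_sources mydomainuser` followed by `check_owner mydomainuser /srv/share/newfile.txt` (path assumed). A MISMATCH with only 'sss' listed by show_sources is exactly the situation described above: the share's owner UID comes from idmap.ldb rather than from any nsswitch source.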
Hi Jonathan,

I think the reason might be this:
- You are using "idmap_ldb:use rfc2307" in your Samba config, which means that Samba will use the IDs specified in the unix attributes in your AD (uidNumber, gidNumber).
- You are using "ldap_id_mapping = True" in sssd.conf, which means that sssd will map uid and gid from the objectSID attribute.

I think if you set "ldap_id_mapping = False" in sssd.conf you'll get the same uid on both (that's how I use it anyway).

See the manpage of sssd-ad for more information on the ldap_id_mapping param.

I hope this helps,

Regards, Roel

Jonathan Hunter writes:
> Thanks Rowland.
>
> 'getent passwd mydomainuser' does return the correct (new, sssd) UID e.g. 1514701182
>
> In my /etc/nsswitch.conf I have:
> passwd: files sss
> group: files sss
>
> The problem is that when I create a file from a client machine into a samba share on this server, e.g. creating the file \\servername\sharename\newfile.txt, this new file is not owned by UID 1514701182, but rather 3000007.
> [...]
On 04/06/15 16:58, Roel van Meer wrote:
> Hi Jonathan,
>
> I think the reason might be this:
> - You are using "idmap_ldb:use rfc2307" in your Samba config, which means that Samba will use the IDs specified in the unix attributes in your AD (uidNumber, gidNumber).
> - You are using "ldap_id_mapping = True" in sssd.conf, which means that sssd will map uid and gid from the objectSID attribute.
>
> I think if you set "ldap_id_mapping = False" in sssd.conf you'll get the same uid on both (that's how I use it anyway).

No, we don't think so because the user does not have the rfc2307 attributes in the directory and doesn't want to put them there. Maybe on the contrary, comment the idmap_ldb:use rfc2307.

> See the manpage of sssd-ad for more information on the ldap_id_mapping param.
>
> I hope this helps,
>
> Regards, Roel
>
> Jonathan Hunter writes:
>> Thanks Rowland.
>>
>> 'getent passwd mydomainuser' does return the correct (new, sssd) UID e.g. 1514701182
>> [...]
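Roel's suggestion written out as configuration, as an added example that is not from the thread and not any poster's own config: both Samba and sssd are told to take the numeric IDs from the RFC2307 attributes in AD, so the two lookup paths land on the same uidNumber. It only produces matching UIDs when the user and group objects actually carry uidNumber and gidNumber, which is the objection raised in the reply above; without those attributes Samba falls back to idmap.ldb and sssd to SID-derived IDs, and the two cannot coincide. The domain name, file paths and section layout are assumptions.

```ini
# /etc/samba/smb.conf on the Samba AD DC that also serves the share
# (assumed path; only the relevant option is shown)
[global]
    # Use uidNumber/gidNumber from AD instead of xidNumbers allocated in idmap.ldb.
    # Every user who touches the share must have uidNumber set, or the
    # fallback allocation (3000007-style values) comes back.
    idmap_ldb:use rfc2307 = yes

# /etc/sssd/sssd.conf on the same host (assumed path and domain name)
[sssd]
    services = nss, pam
    domains = example.com

[domain/example.com]
    id_provider = ad
    # Default is True: UID/GID are derived from the objectSID (e.g. 1514701182).
    # False: read uidNumber/gidNumber from the user object, the same values
    # Samba uses with idmap_ldb:use rfc2307 above.
    ldap_id_mapping = False
```

Switching ldap_id_mapping changes the UIDs sssd reports for every AD user, so existing files owned by the SID-derived IDs need a chown pass afterwards; the attributes themselves can be populated at user creation time (samba-tool user create accepts --uid-number and --gid-number).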