Michael Adam
2015-Nov-16 13:28 UTC
[Samba] Samba 4.1. creates group rights for not existing group.
On 2015-11-16 at 12:57 +0000, Rowland Penny wrote:> On 16/11/15 12:53, Michael Adam wrote: > >On 2015-11-16 at 11:14 +0000, Rowland Penny wrote: > >>On 16/11/15 10:11, Alex Sviridov wrote: > >>> I use samba 4.1 as dc with acl. I have user with uid 3000023. However, I don't have group with guid 3000023. However, when this user creates a folder samba in acl list creates permissions for group 3000023 and as result I have broken link. How to fix it? > >>> > >>> > >>Hi, allow me to introduce you to the concept of a user being also a group > >>and vica-versa. If you examine idmap.ldb: > >> > >>ldbedit -e nano -H /usr/local/samba/private/idmap.ldb > >> > >>You will find lines like this: > >> > >>type: ID_TYPE_BOTH > >> > >>This means that your user can be both a user and a group > >> > >>It has to be like this so that the 'Administrators' group can own > >>directories and files in sysvol. > >Very true. > >This can't be over-emphasized, since it seems > >to puzzle people: This is by design. > > > >And regarding non-existence of that group: > > > >If you do the supported thing, namely put > >winbind into /etc/nsswitch.conf, then this > >group exists. :-) > > > >Cheers - Michael > > er, when did it become supported to put winbind into > /etc/nsswitch.conf on a DC?To my understanding, it was supported from the beginning (i.e. Samba 4.0.0).> You only need to do this if you actually need to log into the DC and this is > not recommended on the wiki.Well it is also cosmetic for when e.g. an admin wants to look at files/perms on the console. And btw, 'not recommended' does not mean 'not supported'. Of course, not putting anything winbind-ish into nsswitch, might also be considered supported, but I'd say that for a complete setup, winbind belongs into nsswitch.conf. If you don't put anything, then also the corresponding uid won't be resolved in 'ls -l' and friends, so one could complain that that user does not exist just as well. (With existence defined as 'getent passwd foo' or 'getent group bar' knows them...) So my point was that putting stuff into /etc/nsswitch.conf makes users and groups exist. And if you put the *right* thing into nsswitch (i.e. winbind and not, e.g. sssd), then these groups do exist. Michael -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: not available URL: <http://lists.samba.org/pipermail/samba/attachments/20151116/676829bc/signature.sig>
Rowland Penny
2015-Nov-16 13:40 UTC
[Samba] Samba 4.1. creates group rights for not existing group.
On 16/11/15 13:28, Michael Adam wrote:> On 2015-11-16 at 12:57 +0000, Rowland Penny wrote: >> On 16/11/15 12:53, Michael Adam wrote: >>> On 2015-11-16 at 11:14 +0000, Rowland Penny wrote: >>>> On 16/11/15 10:11, Alex Sviridov wrote: >>>>> I use samba 4.1 as dc with acl. I have user with uid 3000023. However, I don't have group with guid 3000023. However, when this user creates a folder samba in acl list creates permissions for group 3000023 and as result I have broken link. How to fix it? >>>>> >>>>> >>>> Hi, allow me to introduce you to the concept of a user being also a group >>>> and vica-versa. If you examine idmap.ldb: >>>> >>>> ldbedit -e nano -H /usr/local/samba/private/idmap.ldb >>>> >>>> You will find lines like this: >>>> >>>> type: ID_TYPE_BOTH >>>> >>>> This means that your user can be both a user and a group >>>> >>>> It has to be like this so that the 'Administrators' group can own >>>> directories and files in sysvol. >>> Very true. >>> This can't be over-emphasized, since it seems >>> to puzzle people: This is by design. >>> >>> And regarding non-existence of that group: >>> >>> If you do the supported thing, namely put >>> winbind into /etc/nsswitch.conf, then this >>> group exists. :-) >>> >>> Cheers - Michael >> er, when did it become supported to put winbind into >> /etc/nsswitch.conf on a DC? > To my understanding, it was supported from the beginning > (i.e. Samba 4.0.0).OK, change 'supported' to 'recommended'> >> You only need to do this if you actually need to log into the DC and this is >> not recommended on the wiki. > Well it is also cosmetic for when e.g. an admin > wants to look at files/perms on the console.You cannot do it for just one user, if all users have uidNumbers.> > And btw, 'not recommended' does not mean 'not supported'.Thinking about it, doesn't saying that something is supported also mean you can do this?> Of course, not putting anything winbind-ish into nsswitch, > might also be considered supported, but I'd say that > for a complete setup, winbind belongs into nsswitch.conf.Totally agree, but only when winbindd works fully.> If you don't put anything, then also the corresponding > uid won't be resolved in 'ls -l' and friends, so one > could complain that that user does not exist just as well. > (With existence defined as 'getent passwd foo' or > 'getent group bar' knows them...) > > So my point was that putting stuff into /etc/nsswitch.conf > makes users and groups exist. And if you put the *right* > thing into nsswitch (i.e. winbind and not, e.g. sssd), then > these groups do exist.Well, half correct and you know what half isn't correct on an AD DC :-) I would also like to point out that most of what sssd and nlscd can do, winbind can do, the only difference is when it comes to the DC. Rowland> Michael >
Michael Adam
2015-Nov-16 14:24 UTC
[Samba] Samba 4.1. creates group rights for not existing group.
On 2015-11-16 at 13:40 +0000, Rowland Penny wrote:> On 16/11/15 13:28, Michael Adam wrote: > >On 2015-11-16 at 12:57 +0000, Rowland Penny wrote: > >>On 16/11/15 12:53, Michael Adam wrote: > >>>On 2015-11-16 at 11:14 +0000, Rowland Penny wrote: > >>>>On 16/11/15 10:11, Alex Sviridov wrote: > >>>>> I use samba 4.1 as dc with acl. I have user with uid 3000023. However, I don't have group with guid 3000023. However, when this user creates a folder samba in acl list creates permissions for group 3000023 and as result I have broken link. How to fix it? > >>>>> > >>>>> > >>>>Hi, allow me to introduce you to the concept of a user being also a group > >>>>and vica-versa. If you examine idmap.ldb: > >>>> > >>>>ldbedit -e nano -H /usr/local/samba/private/idmap.ldb > >>>> > >>>>You will find lines like this: > >>>> > >>>>type: ID_TYPE_BOTH > >>>> > >>>>This means that your user can be both a user and a group > >>>> > >>>>It has to be like this so that the 'Administrators' group can own > >>>>directories and files in sysvol. > >>>Very true. > >>>This can't be over-emphasized, since it seems > >>>to puzzle people: This is by design. > >>> > >>>And regarding non-existence of that group: > >>> > >>>If you do the supported thing, namely put > >>>winbind into /etc/nsswitch.conf, then this > >>>group exists. :-) > >>> > >>>Cheers - Michael > >>er, when did it become supported to put winbind into > >>/etc/nsswitch.conf on a DC? > >To my understanding, it was supported from the beginning > >(i.e. Samba 4.0.0). > > OK, change 'supported' to 'recommended' > > >>You only need to do this if you actually need to log into the DC and this is > >>not recommended on the wiki.I am wondering what you are referring to. I don't see explicit mentioning of it not being recommended.> >Well it is also cosmetic for when e.g. an admin > >wants to look at files/perms on the console. > > You cannot do it for just one user, if all users have uidNumbers.Er?... I was talking about treating all users/groups at a time. Currently, this fully works as designed, afaiac: Winbind consistently reports those uids/gids to nsswitch that samba will also use internally when providing SMB/AD access (on the DC!). Whether is the design that users would like is a completely different topic. But it works and is supported. :-)> >And btw, 'not recommended' does not mean 'not supported'. > > Thinking about it, doesn't saying that something is supported also mean you > can do this?Oh, if something is said to be supported, it should be possible to do it... Where is the contradiction?> >Of course, not putting anything winbind-ish into nsswitch, > >might also be considered supported, but I'd say that > >for a complete setup, winbind belongs into nsswitch.conf. > > Totally agree, but only when winbindd works fully.It does, as designed, see above. The request to always use the RFC XIDs on the DC, and also to use the shell and homedir from there, are imho feature requests.> >If you don't put anything, then also the corresponding > >uid won't be resolved in 'ls -l' and friends, so one > >could complain that that user does not exist just as well. > >(With existence defined as 'getent passwd foo' or > >'getent group bar' knows them...) > > > >So my point was that putting stuff into /etc/nsswitch.conf > >makes users and groups exist. And if you put the *right* > >thing into nsswitch (i.e. winbind and not, e.g. sssd), then > >these groups do exist. > > Well, half correct and you know what half isn't correct on an AD DC :-)What is correct? What Samba does internally is by definition correct. And on a DC this is currently the mix of idmap.ldb and optionally rfc2307 attributes. (On a member, there is great flexibility to configure ID-mapping, but this is not the topic here.) So in order to have something correct in nsswitch, it needs to produce the exact same id mapping as samba is using internally. Hence winbind is the correct thing to put into nsswitch. I am also puzzled that the wiki does not say anything about nsswitch in the ad/dc setup. I think this is simply an omission.> I would also like to point out that most of what sssd and nlscd can do, > winbind can do, the only difference is when it comes to the DC.I don't know what they can do. But in can not be fully correct, unless they read the idmap.ldb. Michael -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: not available URL: <http://lists.samba.org/pipermail/samba/attachments/20151116/370a6245/signature.sig>
Reasonably Related Threads
- Samba 4.1. creates group rights for not existing group.
- Samba 4.1. creates group rights for not existing group.
- Samba 4.1. creates group rights for not existing group.
- Samba 4.1. creates group rights for not existing group.
- Change default samba 4.1. ACL behaviour