I've reverted my test box fs back to winbindd and taken sssd out of the mix.
I'd love some more help on this as it's now faring better in testing than
sssd with the Macs; however, I can set the users to be looked up but I'm
having issues with having the names of the groups show up. It seems to be
working, however it's now showing the GIDs as opposed to the group names.
For instance, digimag is now showing on the folder as 20008,
but if I do a chgrp to something else and then change it back to digimag with
chown -R digimag it shows up as the numeric association and not the actual
group name.
I don't think it's looking up the groups properly. Where would I look for
that? If I issue a wbinfo -g it returns all the groups properly, as does a getent
group.
Thank you
--
David
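An added diagnostic for the GID-versus-name question above (example code written for this page, not something David or the Samba list posted): wbinfo -g asks winbindd directly, while ls, chgrp and chown turn a GID into a name through NSS (the same path getent uses), so a group winbind knows about can still print as a bare number if the "group:" line of nsswitch.conf does not list winbind or if the GID-to-name lookup itself fails. The script checks both: which sources nsswitch.conf names for groups, and which owning GIDs under a path NSS cannot resolve. It assumes GNU stat (as on Debian) and takes the nsswitch file as a parameter so a constructed copy can be tested.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: check the NSS group
# lookups that ls/chown/chgrp rely on when they display group names.

# Resolve a numeric GID to a group name through NSS.
# Prints the name, or UNRESOLVED:<gid> when no NSS source answers.
resolve_gid() {
    gid=$1
    name=$(getent group "$gid" 2>/dev/null | cut -d: -f1)
    if [ -n "$name" ]; then
        printf '%s\n' "$name"
    else
        printf 'UNRESOLVED:%s\n' "$gid"
    fi
}

# Print the sources on the "group:" line of an nsswitch.conf-style file
# (path given as $1 so a constructed copy can be checked offline).
# For winbind-backed groups the word "winbind" must appear here.
group_sources() {
    sed -n 's/^group:[[:space:]]*//p' "$1"
}

# Return 0 when winbind is among the group sources in the given file.
nss_group_has_winbind() {
    case " $(group_sources "$1") " in
        *" winbind "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report every owning GID under a path that NSS cannot turn into a name.
# Assumes GNU stat with -c '%g' (Debian coreutils).
report_unresolved_gids() {
    find "$1" -exec stat -c '%g' {} + 2>/dev/null | sort -un | while read -r gid; do
        case $(resolve_gid "$gid") in
            UNRESOLVED:*) printf 'GID %s under %s has no group name via NSS\n' "$gid" "$1" ;;
        esac
    done
}

# Usage when run directly, e.g. on the share root from the thread:
#   sh check_groups.sh /Groups
if [ -n "$1" ]; then
    if nss_group_has_winbind /etc/nsswitch.conf; then
        echo "nsswitch.conf group sources: $(group_sources /etc/nsswitch.conf)"
    else
        echo "WARNING: winbind is not a group source in /etc/nsswitch.conf"
    fi
    report_unresolved_gids "$1"
fi
```

If the nsswitch line is right but a specific GID still comes back UNRESOLVED, the next thing to compare is `getent group 20008` against `getent group digimag`: the first exercises the GID-to-name lookup that ls needs, the second only the name-to-GID direction.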
From: Rowland penny <rpenny at samba.org>
To: <samba at lists.samba.org>
Sent: 2/2/2016 3:26 PM
Subject: Re: [Samba] Mac OS X and ACL's
On 02/02/16 20:13, David Thompson wrote:
> Hi all,
>
> I have a server that has ACL's enabled on it and the groups are set
> properly from the domain that are applied on top of it for the shared folders. I
> am running with Mac OS X 10.10.5 on the client side and am having nothing but
> issues with getting them to respect the ACL's set on the files.
>
>
> The Server Setup is as follows:
>
>
> Domain Server: Debian 7.9 with Samba 4.3.4
>
>
> Member Server:
> Debian 7.9 with Samba 4.3.4
> SSSD - Version 1.8.4
>
>
> Here is the output of my smb.conf file:
>
>
> -----------------------------------------------------------------------------------------------------------------
> [global]
> netbios name = fs
> workgroup = AUTH
> security = ADS
> realm = AUTH.DOMAIN.COM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config AUTH:backend = ad
> idmap config AUTH:schema_mode = rfc2307
> idmap config AUTH:range = 10000-99999
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
> winbind cache time = 40
> # vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> username map = /etc/samba/user_map
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
> unix extensions = no
>
> [Groups]
> path = /Groups
> guest ok = yes
> browseable = yes
> writeable = yes
> read only = no
> admin users = "Domain Admins"
> inherit permissions = Yes
> inherit acls = Yes
>
> -----------------------------------------------------------------------------------------------------------------
>
>
> Here is the output of my sssd.conf file
>
>
> -----------------------------------------------------------------------------------------------------------------
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = default
>
> [nss]
>
> [pam]
>
> [domain/default]
> id_provider = ldap
> ldap_schema = rfc2307bis
> ldap_referrals = false
> ldap_uri = ldap://dc01.auth.domain.com
> ldap_search_base = dc=auth,dc=domain,dc=com
> ldap_force_upper_case_realm = true
> # See man sssd-simple
> access_provider = simple
> # Uncomment to check for account expiration in DC
> # access_provider = ldap
> # ldap_access_order = expire
> # ldap_account_expire_policy = ad
> # Enumeration is discouraged for performance reasons.
> # enumerate = true
> auth_provider = krb5
> chpass_provider = krb5
> ldap_sasl_mech = gssapi
> ldap_sasl_authid = dc01$@AUTH.DOMAIN.COM
> krb5_realm = AUTH.DOMAIN.COM
> krb5_server = dc01.auth.domain.com
> krb5_kpasswd = dc01.auth.domain.com
> ldap_krb5_keytab = /etc/krb5.sssd.keytab
> ldap_user_object_class = user
> ldap_user_name = samAccountName
> ldap_user_home_directory = unixHomeDirectory
> ldap_user_principal = userPrincipalName
> ldap_user_shell = loginShell
> ldap_group_object_class = group
>
> -----------------------------------------------------------------------------------------------------------------
>
>
> Here is the getfacl on my Folder that I'm trying to get to respect
> ACL's on for the Macs:
>
>
>
> getfacl /Groups/Digital\ Magazine/
> getfacl: Removing leading '/' from absolute path names
> # file: Groups/Digital Magazine/
> # owner: root
> # group: DigiMag
> user::rwx
> user:Administrator:rwx
> group::r-x
> group:Domain\040Admins:rwx
> group:DigiMag:rwx
> mask::rwx
> other::r-x
> default:user::rwx
> default:user:Administrator:rwx
> default:group::r-x
> default:group:Domain\040Admins:rwx
> default:group:DigiMag:rwx
> default:mask::rwx
> default:other::r-x
>
>
>
>
> -----------------------------------------------------------------------------------------------------------------
>
>
> As you can see, the group: DigiMag has rwx on the folder.
>
>
> However when I create a file, the settings get changed to the group
> "DigiMag" as only having r-- access on the file
>
> root at fs:/Groups/Digital Magazine# getfacl ROOT-FSTESTER.xlsx
> # file: ROOT-FSTESTER.xlsx
> # owner: ftester
> # group: DigiMag
> user::rwx
> user:Administrator:r--
> user:ftester:rwx
> group::r--
> group:Domain\040Admins:r--
> group:DigiMag:rwx
> group:Domain\040Users:r--
> mask::rwx
> other::r--
>
>
>
>
> -----------------------------------------------------------------------------------------------------------------
>
>
> This also happens if I set an ACL on the file and give explicit access for
> the users. If I have 2 users (ftester, and zeddy) and give them full rwx access
> to the file(s), as soon as one of them opens up the files and saves it the ACL
> is over written and only the first user to open and save the files then has
> access to it. They take over ownership of the file(s) as well as change the
> access to the files to be r-- for both the group (DigiMag) and the user (zeddy)
>
>
>
> -----------------------------------------------------------------------------------------------------------------
> root at fs:/Groups/Digital Magazine# getfacl ROOT-FSTESTER.xlsx
> # file: ROOT-FSTESTER.xlsx
> # owner: ftester
> # group: DigiMag
> user::rwx
> user:Administrator:r--
> user:ftester:rwx
> user:zeddy:r--
> group::r--
> group:Domain\040Admins:r--
> group:DigiMag:rwx
> group:Domain\040Users:r--
> mask::rwx
> other::r--
>
-----------------------------------------------------------------------------------------------------------------
>
>
> The Macs are all Mac OS X 10.10.5 and newer, are all bound to the Domain,
> and all logon to the domain with a username. If I do an ID on a user, it shows
> the proper groups that they are a part of, from both the linux server and the
> mac server. I am using the UNIX extensions and it all seems to work fine.
>
>
> id ftester
> uid=333345(ftester) gid=20023(Domain Users) groups=20023(Domain Users),20003(Adv_Art),20021(web),20012(MandD),20008(DigiMag),20004(circ)
>
> uid=333346(zeddy) gid=20023(Domain Users) groups=20023(Domain Users),20012(MandD),20008(DigiMag)
>
>
>
>
> -----------------------------------------------------------------------------------------------------------------
>
>
>
>
>
>
> Everything seemingly works as far as I can tell. I can run a kinit and it
> works fine. When I login on a mac as a network based user, I get my proper
> kerberos tickets and access to the folders that I'm supposed to have access
> to based on my groups in Samba DC.
>
> I can't for the life of me figure out how I can get the file shares to
> give full access rwx to the files on the server.
>
> If someone could please please help me out, I would greatly appreciate it
> and will provide any information that I might have missed.
> Thank you for your time,
>
>
>
> --
>
>
> David
>
>
>
As you are using sssd for authentication, you may get better help from
the sssd mailing list; if, however, you decide to use winbind instead, I
can help you with that.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba