samba - Nov 2016 - Clients can't write to group-writable files - plea for help

On Wed, Nov 16, 2016 at 08:44:35AM -0500, Josh Malone via samba
wrote:
> On 11/15/16 7:25 PM, Jeremy Allison wrote:
> >
> >The token is the list of uids/gids (or SIDs in Windows terms)
> >that this smbd is using to represent the user right now.
> 
> Okay - that makes sense. Thank you.
> 
> >>
> >>  canon_ace index 0. Type = allow SID = S-1-22-1-0 uid 0 (root)
> >>SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
> >>  canon_ace index 1. Type = allow SID = S-1-22-2-0 gid 0 (root)
> >>SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
> >>  canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
> >>ace_flags = 0x0 perms r-x
> >
> >Looks like a perm set of rwxr-xr-x on the file to me, with
> >owner and group of root.
> 
> But the file is not root:root - it's owned by uid 12477 and group
> 9006. Why is Samba getting the wrong owner/group for this file?
That is the core of your problem. What does the full debug
level 10 log say around this message ?

On 11/16/16 2:32 PM, Jeremy Allison via samba wrote:
>>
>> But the file is not root:root - it's owned by uid 12477 and group
>> 9006. Why is Samba getting the wrong owner/group for this file?
>
> That is the core of your problem. What does the full debug level 10
> log say around this message ?
>
Nothing that I can see.

In any case, I've resolved my issue. By setting a user map script that
just returns $1, the problem goes away. It's as if samba wasn't
processing the trivial case of unix = windows without this help. I
couldn't even use an empty usermap or find any other usermap setup that
worked. Not sure why.

And I only had to resort to this on my RHEL6 servers. Ubuntu server
handles it just fine without maps or scripts.


On 11/16/16 11:21 AM, Rowland Penny via samba wrote:
>
> If you are connecting to an Unix domain member, you don't use a
> username map, you give your windows users a uidNumber attribute and
> they become Unix users as well, provided the Unix domain member is
> setup correctly.
>
> Don't remember seeing the smb.conf files you are using, this may
> help with your problem.
>
> Rowland
My AD account objects all have uidNumber and gidNumber set (we use that 
for the Mac systems bound to AD). And the AD usernames match the NIS 
usernames. (the uid/gids match too).

Is there documentation that focuses on the simple "Member server" case
for just serving files to users who exist on both unix and AD? Seems 
like most of the docs assume you're using Samba as a DC or something 
more magical than a simple file server.

In any case, thanks to all who chimed in on my problem. Very much
appreciated.

-Josh

-- 
--------------------------------------------------------
        Joshua Malone       Systems Administrator
      (jmalone at nrao.edu)    NRAO Charlottesville
         434-296-0263           www.nrao.edu
	434-249-5699 (mobile)
--------------------------------------------------------

On Wed, Nov 16, 2016 at 03:12:06PM -0500, Josh Malone via samba
wrote:
> On 11/16/16 2:32 PM, Jeremy Allison via samba wrote:
> >>
> >>But the file is not root:root - it's owned by uid 12477 and
group
> >>9006. Why is Samba getting the wrong owner/group for this file?
> >
> >That is the core of your problem. What does the full debug level 10
> >log say around this message ?
> >
> 
> Nothing that I can see.
That is not a helpful response to a request for debug info.

Just sayin' :-) :-).

On Wed, 16 Nov 2016 15:12:06 -0500
Josh Malone via samba <samba at lists.samba.org> wrote:
> On 11/16/16 2:32 PM, Jeremy Allison via samba wrote:
> >>
> >> But the file is not root:root - it's owned by uid 12477 and
group
> >> 9006. Why is Samba getting the wrong owner/group for this file?
> >
> > That is the core of your problem. What does the full debug level 10
> > log say around this message ?
> >
> 
> Nothing that I can see.
> 
> In any case, I've resolved my issue. By setting a user map script that
> just returns $1, the problem goes away. It's as if samba wasn't
> processing the trivial case of unix = windows without this help. I
> couldn't even use an empty usermap or find any other usermap setup
> that worked. Not sure why.
> 
> And I only had to resort to this on my RHEL6 servers. Ubuntu server
> handles it just fine without maps or scripts.
> 
> 
> On 11/16/16 11:21 AM, Rowland Penny via samba wrote:
> >
> > If you are connecting to an Unix domain member, you don't use a
> > username map, you give your windows users a uidNumber attribute and
> > they become Unix users as well, provided the Unix domain member is
> > setup correctly.
> >
> > Don't remember seeing the smb.conf files you are using, this may
> > help with your problem.
> >
> > Rowland
> 
> My AD account objects all have uidNumber and gidNumber set (we use
> that for the Mac systems bound to AD). And the AD usernames match the
> NIS usernames. (the uid/gids match too).
This is probably why it works on Ubuntu, but not on Centos, sssd is
probably running on the Centos machine, but isn't setup
correctly.
> 
> Is there documentation that focuses on the simple "Member server"
> case for just serving files to users who exist on both unix and AD?
> Seems like most of the docs assume you're using Samba as a DC or
> something more magical than a simple file server.
There isn't really a 'simple member server', the word
'member' means it
is a Domain member and you can read here about them:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

You can leverage that to create a fileserver that authenticates to AD.

Rowland