Rowland Penny
2016-Nov-16 20:23 UTC
[Samba] Clients can't write to group-writable files - plea for help
On Wed, 16 Nov 2016 15:12:06 -0500 Josh Malone via samba <samba at lists.samba.org> wrote:

> On 11/16/16 2:32 PM, Jeremy Allison via samba wrote:
> >>
> >> But the file is not root:root - it's owned by uid 12477 and group
> >> 9006. Why is Samba getting the wrong owner/group for this file?
> >
> > That is the core of your problem. What does the full debug level 10
> > log say around this message ?
> >
>
> Nothing that I can see.
>
> In any case, I've resolved my issue. By setting a user map script that
> just returns $1, the problem goes away. It's as if samba wasn't
> processing the trivial case of unix = windows without this help. I
> couldn't even use an empty usermap or find any other usermap setup
> that worked. Not sure why.
>
> And I only had to resort to this on my RHEL6 servers. Ubuntu server
> handles it just fine without maps or scripts.
>
>
> On 11/16/16 11:21 AM, Rowland Penny via samba wrote:
> >
> > If you are connecting to an Unix domain member, you don't use a
> > username map, you give your windows users a uidNumber attribute and
> > they become Unix users as well, provided the Unix domain member is
> > setup correctly.
> >
> > Don't remember seeing the smb.conf files you are using, this may
> > help with your problem.
> >
> > Rowland
>
> My AD account objects all have uidNumber and gidNumber set (we use
> that for the Mac systems bound to AD). And the AD usernames match the
> NIS usernames. (the uid/gids match too).

This is probably why it works on Ubuntu, but not on Centos, sssd is probably running on the Centos machine, but isn't setup correctly.

> Is there documentation that focuses on the simple "Member server"
> case for just serving files to users who exist on both unix and AD?
> Seems like most of the docs assume you're using Samba as a DC or
> something more magical than a simple file server.

There isn't really a 'simple member server', the word 'member' means it is a Domain member and you can read here about them:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

You can leverage that to create a fileserver that authenticates to AD.

Rowland
Alex Crow
2016-Nov-17 19:06 UTC
[Samba] Clients can't write to group-writable files - plea for help
>> My AD account objects all have uidNumber and gidNumber set (we use
>> that for the Mac systems bound to AD). And the AD usernames match the
>> NIS usernames. (the uid/gids match too).
> This is probably why it works on Ubuntu, but not on Centos, sssd is
> probably running on the Centos machine, but isn't setup correctly.
>

sssd I don't think runs by default on Centos 6 or 7 (in my case it doesn't).

OP: have you tried using winbind in nsswitch.conf on the member servers with rfc2307 enabled in the smb.conf?

It works for us in both Centos 6 and 7, no issues with UID/GID mapping.

Cheers

Alex

--
This message is intended only for the addressee and may contain confidential information. Unless you are that person, you may not disclose its contents or use it in any way and are requested to delete the message along with any attachments and notify us immediately. This email is not intended to, nor should it be taken to, constitute advice. The information provided is correct to our knowledge & belief and must not be used as a substitute for obtaining tax, regulatory, investment, legal or any other appropriate advice.

"Transact" is operated by Integrated Financial Arrangements Ltd. 29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300. (Registered office: as above; Registered in England and Wales under number: 3727592). Authorised and regulated by the Financial Conduct Authority (entered on the Financial Services Register; no. 190856).
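The winbind/rfc2307 setup suggested in the message above, sketched as an added example that is not from any poster in this thread: a member-server smb.conf fragment. The domain name EXAMPLE, the realm EXAMPLE.COM and both ID ranges are assumptions; the domain range is chosen so that the uid 12477 and gid 9006 mentioned earlier in the thread fall inside it, because the ad backend does not map IDs that lie outside its configured range.

```ini
# /etc/samba/smb.conf on the domain member (added example, not from the thread)
# Comments must be on their own lines: smb.conf has no trailing comments.
[global]
    # Join type: the server is an AD domain member, not a DC.
    security = ads
    # Assumed NetBIOS domain name and Kerberos realm.
    workgroup = EXAMPLE
    realm = EXAMPLE.COM

    # Default domain (BUILTIN and anything not listed below): locally
    # allocated IDs. The range is an assumption and must not overlap the
    # domain range or any local/NIS IDs.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # AD domain: read uidNumber/gidNumber from AD instead of allocating.
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    # Must contain every uidNumber and gidNumber in use, including
    # uid 12477 and gid 9006 from this thread. Users or groups whose
    # IDs fall outside the range are not mapped.
    idmap config EXAMPLE : range = 9000-999999

# /etc/nsswitch.conf needs winbind as a source for both databases
# (shown as comments because it is a separate file):
#   passwd: files winbind
#   group:  files winbind
```

After restarting winbind, `getent passwd` and `getent group` for a domain account should return the same uid and gid that are stored in AD and that own the files on disk.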
Rowland Penny
2016-Nov-17 19:11 UTC
[Samba] Clients can't write to group-writable files - plea for help
On Thu, 17 Nov 2016 19:06:02 +0000 Alex Crow via samba <samba at lists.samba.org> wrote:

>
> >> My AD account objects all have uidNumber and gidNumber set (we use
> >> that for the Mac systems bound to AD). And the AD usernames match
> >> the NIS usernames. (the uid/gids match too).
> > This is probably why it works on Ubuntu, but not on Centos, sssd is
> > probably running on the Centos machine, but isn't setup correctly.
> >
>
> sssd I don't think runs by default on Centos 6 or 7 (in my case it
> doesn't).

OK, but this could still be where the problem lies, well sort of ;-)

If winbind is running on Ubuntu, but not on the DC, then this could well be the problem.

Rowland
Josh Malone
2016-Nov-17 19:12 UTC
[Samba] Clients can't write to group-writable files - plea for help
On 11/17/16 2:06 PM, Alex Crow via samba wrote:

>
>>> My AD account objects all have uidNumber and gidNumber set (we use
>>> that for the Mac systems bound to AD). And the AD usernames match the
>>> NIS usernames. (the uid/gids match too).
>> This is probably why it works on Ubuntu, but not on Centos, sssd is
>> probably running on the Centos machine, but isn't setup correctly.
>>
>
> sssd I don't think runs by default on Centos 6 or 7 (in my case it doesn't).

No - sssd is not on in my system.

>
> OP: have you tried using winbind in nsswitch.conf on the member servers
> with rfc2307 enabled in the smb.conf?
>
> It works for us in both Centos 6 and 7, no issues with UID/GID mapping.

No, I haven't. I'll have to try that. As I stated earlier, I resolved the issue by implementing a trivial username map script (return $1) but have never understood why I had the problem in the first place or how this fixes it. I'll give winbind a bit more of a look.

>
> Cheers
>
> Alex

--
--------------------------------------------------------
Joshua Malone              Systems Administrator
(jmalone at nrao.edu)       NRAO Charlottesville
434-296-0263               www.nrao.edu
434-249-5699 (mobile)
--------------------------------------------------------