Kosala Atapattu
2017-Jan-31 02:39 UTC
[Samba] Fwd: Can somebody explain the file ownership of a
Hi Rowland,

Thanx for the response. For certain configurations idmap would be suitable, in our case we cannot use idmap, as the OS users are AD users, where UIDs and GIDs are mapped through Unix Attributes from AD and Samba mix up the GID permissions with idmap from the tdb backend end and map incorrect GIDs.

I do not think the problem we have is related to the IDMAP, in fact the GIDs and UIDs are the same for Samba / AD and AIX since they're the same. Shares obey GID permissions and UID permissions, except that shares need to be **world readable**, which is not ideal in our case. We're unable to explain why it needs to be world readable!!!

Ko
*Kosala*

On Tue, Jan 31, 2017 at 10:48 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 31 Jan 2017 10:22:35 +1300
> Kosala Atapattu via samba <samba at lists.samba.org> wrote:
>
> > Hi All,
> >
> > We're implementing a fully integrated Samba setup with the Active
> > directory on IBM AIX. From AIX level we have established the single
> > sign on against Windows AD 2012R2. Currently the following user
> > accounts and groups exist on the AD domain.
> >
> > # cat /etc/samba/smb.conf
> > [global]
> >     security = ADS
> >     workgroup = PAPERCLIP
> >     realm = PAPERCLIP.SC.NZ
> >     netbios name = UNIX732
> >     log file = /var/log/samba/%m.log
> >     log level = 5
> >     kerberos method = secrets and keytab
> >
> > [Bio]
> >     comment = Bio
> >     path = /test/bio/
> >     valid users = @PAPERCLIP\bio2
> >     writable = yes
> >     read only = no
> >     force create mode = 0660
> >     create mask = 0777
> >     directory mask = 0777
> >     force directory mode = 0770
> >
>
> I have never used AIX, but I would still expect to see something like
> this in smb.conf:
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> And this:
>
> idmap config PAPERCLIP : backend = ad
> idmap config PAPERCLIP : schema_mode = rfc2307
> idmap config PAPERCLIP : range = 10000-999999
>
> Or this:
>
> idmap config PAPERCLIP : backend = rid
> idmap config PAPERCLIP : range = 10000-999999
>
> I suggest you read this Samba wiki page:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Then come back with any questions you may have.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2017-Jan-31 08:56 UTC
[Samba] Fwd: Can somebody explain the file ownership of a
On Tue, 31 Jan 2017 15:39:48 +1300
Kosala Atapattu <kosala.atapattu at gmail.com> wrote:

> Hi Rowland,
>
> Thanx for the response. For certain configurations idmap would be
> suitable, in our case we cannot use idmap, as the OS users are AD
> users, where UIDs and GIDs are mapped through Unix Attributes from AD
> and Samba mix up the GID permissions with idmap from the tdb backend
> end and map incorrect GIDs.

Have you got Unix users with the same name as AD users ?
If so, what you are trying to do will never work, you cannot have a
user in /etc/passwd and AD.

> I do not think the problem we have is related to the IDMAP, in fact
> the GIDs and UIDs are the same for Samba / AD and AIX since they're
> the same. Shares obey GID permissions and UID permissions, except that
> shares need to be **world readable**, which is not ideal in our case.
> We're unable to explain why it needs to be world readable!!!

An AIX Unix user != an AD user with the same name.
i.e. the AIX user 'fred' is NOT the AD user 'fred'

Rowland
Kosala Atapattu
2017-Jan-31 10:10 UTC
[Samba] Fwd: Can somebody explain the file ownership of a
Hi Rowland / All,

Thanx for all the support, and we finally resolved the problem. Here is what worked out:

1. As Rowland suspected, the problem was the idmap. We're using KRB5LDAP authentication, which is a NIS/NSS configuration. Our AD users ARE the OS users, and they are not defined in /etc/passwd.... however all the idmap backends we tried map the wrong SID to UID/GID, which was causing the problem.

2. However "idmap_nss" was intended for the same use case, although it's poorly documented, until we stumbled upon the option. https://www.samba.org/samba/docs/man/manpages-3/idmap_nss.8.html

Now the configuration works as expected.

Cheers,
Ko
*Kosala*

On Tue, Jan 31, 2017 at 9:56 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 31 Jan 2017 15:39:48 +1300
> Kosala Atapattu <kosala.atapattu at gmail.com> wrote:
>
> > Hi Rowland,
> >
> > Thanx for the response. For certain configurations idmap would be
> > suitable, in our case we cannot use idmap, as the OS users are AD
> > users, where UIDs and GIDs are mapped through Unix Attributes from AD
> > and Samba mix up the GID permissions with idmap from the tdb backend
> > end and map incorrect GIDs.
>
> Have you got Unix users with the same name as AD users ?
> If so, what you are trying to do will never work, you cannot have a
> user in /etc/passwd and AD.
>
> > I do not think the problem we have is related to the IDMAP, in fact
> > the GIDs and UIDs are the same for Samba / AD and AIX since they're
> > the same. Shares obey GID permissions and UID permissions, except that
> > shares need to be **world readable**, which is not ideal in our case.
> > We're unable to explain why it needs to be world readable!!!
>
> An AIX Unix user != an AD user with the same name.
> i.e. the AIX user 'fred' is NOT the AD user 'fred'
>
> Rowland
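The thread turns on three smb.conf mistakes: the original [global] section had no idmap config at all, a domain backend without a range does not work, and the default `*` range must not overlap the domain range. The checker below is an added example, written for this page and not code from Samba or from anyone in the thread. It parses the `idmap config` lines out of an smb.conf and reports those three problems. The sample configs are constructed: the first reproduces the [global] section Kosala posted, the corrected one assumes a tdb default plus the `nss` backend for PAPERCLIP, using the ranges Rowland suggested, and the third deliberately overlaps the ranges.

```python
"""Check the 'idmap config' lines in an smb.conf for the mistakes seen in the
Samba domain-member thread: no default backend, missing ranges, overlapping
ranges. Added example, not Samba's code; sample configs below are constructed."""
import re
from typing import Dict, List, Tuple

# Matches both spellings used in the thread: "idmap config *:backend = tdb"
# and "idmap config PAPERCLIP : backend = ad".
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>[^\s:]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {option: value}} for every idmap config line."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom = m.group("domain").upper()  # domain names are case-insensitive
            domains.setdefault(dom, {})[m.group("key").lower()] = m.group("val")
    return domains


def parse_range(text: str) -> Tuple[int, int]:
    """Parse 'low-high' into a (low, high) pair, rejecting an inverted range."""
    lo, hi = (int(x) for x in text.split("-", 1))
    if lo > hi:
        raise ValueError(f"range low > high: {text}")
    return lo, hi


def check_idmap(conf: str) -> List[str]:
    """Return a list of human-readable problems; an empty list means OK."""
    problems: List[str] = []
    domains = parse_idmap(conf)
    # winbind needs a default backend for BUILTIN and any SID outside the
    # configured domains; without it ID mapping silently misbehaves.
    if "*" not in domains or "backend" not in domains["*"]:
        problems.append("no default 'idmap config * : backend' configured")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in domains.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend")
        if "range" not in opts:
            problems.append(f"{dom}: no range")
            continue
        try:
            ranges[dom] = parse_range(opts["range"])
        except ValueError as exc:
            problems.append(f"{dom}: bad range ({exc})")
    # Every pair of ranges must be disjoint, or one UID can resolve to two SIDs.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges overlap: {a} {alo}-{ahi} vs {b} {blo}-{bhi}")
    return problems


# Constructed sample 1: the [global] section as posted, with no idmap lines.
ORIGINAL_CONF = r"""
[global]
    security = ADS
    workgroup = PAPERCLIP
    realm = PAPERCLIP.SC.NZ
    netbios name = UNIX732
    kerberos method = secrets and keytab
"""

# Constructed sample 2: assumed fix, tdb default plus the nss backend that
# resolved the thread, with Rowland's non-overlapping ranges.
FIXED_CONF = r"""
[global]
    security = ADS
    workgroup = PAPERCLIP
    realm = PAPERCLIP.SC.NZ
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config PAPERCLIP : backend = nss
    idmap config PAPERCLIP : range = 10000-999999
"""

# Constructed sample 3: a domain range that collides with the default range.
OVERLAP_CONF = r"""
[global]
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config PAPERCLIP : backend = nss
    idmap config PAPERCLIP : range = 5000-999999
"""

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF), ("overlap", OVERLAP_CONF)):
        print(name, check_idmap(conf) or "OK")
```

Run it against a real smb.conf by reading the file into `check_idmap`; on a live domain member the next step is to confirm that the UID winbind returns for a domain user is the same one NSS returns, since a mismatch between the two is exactly what produced the wrong GIDs in the thread.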