On a CentOS 7 minimal fresh install with Samba 4.4.4 I have followed this howto: http://www.hexblot.com/blog/centos-7-active-directory-and-samba and I have joined an Active Directory server and logged in to it with a domain user without problem.

My problem occurs when I try from Windows to modify some new rights (ACLs) on a new folder on a Samba share. The folder is created correctly, but if I add some groups or set up ACLs I get this error log and the new ACLs are not saved:

> feb 14 12:07:42 samba-dati.srl.local smbd[1178]: [2017/02/14 12:07:42.149812, 0] ../source3/smbd/posix_acls.c:2080(create_canon_ace_lists)
> feb 14 12:07:42 samba-dati.srl.local smbd[1178]: create_canon_ace_lists: unable to map SID S-1-5-21-347198863-3916504048-2821235790-1213 to uid or gid.

This is my testparm -s (smb.conf):

> Server role: ROLE_DOMAIN_MEMBER
>
> [global]
> realm = SRL.LOCAL
> workgroup = SRL
> log file = /var/log/samba/log.%m
> max log size = 50
> load printers = No
> printcap name = /dev/null
> client signing = if_required
> security = ADS
> idmap config srl:range = 200000-399999
> idmap config srl:backend = nss
> idmap config *:range = 70001-80000
> idmap config * : backend = tdb
> cups options = raw
> hosts allow = 127. 192.168.1.
>
> [dati]
> comment = Cartella Dati x tutti
> path = /u/samba/dati
> create mask = 0664
> directory mask = 0775

This is my sssd.conf:

> #
> [sssd]
> domains = srl.local
> config_file_version = 2
> services = nss, pam
>
> [domain/srl.local]
> ad_domain = srl.local
> krb5_realm = SRL.LOCAL
> realmd_tags = manages-system joined-with-samba
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = True
> # use_fully_qualified_names = True
> use_fully_qualified_names = False
> fallback_homedir = /home/%u@%d
> # fallback_homedir = /home/%u
> access_provider = ad

I have tried some modifications to smb.conf without success, and now the ACLs still do not work.

Any help will be appreciated. Many thanks.

--
Dario Lesca
(sent from my Linux Fedora 25 Workstation)
Rowland Penny
2017-Feb-14 16:13 UTC
[Samba] Samba AD domain member with SSSD: ACL not work
On Tue, 14 Feb 2017 16:57:24 +0100 Dario Lesca via samba <samba at lists.samba.org> wrote:

> On a CentOS 7 minimal fresh install with Samba 4.4.4 I have followed this
> howto:
>
> http://www.hexblot.com/blog/centos-7-active-directory-and-samba
>
> and I have joined an Active Directory server and logged in to it with a
> domain user without problem.
>
> My problem occurs when I try from Windows to modify some new rights
> (ACLs) on a new folder on a Samba share.

Have you modified /etc/nsswitch.conf?

If you haven't, then you are not using winbind, you are using sssd. In which case you should remove the 'idmap config' lines from smb.conf.

You should also try asking on the sssd users mailing list for help, because if you are not using winbind for authentication, this is probably where your problem lies.

If you want to use winbind instead of sssd, you will need to turn sssd off.

Rowland
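Rowland's point, and the original poster's configuration, come down to one question: does this host resolve AD users through winbind or through sssd's nss_sss module, and does smb.conf agree with that? The script below is an added example, not from this thread or the Samba project. It embeds constructed copies of the poster's nsswitch.conf and smb.conf [global] section, reports which NSS module handles passwd/group lookups, counts the 'idmap config' lines, and flags the combination Rowland describes (sss in NSS while smb.conf still carries idmap settings). The function names are my own; `probe_sid` is an optional live check using `wbinfo --sid-to-uid`, which only returns a result where winbindd is running, so it is not exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): check whether nsswitch.conf and
# smb.conf agree on how AD users are resolved, and whether smb.conf still
# carries 'idmap config' lines while the box actually uses sssd.

# Constructed sample: the poster's nsswitch.conf (CentOS 7 + realmd default).
SAMPLE_NSS=$(mktemp)
cat > "$SAMPLE_NSS" <<'EOF'
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns myhostname
EOF

# Constructed sample: [global] from the poster's original smb.conf.
SAMPLE_SMB=$(mktemp)
cat > "$SAMPLE_SMB" <<'EOF'
[global]
   realm = SRL.LOCAL
   workgroup = SRL
   security = ADS
   idmap config srl:range = 200000-399999
   idmap config srl:backend = nss
   idmap config *:range = 70001-80000
   idmap config * : backend = tdb
EOF

# Constructed sample: the same smb.conf after removing the idmap lines.
SAMPLE_SMB_FIXED=$(mktemp)
grep -v -i 'idmap config' "$SAMPLE_SMB" > "$SAMPLE_SMB_FIXED"

# nss_backends FILE DB -> the modules listed for database DB, e.g. "files sss"
nss_backends() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1
}

# id_source FILE -> "winbind", "sss" or "none": which AD-capable NSS module
# serves passwd/group lookups (winbind is reported first if both appear).
id_source() {
    for mod in winbind sss; do
        for db in passwd group; do
            case " $(nss_backends "$1" "$db") " in
                *" $mod "*) echo "$mod"; return 0 ;;
            esac
        done
    done
    echo none
}

# idmap_lines FILE -> number of 'idmap config' lines in an smb.conf
idmap_lines() {
    grep -c -i '^[[:space:]]*idmap config' "$1" || true
}

# check_config NSS_FILE SMB_FILE -> prints a verdict; exit status 1 on the
# inconsistent combination Rowland describes (sss in NSS, idmap in smb.conf)
# or when no AD-capable NSS module is configured at all.
check_config() {
    src=$(id_source "$1")
    n=$(idmap_lines "$2")
    if [ "$src" = none ]; then
        echo "no winbind or sss module in nsswitch.conf: SIDs cannot map to uid/gid"
        return 1
    fi
    if [ "$src" = sss ] && [ "$n" -gt 0 ]; then
        echo "inconsistent: NSS uses sss but smb.conf has $n 'idmap config' line(s)"
        return 1
    fi
    echo "consistent: identity source is $src"
    return 0
}

# probe_sid SID -> optional live check on a real member server (needs winbindd).
# Prints the uid, or "unmapped" when winbind cannot resolve the SID.
probe_sid() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not installed"; return 2; }
    wbinfo --sid-to-uid="$1" 2>/dev/null || echo unmapped
}

check_config "$SAMPLE_NSS" "$SAMPLE_SMB" || :          # inconsistent: ... 4 'idmap config' line(s)
check_config "$SAMPLE_NSS" "$SAMPLE_SMB_FIXED"         # consistent: identity source is sss
```

Run it against the real files with `check_config /etc/nsswitch.conf /etc/samba/smb.conf`; a "consistent" verdict only means the two files agree on the identity source, not that the SID in the log will map, which is what `probe_sid S-1-5-21-...` (or the sssd list, as Rowland suggests) would have to answer.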
On Tue, 14/02/2017 at 16.13 +0000, Rowland Penny via samba wrote:

> Have you modified /etc/nsswitch.conf?

No:

> passwd: files sss
> shadow: files sss
> group: files sss

By default nsswitch.conf is configured to use sssd.

> If you haven't, then you are not using winbind, you are using sssd.

Yes. I use sssd, if this is not a problem for Samba.

> In which case you should remove the 'idmap config' lines from
> smb.conf.

OK, now I have removed these 4 lines, restarted smb and tested: ACLs still do not work.

> feb 14 17:45:24 samba-dati.srl.local nmbd[3338]: *****
> feb 14 17:45:24 samba-dati.srl.local nmbd[3338]:
> feb 14 17:45:24 samba-dati.srl.local nmbd[3338]: Samba name server SAMBA-DATI is now a local master browser for workgroup SRL on subnet 192.168.1.5
> feb 14 17:45:24 samba-dati.srl.local nmbd[3338]:
> feb 14 17:45:24 samba-dati.srl.local nmbd[3338]: *****
> feb 14 17:45:44 samba-dati.srl.local smbd[3369]: [2017/02/14 17:45:44.973268, 0] ../source3/smbd/posix_acls.c:2080(create_canon_ace_lists)
> feb 14 17:45:44 samba-dati.srl.local smbd[3369]: create_canon_ace_lists: unable to map SID S-1-5-21-347198863-3916504048-2821235790-1213 to uid or gid.

The error still exists.

> You should also try asking on the sssd users mailing list for help,
> because if you are not using winbind for authentication, this is
> probably where your problem lies.

OK, but my question now is: is it possible to use Samba in conjunction with sssd? Or is this kind of configuration not allowed, or not fully tested or supported by the Samba team?

> If you want to use winbind instead of sssd, you will need to turn sssd
> off.

OK, this is another possible solution, if I am not able to configure Samba + sssd.

Many thanks.

--
Dario Lesca
(sent from my Linux Fedora 25 Workstation)
L.P.H. van Belle
2017-Feb-15 07:42 UTC
[Samba] Samba AD domain member with SSSD: ACL not work
Have you seen:

(centos/redhat) https://outsideit.net/realmd-sssd-ad-authentication/
(debian/ubuntu) http://www.alandmoore.com/blog/2015/05/06/joining-debian-8-to-active-directory/

But I must say, I haven't tested/tried these, I don't use sssd. I think these are useful for you to read at least.

If you use the Debian variant, you may need to install one or more of these as well: libnss-sss libpam-sss libsss-idmap0 libsss-sudo

But, as Rowland is saying, you get better support at the sssd list.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dario Lesca via
> samba
> Sent: Tuesday 14 February 2017 18:08
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba AD domain member with SSSD: ACL not work
>
> On Tue, 14/02/2017 at 16.13 +0000, Rowland Penny via samba wrote:
> > Have you modified /etc/nsswitch.conf?
> No:
> > passwd: files sss
> > shadow: files sss
> > group: files sss
>
> By default nsswitch.conf is configured to use sssd.
>
> > If you haven't, then you are not using winbind, you are using sssd.
> Yes. I use sssd, if this is not a problem for Samba.
>
> > In which case you should remove the 'idmap config' lines from
> > smb.conf.
>
> OK, now I have removed these 4 lines, restarted smb and tested: ACLs still
> do not work.
>
> > feb 14 17:45:24 samba-dati.srl.local nmbd[3338]: *****
> > feb 14 17:45:24 samba-dati.srl.local nmbd[3338]:
> > feb 14 17:45:24 samba-dati.srl.local nmbd[3338]: Samba name server SAMBA-DATI is now a local master browser for workgroup SRL on subnet 192.168.1.5
> > feb 14 17:45:24 samba-dati.srl.local nmbd[3338]:
> > feb 14 17:45:24 samba-dati.srl.local nmbd[3338]: *****
> > feb 14 17:45:44 samba-dati.srl.local smbd[3369]: [2017/02/14 17:45:44.973268, 0] ../source3/smbd/posix_acls.c:2080(create_canon_ace_lists)
> > feb 14 17:45:44 samba-dati.srl.local smbd[3369]: create_canon_ace_lists: unable to map SID S-1-5-21-347198863-3916504048-2821235790-1213 to uid or gid.
>
> The error still exists.
>
> > You should also try asking on the sssd users mailing list for help,
> > because if you are not using winbind for authentication, this is
> > probably where your problem lies.
>
> OK, but my question now is: is it possible to use Samba in conjunction
> with sssd?
>
> Or is this kind of configuration not allowed, or not fully tested or
> supported by the Samba team?
>
> > If you want to use winbind instead of sssd, you will need to turn sssd
> > off.
>
> OK, this is another possible solution, if I am not able to
> configure Samba + sssd.
>
> Many thanks.
>
> --
> Dario Lesca
> (sent from my Linux Fedora 25 Workstation)