francis picabia
2017-Jun-29 19:28 UTC
[Samba] 4.4.14 on solaris, using ads, can't read/write as user
On Thu, Jun 29, 2017 at 3:48 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> Well, no it isn't actually on that page, you need to follow a
> hyperlink to this page:
>
> https://wiki.samba.org/index.php/Idmap_config_rid

It is really confusing. rid or tdb. I don't know what it wants because the second link has both.

Here is the current config. It will allow a connection to homes or tmp, but as usual I can't operate on 700 files or upload new files to the share on Solaris. It can upload new files to the /tmp, as I've seen work before as well.

    [global]
        realm = AD.MYDOM.CA
        workgroup = MYDOM
        log file = /var/log/samba/%m.log
        max log size = 50
        disable spoolss = Yes
        load printers = No
        printcap name = /dev/null
        unix extensions = No
        security = ADS
        template homedir = /export/home/%U
        template shell = /usr/bin/bash
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind use default domain = Yes
        dns proxy = No
        idmap config mydom: backend = rid
        idmap config mydom: range = 100001-200000
        nt acl support = No

    [homes]
        comment = Home Directories
        path = %H
        browseable = No
        wide links = Yes
        create mask = 0750
        directory mask = 0750
        read only = No
        valid users = %U

    [tmp]
        path = /tmp
        browseable = No
        read only = No

Also tried this:

    idmap config * : range = 80001-100000
    idmap config mydom: backend = rid
    idmap config mydom: range = 100001-200000
    idmap config * : backend = tdb

No difference seen. What is the Abracadabra? Isn't it easier to compose the solution than send me more links with "If no back end for local BUILTIN accounts and groups on the domain member is configured", which means very little to me?
Rowland Penny
2017-Jun-29 19:46 UTC
[Samba] 4.4.14 on solaris, using ads, can't read/write as user
On Thu, 29 Jun 2017 16:28:38 -0300 francis picabia via samba <samba at lists.samba.org> wrote:

> On Thu, Jun 29, 2017 at 3:48 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > Well, no it isn't actually on that page, you need to follow a
> > hyperlink to this page:
> >
> > https://wiki.samba.org/index.php/Idmap_config_rid
>
> It is really confusing. rid or tdb. I don't know what it wants
> because the second link has both.

No, it isn't confusing, you need both.

You need to have something like this in smb.conf:

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config MYDOM : backend = rid
    idmap config MYDOM : range = 10000-999999

The '*' range is for the 'BUILTIN' domain i.e. the Well Known SIDs
The 'MYDOM' range is for YOUR domain
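An added checker for the idmap layout described in the reply above (example code written for this thread, not from the list or the Samba project; the function names and the two sample smb.conf fragments are constructed here, the fragments mirroring the poster's first config and the suggested one):

```python
import re

# Matches 'idmap config <domain> : <key> = <value>'; the domain may be '*'
# and may be written with or without a space before the colon.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

# Constructed samples: the poster's first attempt and the suggested layout.
POSTER_CONF = """
idmap config mydom: backend = rid
idmap config mydom: range = 100001-200000
"""
SUGGESTED_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 10000-999999
"""

def parse_idmap(conf_text):
    """Return {DOMAIN: {key: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:  # domain names are case-insensitive in smb.conf, so normalise
            domains.setdefault(m.group("dom").upper(), {})[m.group("key").lower()] = m.group("val")
    return domains

def parse_range(text):
    lo, hi = (int(x) for x in text.split("-"))
    if lo >= hi:
        raise ValueError(f"bad range {text}")
    return lo, hi

def check_idmap(conf_text):
    """List the problems in the idmap layout; an empty list means it is sane."""
    domains = parse_idmap(conf_text)
    problems = []
    if "backend" not in domains.get("*", {}):
        problems.append("no 'idmap config * : backend' - BUILTIN / well-known SIDs cannot be mapped")
    ranges = {}
    for dom, cfg in domains.items():
        if "range" not in cfg:
            problems.append(f"{dom}: backend configured without a range")
            continue
        try:
            ranges[dom] = parse_range(cfg["range"])
        except ValueError as e:
            problems.append(f"{dom}: {e}")
    doms = sorted(ranges)  # every pair of ranges must be disjoint, or mappings become ambiguous
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems
```

Run `check_idmap(open("/etc/samba/smb.conf").read())` on a domain member to get the same report for a real config.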
francis picabia
2017-Jun-30 11:52 UTC
[Samba] 4.4.14 on solaris, using ads, can't read/write as user
On Thu, Jun 29, 2017 at 4:46 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 29 Jun 2017 16:28:38 -0300
> francis picabia via samba <samba at lists.samba.org> wrote:
>
> > On Thu, Jun 29, 2017 at 3:48 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> > > Well, no it isn't actually on that page, you need to follow a
> > > hyperlink to this page:
> > >
> > > https://wiki.samba.org/index.php/Idmap_config_rid
> >
> > It is really confusing. rid or tdb. I don't know what it wants
> > because the second link has both.
>
> No, it isn't confusing, you need both.
>
> You need to have something like this in smb.conf:
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config MYDOM : backend = rid
> idmap config MYDOM : range = 10000-999999
>
> The '*' range is for the 'BUILTIN' domain i.e. the Well Known SIDs
> The 'MYDOM' range is for YOUR domain

I'm using this config above currently and there is no change to the ownership or permissions issue.

I have in nsswitch.conf:

    passwd: files winbind
    group: files winbind

(shadow wasn't in nsswitch.conf on Solaris)

winbind and samba services are being restarted on every config change like this:

    svcadm disable winbind ; sleep 2; svcadm enable winbind ; svcadm disable samba ; sleep 2; svcadm enable samba

krb5.conf is the config suggested in the samba doc you linked.

    [libdefaults]
        default_realm = AD.MYDOM.CA
        dns_lookup_realm = false
        dns_lookup_kdc = true

Here is the tmp share currently:

    [tmp]
        path = /tmp
        browseable = No
        read only = No

If I upload a new file to the tmp share, the ownership shows the expected mapped user.

    -rwxr--r--   1 fpicabia domain users  1112 Jun 30 08:10 2017.csr

If I touch a file in /tmp using root shell, and chown it to the same user, it cannot be overwritten or deleted.

ls in smbclient shows this for a file uploaded over samba:

    2017.csr        A     1112  Fri Jun 30 08:21:05 2017

A file chowned to the same fpicabia user on the system by root shows like this:

    doo.txt         N        0  Fri Jun 30 08:21:29 2017

Here is the error on attempting to delete it:

    smb: \> rm doo.txt
    NT_STATUS_ACCESS_DENIED deleting remote file \doo.txt
    NT_STATUS_ACCESS_DENIED listing \doo.txt

Here is what it looks like from root console:

    # ls -l doo.txt 2017.csr
    -rwxr--r--   1 fpicabia domain users  1112 Jun 30 08:21 2017.csr
    -rw-r--r--   1 fpicabia root            0 Jun 30 08:21 doo.txt

On the outside chance the owner 'x' bit mattered I did a chown u+x on doo.txt and it made no difference to the rm command within smbclient.

Is there something I'm missing about why this isn't the same user or allowable file permissions for writing?

When I do a

    wbinfo -u | grep fpicabia

do you expect it should return:

    fpicabia

or

    MYDOM\fpicabia

I wish smbclient had a 'whoami' command, versus 'who am i', so we could see the mapping. smbstatus shows Username without the domain and for smbclient Protocol has NT1.