Russell R Poyner
2018-Feb-19 23:11 UTC
[Samba] UID GID mapping with sssd no longer supported on samba 4.7.4?
I'm struggling with a permission problem on a samba server that is configured to resolve unix uids and gids via nss using sssd. This mostly works. The windows side sees files as being owned by SID=S-1-22-<unix uid of user> and the group is SID=S-1-22-<unix gid of group>

This all works fine for files owned by the windows user, or files that are world readable, but fails for files owned by root, but belonging to the user's primary group.

On the linux side:
-rw-rw---- 1 poyner pvt-poyner 0 Feb 19 17:32 poynerFile
drwxrws--- 2 root   pvt-poyner 2 Feb 19 19:30 rootPoynerDir

On the windows side using powershell get-acl

get-acl .\poynerDir\
Path      Owner            Access
----      -----            ------
poynerDir O:S-1-22-1-17907 S-1-22-1-17907 Allow FullControl...

and

get-acl .\rootPoynerDir\
get-acl : Attempted to perform an unauthorized operation.

This is very similar to bug 12719 which was closed with advice to use winbindd.

https://bugzilla.samba.org/show_bug.cgi?id=12719

So is winbindd now the only option for resolving UID and GID?

Is idmap_nss deprecated? Or only supported for unix users in the local password file?

My config

smb4.conf:
[global]
workgroup = ENGR
server string = cbeserv
security = ADS
load printers = no
realm = AD.SCHOOL.EDU

min protocol = SMB2

dns proxy = no
unix extensions = no
nmbd bind explicit broadcast = no
oplocks = yes
level2 oplocks = yes
kernel oplocks = no

nsswitch.conf:
passwd: files sss
shadow: files
group: files sss

Thanks
Russ Poyner
Rowland Penny
2018-Feb-20 08:06 UTC
[Samba] UID GID mapping with sssd no longer supported on samba 4.7.4?
On Mon, 19 Feb 2018 17:11:37 -0600 Russell R Poyner via samba <samba at lists.samba.org> wrote:

> I'm struggling with a permission problem on a samba server that is
> configured to resolve unix uids and gids via nss using sssd.
>
> Is idmap_nss deprecated? Or only supported for unix users in the
> local password file?
>

Not as far as I am aware, but then you are not using it, you are using sssd and this has nothing to do with Samba.

Can I suggest you ask about this on the sssd-users mailing list

Rowland
Harry Jede
2018-Feb-20 09:06 UTC
[Samba] UID GID mapping with sssd no longer supported on samba 4.7.4?
On Monday, 19 February 2018, 17:11:37 CET, Russell R Poyner via samba wrote:

> I'm struggling with a permission problem on a samba server that is
> configured to resolve unix uids and gids via nss using sssd. This
> mostly works. The windows side sees files as being owned by
> SID=S-1-22-<unix uid of user> and the group is SID=S-1-22-<unix gid
> of group>
>
> This all works fine for files owned by the windows user, or files that
> are world readable, but fails for files owned by root, but belonging
> to the user's primary group.
>
> On the linux side:
> -rw-rw---- 1 poyner pvt-poyner 0 Feb 19 17:32 poynerFile
> drwxrws--- 2 root   pvt-poyner 2 Feb 19 19:30 rootPoynerDir
>
> On the windows side using powershell get-acl
>
> get-acl .\poynerDir\
> Path      Owner            Access
> ----      -----            ------
> poynerDir O:S-1-22-1-17907 S-1-22-1-17907 Allow FullControl...
>
> and
>
> get-acl .\rootPoynerDir\
> get-acl : Attempted to perform an unauthorized operation.
>
> This is very similar to bug 12719 which was closed with advice to use
> winbindd.
>
> https://bugzilla.samba.org/show_bug.cgi?id=12719
>
> So is winbindd now the only option for resolving UID and GID?
>
> Is idmap_nss deprecated? Or only supported for unix users in the local
> password file?

Maybe a group owner problem?

According to "man smb.conf":
Default: acl group control = no

>
> My config
>
>
> smb4.conf:
> [global]
> workgroup = ENGR
> server string = cbeserv
> security = ADS
> load printers = no
> realm = AD.SCHOOL.EDU
>
> min protocol = SMB2
>
> dns proxy = no
> unix extensions = no
> nmbd bind explicit broadcast = no
> oplocks = yes
> level2 oplocks = yes
> kernel oplocks = no
>
> nsswitch.conf:
> passwd: files sss
> shadow: files
> group: files sss
>
>
> Thanks
> Russ Poyner

--
Regards
Harry Jede