Russell R Poyner
2018-Feb-19 23:11 UTC
[Samba] UID GID mapping with sssd no longer supported on samba 4.7.4?
I'm struggling with a permission problem on a samba server that is
configured to resolve unix uids and gids via nss using sssd. This mostly
works. The windows side sees files as being owned by SID=S-1-22-<unix
uid of user> and the group is SID=S-1-22-<unix gid of group>

This all works fine for files owned by the windows user, or files that
are world readable, but fails for files owned by root, but belonging to
the user's primary group.

On the linux side:
-rw-rw---- 1 poyner pvt-poyner 0 Feb 19 17:32 poynerFile
drwxrws--- 2 root pvt-poyner 2 Feb 19 19:30 rootPoynerDir

On the windows side using powershell get-acl

get-acl .\poynerDir\
Path Owner Access
---- ----- ------
poynerDir O:S-1-22-1-17907 S-1-22-1-17907 Allow FullControl...

and

get-acl .\rootPoynerDir\
get-acl : Attempted to perform an unauthorized operation.

This is very similar to bug 12719 which was closed with advice to use
winbindd.

https://bugzilla.samba.org/show_bug.cgi?id=12719

So is winbindd now the only option for resolving UID and GID?

Is idmap_nss deprecated? Or only supported for unix users in the local
password file?

My config

smb4.conf:
[global]
workgroup = ENGR
server string = cbeserv
security = ADS
load printers = no
realm = AD.SCHOOL.EDU

min protocol = SMB2

dns proxy = no
unix extensions = no
nmbd bind explicit broadcast = no
oplocks = yes
level2 oplocks = yes
kernel oplocks = no

nsswitch.conf:
passwd: files sss
shadow: files
group: files sss

Thanks
Russ Poyner

Rowland Penny
2018-Feb-20 08:06 UTC
[Samba] UID GID mapping with sssd no longer supported on samba 4.7.4?
On Mon, 19 Feb 2018 17:11:37 -0600 Russell R Poyner via samba <samba at lists.samba.org> wrote:

> I'm struggling with a permission problem on a samba server that is
> configured to resolve unix uids and gids via nss using sssd.
>
> Is idmap_nss deprecated? Or only supported for unix users in the
> local password file?
>

Not as far as I am aware, but then you are not using it, you are using
sssd and this has nothing to do with Samba.

Can I suggest you ask about this on the sssd-users mailing list.

Rowland

Harry Jede
2018-Feb-20 09:06 UTC
[Samba] UID GID mapping with sssd no longer supported on samba 4.7.4?
On Monday, 19 February 2018, 17:11:37 CET, Russell R Poyner via samba wrote:

> I'm struggling with a permission problem on a samba server that is
> configured to resolve unix uids and gids via nss using sssd. This
> mostly works. The windows side sees files as being owned by
> SID=S-1-22-<unix uid of user> and the group is SID=S-1-22-<unix gid
> of group>
>
> This all works fine for files owned by the windows user, or files that
> are world readable, but fails for files owned by root, but belonging
> to the user's primary group.
>
> On the linux side:
> -rw-rw---- 1 poyner pvt-poyner 0 Feb 19 17:32 poynerFile
> drwxrws--- 2 root pvt-poyner 2 Feb 19 19:30 rootPoynerDir
>
> On the windows side using powershell get-acl
>
> get-acl .\poynerDir\
> Path Owner Access
> ---- ----- ------
> poynerDir O:S-1-22-1-17907 S-1-22-1-17907 Allow FullControl...
>
> and
>
> get-acl .\rootPoynerDir\
> get-acl : Attempted to perform an unauthorized operation.
>
> This is very similar to bug 12719 which was closed with advice to use
> winbindd.
>
> https://bugzilla.samba.org/show_bug.cgi?id=12719
>
> So is winbindd now the only option for resolving UID and GID?
>
> Is idmap_nss deprecated? Or only supported for unix users in the local
> password file?

May be a group owner problem?
According to "man smb.conf":
Default: acl group control = no

>
> My config
>
>
> smb4.conf:
> [global]
> workgroup = ENGR
> server string = cbeserv
> security = ADS
> load printers = no
> realm = AD.SCHOOL.EDU
>
> min protocol = SMB2
>
> dns proxy = no
> unix extensions = no
> nmbd bind explicit broadcast = no
> oplocks = yes
> level2 oplocks = yes
> kernel oplocks = no
>
> nsswitch.conf:
> passwd: files sss
> shadow: files
> group: files sss
>
>
> Thanks
> Russ Poyner

--
Regards
Harry Jede