So, so..

Server and clients are CentOS7.
Server was configured using samba-tool domain provision.

*smb.conf* from server

[global]
> netbios name = AD
> realm = XXXXXX
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
> workgroup = XXXX
> idmap config XXXX:unix_nss_info = yes
> log file = /var/log/samba/samba.log
> log level = 3
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/XXXXXX/scripts
> read only = No
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No

*sssd.conf* from client

[sssd]
> domains = xxxx
> config_file_version = 2
> services = nss, pam
> [domain/xxxx]
> ad_domain = xxxx
> krb5_realm = XXXX
> realmd_tags = manages-system joined-with-samba
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = True
> use_fully_qualified_names = False
> fallback_homedir = /home/%u
> access_provider = ad

*nsswitch.conf* on client (part of it)

passwd: files sss
> shadow: files sss
> group: files sss

getent passwd pj (for example) provides this:
pj:*:1115001179:1115000513:xxxxxx:/home/pj:/bin/bash

Cheers

On Sat, Apr 28, 2018 at 1:36 PM, Rowland Penny <rpenny at samba.org> wrote:
> On Sat, 28 Apr 2018 13:10:14 +0100
> Zdravko Zdravkov via samba <samba at lists.samba.org> wrote:
>
> > Hi guys.
> >
> > I've got working samba AD server. It is playing nicely with Windows
> > 10 and also successfully authenticating Linux machines with SSSD.
>
> If you want help with sssd, sorry, but this isn't the place.
>
> > On the Windows machines I have our EMC storage smb mounted via group
> > policy. Managing permissions for users and groups there, as you know,
> > happens with right click, security etc..
> > As you may have already guessed the troubles come when my Linux
> > machines, that access the storage via nfs mount, need to work with
> > folders and files created from the Windows PCs. Linux doesn't "see"
> > the actual user/group that owns given folder. It interprets it into
> > numbers, some kind of UID that comes from the Windows machines.
>
> For a Linux machine to know an AD user, then 'getent passwd username'
> must produce output e.g. getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> To get this to work, you need to configure several things. The correct
> packages need to be installed.
> PAM, smb.conf and /etc/nsswitch.conf need to be configured correctly.
> Just how they need to be configured depends on what you are
> configuring, a DC or a Unix domain member.
>
> > I'm quite sure that this is common and known issue, but I don't know
> > what is the right way to deal with it.
>
> Yes it is and neither do I, well not until you give us more info ;-)
>
> smb.conf from the DC and any Unix domain members.
> What OS you are using ?
> How are the 'passwd' & 'group' lines set in /etc/nsswitch ?
>
> Rowland
>
On Sun, 29 Apr 2018 11:35:08 +0100
Zdravko Zdravkov <nirayah at gmail.com> wrote:

> So, so..
>
> Server and clients are CentOS7.
> Server was configured using samba-tool domain provision.
>
> *smb.conf* from server
>
> [global]
> > netbios name = AD
> > realm = XXXXXX

I do hope that is actually 'realm = XXXXXX.XXX'

> > server role = active directory domain controller
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> > drepl, winbindd, ntp_signd, kcc, dnsupdate
> > workgroup = XXXX
> > idmap config XXXX:unix_nss_info = yes

Wrong line, it should be 'idmap_ldb:use rfc2307 = yes'

> > log file = /var/log/samba/samba.log
> > log level = 3
> > [netlogon]
> > path = /usr/local/samba/var/locks/sysvol/XXXXXX/scripts
> > read only = No
> > [sysvol]
> > path = /usr/local/samba/var/locks/sysvol
> > read only = No
>
>
> *sssd.conf* from client

As I said, wrong place for sssd, but from what I can see (it has been
quite some time since I used sssd), you are not doing anything really
out of the ordinary and as such, you do not need sssd. There is very
little that sssd can do that winbind cannot AND you only need to
configure one conf file instead of two.

> *nsswitch.conf* on client (part of it)
> passwd: files sss
> > shadow: files sss
> > group: files sss

Even allowing for 'sssd' this is wrong, 'sss' shouldn't be on the
shadow line.

>
> getent passwd pj (for example) provides this:
> pj:*:1115001179:1115000513:xxxxxx:/home/pj:/bin/bash
>

Looks to me that you should be using the winbind 'rid' backend instead

try reading this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
Hi Rowland.

I'll keep in mind that this is wrong place for SSSD. The only reason I'm
using it is because it's easier to automate joining the clients to the
domain in kickstart install. I'm willing to drop it and go back to
winbind, if that's the problem.

For me, everything sorta works. getent passwd and id commands provide
output as users and groups I've assigned to them from the windows AD
users & groups tool, but then the troubles with permissions begin.

I'll check the link you provided, although I'm pretty sure I've read it
already.

Thanks!

On Sun, Apr 29, 2018 at 12:17 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Sun, 29 Apr 2018 11:35:08 +0100
> Zdravko Zdravkov <nirayah at gmail.com> wrote:
>
> > So, so..
> >
> > Server and clients are CentOS7.
> > Server was configured using samba-tool domain provision.
> >
> > *smb.conf* from server
> >
> > [global]
> > > netbios name = AD
> > > realm = XXXXXX
>
> I do hope that is actually 'realm = XXXXXX.XXX'
>
> > > server role = active directory domain controller
> > > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> > > drepl, winbindd, ntp_signd, kcc, dnsupdate
> > > workgroup = XXXX
> > > idmap config XXXX:unix_nss_info = yes
>
> Wrong line, it should be 'idmap_ldb:use rfc2307 = yes'
>
> > > log file = /var/log/samba/samba.log
> > > log level = 3
> > > [netlogon]
> > > path = /usr/local/samba/var/locks/sysvol/XXXXXX/scripts
> > > read only = No
> > > [sysvol]
> > > path = /usr/local/samba/var/locks/sysvol
> > > read only = No
> >
> >
> > *sssd.conf* from client
>
> As I said, wrong place for sssd, but from what I can see (it has been
> quite some time since I used sssd), you are not doing anything really
> out of the ordinary and as such, you do not need sssd. There is very
> little that sssd can do that winbind cannot AND you only need to
> configure one conf file instead of two.
>
> > *nsswitch.conf* on client (part of it)
> > passwd: files sss
> > > shadow: files sss
> > > group: files sss
>
> Even allowing for 'sssd' this is wrong, 'sss' shouldn't be on the
> shadow line.
>
> >
> > getent passwd pj (for example) provides this:
> > pj:*:1115001179:1115000513:xxxxxx:/home/pj:/bin/bash
> >
>
> Looks to me that you should be using the winbind 'rid' backend instead
>
> try reading this:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Rowland
>
On 29.04.2018 at 12:35, Zdravko Zdravkov via samba wrote:
> [sssd]
>> domains = xxxx
>> config_file_version = 2
>> services = nss, pam
>> [domain/xxxx]
>> ad_domain = xxxx
>> krb5_realm = XXXX
>> realmd_tags = manages-system joined-with-samba
>> cache_credentials = True
>> id_provider = ad
>> krb5_store_password_if_offline = True
>> default_shell = /bin/bash
>> ldap_id_mapping = True

This I think is your problem.

From the manpage:

By default, the AD provider will map UID and GID values from the
objectSID parameter in Active Directory. For details on this, see the
"ID MAPPING" section below. If you want to disable ID mapping and
instead rely on POSIX attributes defined in Active Directory, you
should set

ldap_id_mapping = False

>> use_fully_qualified_names = False
>> fallback_homedir = /home/%u
>> access_provider = ad
>
>
>
> *nsswitch.conf* on client (part of it)
>
> passwd: files sss
>> shadow: files sss
>> group: files sss
>
>
>
>
> getent passwd pj (for example) provides this:
>
> pj:*:1115001179:1115000513:xxxxxx:/home/pj:/bin/bash

What are the numbers that you are seeing if a user creates a file on
windows? What numbers if any have you configured in the AD for UID and
GID?

Regards

Christian

--
Dr. Christian Naumer
Research Scientist
Platform Coordinator Bioprocess Technology
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
phone +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Commercial register: AG Darmstadt, HRB 24758
Executive board: Dr. Juergen Eck (Chairman), Frank Goebel
Chairman of the supervisory board: Dr. Ludger Mueller
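Rowland's pointer to the winbind 'rid' backend and Christian's note on ldap_id_mapping come down to the same check: every host that touches the storage must derive the same POSIX id from the same SID, or the NFS side shows bare numbers. The Python below is an added example, not code from the thread, Samba or sssd; it takes the getent line quoted above apart and compares the sssd objectSID mapping with what the rid backend would assign for the same RID. The sample SID and the sssd range defaults are assumptions.

```python
import re

# Constructed sample input: the getent line quoted in the thread, plus an
# assumed objectSID for user pj (the thread shows no SID; the domain part is a
# placeholder and the RID 1179 is taken from the uid below).
GETENT_LINE = "pj:*:1115001179:1115000513:xxxxxx:/home/pj:/bin/bash"
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1179"

# Assumed sssd AD-provider defaults for ldap_id_mapping = True:
# ldap_idmap_range_min = 200000 and ldap_idmap_range_size = 200000.
SSSD_RANGE_MIN = 200000
SSSD_RANGE_SIZE = 200000


def parse_getent(line):
    """Return (name, uid, gid) from a passwd-style getent line."""
    fields = line.split(":")
    if len(fields) != 7:
        raise ValueError("not a passwd line: %r" % line)
    return fields[0], int(fields[2]), int(fields[3])


def sssd_slice_and_rid(posix_id):
    """Split an sssd objectSID-mapped id into (slice base, RID): sssd gives
    each domain a slice of SSSD_RANGE_SIZE ids and assigns base + RID."""
    offset = posix_id - SSSD_RANGE_MIN
    base = SSSD_RANGE_MIN + (offset // SSSD_RANGE_SIZE) * SSSD_RANGE_SIZE
    return base, posix_id - base


def rid_from_sid(sid):
    """The last component of a domain SID is the RID."""
    m = re.fullmatch(r"S-1-5-21(?:-\d+){3}-(\d+)", sid)
    if not m:
        raise ValueError("not a domain SID: %r" % sid)
    return int(m.group(1))


def rid_backend_id(sid, low, high, base_rid=0):
    """Id the winbind 'rid' backend assigns: RID - BASE_RID + LOW_RANGE_ID.
    Raises when it falls outside 'idmap config DOM : range = low-high'."""
    rid = rid_from_sid(sid)
    posix_id = rid - base_rid + low
    if not low <= posix_id <= high:
        raise ValueError("RID %d maps outside range %d-%d" % (rid, low, high))
    return posix_id
```

Running `sssd_slice_and_rid` on the quoted uid and gid recovers RIDs 1179 and 513 (513 being the well-known Domain Users RID), while the rid backend with a 10000-999999 range would hand out 11179 for the same user, so a client on sssd and a storage box on rid-style mapping will never agree on ownership.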
On Mon, 30 Apr 2018 14:08:56 +0200
Christian Naumer via samba <samba at lists.samba.org> wrote:

> On 29.04.2018 at 12:35, Zdravko Zdravkov via samba wrote:
> > [sssd]
> >> ldap_id_mapping = True
>
> This I think is your problem.
>
> From the manpage:
>
> By default, the AD provider will map UID and GID values from the
> objectSID parameter in Active Directory. For details on this, see the
> "ID MAPPING" section below. If you want to disable ID mapping and
> instead rely on POSIX attributes defined in Active Directory, you
> should set
>
> ldap_id_mapping = False
>
> What are the numbers that you are seeing if a user creates a file on
> windows? What numbers if any have you configured in the AD for UID
> and GID?
>
> Regards
>
>
> Christian
>

Please, if you want to discuss problems with sssd configuration, take it
to the sssd-users mailing list. SSSD has nothing to do with Samba and
isn't supported by Samba.

Rowland