Andrea Cucciarrè
2018-Jun-20 07:15 UTC
[Samba] Samba 4.5: trying to setup an omnios system as a DC member
Hello Rowland,

thanks, configuring the uidNumber and gidNumber on the AD fixed the issue, now getent passwd works.
I just have one remaining issue, it seems the ACL doesn't work.
As an example, when I set an ACL with full permission for user andrea:

# /usr/bin/ls -ldV /cache/testsamba/
d---------+  3 root     root           5 Jun 19 19:40 /cache/testsamba/
                 user:andrea:rwxpdDaARWcCos:fd-----:allow

the user andrea can't mount the share.
I have added the following entries in smb.conf for ACL:

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

and the directory is shared as follows:

[testsamba]
available = yes
browsable = yes
path = /cache/testsamba
read only = no

Am I missing something?

Thanks in advance
Andrea

On 6/19/2018 5:52 PM, Rowland Penny via samba wrote:
> On Tue, 19 Jun 2018 16:10:33 +0200
> Andrea Cucciarrè via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> I'm trying to set up an omnios system as a Samba DC member, and I need
>> the AD backend for consistent IDs on all Samba clients.
>> The AD join is successful, and wbinfo shows the AD users:
>>
>> # /opt/samba/bin/wbinfo -n andrea
>> S-1-5-21-2680195940-2267646359-3814218302-1109 SID_USER (1)
>>
>> however, "getent passwd ..." returns nothing for the user (all the
>> AD users).
>>
>> I have enabled debugging and I can see the following relevant error:
>>
>> [2018/06/19 15:53:54.302030, 5, pid=638, effective(0, 0), real(0, 0)] ../source3/libads/ldap_utils.c:81(ads_do_search_retry_internal)
>> Search for (uid=andrea) in <dc=HYPERFILE,dc=NET> gave 0 replies
>> [2018/06/19 15:53:54.302082, 5, pid=638, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:1276(resolve_alias_to_username)
>> resolve_alias_to_username: backend query returned NT_STATUS_OBJECT_NAME_NOT_FOUND
>> ...
>> [2018/06/19 15:53:54.309621, 5, pid=638, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>> Could not convert sid S-1-5-21-2680195940-2267646359-3814218302-1109: NT_STATUS_NONE_MAPPED
>>
>> Also the command wbinfo fails to convert the SID to a UID:
>>
>> # /opt/samba/bin/wbinfo -S S-1-5-21-2680195940-2267646359-3814218302-1109
>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not convert sid S-1-5-21-2680195940-2267646359-3814218302-1109 to uid
>>
>> This is the relevant smb.conf:
>>
>> ==============================
>> [global]
>> log file = /opt/samba/log/%m.log
>> log level = 10
>> workgroup = HYPERFILE
>> security = ADS
>> realm = HYPERFILE.NET
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> server string = Data %h
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind use default domain = yes
>> winbind expand groups = 4
>> winbind nss info = rfc2307
>> winbind refresh tickets = Yes
>> winbind normalize names = Yes
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 1000000-2000000
>> idmap config * : schema_mode = rfc2307
>
> Hmm, the range is slightly excessive. The '*' domain is for the 'Well
> Known SIDs' (and there are less than 200 of these) and anything outside
> the domain. Do you really expect around '999,800' users & groups from
> outside the domain to connect to the domain?
> You also do not use 'idmap config * : schema_mode = rfc2307' with the
> '*' domain.
>
>> idmap config HYPERFILE:backend = ad
>> idmap config HYPERFILE:schema_mode = rfc2307
>> idmap config HYPERFILE:range = 1000-9999
>> idmap config HYPERFILE:unix_primary_group = yes
>
> Do you really only have 8,999 users?
> Do they have a uidNumber inside the '1000-9999' range?
> Does 'Domain Users' have a gidNumber inside the same range?
> Neither the uidNumber nor the gidNumber attributes are added automatically,
> you must add them manually.
>
> And on the subject of the '1000-9999' range, do you not have any Unix
> users other than the system users?
>
> Rowland
>

--
Problem management
Andrea Cucciarrè
Technical Support Engineer | EMEA
acucciarre at cloudian.com
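As an added example (not code from the thread or from the Samba project), the Python below parses the idmap settings out of an smb.conf fragment and applies the checks Rowland lists above: schema_mode set on the '*' domain, a '*' range overlapping the domain range, and AD users or groups whose uidNumber/gidNumber is missing or outside the domain range, which is the condition behind the NT_STATUS_NONE_MAPPED error. The smb.conf fragment and the AD attribute values are constructed for the example.

```python
import re

# Constructed smb.conf fragment modelled on the idmap settings quoted in the thread.
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 1000000-2000000
idmap config * : schema_mode = rfc2307
idmap config HYPERFILE:backend = ad
idmap config HYPERFILE:schema_mode = rfc2307
idmap config HYPERFILE:range = 1000-9999
"""

# Constructed AD attribute values: AD never sets uidNumber/gidNumber by itself.
AD_USERS = {"andrea": {"uidNumber": 1109}}
AD_GROUPS = {"Domain Users": {}}  # gidNumber deliberately missing

IDMAP_RE = re.compile(r"^\s*idmap config\s*([^:\s]+)\s*:\s*(\w+)\s*=\s*(\S+)", re.M)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line in conf."""
    cfg = {}
    for dom, opt, val in IDMAP_RE.findall(conf):
        cfg.setdefault(dom, {})[opt] = val
    return cfg

def check_idmap(conf, users, groups, domain):
    """Return the misconfigurations found; an empty list means the setup is consistent."""
    cfg = parse_idmap(conf)
    star, dom = cfg.get("*", {}), cfg.get(domain, {})
    problems = []
    # schema_mode only applies to the 'ad' backend; the '*' domain uses tdb.
    if "schema_mode" in star:
        problems.append("schema_mode is set on the '*' domain")
    lo, hi = map(int, dom["range"].split("-"))
    slo, shi = map(int, star["range"].split("-"))
    # The '*' range (well-known SIDs) must not overlap the AD domain range.
    if not (hi < slo or shi < lo):
        problems.append("'*' range overlaps the %s range" % domain)
    if dom.get("backend") == "ad":
        # With backend = ad the IDs come from AD and must fall inside the range.
        for name, attrs in users.items():
            uid = attrs.get("uidNumber")
            if uid is None or not lo <= uid <= hi:
                problems.append("user %s: uidNumber %r outside %d-%d" % (name, uid, lo, hi))
        for name, attrs in groups.items():
            gid = attrs.get("gidNumber")
            if gid is None or not lo <= gid <= hi:
                problems.append("group %s: gidNumber %r outside %d-%d" % (name, gid, lo, hi))
    return problems
```

Feeding it real values means exporting uidNumber/gidNumber from AD (for example with ldapsearch) into the two dictionaries; the range logic itself is unchanged.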
Rowland Penny
2018-Jun-20 07:38 UTC
[Samba] Samba 4.5: trying to setup an omnios system as a DC member
On Wed, 20 Jun 2018 09:15:19 +0200
Andrea Cucciarrè <acucciarre at cloudian.com> wrote:

> Hello Rowland,
>
> thanks, configuring the uidNumber and gidNumber on the AD fixed the
> issue, now getent passwd works.
> I just have one remaining issue, it seems the ACL doesn't work.
> As an example when I set ACL with full permission for user andrea:
>
> # /usr/bin/ls -ldV /cache/testsamba/
> d---------+  3 root     root           5 Jun 19 19:40 /cache/testsamba/
>                  user:andrea:rwxpdDaARWcCos:fd-----:allow

Omnios seems to have a different 'ls' to Linux, which doesn't have the 'V' switch.

What is the filesystem? ext4? And does it understand 'acls' & 'attrs' as in 'acl_xattr'?

If you look closely at the directory permissions, you will see a '+' sign; on Linux this would mean an extended acl is in use, so what does 'getfacl /cache/testsamba' show?

> the user andrea can't mount the share.
> I have added the following entry in smb.conf for ACL:
>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> and the directory is shared as follow:
>
> [testsamba]
> available = yes
> browsable = yes
> path = /cache/testsamba
> read only = no
>
> am I missing something?

Well, only that the first two lines are default settings ;-)

Also, this setup is for using Windows ACLs; reading this might help:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Or this if you want to use POSIX ACLs:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs

Rowland
Ralph Böhme
2018-Jun-20 08:26 UTC
[Samba] Samba 4.5: trying to setup an omnios system as a DC member
On Wed, Jun 20, 2018 at 09:15:19AM +0200, Andrea Cucciarrè via samba wrote:
> vfs objects = acl_xattr

man vfs_zfsacl

-slow

--
Ralph Boehme, Samba Team                 https://samba.org/
Samba Developer, SerNet GmbH             https://sernet.de/en/samba/
GPG Key Fingerprint: FAE2 C608 8A24 2520 51C5 59E4 AA1E 9B71 2639 9E46
Andrea Cucciarrè
2018-Jun-21 07:45 UTC
[Samba] Samba 4.5: trying to setup an omnios system as a DC member
Hello,

Thanks a lot! After adding the vfs_zfsacl_init module and inserting the setting "vfs objects = zfsacl" in smb.conf, the ACLs are now working.

I would have one last (hopefully) question: could you please point me to a link or doc about how to configure samba for multiple domains?
As an example, on my lab system I have domain DOM-A served by DC-A and subdomain DOM-B.DOM-A served by DC-B.
I can't set smb.conf so that getent passwd can also recognize users on DOM-B.

Regards
Andrea

On 6/20/2018 10:26 AM, Ralph Böhme wrote:
> On Wed, Jun 20, 2018 at 09:15:19AM +0200, Andrea Cucciarrè via samba wrote:
>> vfs objects = acl_xattr
> man vfs_zfsacl
>
> -slow
>

--
Problem management
Andrea Cucciarrè
Technical Support Engineer | EMEA
acucciarre at cloudian.com