Hello, new to this list, but not lists generally speaking. Been around since '93 in IT so kinda thinking this shouldn't be stumping me, but it is.

I have Samba 4.6.4-2 installed via IBM's Linux toolbox, on an AIX 7.1 server. Everything is working fairly well, except Kerberos, but it's not really needed for what I'm doing.

The problem is that if a member has a primary group of "samprime" (for example) and there are files written to directories where that is the group that owns the files, and the file has "660" for permissions, the user cannot open the file. It's like Samba is ignoring the primary group of the user. If I change the owner to the user, or if I make the permissions 664, they can open it. The problem is that the process that writes the file cannot write it as the user, and apparently refuses to write it with 664 permissions.

Has anyone else seen or dealt with this issue before? I've run dry on all my Google searches on finding a good solution.

See Ya'
Howard Coles Jr.
Sr. UNIX Systems Admin

John 3:16!
On Tue, 15 Jan 2019 16:38:57 +0000 Howard Coles via samba <samba at lists.samba.org> wrote:

> Hello, new to this list, but not lists generally speaking. Been around since '93 in IT so kinda thinking this shouldn't be stumping me, but it is.
>
> I have Samba 4.6.4-2 installed via IBM's Linux toolbox, on an AIX 7.1 server. Everything is working fairly well, except Kerberos, but it's not really needed for what I'm doing.
>
> The problem is that if a member has a primary group of "samprime" (for example) and there are files written to directories where that is the group that owns the files, and the file has "660" for permissions, the user cannot open the file. It's like Samba is ignoring the primary group of the user. If I change the owner to the user, or if I make the permissions 664, they can open it. The problem is that the process that writes the file cannot write it as the user, and apparently refuses to write it with 664 permissions.
>
> Has anyone else seen or dealt with this issue before? I've run dry on all my Google searches on finding a good solution.
>
> See Ya'
> Howard Coles Jr.
> Sr. UNIX Systems Admin
>
> John 3:16!

How are you running Samba, or to put it another way, what is in smb.conf?

Rowland
On Tue, 15 Jan 2019 17:09:00 +0000 Howard Coles <hcoles at dollargeneral.com> wrote:

> Here is the smb.conf made generic to pass on. The share I'm concerned with at the moment is the "appprt" share, it's simple enough but it's not recognizing that primary local group:
>
> # Samba config file created using SWAT
> # Date: 2007/09/26 11:03:44
>
> [global]
> workgroup = OURDOMAIN
> realm = realm.net
> netbios name = SERVERNAME
> server string = SERVERNAME Samba Server
> security = ADS
> encrypt passwords = Yes
> syslog = 0
> max log size = 1000
> local master = No
> wins server = 192.168.0.6
> read only = No
> short preserve case = No
> dos filetime resolution = Yes
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
> winbind use default domain = yes
> passdb backend = tdbsam
> protocol = SMB2

There appears to be a large block missing, i.e. the authentication block. There should be something like this:

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config OURDOMAIN : backend = rid
    idmap config OURDOMAIN : range = 10000-999999

But that wouldn't work for what you are asking about; the only way to set the user's Unix primary group is to add uidNumber & gidNumber attributes to AD, use Samba >= 4.6.0 and this:

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config OURDOMAIN : backend = ad
    idmap config OURDOMAIN : schema_mode = rfc2307
    idmap config OURDOMAIN : range = 10000-999999
    idmap config OURDOMAIN : unix_nss_info = yes
    idmap config OURDOMAIN : unix_primary_group = yes

>
> [appprt]
> path = /u/appdir/app/print/%u
> read only = Yes
> guest ok = Yes

You cannot use 'guest ok = yes' in AD, all the users are authenticated.

What is the AD DC?

Rowland
On Tue, 15 Jan 2019 17:51:28 +0000 Howard Coles <hcoles at dollargeneral.com> wrote:

> I don't want to set the user's primary group from AD, I want samba to recognize the user's AIX local primary group.

If the computer is running Samba and is joined to the domain, then you cannot do what you want. This is because your domain users will be in AD and you need to extend them to be Unix users; the same goes for domain groups. The local Unix users and groups will only be used when logged in locally on the Unix machine. This means you cannot have a user called 'fred' in /etc/passwd and in AD.

Your smb.conf (what there is) is for a Unix domain member.

Rowland
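A small lint for the smb.conf problems Rowland points out in the two replies above, added here as an example and not part of the thread or of Samba itself: it parses a constructed smb.conf modelled on the quoted one and flags the missing idmap blocks, a domain backend other than 'ad' (which cannot take the Unix primary group from AD), a missing 'unix_primary_group = yes', and 'guest ok = yes' on an AD domain member. The function names and the sample config are my own.

```python
import re

# Constructed sample modelled on the config quoted in the thread (not the poster's actual file).
SAMPLE_SMB_CONF = """\
[global]
    workgroup = OURDOMAIN
    security = ADS
[appprt]
    path = /u/appdir/app/print/%u
    read only = Yes
    guest ok = Yes
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; keys are lower-cased and 'idmap config X : key' normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                                   # blank or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", " ", key.strip().lower())
            key = re.sub(r"\s*:\s*", " : ", key)       # 'idmap config X:backend' -> 'idmap config x : backend'
            sections[current][key] = value.strip()
    return sections

def lint_smb_conf(text):
    """Findings for an AD domain member: missing idmap config, wrong backend, guest shares."""
    sections = parse_smb_conf(text)
    g = sections.get("global", {})
    if g.get("security", "").lower() != "ads":
        return []                                      # these checks only apply to AD members
    domain = g.get("workgroup", "").lower()
    findings = []
    if "idmap config * : backend" not in g:
        findings.append("global: no 'idmap config * : backend' (default idmap block missing)")
    backend = g.get(f"idmap config {domain} : backend", "").lower()
    if not backend:
        findings.append(f"global: no 'idmap config {domain} : backend' for the domain")
    elif backend != "ad":
        findings.append(f"global: idmap backend '{backend}' cannot take the Unix primary group from AD; use 'ad'")
    elif g.get(f"idmap config {domain} : unix_primary_group", "no").lower() not in ("yes", "true", "1"):
        findings.append("global: backend 'ad' without 'unix_primary_group = yes'; gidNumber is not used as primary group")
    for name, share in sections.items():
        if name != "global" and share.get("guest ok", "no").lower() in ("yes", "true", "1"):
            findings.append(f"[{name}]: 'guest ok = yes' does nothing with security = ADS; all users are authenticated")
    return findings
```

Running `lint_smb_conf(SAMPLE_SMB_CONF)` returns three findings for the sample; with the 'ad' idmap block from Rowland's second reply added and the guest line removed it returns none.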