Klaus Jaensch
2019-Dec-10 13:29 UTC
[Samba] unix_primary_group=yes together with vfs objects=acl_xattr not working
Hi Rowland, Am 10.12.19 um 13:05 schrieb Rowland penny via samba:> On 10/12/2019 11:41, Klaus Jaensch via samba wrote: >> Hello all, >> >> we want to change the configuration of our Samba domain member file >> servers to use >> >> unix_primary_group=yes >> >> After some experiments I was able to get it to work, but only with >> >> vfs objects = acl_xattr >> >> commented out. >> >> With acl_xattr enabled the primary group is still displayed correctly >> in the output of smbstatus, but new files are not created with with >> this primary group. The created files have the default group 'users' >> instead. >> >> >> Is it a? bug in the acl_xattr module? >> >> >> I used the latest Ubuntu server version for testing: >> >> Samba version 4.10.7-Ubuntu >> >> >> Klaus >> >> >> > I think you need to post your smb.conf, the default user group is > Domain Users, not 'users', that is the default local Unix group. >Here is my test smb.conf [global] ? security = ads ? realm = SAMDOM ? workgroup = IPS ? idmap config *:backend =tdb ? idmap config *:range = 5000000-6000000 ? idmap config IPS:backend = ad ? idmap config IPS:schema_mode = rfc2307 ? idmap config IPS:range = 100-999999 ? idmap config IPS:unix_nss_info = yes ? idmap config IPS:default = yes ? idmap config IPS:unix_primary_group = yes ? # Use settings from AD for login shell and home directory ? winbind nss info = rfc2307 ? winbind enum users = yes ? winbind enum groups = yes ? winbind cache time = 10 ? winbind use default domain = yes ? winbind rpc only = yes ? kerberos method = secrets and keytab ? client use spnego = yes ? client ntlmv2 auth = yes ? ntlm auth = no ? encrypt passwords = yes ? restrict anonymous = 2 ? domain master = no ? local master = no ? preferred master = no ? os level = 0 ? server min protocol = SMB2 ? vfs objects = acl_xattr ? map acl inherit = yes ? store dos attributes = yes ? access based share enum = yes ? server signing = mandatory ? smb encrypt = desired [test_share] ?????? path= /data/test_share ?????? read only = No ?????? create mask = 0660 ?????? directory mask = 0770 ?????? valid users =test_user I use the Windows Server AD as backend and set the GID in the ActiveDirectory UNIX-Attributes of the user. On the Linux Samba server I have a group with this GID. The name of this group shows up in the smbstatus output. New files are created with this GID, but only if vfs objects = acl_xattr is commented out. We access the file servers from Windows clients via SMB and from Linux clients via NFS. I want to use private user groups on Ubuntu to change the umask to 002 on login automatically on Ubuntu (Explained in /etc/login.defs). Therefore every user requires its own primary group with the same name of the user. I know that it is not possible to have groups with the same name in AD, so I want to use the GID (number) UNIX attribute and resolve it to the existing (private user) group on the Linux server. Everything works as expected but only without the vfs objects = acl_xattr line in smb.conf. Klaus> Rowland > > >-- ------------------------------------------ Klaus Jaensch Muenchen Germany Institut fuer Phonetik und Sprachverarbeitung Schellingstr.3/II Room 223 VG 80799 M?nchen Phone (Work): +49-(0)89-2180-2806 Fax: +49-(0)89-2180-5790 EMail: klausj at phonetik.uni-muenchen.de
Rowland penny
2019-Dec-10 14:08 UTC
[Samba] unix_primary_group=yes together with vfs objects=acl_xattr not working
On 10/12/2019 13:29, Klaus Jaensch via samba wrote:> Hi Rowland, > >>> I used the latest Ubuntu server version for testing: >>> >>> Samba version 4.10.7-Ubuntu >>> >> Here is my test smb.conf > > [global] > ? security = ads > ? realm = SAMDOM > ? workgroup = IPS > ? idmap config *:backend =tdb > ? idmap config *:range = 5000000-6000000 > ? idmap config IPS:backend = ad > ? idmap config IPS:schema_mode = rfc2307 > ? idmap config IPS:range = 100-999999Why are you using '100' for the range start number ? It looks like it is picking up the local Unix group 'users' which has the GID 100> idmap config IPS:unix_nss_info = yes > ? idmap config IPS:default = yesI don't know where you got that line from, it doesn't exist> idmap config IPS:unix_primary_group = yes > ? # Use settings from AD for login shell and home directory > ? winbind nss info = rfc2307That line is only used if you are using Samba < 4.8.0> winbind enum users = yes > ? winbind enum groups = yesYou should turn the two lines above off, they are not needed and can slow things down.> winbind cache time = 10 > ? winbind use default domain = yes > ? winbind rpc only = yesNOOOOOOOOOO, do not set the line above> kerberos method = secrets and keytab > ? client use spnego = yes > ? client ntlmv2 auth = yes > ? ntlm auth = no > ? encrypt passwords = yesThe four lines above are defaults and as such are not required.> restrict anonymous = 2 > ? domain master = no > ? local master = no > ? preferred master = no > ? os level = 0 > ? server min protocol = SMB2 > ? vfs objects = acl_xattr > ? map acl inherit = yes > ? store dos attributes = yes > ? access based share enum = yes > ? server signing = mandatory > ? smb encrypt = desired > > [test_share] > ?????? path= /data/test_share > ?????? read only = No > ?????? create mask = 0660 > ?????? directory mask = 0770 > ?????? valid users =test_user > > I use the Windows Server AD as backend and set the GID in the > ActiveDirectory UNIX-Attributes of the user. > > On the Linux Samba server I have a group with this GID.Yes, it is local Unix group: cat /etc/group | grep 100 users:x:100:> > The name of this group shows up in the smbstatus output. > > New files are created with this GID, but only if vfs objects = > acl_xattr is commented out. > > > We access the file servers from Windows clients via SMB and from Linux > clients via NFS. I want to use private user groups on Ubuntu to change > the umask to 002 on login automatically on Ubuntu (Explained in > /etc/login.defs).Just use SMB for everything. If you only had Linux clients, then you could use NFS and ignore Samba, but I wouldn't try to use the same files from NFS and Windows. Rowland
Klaus Jaensch
2019-Dec-10 15:56 UTC
[Samba] unix_primary_group=yes together with vfs objects=acl_xattr not working
Am 10.12.19 um 15:08 schrieb Rowland penny via samba:> On 10/12/2019 13:29, Klaus Jaensch via samba wrote: >> Hi Rowland, >> >>>> I used the latest Ubuntu server version for testing: >>>> >>>> Samba version 4.10.7-Ubuntu >>>> >>> Here is my test smb.conf >> >> [global] >> ? security = ads >> ? realm = SAMDOM >> ? workgroup = IPS >> ? idmap config *:backend =tdb >> ? idmap config *:range = 5000000-6000000 >> ? idmap config IPS:backend = ad >> ? idmap config IPS:schema_mode = rfc2307 >> ? idmap config IPS:range = 100-999999 > > Why are you using '100' for the range start number ? >I set the Unix attribute GID of the AD group 'Domain Users' to 100. The idea was to map the AD 'Domain Users' group to default UNIX group 'users' GID 100. I guess that was not a good idea?> It looks like it is picking up the local Unix group 'users' which has > the GID 100 >Thanks Rowland, that was the problem! Changed the range to 10000-999999 and it works now. But shouldn't the Primary Group GID entry of the user in AD have precedence over the 'Domain Users' membership?>> idmap config IPS:unix_nss_info = yes >> ? idmap config IPS:default = yes > I don't know where you got that line from, it doesn't exist >> idmap config IPS:unix_primary_group = yes >> ? # Use settings from AD for login shell and home directory >> ? winbind nss info = rfc2307 > That line is only used if you are using Samba < 4.8.0 >> winbind enum users = yes >> ? winbind enum groups = yes > You should turn the two lines above off, they are not needed and can > slow things down. >> winbind cache time = 10 >> ? winbind use default domain = yes >> ? winbind rpc only = yes > NOOOOOOOOOO, do not set the line aboveOK, the line was only in the test server config.>> kerberos method = secrets and keytab >> ? client use spnego = yes >> ? client ntlmv2 auth = yes >> ? ntlm auth = no >> ? encrypt passwords = yes > The four lines above are defaults and as such are not required. >> restrict anonymous = 2 >> ? domain master = no >> ? local master = no >> ? preferred master = no >> ? os level = 0 >> ? server min protocol = SMB2 >> ? vfs objects = acl_xattr >> ? map acl inherit = yes >> ? store dos attributes = yes >> ? access based share enum = yes >> ? server signing = mandatory >> ? smb encrypt = desired >> >> [test_share] >> ?????? path= /data/test_share >> ?????? read only = No >> ?????? create mask = 0660 >> ?????? directory mask = 0770 >> ?????? valid users =test_user >> >> I use the Windows Server AD as backend and set the GID in the >> ActiveDirectory UNIX-Attributes of the user. >> >> On the Linux Samba server I have a group with this GID. > > Yes, it is local Unix group: > > cat /etc/group | grep 100 > users:x:100: > >> >> The name of this group shows up in the smbstatus output. >> >> New files are created with this GID, but only if vfs objects = >> acl_xattr is commented out. >> >> >> We access the file servers from Windows clients via SMB and from >> Linux clients via NFS. I want to use private user groups on Ubuntu to >> change the umask to 002 on login automatically on Ubuntu (Explained >> in /etc/login.defs). > Just use SMB for everything. If you only had Linux clients, then you > could use NFS and ignore Samba, but I wouldn't try to use the same > files from NFS and Windows. >We already do that for years now and it works fine. We use NFS mounted Homes and Autofs. I don't know if that would be possible to replace with SMB. Thank you for your very good advice to cleanup my smb.conf. Klaus> Rowland > > >-- ------------------------------------------ Klaus Jaensch Muenchen Germany Institut fuer Phonetik und Sprachverarbeitung Schellingstr.3/II Room 223 VG 80799 M?nchen Phone (Work): +49-(0)89-2180-2806 Fax: +49-(0)89-2180-5790 EMail: klausj at phonetik.uni-muenchen.de
Reasonably Related Threads
- unix_primary_group=yes together with vfs objects=acl_xattr not working
- unix_primary_group=yes together with vfs objects=acl_xattr not working
- unix_primary_group=yes together with vfs objects=acl_xattr not working
- unix_primary_group = yes don t work
- unix_primary_group = yes don t work