Greetings,

Hoping someone can shed some light on this. I've been searching for over a week and cannot find information on how Samba generates SIDs from Unix UIDs and GIDs.

I keep running into situations where after adding a new user to my CentOS server all other users are suddenly prevented from accessing shares that have a group ACL assigned.

I finally figured out that it is because Samba will assign an SID to the new user that is identical to an existing group SID.

For example I have a group named management with an SID of S-1-5-21-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-1026 (X's are my server's ID)

Then I add a user and Samba generates the exact same SID for the new user. Now when I check the folder properties from Windows I can see that instead of the group name showing in the security tab like it used to it now shows the name of the new user.

I do not have a Windows domain, just a simple workgroup.

I am hoping there is a config file somewhere that I can use to tell Samba to use different SID ranges for users and groups so there will never be duplicates?

--
Dan Stevenson
Network Administrator
Sanders Home Services

On 27/03/2020 13:57, Dan Stevenson via samba wrote:
> Greetings,
>
> Hoping someone can shed some light on this. I've been searching for
> over a week and cannot find information on how Samba generates SIDs
> from Unix UIDs and GIDs.
>
> I keep running into situations where after adding a new user to my
> CentOS server all other users are suddenly prevented from accessing
> shares that have a group ACL assigned.
>
> I finally figured out that it is because Samba will assign an SID to
> the new user that is identical to an existing group SID.
>
> For example I have a group named management with an SID of
> S-1-5-21-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-1026 (X's are my server's ID)
>
> Then I add a user and Samba generates the exact same SID for the new
> user. Now when I check the folder properties from Windows I can see
> that instead of the group name showing in the security tab like it
> used to it now shows the name of the new user.
>
> I do not have a Windows domain, just a simple workgroup.
>
> I am hoping there is a config file somewhere that I can use to tell
> Samba to use different SID ranges for users and groups so there will
> never be duplicates?
>

How exactly are you running Samba? I think it might help if you post your smb.conf file.

Rowland

On 27/03/2020 19:16, Dan Stevenson wrote:
> Rowland,
>
> Here is my smb.conf. I have a very basic setup. Just one main shared
> folder "/Apps" with some ACLs applied to a few sub-folders to
> restrict access by all except certain groups.

Sorry to be so long in replying, just a couple of comments about your smb.conf.

You are running Samba as a standalone server and I do not think you need any more than this in '[global]':

[global]
    workgroup = peers
    netbios name = SHS1
    security = user
    unix password sync = yes
    cups options = raw
    printcap name = cups
    printing = cups

You also probably do not need '[homes]' & '[users]', they do virtually the same thing.

Coming back to your original problem about SIDs, how are you creating the users and groups, and where? Are you using anything else with Samba (sssd for instance, I cannot see why you would, but stranger things have happened)?

The thing is, you usually do not care about SIDs on a 'standalone server', you connect as a user with password and that's it.

Rowland

On 31/03/2020 14:29, Dan Stevenson wrote:
>
> Rowland,
>
> No problem, thanks for replying.
>
> I use a shell script to add users and set permissions. The actual
> adding of new users to the shell and setting Samba passwords is just
> done by the standard useradd and pdbedit commands. I do not use sssd.
>

Ah, light dawns, if you use pdbedit, then you are adding things to the SAM on a standalone server that you only need on a PDC.

> Here is an example of what happens when I add a user and Samba creates an
> SID for that user which is an exact duplicate of an existing group SID.
>
> Before adding the new user I can check to verify the SID for my
> "management" group like so:
>
>> sudo net groupmap list
>> management (*S-1-5-21-979328919-1982131190-3311040992-1026*) ->
>> management
>
> If I check the properties of the /Apps/managers folder from a Windows
> workstation that has a drive mapped to the /Apps share and look at the
> security tab I can see that the "management" group is listed and has
> full permission as it should be. I would provide a screenshot but I
> don't believe that is supported in the mailing list?
>
> I would like to know how Samba determines what SID to assign to a new
> user and if there is a way I can limit the generated user SIDs to a
> range that will never overlap with my group SIDs?

That is what I was saying, you have a standalone server, so you don't need to bother with the SID, perhaps reading this might help:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server

Basically it boils down to creating a user with the unix tools:

    useradd

You then make them Samba users:

    smbpasswd -a username

It sounds like you are either trying too hard, or not hard enough ;-)

By that I mean, you seem to want to run a domain, but don't want to actually set one up.

Rowland
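
An added check for the symptom described in this thread (not part of any message above, and not Samba project code): it parses `net groupmap list` and `pdbedit -L -v` output and reports any user SID that equals a mapped group SID. The sample text is constructed, with only the management group SID taken from the thread; the function names are this example's own.

```python
import re

SID = r"S-1-5-21(?:-\d+){4}"  # domain SID (three sub-authorities) plus RID

# Constructed sample in the `net groupmap list` format quoted in the thread.
GROUPMAP_SAMPLE = """\
management (S-1-5-21-979328919-1982131190-3311040992-1026) -> management
sales (S-1-5-21-979328919-1982131190-3311040992-1028) -> sales
"""

# Constructed sample of `pdbedit -L -v` output, trimmed to the fields used here.
PDBEDIT_SAMPLE = """\
---------------
Unix username:        alice
User SID:             S-1-5-21-979328919-1982131190-3311040992-1004
Primary Group SID:    S-1-5-21-979328919-1982131190-3311040992-513
---------------
Unix username:        newuser
User SID:             S-1-5-21-979328919-1982131190-3311040992-1026
Primary Group SID:    S-1-5-21-979328919-1982131190-3311040992-513
"""

def parse_groupmap(text):
    """Map each group SID to its NT group name (tolerates mail-style *SID* markup)."""
    pattern = re.compile(rf"^\s*(.+?) \(\*?({SID})\*?\) ->", re.M)
    return {sid: name for name, sid in pattern.findall(text)}

def parse_pdbedit(text):
    """Map each Unix username to its 'User SID' value."""
    users, name = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Unix username":
            name = value.strip()
        elif key.strip() == "User SID" and name:
            users[name] = value.strip()
    return users

def find_collisions(groupmap_text, pdbedit_text):
    """Return sorted (sid, group, user) tuples where a user SID equals a group SID."""
    groups = parse_groupmap(groupmap_text)
    users = parse_pdbedit(pdbedit_text)
    return sorted((sid, groups[sid], user) for user, sid in users.items() if sid in groups)

if __name__ == "__main__":
    for sid, group, user in find_collisions(GROUPMAP_SAMPLE, PDBEDIT_SAMPLE):
        print(f"COLLISION {sid}: group '{group}' and user '{user}'")
```

On a live server, pass in the captured output of the two commands, both run as root.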