I installed a new Ubuntu 20.4 LTS system (smbd 4.11.6). Initially I tried using the SSSD and 'realm' to join the domain. Everything worked similar to my Centos 7 install and I thought I was finished.

The one thing not working is cifs shares showing the proper id mapping. Based on some online posts, including from Rowland, I got rid of SSSD and configured samba/winbind only. Lots of posts saying 'winbind is not sssd'. Still doesn't work.

In both cases,
1) The mounted share

    mount -t cifs //192.168.1.1/test /mnt/test -odomain=TESTDOM,sec=ntlmssp,cifsacl,credentials=xzy

shows all files owned by root/root rather than the domain users.

2) If I run getcifsacl /mnt/test it shows the proper named windows ACL as expected

3) /usr/lib/x86_64-linux-gnu/cifs-utils/idmapwb.so is setup as the /etc/cifs-utils/idmap-plugin

I've been messing with this for a long time and cannot figure out why this does not work. On Centos 7 (smbd 4.10.4) this worked fine using sssd.

It is as if the 'ls -al /mnt/test' is not doing the mapping or using the plugin. I've got no idea what to try next. Everything else works - 'getent passwd', wbinfo, etc.

On 24/09/2020 04:51, Ken Bass via samba wrote:
> I installed a new Ubuntu 20.4 LTS system (smbd 4.11.6) . Initially I
> tried using the SSSD and 'realm' to join the domain. Everything worked
> similar to my Centos 7 install and I thought I was finished.
>
> The one thing not working is cifs shares showing the proper id
> mapping. Based on some online posts, including from Rowland, I got rid
> of SSSD and configured samba/winbind only. Lots of posts saying
> 'winbind is not sssd'. Still doesn't work.
>
> In both cases,
> 1) The mounted share
> mount -t cifs //192.168.1.1/test /mnt/test
> -odomain=TESTDOM,sec=ntlmssp,cifsacl,credentials=xzy
>
> shows all files owned by root/root rather than the domain users.

'mount' is usually only runnable by root and you are not specifying 'username=', so this might be the reason for that.

>
> 2) If I run getcifsacl /mnt/test it shows the proper named windows ACL
> as expected
>
> 3) /usr/lib/x86_64-linux-gnu/cifs-utils/idmapwb.so is setup as the
> /etc/cifs-utils/idmap-plugin
>
> I've been messing with this for a long time and cannot figure out why
> this does not work. On Centos 7 (smbd 4.10.4) this worked fine using
> sssd.
>
> It is as if the 'ls -al /mnt/test' is not doing the mapping or using
> the plugin. I've got no idea what to try next. Everything else works -
> 'getent passwd', wbinfo, etc.

The problem could be that mount.cifs appears to be using a different algorithm to calculate the ID's to the one that winbind uses.

It might help if you post your smb.conf and explain just what you are trying to achieve.

Rowland

Ken Bass via samba <samba at lists.samba.org> writes:
> I installed a new Ubuntu 20.4 LTS system (smbd 4.11.6) . Initially I
> tried using the SSSD and 'realm' to join the domain. Everything worked
> similar to my Centos 7 install and I thought I was finished.
>
> The one thing not working is cifs shares showing the proper id mapping.
> Based on some online posts, including from Rowland, I got rid of SSSD
> and configured samba/winbind only. Lots of posts saying 'winbind is not
> sssd'. Still doesn't work.

Do you have /etc/request-keys.conf setup to call cifs.idmap?

Cheers,
--
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)

On 9/24/20 8:53 AM, Aurélien Aptel wrote:
> Ken Bass via samba <samba at lists.samba.org> writes:
>> I installed a new Ubuntu 20.4 LTS system (smbd 4.11.6) . Initially I
>> tried using the SSSD and 'realm' to join the domain. Everything worked
>> similar to my Centos 7 install and I thought I was finished.
>>
>> The one thing not working is cifs shares showing the proper id mapping.
>> Based on some online posts, including from Rowland, I got rid of SSSD
>> and configured samba/winbind only. Lots of posts saying 'winbind is not
>> sssd'. Still doesn't work.
> Do you have /etc/request-keys.conf setup to call cifs.idmap?

Hi Aurélien,

I don't have a /etc/request-keys.conf, but there is a /etc/request-key.d directory with a cifs.idmap.conf file. It contains:

    create  cifs.idmap    * * /usr/sbin/cifs.idmap %k

However I don't know if it is being used. For example, I temporarily renamed the above cifs.idmap to cifs.idmap.DISABLED and saw no difference. (I restarted smbd, winbind, and ran net cache flush).

Since mount.cifs man page says

' If either upcall to cifs.idmap is not setup correctly or winbind is not configured and running, ID mapping will fail. In that case uid and gid will default to either to those values of the share or to the values of uid and/or gid mount options if specified.'

So I am not sure how much my troubleshooting step tells me.

My smb.conf is:

testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
    dedicated keytab file = /etc/krb5.keytab
    disable spoolss = Yes
    interfaces = lo 192.168.2.0/24
    kerberos method = secrets and keytab
    load printers = No
    log file = /var/log/samba/%m.log
    printcap name = /dev/null
    realm = MYDOM.XYZ.NET
    security = ADS
    server string = xyz
    template homedir = /home/%U
    template shell = /bin/bash
    username map = /etc/samba/user.map
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind refresh tickets = Yes
    winbind use default domain = Yes
    workgroup = MYDOM
    idmap config mydom : unix_primary_group = yes
    idmap config mydom : range = 1000-29999
    idmap config mydom : schema_mode = rfc2307
    idmap config mydom : backend = ad
    idmap config * : range = 30000-39999
    idmap config * : backend = tdb
    cups options = raw
    hosts allow = 127. 192.168.2.
    map acl inherit = Yes
    printing = bsd
    vfs objects = acl_xattr

On 9/24/20 8:53 AM, Aurélien Aptel wrote:
> Ken Bass via samba <samba at lists.samba.org> writes:
>> I installed a new Ubuntu 20.4 LTS system (smbd 4.11.6) . Initially I
>> tried using the SSSD and 'realm' to join the domain. Everything worked
>> similar to my Centos 7 install and I thought I was finished.
>>
>> The one thing not working is cifs shares showing the proper id mapping.
>> Based on some online posts, including from Rowland, I got rid of SSSD
>> and configured samba/winbind only. Lots of posts saying 'winbind is not
>> sssd'. Still doesn't work.
> Do you have /etc/request-keys.conf setup to call cifs.idmap?
>
> Cheers,

Even though I have a /etc/request-key.d directory with a cifs.idmap.conf, I do not have a /etc/request-keys.conf file. From this clue as well as Rowland's recollection, installing the keyutils package fixed this. For whatever reason keyutils was not installed.

After installing keyutils, the system log started showing 'cifs.idmap' log entries and how mount.cifs is working.

So the cifs-utils package installs

    /etc/request-key.d/cifs.idmap.conf
    /etc/request-key.d/cifs.spnego.conf

However the package only has a 'suggestion' of the keyutils package. Without installing keyutils, which creates the /etc/request-key.conf file AND installs the /sbin/request-key binary, the 'cifsacl' option doesn't work / perform the winbind mapping as it should.

Thanks Aurélien and Rowland for your help.
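
The resolution above comes down to files that were absent, so the upcall chain can be checked directly. The script below is an added example, not written by anyone in this thread; it tests for the paths named in the messages (/sbin/request-key, /etc/request-key.conf, the 'create cifs.idmap' rule and its helper, /etc/cifs-utils/idmap-plugin). The optional ROOT prefix argument is an assumption added here so a chroot or unpacked image can be inspected.

```shell
# Added example: check the pieces of the cifs.idmap upcall chain named in this thread.
# ROOT (optional first argument) is a hypothetical prefix for inspecting a chroot or
# unpacked image; with no argument the live system is checked.
check_cifs_idmap() {
    root="${1:-}"
    rc=0

    # request-key binary, shipped by keyutils
    if [ ! -x "$root/sbin/request-key" ]; then
        echo "MISSING: /sbin/request-key (install keyutils)"; rc=1
    fi
    # main request-key configuration, also shipped by keyutils
    if [ ! -f "$root/etc/request-key.conf" ]; then
        echo "MISSING: /etc/request-key.conf (install keyutils)"; rc=1
    fi
    # rule that routes cifs.idmap key requests to the helper (shipped by cifs-utils)
    rule=$(cat "$root/etc/request-key.conf" "$root"/etc/request-key.d/*.conf 2>/dev/null |
           grep -E '^create[[:space:]]+cifs\.idmap[[:space:]]' | head -n 1)
    if [ -z "$rule" ]; then
        echo "MISSING: 'create cifs.idmap' rule in request-key configuration"; rc=1
    else
        # the fifth field of the rule is the program the upcall executes
        helper=$(printf '%s\n' "$rule" | awk '{print $5}')
        if [ ! -x "$root$helper" ]; then
            echo "MISSING: helper $helper named by the rule"; rc=1
        fi
    fi
    # plugin that cifs.idmap loads to ask winbind for the mapping
    if [ ! -e "$root/etc/cifs-utils/idmap-plugin" ]; then
        echo "MISSING: /etc/cifs-utils/idmap-plugin"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: cifs.idmap upcall chain is present"
    return "$rc"
}
```

Run `check_cifs_idmap` with no argument on the client that mounts the share; it does not check that winbind itself is running or answering.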