Michael Schwarz
2020-Oct-08 07:51 UTC
[Samba] Is Samba unable to resolve secondary group membership?
On 07.10.20 at 17:29, Rowland penny via samba wrote:
> On 07/10/2020 16:00, Michael Schwarz via samba wrote:
>> Hello,
>>
>> I have a somewhat complicated problem and so far I have not been able
>> to find any hints that have brought me further towards a solution:
> This is a bit hard to follow, but certain things stand out, your
> smb.conf file is from a Unix domain member, yet you are trying to use
> local Unix groups. You also seem to be using very low numbers for the
> AD users and groups, numbers I wouldn't recommend, you also mention
> CTDB, but you do not have 'clustering = yes' in your smb.conf.
>
> You shouldn't be getting 'WBC_ERR_DOMAIN_NOT_FOUND'
>
> Can you explain your set up a bit better ?
>

Hi Rowland,

thanks for your reply. I have posted the output from "net conf list" as the /etc/samba/smb.conf is rather short:

[root@lus-gw-1 ~]# cat /etc/samba/smb.conf
[global]
    clustering = yes
    include = registry

[root@lus-gw-1 ~]# net conf list
[global]
        workgroup = AD
        netbios name = lus-gw
        security = ads
        realm = AD.UNI-PADERBORN.DE
        load printers = no
        winbind use default domain = yes
        winbind scan trusted domains = no
        idmap config * : backend = tdb
        idmap config * : range = 100-999
        idmap config ad : range = 1000-99999999
        idmap config ad : backend = ad
        kerberos method = secrets and keytab
        name resolve order = host bcast
        winbind cache time = 5
        winbind expand groups = 3
        log level = 5
        fileid:algorithm = fsname
        vfs objects = fileid acl_xattr

[scratch]
        path = /scratch
        comment = Lustre re-export
        read only = no
        inherit acls = yes
        inherit permissions = yes
        create mask = 700
        directory mask = 700
        kernel oplocks = yes
        valid users = @meta_pc2_acc_cr2018

The setup at our university is not quite trivial. I can understand that. I'll try to explain it again in a different way:

The university computer centre runs a central identity service consisting of an LDAP server and its own Kerberos REALM (UNI-PADERBORN.DE). All Linux computers and web services etc. are connected to this service. For the Windows computers there is a separate Active Directory domain (AD.UNI-PADERBORN.DE) served by a Windows domain controller. The users are created in both LDAP and ADS, but are not fully synchronised. The only reliable key to assign a user in LDAP to a user in AD is the user name. The AD knows neither the Unix UIDs nor a home directory or the like. Otherwise, the LDAP doesn't know for example the SID of an AD user. The AD can therefore not be taken as the sole source for user data on Linux systems. That's why we didn't configure winbind as a source in /etc/nsswitch.conf.

In order for users on Windows computers (members of AD.UNI-PADERBORN.DE) to be able to log on to the CIFS cluster by single sign-on, this CIFS cluster is a member of the domain. I have created a diagram on http://homepages.uni-paderborn.de/mschwar2/LDAP-AD-UPB.jpg.

The NFS daemon and the CIFS daemon run on the same system. The directory to be exported via CIFS is located on a Lustre file system. This is natively mounted by many Linux computers in our computing cluster and rights on this FS are correspondingly bound to the Linux UIDs and GIDs.

Samba is obviously able to map an AD user correctly by name to a corresponding LDAP user/Linux user. Otherwise I would not be able to access data that belongs to my own user. What does not work is to access data belonging to another user and a group of which I am a member but which is not my primary group.

I hope this helps a little bit to understand the setup here.

Thanks,
Michael
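The symptom above (access through the primary group works, access through a secondary group does not) comes down to whether the GIDs the file server resolves for the user match the groups that list the user as a member. The following POSIX shell check is an added example, not part of the original thread and not a Samba tool: it takes an /etc/group-style dump and a list of GIDs a session actually received, and reports the secondary GIDs that are missing. The user name and group name are the ones from the thread; the GIDs and the other entries are constructed sample data. On a member server the two inputs would be taken from `getent group` and `id -G USER`, on the assumption that those reflect what the server's NSS stack hands to smbd.

```shell
#!/bin/sh
# Added example (not from the thread). Compares the secondary groups a
# group database lists for a user with the GIDs a session actually
# resolved and reports the ones that went missing.

# Constructed /etc/group-style dump, in the format 'getent group' prints.
# The GIDs are made up; only the user and share group names come from
# the thread.
SAMPLE_GROUPS='meta_pc2_acc_cr2018:x:50123:mschwar2,jdoe
pc2_staff:x:50124:jdoe,mschwar2
users:x:100:
mschwar2:x:50001:'

# secondary_gids USER GROUPDB
# Prints one GID per line for every group whose member list names USER.
secondary_gids() {
    user=$1
    printf '%s\n' "$2" | while IFS=: read -r name _pw gid members; do
        # Wrap the member list in commas so "jdoe" cannot match "jdoe2".
        case ",$members," in
            *",$user,"*) printf '%s\n' "$gid" ;;
        esac
    done
}

# missing_gids EXPECTED ACTUAL
# Both are whitespace-separated GID lists; prints the EXPECTED entries
# that are absent from ACTUAL, one per line. Returns 0 either way.
missing_gids() {
    for g in $1; do
        found=0
        for a in $2; do
            [ "$g" = "$a" ] && found=1
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$g"
    done
    return 0
}

# check_user USER GROUPDB ACTUAL
# Prints "ok" when every secondary GID the database lists for USER was
# resolved, otherwise the missing GIDs one per line. On a real member
# server GROUPDB would be "$(getent group)" and ACTUAL "$(id -G USER)"
# (assumption: those commands reflect what NSS hands to the file server).
check_user() {
    expected=$(secondary_gids "$1" "$2")
    missing=$(missing_gids "$expected" "$3")
    if [ -z "$missing" ]; then
        echo ok
    else
        printf '%s\n' "$missing"
    fi
}

# Demonstration on the constructed data: the session only received the
# primary GID and 'users', so both secondary groups are reported missing.
check_user mschwar2 "$SAMPLE_GROUPS" "50001 100"
```

A non-empty report for a user who can reach files through their primary group but not through a listed secondary group points at the group resolution path (NSS versus winbind, and settings such as `winbind expand groups`) rather than at the share ACLs themselves; an "ok" result means the groups were resolved and the problem lies elsewhere.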
Rowland penny
2020-Oct-08 08:41 UTC
[Samba] Is Samba unable to resolve secondary group membership?
On 08/10/2020 08:51, Michael Schwarz via samba wrote:
>
>
> Hi Rowland,
>
> thanks for your reply. I have posted the output from "net conf list"
> as the /etc/samba/smb.conf is rather short:
>
> [root@lus-gw-1 ~]# cat /etc/samba/smb.conf
> [global]
>     clustering = yes
>     include = registry

That explains the lack of 'clustering = yes'

> The setup at our university is not quite trivial. I can understand
> that. I'll try to explain it again in a different way:

Let's see if I understand this, you have one kerberos domain for the Linux machines and another kerberos domain for the Windows machines, you have virtually the same users and groups in both. Why two domains, why not just use the AD for both? This would make your setup trivial. I feel this is probably all down to department politics.

Not that this has anything to do with myself (I am not a German tax payer), or probably your problem.

Rowland
Michael Schwarz
2020-Oct-08 09:23 UTC
[Samba] Is Samba unable to resolve secondary group membership?
On 08.10.20 at 10:41, Rowland penny via samba wrote:
> On 08/10/2020 08:51, Michael Schwarz via samba wrote:
>
>> The setup at our university is not quite trivial. I can understand
>> that. I'll try to explain it again in a different way:
>
> Let's see if I understand this, you have one kerberos domain for the
> Linux machines and another kerberos domain for the Windows machines,
> you have virtually the same users and groups in both. Why two domains,
> why not just use the AD for both? This would make your setup trivial.
> I feel this is probably all down to department politics.
>

Yes this is correct. I'm not sure why there are two domains. I'm not working at the central computer center, but I'm sure they have their reasons why they are doing it this way. We are only using this infrastructure. The LDAP is storing much more information than only simple posixAccounts. It might be that an AD is not so flexible if you want to store more than the standard attributes. But I don't know in detail as I am not so familiar with Windows AD services.

Regards,
Michael