Gregory Giguashvili
2020-Nov-22 12:50 UTC
[Samba] Windows file ownership changed from SID to Unix User
After upgrading Samba server from 4.9 to 4.10 version running on RHEL 7.7 OS, something changed in how Windows clients see the file ownership on the exported shares. Instead of SID owners, it now shows "Unix User\username" and "Unix group\groupname" users. This works fine in all the cases except when Samba share is used for storing Windows user profiles. The workaround mentioned in https://serverfault.com/questions/515968/house-roaming-profiles-on-realm-trusted-samba-server/517616#517616 works, but it is to be avoided due to possible security issues.

I should mention that I'm NOT using winbind service. My Samba servers are joined to the domain using SSSD. This worked fine with Samba 4.8 and 4.9, but stopped working from 4.10 version.

I'm attaching my smb.conf file. Any recommendations on how to follow up on this issue are greatly appreciated.

[global]
security = ADS
workgroup = MYDOM
realm = MYDOM.local
log level = 3
dfree command = /bin/samba-dfree
dfree cache time = 60
# See https://wiki.samba.org/index.php/Idmap_config_ad
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOM:backend = ad
idmap config MYDOM:schema_mode = rfc2307
idmap config MYDOM:range = 10000-999999
idmap config MYDOM:unix_nss_info = no
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/shared/%U

[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes

[profiles]
# See https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
comment = Users profiles
path = /roaming/profiles
browseable = No
read only = No
force create mode = 0600
force directory mode = 0700
csc policy = disable
level2 oplocks = No
oplocks = No
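Added example, not part of the thread and not Samba project code: a small Python checker for the two things a defender would want to verify in a configuration like the one above. First, it parses the "idmap config" lines and reports missing backends, missing or malformed ranges, and overlapping ranges (Samba requires the "*" default range and each domain range to be disjoint, otherwise uid/gid assignments are ambiguous). Second, it decodes the synthetic SIDs Samba emits when a uid or gid cannot be mapped back to a domain SID: S-1-22-1-<uid> is the "Unix User" authority and S-1-22-2-<gid> is "Unix Group", which is exactly what a Windows client renders as "Unix User\username". The sample smb.conf fragments and the smbcacls-style ACL dump are constructed for the example; the deliberately overlapping second config is included only to show a finding.

```python
"""Sanity-check Samba idmap ranges and decode 'Unix User'/'Unix Group' SIDs.

Added example for the mailing-list thread; not the poster's or Samba's code.
"""
import re

# Constructed sample: the idmap-relevant lines from the smb.conf in the thread.
SAMPLE_SMB_CONF = """
[global]
security = ADS
workgroup = MYDOM
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOM:backend = ad
idmap config MYDOM:schema_mode = rfc2307
idmap config MYDOM:range = 10000-999999
idmap config MYDOM:unix_nss_info = no
"""

# Constructed sample with a deliberately overlapping default range, for contrast.
OVERLAPPING_SMB_CONF = """
[global]
idmap config * : backend = tdb
idmap config * : range = 3000-20000
idmap config MYDOM:backend = ad
idmap config MYDOM:range = 10000-999999
"""

# Constructed sample of numeric smbcacls-style output for one profile directory.
SAMPLE_ACL_OUTPUT = """
REVISION:1
CONTROL:SR|DI|DP
OWNER:S-1-22-1-10042
GROUP:S-1-22-2-10001
ACL:S-1-22-1-10042:ALLOWED/0x0/FULL
"""

IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<opt>[a-z_]+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

# Samba's well-known authorities for uids/gids that have no domain SID mapping.
UNIX_USERS_SID = "S-1-22-1"
UNIX_GROUPS_SID = "S-1-22-2"
UNIX_SID_RE = re.compile(r"S-1-22-([12])-(\d+)")


def parse_idmap(text):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom = m.group("dom").upper()          # "*" stays "*"
            result.setdefault(dom, {})[m.group("opt").lower()] = m.group("val")
    return result


def parse_range(value):
    """Parse 'low-high' into a tuple of ints; raises ValueError if malformed."""
    low, high = (int(part) for part in value.split("-", 1))
    return low, high


def check_idmap(text):
    """Return a list of human-readable findings; empty list means ranges look sane."""
    cfg = parse_idmap(text)
    findings, ranges = [], {}
    if "*" not in cfg:
        findings.append("no default 'idmap config *' block")
    for dom, opts in cfg.items():
        if "backend" not in opts:
            findings.append(f"{dom}: no backend configured")
        if "range" not in opts:
            findings.append(f"{dom}: no range configured")
            continue
        try:
            low, high = parse_range(opts["range"])
        except ValueError:
            findings.append(f"{dom}: malformed range {opts['range']!r}")
            continue
        if low > high:
            findings.append(f"{dom}: range low > high ({low}-{high})")
            continue
        ranges[dom] = (low, high)
    doms = sorted(ranges)
    for i, a in enumerate(doms):            # pairwise overlap test
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"{a} range {ranges[a]} overlaps {b} range {ranges[b]}")
    return findings


def classify_sid(sid):
    """Tell whether a SID is a synthetic Unix User/Group SID or a real domain SID."""
    m = UNIX_SID_RE.fullmatch(sid)
    if m:
        kind = "unix-user" if m.group(1) == "1" else "unix-group"
        return (kind, int(m.group(2)))
    return ("domain-sid", None)


def find_unmapped_sids(acl_text):
    """List (kind, id) for each distinct unmapped uid/gid seen in an ACL dump."""
    seen, out = set(), []
    for m in UNIX_SID_RE.finditer(acl_text):
        entry = classify_sid(m.group(0))
        if entry not in seen:
            seen.add(entry)
            out.append(entry)
    return out


if __name__ == "__main__":
    print("thread config findings:", check_idmap(SAMPLE_SMB_CONF))
    print("overlapping config findings:", check_idmap(OVERLAPPING_SMB_CONF))
    print("unmapped owners in ACL dump:", find_unmapped_sids(SAMPLE_ACL_OUTPUT))
```

Run it against a real smb.conf by reading the file into `check_idmap`, and against `smbcacls --numeric` output by feeding it to `find_unmapped_sids`. Any S-1-22-* owner on a share means smbd could not map that uid/gid to a domain SID at the moment the ACL was read, which is the symptom the thread describes; a clean idmap range check rules out range overlap as the cause and points back at the lookup path (winbind versus sssd) instead.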
Rowland penny
2020-Nov-22 13:10 UTC
[Samba] Windows file ownership changed from SID to Unix User
On 22/11/2020 12:50, Gregory Giguashvili via samba wrote:
> After upgrading Samba server from 4.9 to 4.10 version running on RHEL 7.7
> OS, something changed in how Windows clients see the file ownership on the
> exported shares. Instead of SID owners, it now shows "Unix User\username"
> and "Unix group\groupname" users. This works fine in all the cases except
> when Samba share is used for storing Windows user profiles. The workaround
> mentioned in
> https://serverfault.com/questions/515968/house-roaming-profiles-on-realm-trusted-samba-server/517616#517616
> works, but it is to be avoided due to possible security issues.
>
> I should mention that I'm NOT using winbind service. My Samba servers are
> joined to the domain using SSSD. This worked fine with Samba 4.8 and 4.9,
> but stopped working from 4.10 version.

No, you only thought it worked using sssd on 4.8.x & 4.9.x, but it didn't work correctly. Before Samba 4.8.0, smbd was able to directly contact AD, but this changed when 4.8.0 was released: smbd must go through winbind, and you cannot run winbind with sssd.

Samba never produced sssd, so little is known about it on this mailing list, but I suggest you stop using sssd and set up the profiles share using Windows ACLs.

Rowland
Gregory Giguashvili
2020-Nov-22 13:51 UTC
[Samba] Windows file ownership changed from SID to Unix User
> No, you only thought it worked using sssd on 4.8.x & 4.9.x, but it
> didn't work correctly.

Maybe, but it "worked". Can we speculate what change in 4.10.x prompted Samba to export "Unix user\username" type of ownership to Windows clients instead of SID? Is there any option to revert to previous "wrong" behavior as a temporary workaround?

> Before Samba 4.8.0, smbd was able to directly contact AD, but this
> changed when 4.8.0 was released, smbd must go through winbind and you
> cannot run winbind with sssd.

I've been using version 4.8.x and 4.9.x with SSSD without noticing any problems. I only encountered the issue with the 4.10.x upgrade of Samba.

> Samba never produced sssd, so little is known about it on this mailing
> list, but I suggest you stop using sssd and set up the profiles share
> using Windows ACLs.

I could not find a consistent document describing this setup. There are bits and pieces of it. Can I really replace SSSD completely by winbind if I'm also using it for autofs? Or would I be forced to set up two Samba servers: one for data/homes (SSSD) and one for profiles (winbind)?

[sssd]
domains = MYDOM.local
config_file_version = 2
services = nss, pam, autofs

[domain/mydom.local]
# debug_level = 4
ad_domain = ec-eps.local
krb5_realm = MYDOM.LOCAL
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/shared/%u
access_provider = ad
dns_resolver_timeout = 30
ad_maximum_machine_account_password_age = 0
autofs_provider = ad