Gregory Giguashvili
2020-Nov-22 13:51 UTC
[Samba] Windows file ownership changed from SID to Unix User
> No, you only thought it worked using sssd on 4.8.x & 4.9.x, but it
> didn't work correctly.

Maybe, but it "worked". Can we speculate what change in 4.10.x prompted Samba to export "Unix user\username" type of ownership to Windows clients instead of SID? Is there any option to revert to previous "wrong" behavior as a temporary workaround?

> Before Samba 4.8.0, smbd was able to directly contact AD, but this
> changed when 4.8.0 was released, smbd must go through winbind and you
> cannot run winbind with sssd.

I've been using version 4.8.x and 4.9.x with SSSD without noticing any problems. I only encountered the issue with the 4.10.x upgrade of Samba.

> Samba never produced sssd, so little is known about it on this mailing
> list, but I suggest you stop using sssd and set up the profiles share
> using Windows ACLs.

I could not find a consistent document describing this setup. There're bits and pieces of it. Can I really replace SSSD completely by winbind if I'm also using it for autofs? Or, I'd be forced to set up two Samba servers: for data/homes (SSSD) and profiles (winbind)?

[sssd]
domains = MYDOM.local
config_file_version = 2
services = nss, pam, autofs

[domain/mydom.local]
# debug_level = 4
ad_domain = ec-eps.local
krb5_realm = MYDOM.LOCAL
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/shared/%u
access_provider = ad
dns_resolver_timeout = 30
ad_maximum_machine_account_password_age = 0
autofs_provider = ad
Rowland penny
2020-Nov-22 14:16 UTC
[Samba] Windows file ownership changed from SID to Unix User
On 22/11/2020 13:51, Gregory Giguashvili wrote:
> > No, you only thought it worked using sssd on 4.8.x & 4.9.x, but it
> > didn't work correctly.
>
> Maybe, but it "worked". Can we speculate what change in 4.10.x
> prompted Samba to export "Unix user\username" type of ownership to
> Windows clients instead of SID? Is there any option to revert to
> previous "wrong" behavior as a temporary workaround?

I think it 'might' be this:

https://bugzilla.samba.org/show_bug.cgi?id=13813

I cannot say for sure it is that, but it is a very good possibility.

> > Before Samba 4.8.0, smbd was able to directly contact AD, but this
> > changed when 4.8.0 was released, smbd must go through winbind and you
> > cannot run winbind with sssd.
>
> I've been using version 4.8.x and 4.9.x with SSSD without noticing any
> problems. I only encountered the issue with the 4.10.x upgrade of Samba.

It might have seemed to work, but there were probably unseen problems under the hood.

> > Samba never produced sssd, so little is known about it on this mailing
> > list, but I suggest you stop using sssd and set up the profiles share
> > using Windows ACLs.
>
> I could not find a consistent document describing this setup. There're
> bits and pieces of it. Can I really replace SSSD completely by winbind
> if I'm also using it for autofs? Or, I'd be forced to set up two Samba
> servers: for data/homes (SSSD) and profiles (winbind)?

sssd never worked with NTLM or ACLs, it just basically did ldap, so you should be able to get Samba working with autofs. The information for getting Samba to work correctly as a Unix domain member is on the Samba wiki, for anything you do not understand, ask here.

There is no one supporting the use of sssd with Samba, not even Red Hat.

Rowland
Gregory Giguashvili
2020-Nov-22 14:58 UTC
[Samba] Windows file ownership changed from SID to Unix User
> There is no one supporting the use of sssd with Samba, not even Red Hat.

Now that I know what to look for (thank you, Rowland!), I found https://access.redhat.com/solutions/3802321 page explaining how to properly bridge between SSSD and winbind. In essence, the following configuration is in place (copy-pasting main parts of the document for the benefit of those who have no RHEL Customer Portal access):

# yum install realmd oddjob oddjob-mkhomedir sssd adcli samba samba-winbind krb5-workstation
# realm join testlab.redhat.com -U Administrator --client-software=sssd --membership-software=samba
# systemctl stop sssd ; rm -f /var/lib/sss/db/* ; systemctl start sssd

// This is the key! Need to replace winbind client RPM by SSSD-winbind-idmap RPM
# yum remove sssd-libwbclient
# yum install sssd-winbind-idmap

/etc/samba/smb.conf - idmap configuration:

idmap config * : backend = tdb
idmap config * : range = 10000-199999
idmap config TESTLAB : backend = sss
idmap config TESTLAB : range = 200000-2147483647

# systemctl enable smb winbind ; systemctl restart smb winbind
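A small sanity check for the idmap part of that recipe, added here as an example and not part of the thread or of the Red Hat article: it parses the `idmap config` lines out of an smb.conf, confirms the domain uses the `sss` backend, and confirms the domain range does not overlap the default `*` range (each id must map to exactly one backend). The domain name TESTLAB, the temp file paths and the sample file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): check the idmap lines of an smb.conf for the
# sssd/winbind bridge. Domain name, paths and sample contents are constructed.

# parse_idmap FILE DOMAIN KEY: print the value of "idmap config DOMAIN : KEY = value"
parse_idmap() {
    awk -v dom="$2" -v key="$3" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^[#;]/ { next }                      # comment line, ignore
        line ~ /^idmap[ \t]+config[ \t]+/ {
            sub(/^idmap[ \t]+config[ \t]+/, "", line)
            colon = index(line, ":"); eq = index(line, "=")
            if (colon == 0 || eq < colon) next       # not "<domain> : <key> = <value>"
            d = substr(line, 1, colon - 1); k = substr(line, colon + 1, eq - colon - 1)
            v = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", d); gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(d) == tolower(dom) && tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# check_idmap_config FILE DOMAIN: returns 0 if sane, 1 (with a reason on stdout) otherwise
check_idmap_config() {
    def_backend=$(parse_idmap "$1" '*' backend); def_range=$(parse_idmap "$1" '*' range)
    dom_backend=$(parse_idmap "$1" "$2" backend); dom_range=$(parse_idmap "$1" "$2" range)
    [ -n "$def_backend" ] || { echo "no default (*) idmap backend"; return 1; }
    [ "$dom_backend" = "sss" ] || { echo "$2 backend is '$dom_backend', expected sss"; return 1; }
    for r in "$def_range" "$dom_range"; do
        case "$r" in [0-9]*-[0-9]*) ;; *) echo "range '$r' missing or malformed"; return 1;; esac
    done
    # each id must belong to exactly one backend, so the two ranges must not overlap
    def_lo=${def_range%-*}; def_hi=${def_range#*-}; dom_lo=${dom_range%-*}; dom_hi=${dom_range#*-}
    if [ "$def_hi" -ge "$dom_lo" ] && [ "$dom_hi" -ge "$def_lo" ]; then
        echo "ranges $def_range and $dom_range overlap"; return 1
    fi
    return 0
}

# Constructed samples: good.conf mirrors the idmap lines quoted above, bad.conf widens
# the default range so it overlaps the TESTLAB range.
TMP=$(mktemp -d); GOOD_CONF=$TMP/good.conf; BAD_CONF=$TMP/bad.conf
cat > "$GOOD_CONF" <<'EOF'
[global]
   idmap config * : backend = tdb
   idmap config * : range = 10000-199999
   idmap config TESTLAB : backend = sss
   idmap config TESTLAB : range = 200000-2147483647
EOF
sed 's/10000-199999/10000-299999/' "$GOOD_CONF" > "$BAD_CONF"
check_idmap_config "$GOOD_CONF" TESTLAB && echo "good.conf: ok"
check_idmap_config "$BAD_CONF" TESTLAB || echo "bad.conf: rejected"
```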