What do you see if you run: id username
And run: getfacl on the folder/files to see more..

Greetz,

Louis

> -----Original message-----
> From: samba <samba-bounces at lists.samba.org> On behalf of Matthew
> Richardson via samba
> Sent: Wednesday 17 August 2022 13:32
> To: samba at lists.samba.org
> Subject: [Samba] unix_primary_group not used when writing files
>
> I have a samba server (v4.13.17 - Ubuntu 20.04) set up joined to an AD
> domain, with the following idmap config:
>
> [global]
> workgroup = MYDOM
> realm = MYDOM.EXAMPLE.COM
> security = ads
> idmap config * : backend = tdb
> idmap config * : range = 3000 - 9999
> idmap config MYDOM : backend = ad
> idmap config MYDOM : schema_mode = rfc2307
> idmap config MYDOM : range = 10000 - 9999999
> idmap config MYDOM : unix_primary_group = yes
> idmap config MYDOM : unix_nss_info = yes
> winbind use default domain = yes
>
> All users in the domain have the unix attributes set (gidNumber, loginShell
> etc). There is also a group with the same gid as the user's gidNumber, and
> that user is a member of that group.
>
> This shows up fine using the nss commands, e.g.:
>
> $ getent passwd alice
> alice:*:12345:12345:Alice Smith:/home/alice:/bin/bash
>
> $ getent group alice
> alice:x:12345:
>
> $ groups alice
> alice : alice domain users
>
> However if I connect using smbclient and write files, they are always group
> owned by 'domain users':
>
> $ smbclient -k -L //server.example.com/alice
> > put test.txt
>
> $ ls -l /home/alice
> -rwxrwxr-x+ 1 alice domain users 38 Aug 16 20:29 test.txt
>
> Samba logging (debug level 4) during this file write correctly identifies the
> primary group:
>
> UNIX token of user 12345
> Primary group is 12345 and contains 164 supplementary groups
>
> However it then uses domain users when writing (gid 273711):
>
> [2022/08/16 19:12:02.052968, 2] ../../source3/smbd/open.c:1524(open_file)
>   MYDOM\alice opened file test.txt read=Yes write=Yes (numopen=1)
> [2022/08/16 19:12:02.060177, 3] ../../source3/smbd/posix_acls.c:1205(unpack_nt_owners)
>   unpack_nt_owners: owner sid mapped to uid 12345
> [2022/08/16 19:12:02.060584, 3] ../../source3/smbd/posix_acls.c:1226(unpack_nt_owners)
>   unpack_nt_owners: group sid mapped to gid 273711
> [2022/08/16 19:12:02.060994, 3] ../../source3/smbd/posix_acls.c:3760(set_nt_acl)
>   set_nt_acl: chown test.txt. uid = 12345, gid = 273711.
>
> Can anyone suggest what might be going on here?
>
> Thanks,
>
> Matthew
>
> The University of Edinburgh is a charitable body, registered in Scotland, with
> registration number SC005336. Is e buidheann carthannais a th' ann an
> Oilthigh Dhùn Èideann, clàraichte an Alba, àireamh clàraidh SC005336.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Matthew Richardson
2022-Aug-17 15:13 UTC
[Samba] unix_primary_group not used when writing files
Thanks both for your help!

> What do you see if you run: id username
> And run: getfacl on the folder/files to see more..

$ id alice
uid=12345(alice) gid=12345(g_alice) groups=12345(g_alice),273711(domain users)

$ getfacl /home/alice/test.txt
getfacl: Removing leading '/' from absolute path names
# file: /home/alice/test.txt
# owner: alice
# group: domain\040users
user::rwx
user:alice:rwx
group::rwx
group:domain\040users:rwx
mask::rwx
other::r-x

Also for some extra info:

$ wbinfo -n alice
S-1-5-21-861567501-1417001333-682003330-11132

$ smbclient -k -L //server.example.com/alice
> showacls
> ls test.txt
dos_clean_name [\test.txt]
unix_clean_name [\test.txt]
FILENAME:test.txt
MODE:A
SIZE:280
MTIME:Wed Aug 17 12:16:10 2022
revision: 1
type: 0x8004: SEC_DESC_DACL_PRESENT SEC_DESC_SELF_RELATIVE
DACL
ACL Num ACEs: 3 revision: 2
---
ACE
  type: ACCESS ALLOWED (0) flags: 0x00
  Specific bits: 0x1ff
  Permissions: 0x1f01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS DELETE_ACCESS
  SID: S-1-5-21-861567501-1417001333-682003330-11132
ACE
  type: ACCESS ALLOWED (0) flags: 0x00
  Specific bits: 0x1ff
  Permissions: 0x1f01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS DELETE_ACCESS
  SID: S-1-5-21-861567501-1417001333-682003330-513
ACE
  type: ACCESS ALLOWED (0) flags: 0x00
  Specific bits: 0xa9
  Permissions: 0x1200a9: SYNCHRONIZE_ACCESS READ_CONTROL_ACCESS
  SID: S-1-1-0
Owner SID: S-1-5-21-861567501-1417001333-682003330-11132
Group SID: S-1-5-21-861567501-1417001333-682003330-513

> Did you add 'alice' to the group 'g_alice'? If so, how?

I got our 'Windows person' to create the group and make alice a member. I can ask what steps they did if that's useful, but it'll most likely be whatever 'standard' steps you do in the AD to achieve that.

I can also confirm that the outputs are as you have updated them - i.e. no members in the first group, but members in the second.

$ getent group g_alice
g_alice:x:12345:

$ groups alice
alice : g_alice domain users

This seems to be the same for all AD groups (local groups show members) e.g.:

$ getent group "domain users"
domain users:x:273711:

Thanks,

Matthew

On 17/08/2022 13:53, L. van Belle via samba wrote:
> This email was sent to you by someone outside the University.
> You should only click on links or attachments if you are certain that the email is genuine and the content is safe.
>
> What do you see if you run: id username
> And run: getfacl on the folder/files to see more..
>
> Greetz,
>
> Louis
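As an added diagnostic (my own example, not code from the thread or from the Samba project): a small Python script that parses the kind of `id` and `getfacl` output posted above, decodes getfacl's `\040` octal escape for the space in "domain users", and reports whether the file's owning group is the user's primary group or merely one of the supplementary groups in the user's token. The sample output embedded below is constructed to match the values in the thread rather than captured from a live host.

```python
import re

# Constructed sample output modelled on the commands posted in the thread;
# not captured from a real host.
ID_OUTPUT = "uid=12345(alice) gid=12345(g_alice) groups=12345(g_alice),273711(domain users)"

# getfacl escapes the space in "domain users" as the octal sequence \040.
GETFACL_OUTPUT = """\
# file: home/alice/test.txt
# owner: alice
# group: domain\\040users
user::rwx
user:alice:rwx
group::rwx
group:domain\\040users:rwx
mask::rwx
other::r-x
"""


def decode_getfacl_escapes(name: str) -> str:
    """Turn getfacl's \\ooo octal escapes (e.g. \\040 for a space) back into characters."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def parse_id(line: str) -> dict:
    """Parse id(1) output of the form uid=N(name) gid=N(name) groups=N(name),N(name),..."""
    m = re.match(r"uid=(\d+)\(([^)]*)\) gid=(\d+)\(([^)]*)\)", line)
    if not m:
        raise ValueError("unrecognised id(1) output: %r" % line)
    groups = {}
    if "groups=" in line:
        for gid, name in re.findall(r"(\d+)\(([^)]*)\)", line.split("groups=", 1)[1]):
            groups[int(gid)] = name
    return {"uid": int(m.group(1)), "user": m.group(2),
            "gid": int(m.group(3)), "primary_group": m.group(4),
            "groups": groups}


def parse_getfacl(text: str) -> dict:
    """Parse getfacl output into file owner/group plus the named user and group ACL entries."""
    acl = {"file": None, "owner": None, "group": None, "named_users": {}, "named_groups": {}}
    for line in text.splitlines():
        if line.startswith("# file: "):
            acl["file"] = decode_getfacl_escapes(line[len("# file: "):])
        elif line.startswith("# owner: "):
            acl["owner"] = decode_getfacl_escapes(line[len("# owner: "):])
        elif line.startswith("# group: "):
            acl["group"] = decode_getfacl_escapes(line[len("# group: "):])
        elif line.startswith(("user:", "group:")) and not line.startswith(("user::", "group::")):
            # Named entries look like "group:domain\040users:rwx"; the owner entries "user::" and
            # "group::" carry no name and are skipped here.
            kind, rest = line.split(":", 1)
            name, perms = rest.rsplit(":", 1)
            bucket = "named_users" if kind == "user" else "named_groups"
            acl[bucket][decode_getfacl_escapes(name)] = perms
    return acl


def check_primary_group(id_line: str, getfacl_text: str) -> dict:
    """Compare the group owning the file with the user's primary group as reported by id(1)."""
    ident = parse_id(id_line)
    acl = parse_getfacl(getfacl_text)
    file_group = acl["group"]
    # Look the file's group name up in the user's token to find its gid, if present.
    file_gid = next((gid for gid, name in ident["groups"].items() if name == file_group), None)
    result = {
        "file": acl["file"],
        "expected_group": ident["primary_group"],
        "actual_group": file_group,
        "matches": file_group == ident["primary_group"],
        "actual_group_is_supplementary": file_gid is not None and file_gid != ident["gid"],
    }
    if result["matches"]:
        result["verdict"] = "file group matches the user's primary group"
    elif result["actual_group_is_supplementary"]:
        result["verdict"] = ("file is group-owned by supplementary group %r (gid %d), "
                             "not primary group %r (gid %d)"
                             % (file_group, file_gid, ident["primary_group"], ident["gid"]))
    else:
        result["verdict"] = "file group %r is not in the user's token at all" % file_group
    return result


if __name__ == "__main__":
    print(check_primary_group(ID_OUTPUT, GETFACL_OUTPUT)["verdict"])
```

On real output, feed the script the text of `id <user>` and `getfacl <file>` from the server; a "supplementary group" verdict is the symptom described in the thread (the Samba-side chown used the gid of 'domain users' rather than the gidNumber primary group), while a "not in the user's token" verdict would point at an idmap range or NSS lookup problem instead.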