Samba4 Linux user has two uid's

steve steve at steve-ss.com
Thu Mar 21 16:44:28 MDT 2013


On 21/03/13 23:10, Gémes Géza wrote:
> On 2013-03-21 21:01, Rowland Penny wrote:
>> Hi,
>> If you join an S3 client to an S4 domain you get a different uid on the 
>> client and server i.e.
>>
>> Info from the client
>> $ id user
>> uid=21105(user) gid=20513(domain_users) groups=20513(domain_users),1101(BUILTIN\users)
>>
>> Info from the server
>> # id user
>> uid=3000016(DOMAIN\user) gid=100(users) groups=100(users)
>>
>> Now if you mount a share onto the client from the server via pam_script:
>>
>> mount -t cifs //server/dropbox /home/dropbox -o username=user,cruid=userid,sec=krb5i,multiuser,nobrl,mapchars,mfsymlinks,noserverino
>>
>> If a file is now created in the share by the user, the user 
>> immediately loses all rights to it from the client.
>>
>> Is this a CIFS problem or a Samba4 problem?
>>
> Hi,
>
> Please check that you have the following:
>
> For samba4 use rfc2370 and specify the uids/gids (using e.g. ADUC), 
> copy/symlink the libnss files and allow winbind in /etc/nsswitch.conf
> For samba3 use idmap_ad with a range that covers the assigned uids/gids.
>
> If that is configured and doesn't work as expected, please post your 
> smb.conf (both from AD and client system) and an ldif for a user 
> obtained by ldbsearch.
>
> Regards
>
> Geza Gemes

Hi Rowland, Geza

1. the nss mappings.

Rowland, you don't say how you're pulling the uid but I have several s3 
boxes connected to a S4 DC. The DC is also the file server. I gave up on 
winbind in favour of nss-ldapd and using it to pull the whole of rfc2307 
on both the s3 clients and the s4 DC. The mappings are identical on both 
client and server. It seems much easier to set up than winbind.

2. the cifs mount on the clients

I think the mappings must be identical before the permissions and 
ownerships will work, but just keeping it simple; as any of several 
users can log in to any given client, we simply mount the equivalent of:

mount -t cifs //server/share /share -osec=krb5,multiuser

IOW, forget specifying a specific user. Get it working with multiuser 
first and then add the other stuff?

HTH. Cheers,
Steve
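
The requirement discussed above, that uid/gid mappings be identical on client and server before ownership on the CIFS mount behaves, can be checked mechanically. The script below is an added example, not part of the original thread: it compares two `getent passwd` dumps and lists accounts whose uid or gid differ. The function names, file names and the `alice` account are constructed; the numbers for `user` are the ones from the `id` output quoted in the thread.

```shell
#!/bin/sh
# Report accounts whose uid/gid differ between two hosts.
# Inputs are `getent passwd` dumps (name:passwd:uid:gid:gecos:home:shell).

idmap_diff() {
    # $1 = dump taken on the client, $2 = dump taken on the server
    awk -F: '
        # Strip a leading DOMAIN\ prefix so both name forms compare equal.
        function norm(n,   i) {
            i = index(n, "\\")
            if (i) n = substr(n, i + 1)
            return tolower(n)
        }
        # First file: remember the client view of each account.
        FILENAME == ARGV[1] { cuid[norm($1)] = $3; cgid[norm($1)] = $4; next }
        # Second file: print accounts known to both hosts that disagree.
        {
            u = norm($1)
            if ((u in cuid) && (cuid[u] != $3 || cgid[u] != $4))
                printf "%s client=%s:%s server=%s:%s\n", u, cuid[u], cgid[u], $3, $4
        }
    ' "$1" "$2"
}

make_samples() {
    # Constructed sample data written into directory $1.
    cat > "$1/client.passwd" <<'EOF'
user:*:21105:20513:user:/home/user:/bin/bash
alice:*:10001:20513:alice:/home/alice:/bin/bash
EOF
    cat > "$1/server.passwd" <<'EOF'
DOMAIN\user:*:3000016:100:user:/home/DOMAIN/user:/bin/bash
DOMAIN\alice:*:10001:20513:alice:/home/DOMAIN/alice:/bin/bash
EOF
}

tmp=$(mktemp -d)
make_samples "$tmp"
idmap_diff "$tmp/client.passwd" "$tmp/server.passwd"
rm -rf "$tmp"
```

On real hosts the two inputs would be the output of `getent passwd` saved on the client and on the DC; an empty result means every account seen by both hosts maps to the same uid and gid.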


