Samba4 Linux user has two uid's

Thomas Simmons twsnnva at gmail.com
Mon Mar 25 12:59:09 MDT 2013


On Mon, Mar 25, 2013 at 2:30 PM, Rowland Penny <repenny at f2s.com> wrote:

> On 21/03/13 20:01, Rowland Penny wrote:
>
>> Hi,
>> If you join a S3 client to a S4 domain you get a different uid on the
>> client and server i.e.
>>
>> Info from the client
>> $ id user
>> uid=21105(user) gid=20513(domain_users) groups=20513(domain_users),1101(BUILTIN\users)
>>
>>
>> Info from the server
>> # id user
>> uid=3000016(DOMAIN\user) gid=100(users) groups=100(users)
>>
>> Now if you mount a share onto the client from the server via pam_script:
>>
>> mount -t cifs //server/dropbox /home/dropbox -o username=user,cruid=userid,sec=krb5i,multiuser,nobrl,mapchars,mfsymlinks,noserverino
>>
>> If a file is now created in the share by the user, the user immediately
>> loses all rights to it from the client.
>>
>> Is this a CIFS problem or a Samba4 problem?
>>
>>
> OK, I am now coming round to think that there is something wrong with
> Samba 3.6.X after 3.6.3.
> Reasons?
> I cannot get it to show domain users or groups on Samba 3.6.6 running on Mint
> 14, the smb.conf is identical to the one I used on 3.6.3 running on Ubuntu
> 12.04 which works.
>
> I then spent some time downloading and compiling various versions, all
> of which failed in the same way.
>
> As I wasn't sure if it was the way that I was compiling samba or not, I
> have installed Opensuse 12.3 and again set up samba with the same smb.conf.
> Opensuse uses version 3.6.12. It fails in exactly the same way i.e. getent
> will not return domain users, only local users.
>
> So, unless anybody is prepared to come forward and announce that they are
> using a version later than 3.6.3, I must suggest that something in samba is
> broken.
>

Hello Rowland,

I don't know if you missed my reply above, but I stated (link below) that I
had this working on 3.6.10, compiled from source, in the thread I linked
to. Apart from --with-ads and --with-shared-modules=idmap_ad, I don't know
what other options I used. I spent the better part of a weekend trying to
figure out my original problem (specific to the domain controller itself)
which turned out to be a bug. I'll set up a test VM later today and try to
duplicate what I did then. I can't imagine such critical functionality
would have been broken since 3.6.3 and not have been noticed before now.
Have you increased logging verbosity and checked your logs for anything?
That's how I discovered the idmap_ad problem.

https://lists.samba.org/archive/samba/2012-December/170552.html


> Rowland