[Samba] Samba 3.0.0 -- ACLs are unusable due to UID/SID mapping weirdness :(

John H Terpstra jht at samba.org
Tue Oct 21 05:58:31 GMT 2003


On Mon, 20 Oct 2003, Anton Solovyev wrote:

> John,
>
> John H Terpstra wrote:
>
> >Having read your posting, I believe I need your help to fix our
> >documentation. Are you willing to help me to do that?
> >
> >
>
> I could try.

Thanks.

>
> >>I am sure somebody asks this question about once a week. Since I have
> >>not found an answer I assume the worst -- it just does not work.
> >>
> >>
> >
> >Please do not assume that because something does not work the way you have
> >tried it that this means that Samba is broken. That is a bit like failing
> >a driving test and then claiming that the test vehicle must have been
> >defective!
> >
> >
>
> Absolutely. My fault.

No problem.

>
> >Have you read the Samba-HOWTO-Collection.pdf? Did you understand it all?
> >Did you read the chapter on Group Mapping? Did it help you any? What do we
> >need to add to the documentation to help someone else to understand the
> >issues and to help them to find a solution.
> >
> >
>
> Yes, I did notice that it was close to what I was looking for. I could
> not find anything about *user* mapping though. It is not going to help
> me with *users*, is it? :)

You do not need to configure local users on a Samba domain member server,
winbind is the best tool for such interoperability. Use of winbind will
ensure unified user and group identities for MS Windows users.

User name mapping can be done with the parameter (in [globals]):
	username map = /etc/samba/smbusers

Check the man page for smb.conf for syntax etc.

>
> >I need your feedback to help improve our documentation. Perhaps it is all
> >wrong. It could be you know!
> >
> >
>
> The first (silly) suggestion -- make the link to
> Samba-HOWTO-Collection.html on the front page more visible. Took me a
> while to get to it.

I have made it more prominent on the Documentation page.

>
> >>So, here goes my problem. I am testing Samba 3.0.0. I have got UNIX and
> >>Windows domain users matching each other one-to-one.
> >>
> >>
> >
> >Here we go! What do you mean by: "users matching each other one-to-one"?
> >Please explain this fully. I do not want to jump to conclusions, but my
> >reading is that you have added users to the Samba server while it is a
> >domain member server. Is my interpretation correct?
> >
> >
> >
>
> There is a set of users common to the NT domain and the UNIX NIS
> environment. That is the usernames are the same in both. Yes, Samba is a
> domain member (security = domain), so the passwords for these users are
> verified against the NT domain.

My question was: Did you add local users on the Samba server into the
/etc/passwd database?

>
> >>The server is running with "security = domain". Everything works fine
> >>and all Windows users connecting to Samba get mapped into their
> >>respective UNIX user ids. Everything is nice, simple and consistent.
> >>
> >>
> >
> >So you have a Windows NT4 Domain, or Active Directory? I can't really tell
> >from your description. It does matter - it would certainly help me to help
> >you. I have to tell people time and again that my crystal ball is worn out
> >and my guessing is lousy! :)
> >
> >
> >
>
> There I am a little unfirm. As far as I know it is an AD domain that
> still supports NT style authentication.

If your Win2K domain is Active Directory based then you should configure
Samba-3 as an ADS member server. See chapter 7.4 of the
Samba-HOWTO-Collection.

>
> I tried to make the message as short as possible to make it more
> readable. Very few people read messages that do not fit into single
> screen. Plus, I could not state the problem quite clearly. So, I was
> just hoping to get attention of a guru and give the details later.

Ok.

>
> >How did you "join the domain"? What precise steps did you take? Help me to
> >reproduce your problem!
> >
> >
>
> I installed Samba and executed something like:
>
> ===
> net join -Uanadmin%password -W domain -S windows-dc
> ===

Ok. But you will have better results following Chapter 7.4.

>
> >What information can you glean from the samba log files to confirm that
> >"everything is nice, simple and consistent"?
> >
> >
>
> Well, it just worked most of the time the way we expected.
>
> By "consistent and simple" I mean,  something like -- "you have a
> Windows user that needs to get to a Samba share? Create a UNIX account
> with the *same name* and you will get an smbd process with the UID and
> hence the permissions of that user accessing the files on the server (ok
> not always). The authentication will be done on the NT side though".

Nope. You should use winbind for that. Any other way will cause you
problems when you try to use ACLs.

> >>Now I want to enable ACLs and fortunately the host OS supports them
> >>fine. Here the trouble starts. It looks like ACLs refuse to work in the
> >>absence of winbindd.
> >>
> >>
> >
> >Precisely, which user identities (or group identities) do you want to
> >include in the ACLs? Accounts that are in /etc/passwd on the Samba server,
> >or Domain Accounts?
> >
> >
>
> I do not want to see on the UNIX side any UIDs that are not listed in
> /etc/passwd. I do not want to differentiate between NT domain users and
> matching users in /etc/passwd.

Why do you need user entries in /etc/passwd? Let NSS do that for you from
the Windows Active Directory - gives more controllable results.

> It would be too much to ask, if it did not work "automagically" before I
> looked at ACLs. If I do not want ACLs, I, the domain user
> "\DOMAIN\solovam", create all the files and have all the permissions of
> the UNIX user "solovam". Once I want ACLs all of sudden this simplicity
> breaks and I have to worry about mapping SIDs back to UIDs.

You need to understand how NT User SIDs (security IDs) are mapped to UNIX
uids/gids. See chapter 11 section 11.2. Using only one system for NT SID
<==> UNIX uid/gid mapping is the safest way.

> >If you have a johndoe account in the Samba /etc/passwd, and a johndoe
> >account on the Domain as well, then you need to realise that they are two
> >totally different users. One is machine local and tied to the SID of your
> >Samba server, the other is Domain Global, and is tied to the Domain SID.
> >Do you recognize that?
> >
> >
>
> Very good.  I was afraid I would not be able to explain the problem
> clearly enough and you got right to the point :)
>
> I do realize the difference. But here are my questions:
>
> 1. If UNIX accounts are local to the Samba server, why am I able to
> connect to it with my domain password?

Good question. The reason is that on a Domain member server the
authentication is passed through to the Domain Controllers by Samba. It is
not done on the local machine. What does happen though is that Samba
checks for the existence of the user using the getent system call. Since
in your /etc/nsswitch.conf file you have:

passwd: files winbind
shadow: files winbind
group: files winbind

or else:

passwd: compat winbind
group:  compat winbind


In either case above, getent will resolve UID/GID information first from
/etc/passwd and only then via winbind. That is where your problem is!
To correct this, simply put winbind before the system file. Even better
still, do not put users in the system /etc/passwd file!

> 2. If UNIX accounts generally are not related to domain accounts, why do
> I get "proper" mapping from my NT username to the same UNIX username
> (unless I want ACLs!) and more importantly to the right user id? I do
> not have to run winbindd for that!

Explained above.

>
> 3. Why, when I create files on NT servers, they are owned by the
> *domain* account, whereas on Samba server they are owned by the *local*
> account? They are supposed to be configured the same way, ask for the
> same password and generally behave the same. That's what the
> description of the "security" option in smb.conf says.

Explained above.

>
> 4. If I have to maintain SID to UID mapping manually (which is a huge
> hassle!), I could not find a tool to do that. I am getting a feeling you
> are going to tell me to use "net groupmap" for that :) If so, that would
> be something to fix in the documentation. People do not read all text,
> people look for keywords.

No way! Let winbind do it for you!

When you fail your driving test do you explain to the police that people
do not read the rules of the road, we only look at keywords? Sorry, bad
excuse! :)

>
> 5. To put it simply -- I never noticed any difference between local and
> domain accounts on Samba servers. Why all of sudden all the trouble when
> I want ACLs?

Explained above.

>
> >Alternatively, could it possibly be that your understanding of how this
> >ought to work is "completely uninformed", or "completely unrealistic", or
> >maybe "just a little bit off".
> >
> >
> >
>
> Very possible. Samba has become an incredibly complex product.

Sure has! We agree!

>
> >What documentation did you look at? What documentation (specific pages
> >etc.) did you look at that allowed you to come to the conclusions you have
> >arrived at.
> >
> >
> >
>
> I have been looking at HTML howto collection for 3.0.

The Adobe PDF is a little easier to navigate. The book "The Official
Samba-3 HOWTO and Reference Guide" has a useful subject index in the back
(7 pages!) that makes things much easier to find. It's available from
Amazon.


I hope this helps you, as well as the next person who wants to sort out
this type of problem.

- John T.
-- 
John H Terpstra
Email: jht at samba.org
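The nsswitch.conf ordering John describes (a local source such as `files` or `compat` listed before `winbind`, so getent answers from /etc/passwd first and a local account shadows the domain account with the same name) is easy to check for mechanically. The following script is an added example, not code from the thread or from the Samba project: it parses a constructed nsswitch.conf and a constructed /etc/passwd, reports the databases where a local source precedes winbind, lists the local names that collide with domain names (the "two totally different users" John warns about), and produces the reordered lines. The sample files and the domain user list are constructed for the example; on a real server the domain list would come from winbind.

```python
"""Detect local-before-winbind NSS ordering and local/domain name collisions.

Added example for the Samba member-server discussion above; not part of
the mailing-list thread or of Samba itself. All inputs below are constructed.
"""
import re

# Constructed sample: the ordering that makes getent prefer /etc/passwd.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd: files winbind
shadow: files winbind
group:  compat winbind
hosts:  files dns
"""

# Constructed sample of local accounts on the member server.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
solovam:x:1001:1001:Anton Solovyev:/home/solovam:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
"""

# Constructed stand-in for what winbind would enumerate from the domain.
SAMPLE_DOMAIN_USERS = ["DOMAIN\\solovam", "DOMAIN\\jht", "DOMAIN\\administrator"]

NSS_DATABASES = ("passwd", "shadow", "group")
LOCAL_SOURCES = ("files", "compat")


def parse_nsswitch(text):
    """Return {database: [source, ...]} for each database line in nsswitch.conf."""
    result = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or ":" not in line:
            continue
        db, sources = line.split(":", 1)
        # Keep plain source names; skip action tokens such as [NOTFOUND=return].
        result[db.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return result


def shadowing_databases(text):
    """Databases where a local source is consulted before winbind.

    With that order a local /etc/passwd entry wins over the domain account
    of the same name, so the file owner resolves to the local uid/SID.
    """
    found = []
    for db, sources in parse_nsswitch(text).items():
        if db not in NSS_DATABASES or "winbind" not in sources:
            continue
        local = [s for s in sources if s in LOCAL_SOURCES]
        if local and sources.index(local[0]) < sources.index("winbind"):
            found.append(db)
    return found


def reordered_nsswitch(text):
    """Rewrite the affected lines with winbind first; other lines are untouched."""
    bad = set(shadowing_databases(text))
    out = []
    for line in text.splitlines():
        m = re.match(r"^(\w+):(\s*)(.*)$", line)
        if m and m.group(1) in bad:
            sources = m.group(3).split()
            sources.remove("winbind")
            out.append(f"{m.group(1)}:{m.group(2)}{' '.join(['winbind'] + sources)}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def colliding_accounts(passwd_text, domain_users):
    """Local /etc/passwd names that also exist in the domain (case-insensitive).

    Each such pair is two distinct identities: one tied to the server SID,
    one tied to the domain SID, which is what breaks ACL ownership later.
    """
    domain_names = {u.split("\\", 1)[-1].lower() for u in domain_users}
    local = [ln.split(":", 1)[0] for ln in passwd_text.splitlines()
             if ln and not ln.startswith("#")]
    return sorted(n for n in local if n.lower() in domain_names)


if __name__ == "__main__":
    print("local source before winbind:", shadowing_databases(SAMPLE_NSSWITCH))
    print("local names shadowing domain users:",
          colliding_accounts(SAMPLE_PASSWD, SAMPLE_DOMAIN_USERS))
    print("suggested nsswitch.conf:\n" + reordered_nsswitch(SAMPLE_NSSWITCH))
```

The reorder only moves `winbind` ahead of the existing sources on the flagged lines; John's stronger recommendation, not keeping the domain users in /etc/passwd at all, is what `colliding_accounts` is meant to make visible.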
