[Samba] Non-default Domain group RID and NAS problem....
jimh at u.washington.edu
Tue Oct 9 15:31:13 GMT 2007
Many moons ago I set up Samba 3.x with LDAP (Fedora Directory Server)
back end. Frankly, I forget what example configurations I worked off
of, but the GIDs and SambaSIDs for well-known "Domain" groups (Admins,
Computers, Guests, Users) start around 2512.
Fast forward 6 months and we have a commercial NAS (EMC) in the domain.
It has worked fine for basic home directories, but as we expand the
number of shared group directories we have started to see flakiness of
CIFS group privileges/access, and the NAS' logs show a set of errors like:
Secmap: Cannnot resolve sid S-1-5-15-yadda-yadda-202
LGDB: Cannot get info for S-1-5-15-yadda-yadda-202
Secmap: Cannnot resolve sid S-1-5-15-yadda-yadda-201
LGDB: Cannot get info for S-1-5-15-yadda-yadda-201
Then we see a series of not-very-informative/verbose "permission denied"
errors in the EMC logs and find that access to some directories (that
work correctly under Linux/NFS) is denied to CIFS clients using the same uid.
EMC has a tech note about this that says: "Call us." :)
The tech note also says that the NAS is trying to resolve CIFS SIDs (for
Domain Guests and Users) that don't exist and after a lot of these
errors CIFS starts to misbehave.
Since they (EMC) don't support Samba, I figured I would try to come up
with a strategy. It is pretty hokey, but to make CIFS work on the NAS,
we have a script that creates a passwd and group file from LDAP and
copies same onto the NAS every hour. So right now it is copying "Domain
XXX" groups into that group file with 25xx GIDs.
I am guessing the original intent of using 25xx GIDs was to get them out
of any range that would conflict with other Unix groups, but now I am
wondering about the wisdom of trying to move them back to the 20x GID
and RID that CIFS on the EMC expects. Or do we try to fix the EMC so
that it knows that those groups are 25xx?
If anyone has encountered this before with one of the commercial
appliances, I'd be interested to hear your thoughts.
Nota Bene: We have implemented a commodity NAS as a backup server using
OpenFiler. So far, so good. Less mysterious than the EMC in many
respects. So, I expect when it comes time to refresh our NAS capability
we'll be taking a hard look at doing it all with OF.
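As an added diagnostic (not from the post, and not Samba's or EMC's own tooling), the check below cross-references the "Cannot resolve sid" lines from the NAS log against the output of `net groupmap list`, so that a RID the appliance asks for but Samba never mapped stands out from a request for a foreign domain SID. The log lines and groupmap listing are constructed samples, and the domain SID is a placeholder.

```python
import re

# Constructed sample of the NAS errors quoted in the post (placeholder domain SID).
NAS_LOG = """\
Secmap: Cannnot resolve sid S-1-5-21-1111-2222-3333-202
LGDB: Cannot get info for S-1-5-21-1111-2222-3333-202
Secmap: Cannnot resolve sid S-1-5-21-1111-2222-3333-201
LGDB: Cannot get info for S-1-5-21-1111-2222-3333-201
Secmap: Cannnot resolve sid S-1-5-21-9999-8888-7777-513
"""

# Constructed sample in the "<name> (<SID>) -> <unix group>" format that
# `net groupmap list` prints; RIDs start at 2512 as in the post.
GROUPMAP = """\
Domain Admins (S-1-5-21-1111-2222-3333-2512) -> domadmins
Domain Users (S-1-5-21-1111-2222-3333-2513) -> domusers
Domain Guests (S-1-5-21-1111-2222-3333-2514) -> domguests
Domain Computers (S-1-5-21-1111-2222-3333-2515) -> domcomputers
"""

SID_RE = re.compile(r"(S-1-5-21(?:-\d+){3})-(\d+)")
GROUPMAP_RE = re.compile(r"^(.+?) \((S-1-5-21(?:-\d+){3})-(\d+)\) -> (\S+)$")


def unresolved_sids(log_text):
    """Set of (domain_sid, rid) pairs the NAS reported it could not resolve."""
    found = set()
    for line in log_text.splitlines():
        m = SID_RE.search(line)
        if m and re.search(r"Cann+ot", line):  # tolerate the 'Cannnot' spelling in the log
            found.add((m.group(1), int(m.group(2))))
    return found


def parse_groupmap(text):
    """{(domain_sid, rid): (group name, unix group)} from `net groupmap list` output."""
    mapping = {}
    for line in text.splitlines():
        m = GROUPMAP_RE.match(line.strip())
        if m:
            name, dom, rid, unix = m.groups()
            mapping[(dom, int(rid))] = (name, unix)
    return mapping


def classify_missing(log_text, groupmap_text):
    """Sorted (domain_sid, rid, reason) for every unresolved SID Samba has no mapping for.
    'rid-not-mapped' means our domain but an unknown RID; 'foreign-domain' means the
    domain SID itself is not one Samba serves, a different problem from RID numbering."""
    mapping = parse_groupmap(groupmap_text)
    our_domains = {dom for dom, _ in mapping}
    out = []
    for dom, rid in sorted(unresolved_sids(log_text)):
        if (dom, rid) not in mapping:
            out.append((dom, rid, "rid-not-mapped" if dom in our_domains else "foreign-domain"))
    return out
```

Run against real data by feeding the appliance log and the live `net groupmap list` output into `classify_missing` instead of the samples.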