[Samba] samba 4 and nfs permissions
geza at kzsdabas.hu
Sat Dec 24 05:19:19 MST 2011
2011-12-23 14:22 keltezéssel, steve írta:
> We have AD users created with either samba-tool user add steve2 or
> using the windows AD frontend from a windows box.
> Users are created with home directories under /home/CACTUS
> On a win 7 client all works fine. Users can authenticate against the
> CACTUS domain and files are created with the correct uid:gid
> We joined an Ubuntu client to the domain using likewise. /home from
> the server is mounted on the client via nfs. On the ubuntu box, users
> can authenticate, but cannot enter their /home folder. Making the
> folder recursively 0777 allows them access but any new file created
> has the wrong uid:gid
> On the server: wbinfo -i steve2 gives /home/CACTUS/steve2 3000006:100
> and I can use smbclient to create folders that show 3000006:100
> On the ubuntu client however, any new files created have uid:gid of
> Can I eliminate Samba 4 from debugging this problem? If so, then can
> anyone narrow down which of likewise or nfs is the culprit and if
> neither then any other alternatives. . .
The problem you have noted is a result of the fact, that you are using
two softwares with incompatible uid/gid<->sid mapping methods. Likewise
has its own (I'm nut sure just from memories: algorithmic mapping) while
Samba4 uses the "first seen sid first free xid (uid or gid) associated"
method. Both have their shortcomings of their own. IMHO the best
existing approach is represented by Samba3 winbind with the idmap_ad
backend, where it uses the attributes stored in AD (rfc2307 schema).
This way all the AD client linux system will have the same uid, gid,
shell and homedir sets. However this leaves out the Samba4 server, which
is going to have its own (unrelated) mappings. My suggestion would be to
do the minimum possible of file operations on the Samba4 server itself,
doing all from clients.
More information about the samba