[Samba] samba 4 and nfs permissions

steve steve at steve-ss.com
Sat Dec 24 06:58:10 MST 2011

On 12/24/2011 01:19 PM, Gémes Géza wrote:
> On 2011-12-23 14:22, steve wrote:
>> Hi
>> We have AD users created with either samba-tool user add steve2 or
>> using the windows AD frontend from a windows box.
>> Users are created with home directories under /home/CACTUS
>> On a win 7 client all works fine. Users can authenticate against the
>> CACTUS domain and files are created with the correct uid:gid
>> We joined an Ubuntu client to the domain using likewise. /home from
>> the server is mounted on the client via nfs. On the ubuntu box, users
>> can authenticate, but cannot enter their /home folder. Making the
>> folder recursively 0777 allows them access but any new file created
>> has the wrong uid:gid
>> On the server: wbinfo -i steve2 gives /home/CACTUS/steve2 3000006:100
>> and I can use smbclient to create folders that show 3000006:100
>> On the ubuntu client however, any new files created have uid:gid of
>> 1481114100:1481114113
>> Can I eliminate Samba 4 from debugging this problem? If so, then can
>> anyone narrow down which of likewise or nfs is the culprit and if
>> neither then any other alternatives. . .
>> Thanks
>> Steve.
> The problem you have noted is a result of the fact that you are using
> two pieces of software with incompatible uid/gid<->sid mapping methods. Likewise
> has its own (I'm not sure, just from memory: algorithmic mapping) while
> Samba4 uses the "first seen sid first free xid (uid or gid) associated"
> method. Both have shortcomings of their own. IMHO the best
> existing approach is represented by Samba3 winbind with the idmap_ad
> backend, where it uses the attributes stored in AD (rfc2307 schema).
> This way all the AD client Linux systems will have the same uid, gid,
> shell and homedir sets. However this leaves out the Samba4 server, which
> is going to have its own (unrelated) mappings. My suggestion would be to
> do the minimum possible of file operations on the Samba4 server itself,
> doing all from clients.
> Regards
> Geza
Thanks for the explanation

OK. I got rid of likewise and joined the domain instead using the 
openSUSE 'Windows Domain Membership' module under Yast. That uses Samba 
3. I joined the Samba 4 domain OK and can authenticate fine, but again, 
the uid:gid was wrong.

Geza, would this be possible:

Can I turn off Samba 4 winbind on the server and use Samba 3 winbind on 
the Linux clients whilst still using Samba 4 authentication?


Is there
