[Samba] samba 4 and nfs permissions
geza at kzsdabas.hu
Sun Dec 25 01:18:51 MST 2011
On 2011-12-24 14:58, steve wrote:
> On 12/24/2011 01:19 PM, Gémes Géza wrote:
>> On 2011-12-23 14:22, steve wrote:
>>> We have AD users created with either samba-tool user add steve2 or
>>> using the windows AD frontend from a windows box.
>>> Users are created with home directories under /home/CACTUS
>>> On a win 7 client all works fine. Users can authenticate against the
>>> CACTUS domain and files are created with the correct uid:gid
>>> We joined an Ubuntu client to the domain using likewise. /home from
>>> the server is mounted on the client via nfs. On the ubuntu box, users
>>> can authenticate, but cannot enter their /home folder. Making the
>>> folder recursively 0777 allows them access but any new file created
>>> has the wrong uid:gid
>>> On the server: wbinfo -i steve2 gives /home/CACTUS/steve2 3000006:100
>>> and I can use smbclient to create folders that show 3000006:100
>>> On the ubuntu client however, any new files created have uid:gid of
>>> Can I eliminate Samba 4 from debugging this problem? If so, then can
>>> anyone narrow down which of likewise or nfs is the culprit and if
>>> neither then any other alternatives. . .
>> The problem you have noted is a result of the fact that you are using
>> two pieces of software with incompatible uid/gid<->sid mapping methods.
>> Likewise has its own (I'm not sure, just from memory: algorithmic
>> mapping) while Samba4 uses the "first seen sid first free xid (uid or
>> gid) associated" method. Both have shortcomings of their own. IMHO the
>> best existing approach is represented by Samba3 winbind with the idmap_ad
>> backend, where it uses the attributes stored in AD (rfc2307 schema).
>> This way all the AD client Linux systems will have the same uid, gid,
>> shell and homedir sets. However this leaves out the Samba4 server, which
>> is going to have its own (unrelated) mappings. My suggestion would be to
>> do the minimum possible of file operations on the Samba4 server itself,
>> doing all from clients.
> Thanks for the explanation
> OK. I got rid of likewise and joined the domain instead using the
> openSUSE 'Windows Domain Membership' module under Yast. That uses
> Samba 3. I joined the Samba 4 domain OK and can authenticate fine, but
> again, the uid:gid was wrong.
> Geza, would this be possible:
> Can I turn off Samba 4 winbind on the server and use Samba 3 winbind
> on the Linux clients whilst still using Samba 4 authentication?
> Is there
I don't think so. For now you will have to do all the file operations on
a joined machine with samba3 winbind configured.
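
A check for the mapping mismatch discussed in this thread, as an added example that is not part of any poster's message: it compares `getent passwd`-style output captured on the server and on a client, and reports accounts whose uid:gid differ as well as uids that belong to different accounts on the two hosts. It assumes the NFS mount uses AUTH_SYS, where the server acts on the numeric ids the client sends; the function names and all sample lines except steve2's server-side 3000006:100 are constructed.

```python
# Added example. Only steve2's server-side 3000006:100 comes from the thread
# (wbinfo -i output); every other name and number below is constructed.
SERVER = """\
steve2:*:3000006:100::/home/CACTUS/steve2:/bin/bash
lynn2:*:3000007:100::/home/CACTUS/lynn2:/bin/bash
"""
CLIENT = """\
CACTUS\\steve2:*:1344275537:1344274945::/home/CACTUS/steve2:/bin/bash
CACTUS\\lynn2:*:3000006:100::/home/CACTUS/lynn2:/bin/bash
"""


def parse_passwd(text):
    """Return {short_name: (uid, gid)} from passwd(5)-format lines."""
    ids = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue  # blank, comment or malformed line
        name = fields[0].rsplit("\\", 1)[-1].lower()  # drop a DOMAIN\ prefix
        ids[name] = (int(fields[2]), int(fields[3]))
    return ids


def compare(server_text, client_text):
    """Return (mismatched, collisions) between two hosts' id mappings."""
    server, client = parse_passwd(server_text), parse_passwd(client_text)
    # Same account, different numbers: files show the wrong owner over NFS.
    mismatched = {
        user: (server[user], client[user])
        for user in sorted(server.keys() & client.keys())
        if server[user] != client[user]
    }
    # Same uid, different account: the client user is treated as someone else.
    uid_owner = {uid: user for user, (uid, _) in server.items()}
    collisions = sorted(
        (uid, uid_owner[uid], user)
        for user, (uid, _) in client.items()
        if uid in uid_owner and uid_owner[uid] != user
    )
    return mismatched, collisions


if __name__ == "__main__":
    mismatched, collisions = compare(SERVER, CLIENT)
    for user, (srv, cli) in mismatched.items():
        print(f"{user}: server {srv[0]}:{srv[1]} client {cli[0]}:{cli[1]}")
    for uid, srv_user, cli_user in collisions:
        print(f"uid {uid}: {srv_user} on server, {cli_user} on client")
```

A collision is the more serious finding: with numeric ids trusted across the mount, the client account inherits the server account's file access.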