[Samba] samba 4 and nfs permissions

steve steve at steve-ss.com
Sun Dec 25 01:51:34 MST 2011

On 12/25/2011 09:18 AM, Gémes Géza wrote:
> 2011-12-24 14:58 keltezéssel, steve írta:
>> On 12/24/2011 01:19 PM, Gémes Géza wrote:
>>> 2011-12-23 14:22 keltezéssel, steve írta:
>>>> Hi
>>>> We have AD users created with either samba-tool user add steve2 or
>>>> using the windows AD frontend from a windows box.
>>>> Users are created with home directories under /home/CACTUS
>>>> On a win 7 client all works fine. Users can authenticate against the
>>>> CACTUS domain and files are created with the correct uid:gid
>>>> We joined an Ubuntu client to the domain using likewise. /home from
>>>> the server is mounted on the client via nfs. On the ubuntu box, users
>>>> can authenticate, but cannot enter their /home folder. Making the
>>>> folder recursively 0777 allows them access but any new file created
>>>> has the wrong uid:gid
>>>> On the server: wbinfo -i steve2 gives /home/CACTUS/steve2 3000006:100
>>>> and I can use smbclient to create folders that show 3000006:100
>>>> On the ubuntu client however, any new files created have uid:gid of
>>>> 1481114100:1481114113
>>>> Can I eliminate Samba 4 from debugging this problem? If so, then can
>>>> anyone narrow down which of likewise or nfs is the culprit and if
>>>> neither then any other alternatives. . .
>>>> Thanks
>>>> Steve.
>>> The problem you have noted is a result of the fact, that you are using
>>> two softwares with incompatible uid/gid<->sid mapping methods. Likewise
>>> has its own (I'm nut sure just from memories: algorithmic mapping) while
>>> Samba4 uses the "first seen sid first free xid (uid or gid) associated"
>>> method. Both have their shortcomings of their own. IMHO the best
>>> existing approach  is represented by Samba3 winbind with the idmap_ad
>>> backend, where it uses the attributes stored in AD (rfc2307 schema).
>>> This way all the AD client linux system will have the same uid, gid,
>>> shell and homedir sets. However this leaves out the Samba4 server, which
>>> is going to have its own (unrelated) mappings. My suggestion would be to
>>> do the minimum possible of file operations on the Samba4 server itself,
>>> doing all from clients.
>>> Regards
>>> Geza
>> Thanks for the explanation
>> OK. I got rid of likewise and joined the domain instead using the
>> openSUSE 'Windows Domain Membership' module under Yast. That uses
>> Samba 3. I joined the Samba 4 domain OK and can authenticate fine, but
>> again, the uid:gid was wrong.
>> Geza, would this be possible:
>> Can I turn off Samba 4 winbind on the server and use Samba 3 winbind
>> on the Linux clients whilst still using Samba 4 authentication?
>> Thanks
>> Steve
>> Is there
> I don't think so. For now you will have to do all the file operations on
> a joined machine with samba3 winbind configured.
> Regards
> Geza
I've joined a samba 3 machine to the samba 4 domain. The uid:gid home 
directory problem is still there.

Is there any indication as to whether this will be fixed before Samba 4 
is released?


More information about the samba mailing list