[Samba] samba 4 and nfs permissions

Bernd Markgraf bernd.markgraf at med.ovgu.de
Sun Dec 25 16:01:23 MST 2011

On Sun, 2011-12-25 at 09:51 +0100, steve wrote:
> Ok
> I've joined a samba 3 machine to the samba 4 domain. The uid:gid home 
> directory problem is still there.
as I've also been asked off-list (via my blog) I'll answer here as it
may help others as well.
Mapping user ids seems to be a problem in various places. I run Samba4
as AD for a bunch of (virtual) Windows 7 machines and as Kerberos/LDAP
server for some Solaris and Linux boxes and Samba3 on the fileserver. I
extended the original LDAP schema on the S4 side to include the posix
UID/GID bits (rfc 2307 iirc) - not sure if this has made it into the
current tree yet.
In my case I create new users with the Windows Management Console (give
the fellow admins an easy start). That sets up the Windows related
things. Second step is to use ldapmodify to add the needed Unix bits
to that account. Wrapped in a little script to fetch the next free
UIDNUMBER, add and create the user's home directory, chown and chmod as
required etc. The last bit which seems to be important to make things
work nicely is to add a hard UID:SID mapping on the fileserver running
the Samba fileserver:
/opt/samba/bin/wbinfo --set-uid-mapping=$UIDN,`/opt/samba/bin/wbinfo -n $UID`

UIDN being the UNIX UIDNUMBER and UID being the user's login name. That
makes the job for Samba3 easier as it doesn't need to figure out the
mapping by itself. One could argue that it would be nice if Samba
checked for the existence of the posix uid number and used that for a
mapping, but there may be cases where someone would like to have a
different behaviour. For us it works very well though.
Also I never really had the need to create unix accounts on the fly for
existing Samba/Windows users. Once those exist in LDAP I prefer them to
carry the appropriate UNIX attributes as well.

The Samba3 part runs on a Solaris10 box (the script to modify the
account and add the mapping runs on the same machine) but it should work
the same way on a Linux machine.

Hope this helps a little. If you need more details, let me know.
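The "second step" from the mail above, as an added example that is not the poster's own script: pick the next free uidNumber from an ldapsearch listing, build the ldapmodify input that adds the rfc2307 attributes, create the home directory, and emit the hard UID:SID mapping command. BASE_DN, the attribute names (uidNumber, gidNumber, unixHomeDirectory, loginShell), the /home layout and the sample uidNumber list are assumptions or constructed data, not from the mail; only the /opt/samba/bin path and the wbinfo call are the poster's.

```shell
#!/bin/sh
# Added example (not the poster's script). The pure functions work on text,
# so they can be exercised without an LDAP server; add_unix_user() wires them
# to ldapsearch/ldapmodify/wbinfo and is only run when you call it.
BASE_DN="CN=Users,DC=example,DC=com"   # assumption: where AD user objects live
MIN_UID=10000                          # assumption: first uidNumber to hand out
SAMBA=/opt/samba/bin                   # path used in the mail

# Constructed stand-in for: ldapsearch -LLL -b "$BASE_DN" '(uidNumber=*)' uidNumber
SAMPLE_UIDS='uidNumber: 10000
uidNumber: 10002
uidNumber: 10001'

# next_free_uid: highest uidNumber in the ldapsearch output plus one,
# or MIN_UID when nothing is allocated yet (output order does not matter)
next_free_uid() {
  printf '%s\n' "$1" | awk -v min="$MIN_UID" 'BEGIN { max = 0 }
    /^uidNumber: / && $2 + 0 > max { max = $2 + 0 }
    END { print (max >= min ? max + 1 : min) }'
}

# unix_ldif: ldapmodify input adding the Unix bits to an existing AD account
# $1 = login name, $2 = uidNumber, $3 = gidNumber (assumes CN == login name)
unix_ldif() {
  printf 'dn: CN=%s,%s\nchangetype: modify\n' "$1" "$BASE_DN"
  printf 'add: uidNumber\nuidNumber: %s\n-\n' "$2"
  printf 'add: gidNumber\ngidNumber: %s\n-\n' "$3"
  printf 'add: unixHomeDirectory\nunixHomeDirectory: /home/%s\n-\n' "$1"
  printf 'add: loginShell\nloginShell: /bin/sh\n'
}

# sid_from_wbinfo: "wbinfo -n NAME" prints "SID SID_USER"; keep only the SID
sid_from_wbinfo() { printf '%s\n' "$1" | awk '{ print $1 }'; }

# mapping_cmd: the hard UID->SID mapping the mail sets on the Samba3 fileserver
mapping_cmd() { echo "$SAMBA/wbinfo --set-uid-mapping=$1,$2"; }

# add_unix_user LOGIN GID: the whole step against a live server (needs creds)
add_unix_user() {
  uidn=$(next_free_uid "$(ldapsearch -LLL -b "$BASE_DN" '(uidNumber=*)' uidNumber)")
  unix_ldif "$1" "$uidn" "$2" | ldapmodify -Y GSSAPI -Q
  mkdir -p "/home/$1" && chown "$uidn:$2" "/home/$1" && chmod 700 "/home/$1"
  sid=$(sid_from_wbinfo "$("$SAMBA/wbinfo" -n "$1")")
  $(mapping_cmd "$uidn" "$sid")
}
```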
