[Samba] samba 4 and nfs permissions
steve
steve at steve-ss.com
Wed Dec 28 04:37:42 MST 2011
On 12/28/2011 09:10 AM, Gémes Géza wrote:
> On 2011-12-27 22:20, Bernd Markgraf wrote:
>>> I have created the home directories with the uid number given by wbinfo.
>>> So user steve2 has a home directory of /home/DOMAIN/steve2 300006:100
>>>
>>> These uid:gid are respected when I export /home using nfs. I can see
>>> 300006:users on the client too. Even so, as you say these numbers are
>>> not respected outside of the samba 4 - windows relationship.
>> Of course you see the same uid/gid numbers on the clients. What the
>> clients are missing is the associated username. On your client uidnumber
>> 300006 could very well be jennifer and not steve2. The fact that you see
>> the uidnumber and not a username means that your nfs clients don't have
>> the users in the nameservice in use. To make things work properly you
>> need to make the users you have in samba known to your nfs client's OS.
>>
>> bernd
>>
> I would suggest the following:
>
> Implement rfc2307 schema on samba4, modify your user accounts according
> to it. Then create your home directories with the uid/gid set in the
> AD (this way on the samba4 box the uids, gids will look wrong, but on
> the client *nix boxes they will be right)
>
> Regards
>
> Geza
OK
I have read this as you suggested before:
http://phaedrus77.blogspot.com/2010/04/samba4-ad-domain-controller-to-serve.html
I created a user steve4 using
samba-tool user add steve2
wbinfo -i gives me uid:gid 3000019:100
I create the home directory accordingly.
I then rfc2307'ify:
ldapmodify -h localhost -W -D Administrator@HH3.SITE -f steve4.txt
Where steve4.txt contains:
dn: cn=steve4,cn=users,dc=hh3,dc=site
changetype: modify
# add the rfc2307 object classes so the posix attributes below are allowed
add: objectclass
objectclass: posixaccount
-
add: objectclass
objectclass: shadowaccount
-
# uid:gid as reported by wbinfo -i, so the home directory ownership matches
add: uidnumber
uidnumber: 3000019
-
add: gidnumber
gidnumber: 100
-
add: unixhomedirectory
unixhomedirectory: /home/CACTUS/steve4
-
add: loginshell
loginshell: /bin/bash
I join an openSUSE client to the domain. From the client, steve4 can get
a kerberos ticket and wbinfo now shows he also has a real shell,
/bin/bash rather than /bin/false
Still no login is possible. I think that the article in the link above
is about using ldap in Samba 4 and authenticating against that rather
than using a domain logon. He then goes on to talk about using
ldapclient and modifying /etc/pam.conf. On Linux, that's where it starts
to get different. So I've had to give up for now.
Geza, do you think that the distros will implement this when Samba 4 is
released? Do you think the Samba 4 devs know of the need for it? I ask
because I think it is something which has been overlooked.
Thanks again
Steve.
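The mismatch Bernd describes, as an added illustration that is not code from this thread: a small Python check that parses the rfc2307 LDIF record above and `getent passwd` output, then verifies that the exported home directory's numeric owner matches the AD entry and that the host's name service resolves that uidNumber to the intended user. The `getent passwd` samples (the Samba box, a client with no domain users, and a client where 3000019 happens to be "jennifer") are constructed for the example.

```python
import re

# Constructed samples: the LDIF record from the thread and `getent passwd` output
# as it might look on the Samba 4 box and on two NFS clients.
SAMPLE_LDIF = """dn: cn=steve4,cn=users,dc=hh3,dc=site
changetype: modify
add: uidnumber
uidnumber: 3000019
-
add: gidnumber
gidnumber: 100
-
add: unixhomedirectory
unixhomedirectory: /home/CACTUS/steve4
"""
PASSWD_SAMBA_BOX = "steve4:*:3000019:100:steve4:/home/CACTUS/steve4:/bin/bash\n"
PASSWD_CLIENT_MISSING = "root:x:0:0:root:/root:/bin/bash\n"
PASSWD_CLIENT_CLASH = "jennifer:x:3000019:100:Jennifer:/home/jennifer:/bin/bash\n"

def parse_rfc2307_ldif(ldif: str) -> dict:
    """Account name (cn of the dn) plus the rfc2307 attributes of an LDIF record."""
    attrs = {}
    for line in ldif.splitlines():
        dn = re.match(r"dn:\s*cn=([^,]+)", line, re.I)
        if dn:
            attrs["name"] = dn.group(1)
        # 'add:' and 'changetype:' control lines do not match and are skipped
        m = re.match(r"(uidnumber|gidnumber|unixhomedirectory):\s*(.+)", line, re.I)
        if m:
            attrs[m.group(1).lower()] = m.group(2).strip()
    return attrs

def parse_getent_passwd(output: str) -> dict:
    """Map uidNumber -> login name from `getent passwd` output."""
    return {int(f[2]): f[0] for f in (l.split(":") for l in output.splitlines()) if len(f) >= 3}

def check_home_owner(entry: dict, dir_uid: int, dir_gid: int, passwd_by_uid: dict) -> list:
    """Compare the home directory's numeric owner (what stat shows on the export)
    with the AD entry and with this host's name service; [] means consistent."""
    findings = []
    want_uid, want_gid = int(entry["uidnumber"]), int(entry["gidnumber"])
    if (dir_uid, dir_gid) != (want_uid, want_gid):
        findings.append(f"{entry['unixhomedirectory']} owned by {dir_uid}:{dir_gid}, AD says {want_uid}:{want_gid}")
    resolved = passwd_by_uid.get(want_uid)
    if resolved is None:
        findings.append(f"uid {want_uid} has no passwd entry on this host: ls shows a bare number")
    elif resolved != entry["name"]:
        findings.append(f"uid {want_uid} resolves to '{resolved}' on this host, not '{entry['name']}'")
    return findings
```

On a real client, feed it the output of `getent passwd` and the uid/gid from `stat` on the NFS-mounted home; an empty result means the client's name service agrees with AD.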