[Samba] samba 4 and nfs permissions

Gémes Géza geza at kzsdabas.hu
Wed Dec 28 12:38:51 MST 2011


On 2011-12-28 12:37, steve wrote:
> On 12/28/2011 09:10 AM, Gémes Géza wrote:
>> On 2011-12-27 22:20, Bernd Markgraf wrote:
>>>> I have created the home directories with the uid number given by
>>>> wbinfo.
>>>> So user steve2 has a home directory of /home/DOMAIN/steve2 300006:100
>>>>
>>>> These uid:gid are respected when I export /home using nfs. I can see
>>>> 300006:users on the client too. Even so, as you say these numbers are
>>>> not respected outside of the samba 4 - windows relationship.
>>> Of course you see the same uid/gid numbers on the clients. What the
>>> clients are missing is the associated username. On your client,
>>> uidnumber 300006 could very well be jennifer and not steve2. The fact
>>> that you see the uidnumber and not a username means that your nfs
>>> clients don't have the users in the nameservice in use. To make things
>>> work properly you need to make the users you have in samba known to
>>> your nfs client's OS.
>>>
>>>    bernd
>>>
>> I would suggest the following:
>>
>> Implement the rfc2307 schema on samba4 and modify your user accounts
>> accordingly. Then create your home directories with the uid/gid set in
>> the AD (this way on the samba4 box the uids and gids will look wrong,
>> but on the client *nix boxes they will be right).
>>
>> Regards
>>
>> Geza
> OK
> I have read this as you suggested before:
>
> http://phaedrus77.blogspot.com/2010/04/samba4-ad-domain-controller-to-serve.html
>
>
> I created a user steve4 using
>
> samba-tool user add steve2
>
> wbinfo -i gives me uid:gid 3000019:100
>
> I create the home directory accordingly.
>
> I then rfc2307'ify:
>
> ldapmodify -h localhost -W -D Administrator at HH3.SITE -f steve4.txt
>
> Where steve4.txt contains:
>
> dn: cn=steve4,cn=users,dc=hh3,dc=site
> changetype: modify
> add: objectclass
> objectclass: posixaccount
> -
> add: objectclass
> objectclass: shadowaccount
> -
> add: uidnumber
> uidnumber: 3000019
> -
> add: gidnumber
> gidnumber: 100
> -
> add: unixhomedirectory
> unixhomedirectory: /home/CACTUS/steve4
> -
> add: loginshell
> loginshell: /bin/bash
>
> I join an openSUSE client to the domain. From the client, steve4 can
> get a kerberos ticket and wbinfo now shows he also has a real shell,
> /bin/bash rather than /bin/false
>
> Still no login is possible. I think that the article in the link above
> is about using ldap in Samba 4 and authenticating against that rather
> than using a domain logon. He then goes on to talk about using
> ldapclient and modifying /etc/pam.conf. On Linux, that's where it
> starts to get different. So I've had to give up for now.
>
> Geza, do you think that the distros will implement this when Samba 4
> is released? Do you think the Samba 4 devs know of the need for it? I
> ask because I think it is something which has been overlooked.
> Thanks again
> Steve.
>
First,
you have two options for authentication:

1) Samba3 Winbind with idmap_ad, both for PAM (the files in /etc/pam.d;
it's been a long time since I've had a *Suse system around) and NSS
(/etc/nsswitch.conf)

2) pam-krb5 or pam-heimdal for auth (the PAM part) and nss-ldap for name
services (usernames, uids, gids etc.). Look for a good howto on how to
configure them for Active Directory (unfortunately I don't remember the
links I've used in the past). The article I've linked discusses this
approach.

Second,
the problem of winbind in samba4 is an open one (along with the
integration of the samba3 fileserver smbd). There are two viewpoints
about this:
- Release samba4 as soon as possible with the AD as the only fully (maybe
partly (no FRS yet)) working part, and add the rest in a later update
(Samba 4.1 perhaps)
- Delay the release until all the components are at least at feature
parity with Samba3 (fileserver, winbind)

The release will most probably be a compromise between these two extreme
options, but I'm really afraid that the fileserver part will go in
(there is real work going on on this), but the winbind part will not
(there are still completely contradictory ideas about how winbind in
Samba4 is expected to behave).

As a suggestion (after you have made this work), subscribe to
samba-technical too and try to convince people of the importance of an
rfc2307 compliant winbind in Samba4 (I feel guilty about this as I won't
have time (until at least the summer) to work on this).

Regards

Geza
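The mismatch Bernd describes (a numeric uid on the NFS client with no name behind it) is easy to check for once the rfc2307 attributes are in AD. The following is an added example, not code from the thread: it compares each user's uidnumber/gidnumber from an LDIF export against the owner of the exported home directory and against what the NFS client's passwd database resolves. All inputs are constructed inline; the `jennifer` entry is deliberately inconsistent.

```python
"""Consistency check for rfc2307 ids vs. home ownership vs. client NSS.
Added example with constructed data; not from the mailing list thread."""

# Constructed LDIF export, shaped like the attributes added in the thread.
LDIF = """dn: cn=steve4,cn=users,dc=hh3,dc=site
uidnumber: 3000019
gidnumber: 100
unixhomedirectory: /home/CACTUS/steve4

dn: cn=jennifer,cn=users,dc=hh3,dc=site
uidnumber: 3000020
gidnumber: 100
unixhomedirectory: /home/CACTUS/jennifer
"""

# Constructed stat() results for the exported homes: path -> (uid, gid).
# In practice this would come from os.stat() on the NFS server.
HOME_OWNERS = {"/home/CACTUS/steve4": (3000019, 100),
               "/home/CACTUS/jennifer": (3000021, 100)}  # wrong uid

# Constructed getent passwd output as seen on the NFS client; jennifer is
# missing, which is exactly the "uid with no name" symptom from the thread.
CLIENT_PASSWD = "steve4:x:3000019:100::/home/CACTUS/steve4:/bin/bash\n"


def parse_ldif(text):
    """Return {cn: (uid, gid, home)} from a minimal LDIF export."""
    users = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip().lower()] = value.strip()
        cn = attrs["dn"].split(",")[0].split("=", 1)[1]
        users[cn] = (int(attrs["uidnumber"]), int(attrs["gidnumber"]),
                     attrs["unixhomedirectory"])
    return users


def client_names(passwd_text):
    """Return {uid: name} from passwd-style lines resolved on the client."""
    return {int(f[2]): f[0] for f in
            (line.split(":") for line in passwd_text.splitlines())}


def check(users, owners, names):
    """List every user whose ids disagree between AD, disk and the client."""
    problems = []
    for cn, (uid, gid, home) in users.items():
        if owners.get(home) != (uid, gid):
            problems.append(f"{cn}: {home} owned by {owners.get(home)}, "
                            f"AD says {uid}:{gid}")
        if names.get(uid) != cn:
            problems.append(f"{cn}: client resolves uid {uid} to {names.get(uid)}")
    return problems
```

Running `check(parse_ldif(LDIF), HOME_OWNERS, client_names(CLIENT_PASSWD))` reports only the two jennifer problems; steve4 passes both checks.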