[Samba] [SOLVED] Samba4 Does cifs need a keytab for the multiuser option?
steve at steve-ss.com
Fri Apr 12 05:48:54 MDT 2013
On 12/04/13 13:10, Rowland Penny wrote:
> On 12/04/13 08:32, steve wrote:
>> On 12/04/13 08:06, steve wrote:
>>> On 11/04/13 22:45, steve wrote:
>>>> On 11/04/13 22:05, Rowland Penny wrote:
>>>>> On 11/04/13 20:42, steve wrote:
>>>>>> On 11/04/13 20:39, Rowland Penny wrote:
>>>>>>> On 11/04/13 17:27, steve wrote:
>> Hi again
>> This is driving me crazy!
>> If I change the permissions on the cifs share to 0777, I can then
>> write to the cifs share as user steve2 BUT the uid:gid sent by cifs
>> are wrong:
>> -rw-r--r-- 1 3000032 20513 0 Apr 12 09:25 j2
>> -rwxrwxr-x+ 1 3000017 users 0 Apr 12 09:25 j3
>> The file j2 was created on the unmounted share with the correct
>> uid:gid, 3000032:20513
>> The file j3 was created on the cifs mounted share. The server has
>> sent 3000017:100 :(
>> Any ideas?
> OK Steve, after some investigation, either I am going mad ( possible
> :-) ) or cifs is broken if you do not use winbind.
> I can mount (via a script run at login) the users directory from the
> server provided I do not use 'multiuser' but any files are created on
> the server with the WRONG uid i.e. the user I login with is uid
> 3000017, if the permissions on the client are checked the file belongs
> to the user, but if checked on the server, the files do not belong to
> the user, they belong to a uid '3000000'.
> I do not know where this user comes from, getent passwd on the server
> does not show this user, but if I create a testdir on the server I can
> chown it to 3000000.
> If I try to mount the users directory using multiuser, the mount fails
> because it now requires root's/Administrator's krb5_cc and I have not
> created it.
> I am now coming round to the idea that if the samba team want S4 to be
> used with unix clients then some work needs to be done to ensure it
> easily works as expected and in my opinion the first thing that needs
> to happen is the S3 winbind that exists at present needs to be thrown
> into the wastebin.
It WAS an idmap/winbind problem. On the one hand we can get our uid:gid
from idmap.ldb or we can get it from AD. But not a mix of the two. What
I had was the server using idmap and the client using AD. Disaster! The
idmap_ldb:use rfc2307 = Yes
needs to be added to smb.conf for uid:gid ALWAYS being pulled from AD.
Just to be sure, I also had a long ldbedit session on idmap.ldb to
remove the users that Samba added before I got the syntax right for the
smb.conf line above.
I agree that winbind is too complicated a way to go about adding Linux
clients to AD, especially when there are point and click methods around
(I believe you just found one: we use nss-ldapd). But what really seems
to confuse the issue is that we have TWO methods for ID mapping. idmap
or the AD ldap. I'd vote for going with just one method: AD. Having
choice in matters such as these can only add to the already confusing
winbind/AD setup, as I have just so painfully found out:(
I believe the devs think that as time goes by, Samba4 will get more
attention from companies wanting to deploy more and more Windows boxes.
Where I come from, we're going the other way: even though we'll always
cater for a few Microsoft programs, the Windows boxes are slowly but
surely being replaced by Linux. Maybe in a year or so, none of this will
be relevant as we go cloud. Not sure. Having said all this, I still
think S4 is a remarkable achievement.
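
Added example, not part of the original post: a small Python check for the mismatch described above. It reports whether [global] in smb.conf enables `idmap_ldb:use rfc2307`, and lists files in a server-side `ls -ln` listing whose numeric owner is not the uid:gid expected from AD. The function names and sample inputs are assumptions constructed from the values quoted in the thread.

```python
TRUE_VALUES = {"yes", "true", "on", "1"}  # boolean spellings treated as enabled
OPTION = "idmap_ldb:use rfc2307"          # the line given in the post

def _norm(name):
    # Compare names case-insensitively and tolerate extra spaces.
    return " ".join(name.split()).lower()

def rfc2307_enabled(conf_text):
    """Return True if [global] sets idmap_ldb:use rfc2307 to a true value."""
    section, enabled = None, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
        elif "=" in line and section == "global":
            key, value = line.split("=", 1)
            if _norm(key) == OPTION:
                enabled = value.strip().lower() in TRUE_VALUES  # last one wins
    return enabled

def wrong_owners(ls_ln_output, uid, gid):
    """Return (name, uid, gid) for entries in `ls -ln` output not owned by uid:gid."""
    bad = []
    for line in ls_ln_output.splitlines():
        f = line.split(None, 8)  # perms, links, uid, gid, size, 3 date fields, name
        if len(f) == 9 and f[2].isdigit() and f[3].isdigit():
            if (int(f[2]), int(f[3])) != (uid, gid):
                bad.append((f[8], int(f[2]), int(f[3])))
    return bad

# Constructed samples: a minimal smb.conf before and after the fix, and a
# numeric listing using the uid:gid values quoted in the thread.
SMB_CONF_BEFORE = "[global]\n    workgroup = EXAMPLE\n"
SMB_CONF_AFTER = SMB_CONF_BEFORE + "    idmap_ldb:use rfc2307 = Yes\n"
SERVER_LISTING = (
    "-rw-r--r-- 1 3000032 20513 0 Apr 12 09:25 j2\n"
    "-rwxrwxr-x+ 1 3000017 100 0 Apr 12 09:25 j3\n"
)

if __name__ == "__main__":
    for label, conf in (("before", SMB_CONF_BEFORE), ("after", SMB_CONF_AFTER)):
        print(label, "uid:gid pulled from AD:", rfc2307_enabled(conf))
    for name, u, g in wrong_owners(SERVER_LISTING, 3000032, 20513):
        print(f"{name}: owned by {u}:{g}, expected 3000032:20513")
```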