[Samba] [SOLVED] Samba4 Does cifs need a keytab for the multiuser option?

steve steve at steve-ss.com
Fri Apr 12 05:48:54 MDT 2013

On 12/04/13 13:10, Rowland Penny wrote:
> On 12/04/13 08:32, steve wrote:
>> On 12/04/13 08:06, steve wrote:
>>> On 11/04/13 22:45, steve wrote:
>>>> On 11/04/13 22:05, Rowland Penny wrote:
>>>>> On 11/04/13 20:42, steve wrote:
>>>>>> On 11/04/13 20:39, Rowland Penny wrote:
>>>>>>> On 11/04/13 17:27, steve wrote:
>> Hi again
>> This is driving me crazy!
>> If I change the permissions on the cifs share to 0777, I can then 
>> write to the cifs share as user steve2 BUT the uid:gid sent by cifs 
>> are wrong:
>> -rw-r--r--  1 3000032 20513 0 Apr 12 09:25 j2
>> -rwxrwxr-x+ 1 3000017 users 0 Apr 12 09:25 j3
>> The file j2 was created on the unmounted share with the correct 
>> uid:gid, 3000032:20513
>> The file j3 was created on the cifs mounted share. The server has 
>> sent 3000017:100 :(
>> Any ideas?
>> Cheers,
>> Steve
> OK Steve, after some investigation, either I am going mad ( possible 
> :-) ) or cifs is broken if you do not use winbind.
> I can mount (via a script run at login) the users directory from the 
> server provided I do not use 'multiuser' but any files are created on 
> the server with the WRONG uid i.e. the user I login with is uid 
> 3000017, if the permissions on the client are checked the file belongs 
> to the user, but if checked on the server, the files do not belong to 
> the user, they belong to a uid '3000000'.
> I do not know where this user comes from, getent passwd on the server 
> does not show this user, but if I create a testdir on the server I can 
> chown it to 3000000.
> If I try to mount the users directory using multiuser, the mount fails 
> because it now requires roots/Administrators krb5_cc and I have not 
> created it.
> I am now coming round to the idea that if the samba team want S4 to be 
> used with unix clients then some work needs to be done to ensure it 
> easily works as expected and in my opinion the first thing that needs 
> to happen is the S3 winbind that exists at present needs to be thrown 
> into the wastebin.
> Rowland
Hi Rowland
It WAS an idmap/winbind problem. On the one hand we can get our uid:gid 
from idmap.ldb or we can get it from AD. But not a mix of the two. What 
I had was the server using idmap and the client using AD. Disaster! The 
idmap_ldb:use rfc2307 = Yes
needs to be added to smb.conf for uid:gid ALWAYS being pulled from AD. 
Just to be sure, I also had a long ldbedit session on idmap.ldb to 
remove the users that Samba added before I got the syntax right for the 
smb.conf line above.

I agree that winbind is too complicated a way to go about adding Linux 
clients to AD, especially when there are point and click methods around 
(I believe you just found one: we use nss-ldapd). But what really seems 
to confuse the issue is that we have TWO methods for ID mapping. idmap 
or the AD ldap. I'd vote for going with just one method: AD. Having 
choice in matters such as these can only add to the already confusing 
winbind/AD setup, as I have just so painfully found out:(

I believe the devs think that as time goes by, Samba4 will get more 
attention from companies wanting to deploy more and more windows boxes. 
Where I come from, we're going the other way: even though we'll always 
cater for a few microsoft programs, the windows boxes are slowly but 
surely being replaced by Linux. Maybe in a year or so, none of this will 
be relevant as we go cloud. Not sure. Having said all this, I still 
think S4 is a remarkable achievement.

More information about the samba mailing list