[Samba] AD groups mapped to wrong GIDs
Sascha Frey
sf at TechFak.NET
Fri Apr 12 08:40:33 MDT 2013
Hi list,
I need some help getting group mapping to work:
We've got a fileserver serving Linux clients via NFS.
NSS source for users and groups is LDAP (sssd).
nsswitch.conf:
[...]
passwd: compat sss
group: compat sss
shadow: compat sss
[...]
So far, this has worked quite well for years.
Now I tried to have our content served via Samba for our Windows
clients.
We've got an AD domain synchronized with all the users and groups
from our LDAP. AD and LDAP should coexist: LDAP for our
Linux clients and AD for Windows clients.
Using Windows, I can access files and directories that I own or which
are world readable, but I cannot access files and directories with
750 permissions:
[2013/04/12 16:01:22.852669, 3] smbd/service.c:190(set_current_service)
chdir (/vol/dep) failed, reason: Permission denied
$ ls -ld /vol/dep
drwxr-s--- 54 someuser dep 4096 Apr 12 14:48 /vol/dep
$ id asmithee
uid=24717(asmithee) gid=12000(stud) groups=12000(stud),6600(deptut),33300(dep)
In AD, user asmithee is also member of these groups:
$ net -U asmithee ads user info asmithee
Enter asmithee's password:
Domain Users
deptut
dep
stud
It seems as if group mapping from AD to NSS does not work:
[2013/04/12 16:01:21.224811, 5]
auth/token_util.c:527(debug_unix_user_token)
UNIX token of user 24717
Primary group is 12000 and contains 4 supplementary groups
Group[ 0]: 1000000
Group[ 1]: 1000001
Group[ 2]: 1000003
Group[ 3]: 1001
I appreciate any hint ;)
My smb.conf:
-------------
#======================= Global Settings =======================
[global]
workgroup = MYORG
server string = Samba Server Version %v
dns proxy = no
kernel oplocks = no
lock spin time = 2000
#### Debugging/Accounting ####
log file = /var/log/samba/log.%m
#log level = 1
log level = 9
max log size = 20480
syslog = 0
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
security = ads
realm = AD.MY-ORG.NET
netbios name = samba
password server = dc1.AD.MY-ORG.NET
domain master = no
local master = no
preferred master = no
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
idmap config *: backend = tdb
idmap config *: range = 1000000-9999999
idmap config MYORG: backend = ad
idmap config MYORG: range = 1000-99999
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
map to guest = Bad User
guest account = nobody
#======================= Share Definitions =======================
[...]
[dep]
comment = Foobar Comment
path = /vol/dep
read only = no
valid users = @"MYORG+dep"
directory mode = 0770
create mode = 0660
acl group control = yes
inherit acls = yes
# Hide share from users who don't have access
access based share enum = yes
# Hide files/directories if user doesn't have read access
hide unreadable = yes
[...]
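An added diagnostic (not code from the post): it parses the idmap config lines and the debug_unix_user_token dump quoted above and reports, for each GID winbind placed in the token, which idmap range it falls in and whether `id` knows that GID. The sample inputs are copied from the post into constants.

```python
import re

# Constructed inputs copied from the post: the idmap lines of smb.conf, the
# debug_unix_user_token dump, and the GIDs that `id asmithee` reports via NSS.
SMB_CONF = """
idmap config *: backend = tdb
idmap config *: range = 1000000-9999999
idmap config MYORG: backend = ad
idmap config MYORG: range = 1000-99999
"""
TOKEN_LOG = """
UNIX token of user 24717
Group[ 0]: 1000000
Group[ 1]: 1000001
Group[ 2]: 1000003
Group[ 3]: 1001
"""
NSS_GIDS = {12000, 6600, 33300}

IDMAP_RE = re.compile(r"^\s*idmap config (\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.M)
GROUP_RE = re.compile(r"Group\[\s*\d+\]:\s*(\d+)")

def parse_idmap(conf):
    """Map each idmap domain ('*' is Samba's catch-all) to its backend and range."""
    doms = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        entry = doms.setdefault(dom, {})
        if key == "range":
            entry["range"] = tuple(int(x) for x in val.split("-"))
        else:
            entry["backend"] = val
    return doms

def classify_gid(gid, doms):
    """Return the idmap domain whose range contains gid, or None if no range does."""
    for dom, entry in doms.items():
        lo, hi = entry.get("range", (None, None))
        if lo is not None and lo <= gid <= hi:
            return dom
    return None

def audit_token(log, conf, nss_gids):
    """One (gid, idmap domain, backend, known-to-NSS) tuple per token group."""
    doms = parse_idmap(conf)
    report = []
    for gid in (int(g) for g in GROUP_RE.findall(log)):
        dom = classify_gid(gid, doms)
        backend = doms.get(dom, {}).get("backend")
        report.append((gid, dom, backend, gid in nss_gids))
    return report
```

GIDs reported under the `*` domain were allocated from the tdb catch-all range rather than taken from the AD backend, which is exactly why they never match the LDAP GIDs on the directory.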