[Samba] [SOLVED] Samba4 Does cifs need a keytab for the multiuser option?

Rowland Penny rpenny at f2s.com
Fri Apr 12 10:10:07 MDT 2013


On 12/04/13 16:52, steve wrote:
> On 12/04/13 17:21, Rowland Penny wrote:
>> On 12/04/13 12:48, steve wrote:
>>>
>>> On 12/04/13 13:10, Rowland Penny wrote:
>>>> On 12/04/13 08:32, steve wrote:
>>>>> On 12/04/13 08:06, steve wrote:
>>>>>> On 11/04/13 22:45, steve wrote:
>>>>>>> On 11/04/13 22:05, Rowland Penny wrote:
>>>>>>>> On 11/04/13 20:42, steve wrote:
>>>>>>>>> On 11/04/13 20:39, Rowland Penny wrote:
>>>>>>>>>> On 11/04/13 17:27, steve wrote:
>>>>>>
>>>>> Hi again
>>>>> This is driving me crazy!
>>>>> If I change the permissions on the cifs share to 0777, I can then 
>>>>> write to the cifs share as user steve2 BUT the uid:gid sent by 
>>>>> cifs are wrong:
>>>>>
>>>>> -rw-r--r--  1 3000032 20513 0 Apr 12 09:25 j2
>>>>> -rwxrwxr-x+ 1 3000017 users 0 Apr 12 09:25 j3
>>>>>
>>>>> The file j2 was created on the unmounted share with the correct 
>>>>> uid:gid, 3000032:20513
>>>>> The file j3 was created on the cifs mounted share. The server has 
>>>>> sent 3000017:100 :(
>>>>>
>>>>> Any ideas?
>>>>> Cheers,
>>>>> Steve
>>>>>
>>>>
>>>> OK Steve, after some investigation, either I am going mad ( 
>>>> possible :-) ) or cifs is broken if you do not use winbind.
>>>>
>>>> I can mount (via a script run at login) the user's directory from 
>>>> the server provided I do not use 'multiuser', but any files are 
>>>> created on the server with the WRONG uid, i.e. the user I log in with 
>>>> is uid 3000017; if the permissions on the client are checked the 
>>>> file belongs to the user, but if checked on the server, the files 
>>>> do not belong to the user, they belong to a uid '3000000'.
>>>> I do not know where this user comes from, getent passwd on the 
>>>> server does not show this user, but if I create a testdir on the 
>>>> server I can chown it to 3000000.
>>>>
>>>> If I try to mount the user's directory using multiuser, the mount 
>>>> fails because it now requires root's/Administrator's krb5_cc and I 
>>>> have not created it.
>>>>
>>>> I am now coming round to the idea that if the samba team want S4 to 
>>>> be used with unix clients then some work needs to be done to ensure 
>>>> it easily works as expected and in my opinion the first thing that 
>>>> needs to happen is the S3 winbind that exists at present needs to 
>>>> be thrown into the wastebin.
>>>>
>>>> Rowland
>>> Hi Rowland
>>> It WAS an idmap/winbind problem. On the one hand we can get our 
>>> uid:gid from idmap.ldb or we can get it from AD. But not a mix of 
>>> the two. What I had was the server using idmap and the client using 
>>> AD. Disaster! The line:
>>> idmap_ldb:use rfc2307 = Yes
>>> needs to be added to smb.conf for uid:gid ALWAYS being pulled from 
>>> AD. Just to be sure, I also had a long ldbedit session on idmap.ldb 
>>> to remove the users that Samba added before I got the syntax right 
>>> for the smb.conf line above.
>>>
>>> I agree that winbind is too complicated a way to go about adding 
>>> Linux clients to AD, especially when there are point and click 
>>> methods around (I believe you just found one: we use nss-ldapd). But 
>>> what really seems to confuse the issue is that we have TWO methods 
>>> for ID mapping. idmap or the AD ldap. I'd vote for going with just 
>>> one method: AD. Having choice in matters such as these can only add 
>>> to the already confusing winbind/AD setup, as I have just so 
>>> painfully found out:(
>>>
>>> I believe the devs think that as time goes by, Samba4 will get more 
>>> attention from companies wanting to deploy more and more windows 
>>> boxes. Where I come from, we're going the other way: even though 
>>> we'll always cater for a few microsoft programs, the windows boxes 
>>> are slowly but surely being replaced by Linux. Maybe in a year or 
>>> so, none of this will be relevant as we go cloud. Not sure. Having 
>>> said all this, I still think S4 is a remarkable achievement.
>>> Cheers,
>>> Steve
>>>
>> Hi Steve
>> That may have been your problem, but it wasn't mine :-(
>>
>> I had that line in smb.conf, but the user's directory was mounted on 
>> the client and the files etc. belonged to the correct user whose 
>> uidNumber was 3000017, but all newly created files became the property 
>> of 3000000, both on the client & the server. I could not find the 
>> user 3000000 anywhere, so I went and read your postings over on the 
>> cifs mailing list to see if it gave me any ideas, it did :-) .
>>
>> I found the problem & user 3000000 in /usr/local/samba/private/idmap.ldb
>>
>> # record 24
>> dn: CN=S-1-5-32-544
>> cn: S-1-5-32-544
>> objectClass: sidMap
>> objectSid: S-1-5-32-544
>> type: ID_TYPE_BOTH
>> xidNumber: 3000000
>> distinguishedName: CN=S-1-5-32-544
>>
>> A bit more googling produced this:
>>
>> SID: S-1-5-32-544
>> Name: Administrators
>> Description: A built-in group. After the initial installation of the 
>> operating system, the only member of the group is the Administrator 
>> account. When a computer joins a domain, the Domain Admins group is 
>> added to the Administrators group. When a server becomes a domain 
>> controller, the Enterprise Admins group also is added to the 
>> Administrators group.
>>
>> I had added my user to the Domain Admins group, so, using samba-tool, 
>> I removed him again, chown all the users files etc on the server to 
>> the user and rebooted the client.
>>
>> YEAH it works!!!!
>>
>> OK, how did my user's uidNumber become the same (but seemingly only 
>> when saving files on a cifs mount) as a group number by just joining 
>> the group via samba-tool?
>>
>> Rowland
>>
>>
> Hi Rowland
> Good to hear you got it going. Yeah, it's BUILTIN\Administrators here 
> too. I think it is everywhere, like the rid 500 for Domain Admin.
>
> wbinfo --uid-to-sid=3000000
> S-1-5-32-544
>
> wbinfo --sid-to-name=S-1-5-32-544
> BUILTIN\Administrators 4
>
> I still think you'll need the cifs multiuser option, otherwise all 
> files created in the mount will _always_ be owned by the user who made 
> the mount in the first place. You'd need pretty open permissions for 
> everyone to work and edit files within the share if only one user is 
> to own all the files. Maybe that's OK for you but we have to have 
> files editable only by their owner, and that owner can be any user who 
> has access to the share. In our case, the unix home folders. IOW, 
> where you are just after you log in.
>
> Cheers,
> Steve
>
Hi Steve, I see where you are coming from, but in this instance I am 
mounting the entire user's home directory from the server, a bit like 
Windows profiles but faster, so all the files need to be owned by the user.
What I cannot understand is why my user's uidNumber got set to a 
gidNumber when saving any files on the cifs mount. All I did was add the 
user to the Domain Admins group with samba-tool; this should not affect 
the user's uidNumber, surely if anything it should have affected the 
user's group gidNumber.

Rowland
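Added example (editor's note, not from the thread and not Samba's own code): the idmap.ldb record Rowland quotes above maps the well-known SID S-1-5-32-544, BUILTIN\Administrators, to xidNumber 3000000 with type ID_TYPE_BOTH, so that number is valid as a uid as well as a gid, which is how files on the share can end up owned by a "user" that getent passwd does not know. The Python script below checks a share listing for exactly that symptom: it parses the LDIF that `ldbsearch -H /usr/local/samba/private/idmap.ldb '(objectClass=sidMap)'` prints, classifies each mapped SID as a well-known group (the BUILTIN aliases S-1-5-32-544 and 545, and the domain-relative RIDs 512 and up) or not, and flags every file in `ls -ln` output whose numeric owner is one of those group xids. The LDIF and the listing embedded in the script are constructed for this example (the domain SID S-1-5-21-1111111111-2222222222-3333333333 and the file names are made up); on a real server you would feed it the output of the two commands named in its comments.

```python
"""Flag files on a Samba share whose numeric owner is really a group xid.

Added example for the thread above; not Samba's code and not from the posts.
Samba's idmap.ldb hands out xidNumbers from 3000000 upwards, and a record of
type ID_TYPE_BOTH is usable both as a uid and as a gid.  BUILTIN\\Administrators
(well-known SID S-1-5-32-544) gets such a record, so a file owned by that xid
shows as a bare number in `ls -ln` and matches nothing in `getent passwd`.

Real inputs:  ldbsearch -H /usr/local/samba/private/idmap.ldb '(objectClass=sidMap)'
              ls -ln /path/to/share
The LDIF and listing embedded below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Well-known BUILTIN aliases (always groups, never users).
BUILTIN_GROUP_SIDS = {"S-1-5-32-544": "BUILTIN\\Administrators",
                      "S-1-5-32-545": "BUILTIN\\Users"}
# Domain-relative RIDs of the well-known groups.  500 and 501 are the
# Administrator and Guest *accounts*, so they are deliberately absent.
DOMAIN_GROUP_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
                     515: "Domain Computers", 516: "Domain Controllers",
                     518: "Schema Admins", 519: "Enterprise Admins"}
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")
# One `ls -ln` line: mode nlink uid gid size month day time-or-year name
LS_RE = re.compile(r"^[-dlbcps][rwxsStT-]{9}[+.@]?\s+\d+\s+(?P<uid>\d+)\s+\d+"
                   r"\s+\d+\s+\w+\s+\d+\s+[\d:]+\s+(?P<name>.+)$")

@dataclass
class SidMap:
    sid: str
    xid: int
    idtype: str   # ID_TYPE_UID, ID_TYPE_GID or ID_TYPE_BOTH

def group_label(sid):
    """Name of the well-known group `sid` denotes, or None if it is not one."""
    if sid in BUILTIN_GROUP_SIDS:
        return BUILTIN_GROUP_SIDS[sid]
    m = DOMAIN_SID_RE.match(sid)
    return DOMAIN_GROUP_RIDS.get(int(m.group(1))) if m else None

def parse_idmap_ldif(text):
    """Turn ldbsearch LDIF output for idmap.ldb into {xidNumber: SidMap}."""
    maps = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs, last = {}, None
        for line in block.splitlines():
            if line.startswith("#"):          # "# record N", "# returned N records"
                continue
            if line.startswith(" ") and last:  # LDIF folded continuation line
                attrs[last] += line[1:]
                continue
            if ":" not in line:
                continue
            key, value = line.split(":", 1)
            last = key.strip()
            attrs[last] = value.strip()
        if attrs.get("objectClass") == "sidMap":
            sm = SidMap(attrs["objectSid"], int(attrs["xidNumber"]), attrs["type"])
            maps[sm.xid] = sm
    return maps

def find_group_owned(ls_output, maps):
    """Return [(name, uid, sid, group)] for files whose owner uid is a group xid.

    A uid that idmap.ldb does not know (e.g. a uidNumber taken straight from
    AD via idmap_ldb:use rfc2307) is left alone: it cannot be a group xid.
    """
    hits = []
    for line in ls_output.splitlines():
        m = LS_RE.match(line)
        sm = maps.get(int(m["uid"])) if m else None
        if sm is None:
            continue
        label = group_label(sm.sid)
        if label is None and sm.idtype == "ID_TYPE_GID":
            label = "group (ID_TYPE_GID)"
        if label is not None:
            hits.append((m["name"], sm.xid, sm.sid, label))
    return hits

# Constructed sample data: the domain SID and file names are made up.
SAMPLE_IDMAP_LDIF = """\
# record 1
dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

# record 2
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1107
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1107
type: ID_TYPE_BOTH
xidNumber: 3000017

# returned 2 records
"""
SAMPLE_LS = """\
total 0
-rw-r--r--  1 3000032 20513 0 Apr 12 09:25 j2
-rwxrwxr-x+ 1 3000000   100 0 Apr 12 09:25 j3
-rw-r--r--  1 3000017   100 0 Apr 12 09:40 notes.txt
"""

if __name__ == "__main__":
    for name, uid, sid, label in find_group_owned(SAMPLE_LS, parse_idmap_ldif(SAMPLE_IDMAP_LDIF)):
        print(f"{name}: owner uid {uid} is {sid} ({label}), not a user")
```

In the constructed listing only j3 is reported: its owner 3000000 is the xid of S-1-5-32-544, while 3000017 resolves to an ordinary domain SID and 3000032 is unknown to idmap.ldb (a uidNumber pulled from AD). The script only detects the condition; the remedy the thread arrives at is taking the user back out of Domain Admins and chowning the affected files to the user's real uidNumber.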

