[Samba] My samba can't see its own groups! (4.0.9 as solo AD DC)
Rowland Penny
rowlandpenny at googlemail.com
Sat Nov 9 01:41:27 MST 2013
On 09/11/13 01:16, Trent W. Buck wrote:
> My samba thinks its own groups don't exist.
>
>
> Background: I had a samba3 server operating as a NAS with some desktops
> joined to the domain. I'm migrating it to samba 4.0.9 as an AD domain.
Some desktops? Linux?
>
> Users can log in and browse their home share -- but the other shares
> aren't working. They're per-project shares set up to allow that
> project's group access, and to forcibly make all files uploaded
> accessible to that group:
>
> [fnord]
> comment = Project Fnord
> path = /srv/share/fnord
> create mask = 0664
> force create mode = 0664
> directory mask = 0775
> force directory mode = 0775
> read only = no
> force group = fnord
> valid users = @fnord
>
> With those settings, and "cyber" in the fnord group,
>
> $ smbclient -U cyber //gumbo/fnord
> tree connect failed: NT_STATUS_ACCESS_DENIED
>
> If I comment out the last two lines, it works.
>
> If I comment out the last line, I get
>
> tree connect failed: NT_STATUS_NO_SUCH_GROUP
>
> If I comment out the "force group" line, and change the last line to
> "valid users = cyber", it also works.
>
> I'm using nss_winbind to make users and groups visible to gumbo's
> unix-land, but it seems that samba-talking-to-unix-talking-to-samba
> doesn't see the groups, though unix-talking-to-samba does.
>
> # getent group fnord
> PI\fnord:*:3000021:
>
> # getent passwd cyber
> PI\cyber:*:3000177:100:Cybersource tech:/home/PI/cyber:/bin/false
>
> # id cyber
> uid=3000177(PI\cyber) gid=100(users) groups=100(users),3000008(PI\Domain Admins),3000021(PI\fnord),[...]
>
>
> What should I do about this?
>
> Should I be using those fancy NT recursive ACLs instead of doing this
> in the share config?
>
> Are those options simply not supported under samba4?
>
> Plan B, which I really hate, is to simply remove "valid users" and
> "force group" and write an hourly cron job that will run chgrp -R and
> chmod -R across each project share.
>
If your clients are Linux running samba3, I think that you are running
into the 'samba3 winbind != samba4 winbind' problem; you need to use
RFC2307 attributes to get your users to have the same uid & gid on the
server as on the client.
Rowland
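A check worth running on the DC before touching idmap, added here as an example and not taken from the thread or from Samba itself: does NSS resolve every group that the share definitions reference, under either the bare name or the DOMAIN\group form that getent printed above? It assumes the domain is PI, the winbind separator is a backslash, and a constructed smb.conf fragment stands in for the real file.

```python
import grp
import re

# Constructed smb.conf fragment mirroring the share definition in the thread.
SAMPLE_SMB_CONF = """\
[fnord]
    path = /srv/share/fnord
    force group = fnord
    valid users = @fnord, cyber
"""
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
PARAM_RE = re.compile(r"^\s*([^=;#]+?)\s*=\s*(.*?)\s*$")

def referenced_groups(conf_text):
    """Groups named per share by 'force group' or @/+ entries of 'valid users'."""
    shares, section = {}, None
    for line in conf_text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1).strip().lower()
            continue
        param = PARAM_RE.match(line)
        if not param or section in (None, "global"):
            continue
        key, value = param.group(1).lower(), param.group(2)
        groups = shares.setdefault(section, set())
        if key == "force group":
            groups.add(value.lstrip("+"))       # '+group' form is allowed here
        elif key == "valid users":
            for entry in re.split(r"[,\s]+", value):
                if entry and entry[0] in "@+":  # '@group' / '+group' entries
                    groups.add(entry[1:])
    return shares

def nss_has_group(name):
    """True if NSS on this host (e.g. via nss_winbind) resolves the group."""
    try:
        grp.getgrnam(name)
        return True
    except KeyError:
        return False

def check_share_groups(conf_text, domain, sep="\\", lookup=nss_has_group):
    """Per-share groups that resolve under neither bare nor DOMAIN<sep> form."""
    missing = {}
    for share, groups in referenced_groups(conf_text).items():
        bad = sorted(g for g in groups if not (lookup(g) or lookup(domain + sep + g)))
        if bad:
            missing[share] = bad
    return missing
```

Run against the real file with `check_share_groups(open('/etc/samba/smb.conf').read(), 'PI')`. An empty result alongside NT_STATUS_NO_SUCH_GROUP from smbd narrows the fault to smbd's own group lookup rather than the NSS path, which is the split the original post describes.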