[Samba] ACL's and SSSD

Charles Gomes cgomes at clearpoolgroup.com
Thu Aug 28 08:15:58 MDT 2014


> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of steve
> Sent: Thursday, August 14, 2014 4:41 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] ACL's and SSSD
>
> On Wed, 2014-08-13 at 21:49 +0000, Charles Gomes wrote:
> > I'm trying to have shares that maintain same ACL's on NFS and SAMBA.
>
> Hi
> We can't help without:
> sssd.conf, smb.conf and /etc/exports
> If you are not allowed to post them, just change the domain and workgroup names to something neutral.
> Steve
>
>

Hi guys, sorry for the delay, I've been trying to fix this on my own but have had no success. So far I can get ACLs to show, but when I set the ACL on the Windows side it gives me:
Aug 28 10:03:04 ny4lpdatastore1 smbd[5628]: [2014/08/28 10:03:04.829321,  0] smbd/posix_acls.c:1756(create_canon_ace_lists)
Aug 28 10:03:04 ny4lpdatastore1 smbd[5628]:   create_canon_ace_lists: unable to map SID S-1-5-21-1928475432-1850496769-242525581-9257 to uid or gid.

I have Samba running with winbindd disabled, as I want Samba to use SSSD for user identification.
If I could get winbind and SSSD UIDs to match, I could use winbind for identification.
However, look at this example:
id charles
uid=1403409259(charles) gid=1403400513(domain users)

id MYGROUP\\charles
uid=1686643755(MYGROUP\charles)

The UIDs don't match; that's why I need to use SSSD, as we have been using it for more than a year already and have several thousand files with UIDs matching it.

Here is my latest config:
----------------------------- >  SMB.CONF <-------------------------------------------
[global]
        workgroup = MYGROUP
        security = ads
        realm = mygroup.corp
        #use kerberos keytab = true
        password server = dc.mygroup.corp
        log level = 9
        client signing = yes
        client use spnego = yes
        kerberos method = secrets and keytab

        #test, didn't work
        #idmap domains = MYGROUP TRUSTEDDOMAINS
        #idmap config MYGROUP:backend = nss
        #idmap config TRUSTEDDOMAINS:default = yes

        #test also didn't work
        #idmap config * : backend = hash
        #idmap config * : range = 1000-4000000000
        #winbind nss info = hash

[acl]
        comment = Clearpool Shared Files
        path    = /fusion/acl
        read only = no
        nt acl support = yes
        inherit permissions = yes
        #inherit acls = yes
        #admin users = "enterprise admins"



----------------------------- > SSSD.CONF <-------------------------------------------
[sssd]
config_file_version = 2
domains = mygroup.corp
services = nss, pam
#debug_level = 8

[nss]

[pam]

[domain/mygroup.corp]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad

# defines user/group schema type
ldap_schema = ad

# for SID-UID mapping
ldap_id_mapping = True

# caching credentials
cache_credentials = true
enumerate = false

# access controls
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

# performance
ldap_disable_referrals = true

#Fix Homedir
#override_homedir = /home/%u
#override_shell   = /bin/bash
#Set a default shell for users who don't have one set
default_shell   = /bin/bash

#Application home directory is local
fallback_homedir = /home/%u
ldap_user_home_directory = unixHomeDirectory
ldap_tls_reqcert = never

----------------------------- > /etc/krb5.conf <-------------------------------------------
[logging]
 default = FILE:/var/log/krb5libs.log

[libdefaults]
 default_realm = MYGROUP.CORP
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 rdns = false
 forwardable = yes



----------------------------- > klist -k <-------------------------------------------
klist -k 
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/ny4lpdatastore1.fusionts.corp at MYGROUP.CORP
   4 host/ny4lpdatastore1.fusionts.corp at MYGROUP.CORP
   4 host/ny4lpdatastore1.fusionts.corp at MYGROUP.CORP
   4 host/ny4lpdatastore1.fusionts.corp at MYGROUP.CORP
   4 host/ny4lpdatastore1.fusionts.corp at MYGROUP.CORP
   4 host/ny4lpdatastore1 at MYGROUP.CORP
   4 host/ny4lpdatastore1 at MYGROUP.CORP
   4 host/ny4lpdatastore1 at MYGROUP.CORP
   4 host/ny4lpdatastore1 at MYGROUP.CORP
   4 host/ny4lpdatastore1 at MYGROUP.CORP
   4 NY4LPDATASTORE1$@MYGROUP.CORP
   4 NY4LPDATASTORE1$@MYGROUP.CORP
   4 NY4LPDATASTORE1$@MYGROUP.CORP
   4 NY4LPDATASTORE1$@MYGROUP.CORP
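As an added illustration (not code from this thread or from SSSD itself): with `ldap_id_mapping = True`, SSSD derives IDs algorithmically by hashing the domain SID string with MurmurHash3 (seed 0xdeadbeef) to pick a 200000-wide slice from the default 200000..2000200000 range and then adding the object's RID. The script below reimplements that, so the UID the SID from the smbd error should map to can be computed offline and compared with the `id` output above; it assumes the sssd-ldap(5) default range settings and that this SID belongs to the same domain as `charles`.

```python
import re

# User/group SIDs of an AD domain: "S-1-5-21-<a>-<b>-<c>-<RID>".
OBJECT_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def murmurhash3_32(key: bytes, seed: int) -> int:
    """MurmurHash3 x86_32, the hash SSSD applies to the domain SID string."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF
    h1 = seed & mask
    blocks = len(key) & ~3
    for i in range(0, blocks, 4):  # full 4-byte blocks
        k1 = int.from_bytes(key[i:i + 4], "little")
        k1 = (k1 * c1) & mask
        k1 = ((k1 << 15) | (k1 >> 17)) & mask
        k1 = (k1 * c2) & mask
        h1 ^= k1
        h1 = ((h1 << 13) | (h1 >> 19)) & mask
        h1 = (h1 * 5 + 0xE6546B64) & mask
    tail = key[blocks:]  # 0..3 trailing bytes, assembled little-endian
    if tail:
        k1 = int.from_bytes(tail, "little")
        k1 = (k1 * c1) & mask
        k1 = ((k1 << 15) | (k1 >> 17)) & mask
        k1 = (k1 * c2) & mask
        h1 ^= k1
    h1 ^= len(key)
    h1 = ((h1 ^ (h1 >> 16)) * 0x85EBCA6B) & mask  # final avalanche (fmix32)
    h1 = ((h1 ^ (h1 >> 13)) * 0xC2B2AE35) & mask
    return h1 ^ (h1 >> 16)


def sssd_slice_base(domain_sid: str, min_id: int = 200000,
                    max_id: int = 2000200000, rangesize: int = 200000) -> int:
    """First ID of the slice SSSD picks for a domain (sssd-ldap(5) defaults
    assumed): hash of the domain SID, seed 0xdeadbeef, modulo slice count."""
    max_slices = (max_id - min_id) // rangesize
    slice_no = murmurhash3_32(domain_sid.encode(), 0xDEADBEEF) % max_slices
    return min_id + slice_no * rangesize


def sssd_id_for_sid(sid: str) -> int:
    """UID/GID SSSD's id-mapping assigns to a user or group SID: base + RID."""
    m = OBJECT_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain user/group SID: {sid}")
    domain_sid, rid = m.group(1), int(m.group(2))
    return sssd_slice_base(domain_sid) + rid
```

Run `sssd_id_for_sid("S-1-5-21-1928475432-1850496769-242525581-9257")` with the SID from the log line; if the result is the ID `id` reports for that RID, smbd's lookup is failing before it ever asks SSSD, not because the mapping differs.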

