[Samba] ACL's and SSSD

Charles Gomes cgomes at clearpoolgroup.com
Thu Aug 28 13:39:50 MDT 2014


-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
Sent: Thursday, August 28, 2014 10:29 AM
To: samba at lists.samba.org
Subject: Re: [Samba] ACL's and SSSD

On 28/08/14 15:15, Charles Gomes wrote:
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org 
>> [mailto:samba-bounces at lists.samba.org] On Behalf Of steve
>> Sent: Thursday, August 14, 2014 4:41 AM
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] ACL's and SSSD
>>
>> On Wed, 2014-08-13 at 21:49 +0000, Charles Gomes wrote:
>>> I'm trying to have shares that maintain same ACL's on NFS and SAMBA.
>> Hi
>> We can't help without:
>> sssd.conf, smb.conf and /etc/exports
>> If you are not allowed to post them, just change the domain and workgroup names to something neutral.
>> Steve
>>
>>
>
>
> Hi guys, sorry for the delay, I've been trying to fix this on my own but have had no success. So far I can get ACL's to show, but when I set the ACL on the Windows side it gives me:
> Aug 28 10:03:04 ny4lpdatastore1 smbd[5628]: [2014/08/28 10:03:04.829321,  0] smbd/posix_acls.c:1756(create_canon_ace_lists)
> Aug 28 10:03:04 ny4lpdatastore1 smbd[5628]:   create_canon_ace_lists: unable to map SID S-1-5-21-1928475432-1850496769-242525581-9257 to uid or gid.
>
> I've SAMBA running with Winbindd disabled as I want Samba to use SSSD for user identification.
> If I could have winbind and SSSD UID's to match I could use winbind for identification.
> However look at this example:
> id charles
> uid=1403409259(charles) gid=1403400513(domain users)
>
> id MYGROUP\\charles
> uid=1686643755(MYGROUP\charles)
>
> The UID's don't match; that's why I need to use SSSD, as we have been using it already for more than one year and have several thousand files with UID's matching it already.
>
> Here is my latest config:
> ----------------------------- > SMB.CONF <-------------------------------------------
> [global]
>      workgroup = MYGROUP
>          security = ads
>          realm = mygroup.corp
>          #use kerberos keytab = true
>          password server = dc.mygroup.corp
>          log level = 9
>          client signing = yes
>          client use spnego = yes
>          kerberos method = secrets and keytab
>
>          #test, didn't work
>          #idmap domains = MYGROUP TRUSTEDDOMAINS
>          #idmap config MYGROUP:backend = nss
>          #idmap config TRUSTEDDOMAINS:default = yes
A bit lost here: how many domains have you got? Also, where did you find 'idmap domains'? I don't recognise it and cannot find it in 'man smb.conf'.

Rowland
>
>          #test also didn't work
>          #idmap config * : backend = hash
>          #idmap config * : range = 1000-4000000000
>          #winbind nss info = hash
>
> [acl]
>          comment = Clearpool Shared Files
>          path    = /fusion/acl
>          read only = no
>          nt acl support = yes
>          inherit permissions = yes
>          #inherit acls = yes
>          #admin users = "enterprise admins"
>
>
>
> ----------------------------- > SSSD.CONF <-------------------------------------------
> [sssd]
> config_file_version = 2
> domains = mygroup.corp
> services = nss, pam
> #debug_level = 8
>
> [nss]
>
> [pam]
>
> [domain/mygroup.corp]
> id_provider = ad
> auth_provider = ad
> chpass_provider = ad
> access_provider = ad
>
> # defines user/group schema type
> ldap_schema = ad
>
> # for SID-UID mapping
> ldap_id_mapping = True
>
> # caching credentials
> cache_credentials = true
> enumerate = false
>
> # access controls
> ldap_access_order = expire
> ldap_account_expire_policy = ad
> ldap_force_upper_case_realm = true
>
> # performance
> ldap_disable_referrals = true
>
> #Fix Homedir
> #override_homedir = /home/%u
> #override_shell   = /bin/bash
> #Set a default shell for users who don't have one set
> default_shell   = /bin/bash
>
> #Application home directory is local
> fallback_homedir = /home/%u
> ldap_user_home_directory = unixHomeDirectory
> ldap_tls_reqcert = never
>
> ----------------------------- > /etc/krb5.conf <-------------------------------------------
> [logging]
>   default = FILE:/var/log/krb5libs.log
>
> [libdefaults]
>   default_realm = MYGROUP.CORP
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>   ticket_lifetime = 24h
>   renew_lifetime = 7d
>   rdns = false
>   forwardable = yes
>
>
>
> ----------------------------- > klist -k <-------------------------------------------
> klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>     4 host/ny4lpdatastore1.fusionts.corp at MYGROUP.CORP
>     4 host/ny4lpdatastore1.fusionts.corp at MYGROUP.CORP
>     4 host/ny4lpdatastore1.fusionts.corp at MYGROUP.CORP
>     4 host/ny4lpdatastore1.fusionts.corp at MYGROUP.CORP
>     4 host/ny4lpdatastore1.fusionts.corp at MYGROUP.CORP
>     4 host/ny4lpdatastore1 at MYGROUP.CORP
>     4 host/ny4lpdatastore1 at MYGROUP.CORP
>     4 host/ny4lpdatastore1 at MYGROUP.CORP
>     4 host/ny4lpdatastore1 at MYGROUP.CORP
>     4 host/ny4lpdatastore1 at MYGROUP.CORP
>     4 NY4LPDATASTORE1$@MYGROUP.CORP
>     4 NY4LPDATASTORE1$@MYGROUP.CORP
>     4 NY4LPDATASTORE1$@MYGROUP.CORP
>     4 NY4LPDATASTORE1$@MYGROUP.CORP

--


Rowland, those lines were commented. It was on the man page: http://www.nbi.dk/cgi-bin/man2html?8+idmap_nss
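The thread's core problem is that smbd, running without winbindd, has no way to turn the SID in the error into the UID/GID that SSSD already assigned on the NFS side, and that winbind's own allocation (the second `id` output) does not agree with SSSD's. The script below is an added example (my code, not from this thread, Samba or SSSD) that reproduces SSSD's algorithmic mapping for `ldap_id_mapping = True` as I understand it: the domain SID string is hashed with MurmurHash3 (x86 32-bit, seed 0xdeadbeef) to choose a 200000-ID slice inside the default range 200000-2000200000, and the RID is added to the slice base. The range constants, the seed and the absence of collision handling are assumptions to check against your sssd.conf and SSSD version; the domain SID and the `id charles` numbers are taken from the posts above, and the `idmap_rid`-style comparison uses a made-up range base.

```python
"""Reproduce SSSD-style SID -> UID/GID mapping and compare it with a
winbind idmap_rid-style mapping.  Added example; constants are assumed
SSSD defaults (ldap_idmap_range_min/max/size), not read from the page."""

RANGE_MIN = 200000          # assumed ldap_idmap_range_min default
RANGE_MAX = 2000200000      # assumed ldap_idmap_range_max default
RANGE_SIZE = 200000         # assumed ldap_idmap_range_size default
SEED = 0xDEADBEEF           # seed I understand SSSD to use for the domain-SID hash
MASK = 0xFFFFFFFF

# Domain SID from the smbd error in the thread; RID 9257 is the unmapped object.
DOMAIN_SID = "S-1-5-21-1928475432-1850496769-242525581"


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK


def murmurhash3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3_x86_32 (Austin Appleby's public-domain reference algorithm)."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h1 = seed & MASK
    nblocks = len(data) // 4
    for i in range(nblocks):                       # 4-byte little-endian blocks
        k1 = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k1 = (k1 * c1) & MASK
        k1 = _rotl32(k1, 15)
        k1 = (k1 * c2) & MASK
        h1 ^= k1
        h1 = _rotl32(h1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & MASK
    tail = data[nblocks * 4:]                      # 0..3 trailing bytes
    k1 = 0
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        k1 = (k1 * c1) & MASK
        k1 = _rotl32(k1, 15)
        k1 = (k1 * c2) & MASK
        h1 ^= k1
    h1 ^= len(data)                                # finalisation mix
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & MASK
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & MASK
    h1 ^= h1 >> 16
    return h1


def split_sid(sid: str):
    """'S-1-5-21-a-b-c-RID' -> ('S-1-5-21-a-b-c', RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def sssd_slice_base(domain_sid: str) -> int:
    """First ID of the slice SSSD picks for a domain (no collision fallback here)."""
    slices = (RANGE_MAX - RANGE_MIN) // RANGE_SIZE
    idx = murmurhash3_32(domain_sid.encode("ascii"), SEED) % slices
    return RANGE_MIN + idx * RANGE_SIZE


def sssd_id_for_sid(sid: str) -> int:
    """UID or GID SSSD's algorithmic mapping would assign to this SID."""
    domain, rid = split_sid(sid)
    return sssd_slice_base(domain) + rid


def slice_base_of_id(posix_id: int) -> int:
    """Recover the slice base from an ID SSSD already handed out (e.g. from `id`)."""
    return RANGE_MIN + ((posix_id - RANGE_MIN) // RANGE_SIZE) * RANGE_SIZE


def rid_of_id(posix_id: int) -> int:
    """Recover the RID from an SSSD-assigned ID."""
    return posix_id - slice_base_of_id(posix_id)


def winbind_rid_id_for_sid(sid: str, range_low: int = 10000) -> int:
    """What Samba's idmap_rid backend would give the same SID: range_low + RID.
    range_low is a made-up value standing in for 'idmap config DOM:range'."""
    _, rid = split_sid(sid)
    return range_low + rid


if __name__ == "__main__":
    # Numbers from the 'id charles' output in the thread (uid / gid).
    for posix_id in (1403409259, 1403400513):
        print(posix_id, "-> slice base", slice_base_of_id(posix_id), "RID", rid_of_id(posix_id))
    unmapped = DOMAIN_SID + "-9257"
    print("SSSD would map", unmapped, "to", sssd_id_for_sid(unmapped))
    print("idmap_rid would map it to", winbind_rid_id_for_sid(unmapped))
```

Run with no arguments: the two IDs from `id charles` resolve to the same slice base with RIDs 9259 and 513, which is the signature of SSSD's hashed-slice scheme, while the `idmap_rid` line shows why a winbind backend that is not configured to reproduce that scheme hands out different numbers. Whatever mapping the file server ends up with, the practical check is that the UID/GID smbd applies for a SID equals the one NFS clients see, otherwise the POSIX ACLs protecting the share are enforced against the wrong identities.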


