[Samba] ACL's and SSSD
Rowland Penny
rowlandpenny at googlemail.com
Thu Aug 28 14:35:46 MDT 2014
On 28/08/14 20:39, Charles Gomes wrote:
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
> Sent: Thursday, August 28, 2014 10:29 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] ACL's and SSSD
>
> On 28/08/14 15:15, Charles Gomes wrote:
>>> -----Original Message-----
>>> From: samba-bounces at lists.samba.org
>>> [mailto:samba-bounces at lists.samba.org] On Behalf Of steve
>>> Sent: Thursday, August 14, 2014 4:41 AM
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] ACL's and SSSD
>>>
>>> On Wed, 2014-08-13 at 21:49 +0000, Charles Gomes wrote:
>>>> I'm trying to have shares that maintain same ACL's on NFS and SAMBA.
>>> Hi
>>> We can't help without:
>>> sssd.conf, smb.conf and /etc/exports
>>> If you are not allowed to post them, just change the domain and workgroup names to something neutral.
>>> Steve
>>>
>>>
>>
>> Hi guys, sorry for the delay, I've been trying to fix this by my own but have no success. So far I can get ACL's to show but when I set the ACL on the windows side it gives me:
>> Aug 28 10:03:04 ny4lpdatastore1 smbd[5628]: [2014/08/28 10:03:04.829321, 0] smbd/posix_acls.c:1756(create_canon_ace_lists)
>> Aug 28 10:03:04 ny4lpdatastore1 smbd[5628]: create_canon_ace_lists: unable to map SID S-1-5-21-1928475432-1850496769-242525581-9257 to uid or gid.
>>
>> I've SAMBA running with Winbindd disabled as I want Samba to use SSSD for user identification.
>> If I could have winbind and SSSD UID's to match I could use winbind for identification.
>> However look at this example:
>> id charles
>> uid=1403409259(charles) gid=1403400513(domain users)
>>
>> id MYGROUP\\charles
>> uid=1686643755(MYGROUP\charles)
>>
>> The UID's don't match, that's why I need to use SSSD as we have been using it already for more than one year and have several thousand files with UID's matching it already.
>>
>> Here is my latest config:
>> ----------------------------- > SMB.CONF
>> <-------------------------------------------
>> [global]
>> workgroup = MYGROUP
>> security = ads
>> realm = mygroup.corp
>> #use kerberos keytab = true
>> password server = dc.mygroup.corp
>> log level = 9
>> client signing = yes
>> client use spnego = yes
>> kerberos method = secrets and keytab
>>
>> #test, didn't work
>> #idmap domains = MYGROUP TRUSTEDDOMAINS
>> #idmap config MYGROUP:backend = nss
>> #idmap config TRUSTEDDOMAINS:default = yes
> Bit lost here, how many domains have you got? also, where did you find 'idmap domains' ? I don't recognise it and cannot find it in 'man smb.conf'
>
> Rowland
>> #test also didn't work
>> #idmap config * : backend = hash
>> #idmap config * : range = 1000-4000000000
>> #winbind nss info = hash
>>
>> [acl]
>> comment = Clearpool Shared Files
>> path = /fusion/acl
>> read only = no
>> nt acl support = yes
>> inherit permissions = yes
>> #inherit acls = yes
>> #admin users = "enterprise admins"
>>
>>
>>
>> ----------------------------- > SSD.CONF
>> <-------------------------------------------
>> [sssd]
>> config_file_version = 2
>> domains = mygroup.corp
>> services = nss, pam
>> #debug_level = 8
>>
>> [nss]
>>
>> [pam]
>>
>> [domain/mygroup.corp]
>> id_provider = ad
>> auth_provider = ad
>> chpass_provider = ad
>> access_provider = ad
>>
>> # defines user/group schema type
>> ldap_schema = ad
>>
>> # for SID-UID mapping
>> ldap_id_mapping = True
>>
>> # caching credentials
>> cache_credentials = true
>> enumerate = false
>>
>> # access controls
>> ldap_access_order = expire
>> ldap_account_expire_policy = ad
>> ldap_force_upper_case_realm = true
>>
>> # performance
>> ldap_disable_referrals = true
>>
>> #Fix Homedir
>> #override_homedir = /home/%u
>> #override_shell = /bin/bash
>> #Set a default shell for users who don't have one set
>> default_shell = /bin/bash
>>
>> #Application home directory is local
>> fallback_homedir = /home/%u
>> ldap_user_home_directory = unixHomeDirectory ldap_tls_reqcert = never
>>
>> ----------------------------- > /etc/krb5.conf
>> <-------------------------------------------
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>>
>> [libdefaults]
>> default_realm = MYGROUP.CORP
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>> ticket_lifetime = 24h
>> renew_lifetime = 7d
>> rdns = false
>> forwardable = yes
>>
>>
>>
>> ----------------------------- > klist -k
>> <-------------------------------------------
>> klist -k
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>> 4 host/ny4lpdatastore1.fusionts.corp at MYGROUP.CORP
>> 4 host/ny4lpdatastore1.fusionts.corp at MYGROUP.CORP
>> 4 host/ny4lpdatastore1.fusionts.corp at MYGROUP.CORP
>> 4 host/ny4lpdatastore1.fusionts.corp at MYGROUP.CORP
>> 4 host/ny4lpdatastore1.fusionts.corp at MYGROUP.CORP
>> 4 host/ny4lpdatastore1 at MYGROUP.CORP
>> 4 host/ny4lpdatastore1 at MYGROUP.CORP
>> 4 host/ny4lpdatastore1 at MYGROUP.CORP
>> 4 host/ny4lpdatastore1 at MYGROUP.CORP
>> 4 host/ny4lpdatastore1 at MYGROUP.CORP
>> 4 NY4LPDATASTORE1$@MYGROUP.CORP
>> 4 NY4LPDATASTORE1$@MYGROUP.CORP
>> 4 NY4LPDATASTORE1$@MYGROUP.CORP
>> 4 NY4LPDATASTORE1$@MYGROUP.CORP
> --
>
>
> Rowland, those lines were commented. It was on the man page: http://www.nbi.dk/cgi-bin/man2html?8+idmap_nss
>
OK, I think that you need to add unix attributes to your users & groups
in AD. If you want them to be the same as what you have now, obtain them
from wherever you are sure they are correct. You now need to set
smb.conf to use the 'ad' backend' , this will ensure that you will get
the same ID numbers everywhere.
Rowland
More information about the samba
mailing list