[Samba] samba4 ad domain member server -- don't desire sid <-> uid mapping

Ben Cohen ncohen at ucsd.edu
Thu Feb 13 14:27:02 MST 2014

I've got a very simple need -- want to make a samba4 server a member of an active directory domain and use it as a file-server only.  All shares on the file server are explicitly designed with a 'uniform access model' -- e.g. the users in privileged groups can do anything to all files in the share and (despite their best attempts) they can't accidentally edit permissions on files such that others within the same security group lose the ability to view/edit files in the share.  This is by far the simplest way we've found to set up fileservers for heterogeneous environments -- where you tend to have things like Finder on OS X doing permission modification operations after directory creation -- and a whole space of other insanities that make it impossible for even sophisticated users to understand the behavior as file operations get translated through multiple incompatible permission models in really complicated ways.

We used to host an NT style domain for this purpose under samba3 -- we used settings like this to enforce the access model for each share:

	; section header not preserved in the archive; [HR] is assumed from the comment line
	[HR]
	comment = HR share
	path = /space/SambaShares/HR
	read only = no
	valid users = +HR
	write list = +HR
	create mask = 0664
	security mask = 0664
	force create mode = 0664
	force security mode = 0664
	directory mask = 02775
	directory security mask = 02775
	force directory mode = 02775
	force directory security mode = 02775
	force user = HR-user
	force group = HR
	browseable = Yes

With the above model, each user in group 'HR' could connect to the share from any odd client, do anything to the files there, and all permission modifications from the client were ignored.  With the above every file in the share is guaranteed to be editable by all other users regardless of how they connect to the share and regardless of what crazy things they or their applications might try to do to the file permissions.

That's worked well for us -- but now we need to deprecate the NT4 domain and move all the 'authentication' responsibilities into our enterprise AD.  We explicitly do NOT want to modify pam or /etc/nsswitch.conf as we want to keep the linux environment on the samba host separate and immune from the AD stack -- if AD is down or off, it's acceptable that samba might stop working, but it would NOT be ok for such a downtime/failure to cause problems on the server itself (from the getent APIs hanging unexpectedly for example, or any of the other bad things that can result when the behavior of the password database APIs has a sudden behavior change).

There is a page on the samba wiki which suggests that what I desire to do is possible -- https://wiki.samba.org/index.php/Adding_users_with_samba_tool -- it says specifically 'samba 4 does not require a local Unix user for each Samba user that is created'.  That's the holy grail for me, exactly what I want ...

Can anyone point me in the right direction to set things up that way?  I want to 

1. setup a samba4 server that is joined to an active directory domain
2. use the active directory domain to authenticate access to a fileshare
3. NOT require a unix user account for each samba user ...

I'm more than a little confused about how to achieve this from the documentation that's 'out there' on the web ...  It seems like I'm well into the 'simple case' so it ought not to be that hard ...?

So far I've succeeded in joining a samba4 instance to an active directory domain as a member server (had to use `net ads join` as samba-tool's join function didn't work ...)

- I found out the security mask and directory security mask options were removed from samba4 ... why?  How can we enforce that permission changes from clients will not be honored without this?
- after joining the domain and starting winbindd, wbinfo will correctly show the active directory users and groups

samba config looks like this:

	[global]
	workgroup = AD
	security = ADS
	server role = member server
	netbios name = TEST-SERVER
	log level = 5

	; section header not preserved in the archive; [netlogon] is assumed from the path
	[netlogon]
	path = /usr/local/samba/var/locks/sysvol/somts-test.ucsd.edu/scripts
	read only = No

	; section header not preserved in the archive; [sysvol] is assumed from the path
	[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No

	; section header not preserved in the archive; [testshare] is assumed from the path
	[testshare]
	comment = test share
	path = /space/testshare
	read only = no
	valid users = +AD\samba-testshare-group
	write list = +AD\samba-testshare-group
	create mask = 0664
	force create mode = 0664
	directory mask = 02775
	force directory mode = 02775
	force group = samba-testshare-group
	browseable = yes

I haven't been able to mount a share as any user who is a member of the AD\samba-testshare-group yet ...  Can anybody out there interpret what I'm trying to do and give me pointers ..?

Huge thanks,
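Added example, not part of the original post: a small Python audit that walks a share root and reports every file or directory that has drifted from the 0664 / 02775 / single-group model described above, which is the drift that the removed security mask options used to prevent on the server side. The share tree it builds is constructed in a temporary directory purely for demonstration.

```python
import os
import stat
import tempfile

# Expected modes mirror the share settings in the post:
# files 0664, directories 02775 (setgid keeps the group sticky).
FILE_MODE = 0o664
DIR_MODE = 0o2775


def audit_share(root, gid, file_mode=FILE_MODE, dir_mode=DIR_MODE):
    """Walk a share and return (relative path, reason) for every entry
    whose mode or group no longer matches the uniform access model."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        entries = [(dirpath, dir_mode)]
        entries += [(os.path.join(dirpath, f), file_mode) for f in files]
        for path, want in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            rel = os.path.relpath(path, root)
            have = stat.S_IMODE(st.st_mode)  # includes the setgid bit
            if have != want:
                findings.append((rel, "mode %04o, expected %04o" % (have, want)))
            if st.st_gid != gid:
                findings.append((rel, "gid %d, expected %d" % (st.st_gid, gid)))
    return findings


def demo():
    """Constructed sample share (assumption, not a real path): one
    compliant file, one file a client chmod'ed to 0600, and one
    directory that lost its setgid bit. Returns the sorted findings."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, DIR_MODE)
        gid = os.lstat(root).st_gid  # stands in for the share's forced group
        sub = os.path.join(root, "reports")
        os.mkdir(sub)
        os.chmod(sub, 0o775)  # setgid bit missing
        for name, mode in (("ok.txt", FILE_MODE), ("private.txt", 0o600)):
            p = os.path.join(sub, name)
            with open(p, "w") as fh:
                fh.write("sample\n")
            os.chmod(p, mode)
        return sorted(audit_share(root, gid))


if __name__ == "__main__":
    for rel, reason in demo():
        print(rel, "->", reason)
```

Run it periodically (or from a cron job) against each share's path to detect permission drift that the server can no longer block by itself.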
