[Samba] ACL's and SSSD

Charles Gomes cgomes at clearpoolgroup.com
Tue Sep 2 12:45:39 MDT 2014


> -----Original Message-----
> From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
> Sent: Thursday, August 28, 2014 4:36 PM
> To: Charles Gomes; samba at lists.samba.org
> Subject: Re: [Samba] ACL's and SSSD
> 
> On 28/08/14 20:39, Charles Gomes wrote:
> > -----Original Message-----
> > From: samba-bounces at lists.samba.org
> > [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
> > Sent: Thursday, August 28, 2014 10:29 AM
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] ACL's and SSSD
> >
> > On 28/08/14 15:15, Charles Gomes wrote:
> >>> -----Original Message-----
> >>> From: samba-bounces at lists.samba.org
> >>> [mailto:samba-bounces at lists.samba.org] On Behalf Of steve
> >>> Sent: Thursday, August 14, 2014 4:41 AM
> >>> To: samba at lists.samba.org
> >>> Subject: Re: [Samba] ACL's and SSSD
> >>>
> >>> On Wed, 2014-08-13 at 21:49 +0000, Charles Gomes wrote:
> >>>> I'm trying to have shares that maintain same ACL's on NFS and SAMBA.
> >>> Hi
> >>> We can't help without:
> >>> sssd.conf, smb.conf and /etc/exports If you are not allowed to post
> >>> them, just change the domain and workgroup names to something
> neutral.
> >>> Steve
> >>>
> >>>
> >>
> >> Hi guys, sorry for the delay, I've been trying to fix this on my own but have
> had no success. So far I can get ACL's to show, but when I set the ACL on the
> Windows side it gives me:
> >> Aug 28 10:03:04 ny4lpdatastore1 smbd[5628]: [2014/08/28
> 10:03:04.829321,  0] smbd/posix_acls.c:1756(create_canon_ace_lists)
> >> Aug 28 10:03:04 ny4lpdatastore1 smbd[5628]:   create_canon_ace_lists:
> unable to map SID S-1-5-21-1928475432-1850496769-242525581-9257 to uid or
> gid.
> >>
> >> I've SAMBA running with Winbindd disabled as I want Samba to use SSSD
> for user identification.
> >> If I could have winbind and SSSD UID's to match I could use winbind for
> identification.
> >> However look at this example:
> >> id charles
> >> uid=1403409259(charles) gid=1403400513(domain users)
> >>
> >> id MYGROUP\\charles
> >> uid=1686643755(MYGROUP\charles)
> >>
> >> The UID's don't match, that's why I need to use SSSD as we have been
> using it already for more than one year and have several thousand files with
> UID's matching it already.
> >>
> >> Here is my latest config:
> >> ----------------------------- >  SMB.CONF
> >> <-------------------------------------------
> >> [global]
> >>       workgroup = MYGROUP
> >>           security = ads
> >>           realm = mygroup.corp
> >>           #use kerberos keytab = true
> >>           password server = dc.mygroup.corp
> >>           log level = 9
> >>           client signing = yes
> >>           client use spnego = yes
> >>           kerberos method = secrets and keytab
> >>
> >>           #test, didn't work
> >>           #idmap domains = MYGROUP TRUSTEDDOMAINS
> >>           #idmap config MYGROUP:backend = nss
> >>           #idmap config TRUSTEDDOMAINS:default = yes
> > Bit lost here, how many domains have you got? also, where did you find
> 'idmap domains' ? I don't recognise it and cannot find it in 'man smb.conf'
> >
> > Rowland
> >>           #test also didn't work
> >>           #idmap config * : backend = hash
> >>           #idmap config * : range = 1000-4000000000
> >>           #winbind nss info = hash
> >>
> >> [acl]
> >>           comment = Clearpool Shared Files
> >>           path    = /fusion/acl
> >>           read only = no
> >>           nt acl support = yes
> >>           inherit permissions = yes
> >>           #inherit acls = yes
> >>           #admin users = "enterprise admins"
> >>
> >>
> >>
> >>    ----------------------------- > SSD.CONF
> >> <-------------------------------------------
> >> [sssd]
> >> config_file_version = 2
> >> domains = mygroup.corp
> >> services = nss, pam
> >> #debug_level = 8
> >>
> >> [nss]
> >>
> >> [pam]
> >>
> >> [domain/mygroup.corp]
> >> id_provider = ad
> >> auth_provider = ad
> >> chpass_provider = ad
> >> access_provider = ad
> >>
> >> # defines user/group schema type
> >> ldap_schema = ad
> >>
> >> # for SID-UID mapping
> >> ldap_id_mapping = True
> >>
> >> # caching credentials
> >> cache_credentials = true
> >> enumerate = false
> >>
> >> # access controls
> >> ldap_access_order = expire
> >> ldap_account_expire_policy = ad
> >> ldap_force_upper_case_realm = true
> >>
> >> # performance
> >> ldap_disable_referrals = true
> >>
> >> #Fix Homedir
> >> #override_homedir = /home/%u
> >> #override_shell   = /bin/bash
> >> #Set a default shell for users who don't have one set
> >> default_shell   = /bin/bash
> >>
> >> #Application home directory is local
> >> fallback_homedir = /home/%u
> >> ldap_user_home_directory = unixHomeDirectory
> >> ldap_tls_reqcert = never
> >>
> >> ----------------------------- > /etc/krb5.conf
> >> <-------------------------------------------
> >> [logging]
> >>    default = FILE:/var/log/krb5libs.log
> >>
> >> [libdefaults]
> >>    default_realm = MYGROUP.CORP
> >>    dns_lookup_realm = true
> >>    dns_lookup_kdc = true
> >>    ticket_lifetime = 24h
> >>    renew_lifetime = 7d
> >>    rdns = false
> >>    forwardable = yes
> >>
> >>
> >>
> >> ----------------------------- > klist -k
> >> <-------------------------------------------
> >> klist -k
> >> Keytab name: FILE:/etc/krb5.keytab
> >> KVNO Principal
> >> ---- --------------------------------------------------------------------------
> >>      4 host/ny4lpdatastore1.fusionts.corp at MYGROUP.CORP
> >>      4 host/ny4lpdatastore1.fusionts.corp at MYGROUP.CORP
> >>      4 host/ny4lpdatastore1.fusionts.corp at MYGROUP.CORP
> >>      4 host/ny4lpdatastore1.fusionts.corp at MYGROUP.CORP
> >>      4 host/ny4lpdatastore1.fusionts.corp at MYGROUP.CORP
> >>      4 host/ny4lpdatastore1 at MYGROUP.CORP
> >>      4 host/ny4lpdatastore1 at MYGROUP.CORP
> >>      4 host/ny4lpdatastore1 at MYGROUP.CORP
> >>      4 host/ny4lpdatastore1 at MYGROUP.CORP
> >>      4 host/ny4lpdatastore1 at MYGROUP.CORP
> >>      4 NY4LPDATASTORE1$@MYGROUP.CORP
> >>      4 NY4LPDATASTORE1$@MYGROUP.CORP
> >>      4 NY4LPDATASTORE1$@MYGROUP.CORP
> >>      4 NY4LPDATASTORE1$@MYGROUP.CORP
> > --
> >
> >
> > Rowland, those lines were commented. It was on the man page:
> > http://www.nbi.dk/cgi-bin/man2html?8+idmap_nss
> >
> OK, I think that you need to add unix attributes to your users & groups in AD.
> If you want them to be the same as what you have now, obtain them from
> wherever you are sure they are correct. You now need to set smb.conf to
> use the 'ad' backend, this will ensure that you will get the same ID numbers
> everywhere.
> 
> Rowland


Rowland, could I force Samba to use the UIDs provided by SSSD? I'm already able to identify the users on the system.
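An added triage helper, not code from the thread or from Samba or SSSD: the `id` output above shows SSSD gave Domain Users (RID 513) gid 1403400513, so with SSSD's default ldap_id_mapping ranges (assumed unchanged in the sssd.conf shown) every RID of that domain lands at 1403400000 + RID. The script recovers that slice from the `id` output and reports which id SSSD already uses for the SID that smbd, running without winbind, could not map; the range constants and function names are assumptions, and the sample log line and `id` output are constructed from the message above.

```python
import re

# Sample input constructed from this thread's own smbd log line and `id` output
# (host name, PID, SID and numeric ids are the ones quoted in the message above).
SMBD_LOG = (
    "Aug 28 10:03:04 ny4lpdatastore1 smbd[5628]:   create_canon_ace_lists: "
    "unable to map SID S-1-5-21-1928475432-1850496769-242525581-9257 to uid or gid."
)
ID_OUTPUT = "uid=1403409259(charles) gid=1403400513(domain users)"

# SSSD ldap_id_mapping defaults (assumption: not overridden in sssd.conf).
SSSD_RANGE_MIN = 200000
SSSD_RANGE_SIZE = 200000
DOMAIN_USERS_RID = 513  # well-known RID of "Domain Users"
SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}-\d+")

def split_sid(sid):
    """Split an S-1-5-21-... SID into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def unmapped_sids(log_text):
    """SIDs that smbd's create_canon_ace_lists could not turn into a uid or gid."""
    return re.findall(r"unable to map SID (%s)" % SID_RE.pattern, log_text)

def sssd_slice_base(id_output):
    """Recover the domain's SSSD id slice from the gid SSSD gave Domain Users."""
    gid = int(re.search(r"gid=(\d+)\(domain users\)", id_output).group(1))
    base = gid - DOMAIN_USERS_RID
    # SSSD gives each domain one slice of SSSD_RANGE_SIZE ids that starts at
    # SSSD_RANGE_MIN + k * SSSD_RANGE_SIZE; anything else means a custom range.
    if (base - SSSD_RANGE_MIN) % SSSD_RANGE_SIZE:
        raise ValueError("gid %d is not in a default SSSD slice" % gid)
    return base

def expected_sssd_id(sid, id_output):
    """Id SSSD assigns to `sid`, or None if the RID spills past the primary slice."""
    _, rid = split_sid(sid)
    if rid >= SSSD_RANGE_SIZE:
        return None
    return sssd_slice_base(id_output) + rid

def triage(log_text, id_output):
    """Map every unmapped SID in the smbd log to the id SSSD already knows it by."""
    return {sid: expected_sssd_id(sid, id_output) for sid in unmapped_sids(log_text)}

if __name__ == "__main__":
    for sid, uid in triage(SMBD_LOG, ID_OUTPUT).items():
        print("%s -> SSSD id %s (smbd without winbind cannot resolve it)" % (sid, uid))
```

Running the same computation on RID 9259 reproduces the uid 1403409259 that `id charles` printed, which confirms the slice recovered from the Domain Users gid.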

