[Samba] ACL's and SSSD

Rowland Penny rowlandpenny at googlemail.com
Tue Sep 2 13:32:56 MDT 2014


On 02/09/14 19:45, Charles Gomes wrote:
>> -----Original Message-----
>> From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
>> Sent: Thursday, August 28, 2014 4:36 PM
>> To: Charles Gomes; samba at lists.samba.org
>> Subject: Re: [Samba] ACL's and SSSD
>>
>> On 28/08/14 20:39, Charles Gomes wrote:
>>> -----Original Message-----
>>> From: samba-bounces at lists.samba.org
>>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>>> Sent: Thursday, August 28, 2014 10:29 AM
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] ACL's and SSSD
>>>
>>> On 28/08/14 15:15, Charles Gomes wrote:
>>>>> -----Original Message-----
>>>>> From: samba-bounces at lists.samba.org
>>>>> [mailto:samba-bounces at lists.samba.org] On Behalf Of steve
>>>>> Sent: Thursday, August 14, 2014 4:41 AM
>>>>> To: samba at lists.samba.org
>>>>> Subject: Re: [Samba] ACL's and SSSD
>>>>>
>>>>> On Wed, 2014-08-13 at 21:49 +0000, Charles Gomes wrote:
>>>>>> I'm trying to have shares that maintain same ACL's on NFS and SAMBA.
>>>>> Hi
>>>>> We can't help without:
>>>>> sssd.conf, smb.conf and /etc/exports If you are not allowed to post
>>>>> them, just change the domain and workgroup names to something neutral.
>>>>> Steve
>>>>>
>>>>>
>>>> Hi guys, sorry for the delay, I've been trying to fix this on my own but have no success. So far I can get ACL's to show but when I set the ACL on the Windows side it gives me:
>>>> Aug 28 10:03:04 ny4lpdatastore1 smbd[5628]: [2014/08/28 10:03:04.829321,  0] smbd/posix_acls.c:1756(create_canon_ace_lists)
>>>> Aug 28 10:03:04 ny4lpdatastore1 smbd[5628]:   create_canon_ace_lists: unable to map SID S-1-5-21-1928475432-1850496769-242525581-9257 to uid or gid.
>>>> I've SAMBA running with Winbindd disabled as I want Samba to use SSSD for user identification.
>>>> If I could have winbind and SSSD UID's match I could use winbind for identification.
>>>> However look at this example:
>>>> id charles
>>>> uid=1403409259(charles) gid=1403400513(domain users)
>>>>
>>>> id MYGROUP\\charles
>>>> uid=1686643755(MYGROUP\charles)
>>>>
>>>> The UID's don't match, that's why I need to use SSSD as we have been using it already for more than one year and have several thousand files with UID's matching it already.
>>>> Here is my latest config:
>>>> ----------------------------- > SMB.CONF <-------------------------------------------
>>>> [global]
>>>>        workgroup = MYGROUP
>>>>            security = ads
>>>>            realm = mygroup.corp
>>>>            #use kerberos keytab = true
>>>>            password server = dc.mygroup.corp
>>>>            log level = 9
>>>>            client signing = yes
>>>>            client use spnego = yes
>>>>            kerberos method = secrets and keytab
>>>>
>>>>            #test, didn't work
>>>>            #idmap domains = MYGROUP TRUSTEDDOMAINS
>>>>            #idmap config MYGROUP:backend = nss
>>>>            #idmap config TRUSTEDDOMAINS:default = yes
>>> Bit lost here, how many domains have you got? Also, where did you find 'idmap domains'? I don't recognise it and cannot find it in 'man smb.conf'
>>> Rowland
>>>>            #test also didn't work
>>>>            #idmap config * : backend = hash
>>>>            #idmap config * : range = 1000-4000000000
>>>>            #winbind nss info = hash
>>>>
>>>> [acl]
>>>>            comment = Clearpool Shared Files
>>>>            path    = /fusion/acl
>>>>            read only = no
>>>>            nt acl support = yes
>>>>            inherit permissions = yes
>>>>            #inherit acls = yes
>>>>            #admin users = "enterprise admins"
>>>>
>>>>
>>>>
>>>> ----------------------------- > SSSD.CONF <-------------------------------------------
>>>> [sssd]
>>>> config_file_version = 2
>>>> domains = mygroup.corp
>>>> services = nss, pam
>>>> #debug_level = 8
>>>>
>>>> [nss]
>>>>
>>>> [pam]
>>>>
>>>> [domain/mygroup.corp]
>>>> id_provider = ad
>>>> auth_provider = ad
>>>> chpass_provider = ad
>>>> access_provider = ad
>>>>
>>>> # defines user/group schema type
>>>> ldap_schema = ad
>>>>
>>>> # for SID-UID mapping
>>>> ldap_id_mapping = True
>>>>
>>>> # caching credentials
>>>> cache_credentials = true
>>>> enumerate = false
>>>>
>>>> # access controls
>>>> ldap_access_order = expire
>>>> ldap_account_expire_policy = ad
>>>> ldap_force_upper_case_realm = true
>>>>
>>>> # performance
>>>> ldap_disable_referrals = true
>>>>
>>>> #Fix Homedir
>>>> #override_homedir = /home/%u
>>>> #override_shell   = /bin/bash
>>>> #Set a default shell for users who don't have one set
>>>> default_shell   = /bin/bash
>>>>
>>>> #Application home directory is local
>>>> fallback_homedir = /home/%u
>>>> ldap_user_home_directory = unixHomeDirectory
>>>> ldap_tls_reqcert = never
>>>> ----------------------------- > /etc/krb5.conf <-------------------------------------------
>>>> [logging]
>>>>     default = FILE:/var/log/krb5libs.log
>>>>
>>>> [libdefaults]
>>>>     default_realm = MYGROUP.CORP
>>>>     dns_lookup_realm = true
>>>>     dns_lookup_kdc = true
>>>>     ticket_lifetime = 24h
>>>>     renew_lifetime = 7d
>>>>     rdns = false
>>>>     forwardable = yes
>>>>
>>>>
>>>>
>>>> ----------------------------- > klist -k <-------------------------------------------
>>>> klist -k
>>>> Keytab name: FILE:/etc/krb5.keytab
>>>> KVNO Principal
>>>> ---- --------------------------------------------------------------------------
>>>>       4 host/ny4lpdatastore1.fusionts.corp at MYGROUP.CORP
>>>>       4 host/ny4lpdatastore1.fusionts.corp at MYGROUP.CORP
>>>>       4 host/ny4lpdatastore1.fusionts.corp at MYGROUP.CORP
>>>>       4 host/ny4lpdatastore1.fusionts.corp at MYGROUP.CORP
>>>>       4 host/ny4lpdatastore1.fusionts.corp at MYGROUP.CORP
>>>>       4 host/ny4lpdatastore1 at MYGROUP.CORP
>>>>       4 host/ny4lpdatastore1 at MYGROUP.CORP
>>>>       4 host/ny4lpdatastore1 at MYGROUP.CORP
>>>>       4 host/ny4lpdatastore1 at MYGROUP.CORP
>>>>       4 host/ny4lpdatastore1 at MYGROUP.CORP
>>>>       4 NY4LPDATASTORE1$@MYGROUP.CORP
>>>>       4 NY4LPDATASTORE1$@MYGROUP.CORP
>>>>       4 NY4LPDATASTORE1$@MYGROUP.CORP
>>>>       4 NY4LPDATASTORE1$@MYGROUP.CORP
>>> --
>>>
>>>
>>> Rowland, those lines were commented. It was on the man page:
>>> http://www.nbi.dk/cgi-bin/man2html?8+idmap_nss
>>>
>> OK, I think that you need to add unix attributes to your users & groups in AD.
>> If you want them to be the same as what you have now, obtain them from
>> wherever you are sure they are correct. You now need to set smb.conf to
>> use the 'ad' backend; this will ensure that you will get the same ID numbers
>> everywhere.
>>
>> Rowland
>
> Rowland, could I force Samba to use the UID's provided by SSSD? I'm already able to identify the users on the system.
Could you be a bit more specific? Samba doesn't actually use UID's, it 
either pulls them from RFC2307 attributes or calculates them from the 
user's RID. Whichever you use, Samba passes them to the underlying Unix OS.

Rowland
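Rowland's suggestion above, as an added configuration example that is not part of the thread: smb.conf idmap settings for the 'ad' backend, so that winbind reads the same uidNumber/gidNumber attributes from AD that SSSD can be told to read, instead of each side calculating its own ID from the SID. The MYGROUP range and the catch-all range are assumptions, and the attributes must already be populated in AD (from the values SSSD currently hands out) before switching, otherwise files owned by the old IDs become orphaned.

```ini
# smb.conf [global] fragment (added example, not the poster's config).
# Settings carried over from the thread are kept; the idmap block is new.
[global]
        workgroup = MYGROUP
        security = ads
        realm = MYGROUP.CORP
        kerberos method = secrets and keytab

        # Catch-all domain for BUILTIN and well-known SIDs. Allocated
        # locally in tdb; its range MUST NOT overlap the MYGROUP range,
        # otherwise two different SIDs can be handed the same uid/gid.
        # (range is an assumption)
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        # The AD domain itself: uid/gid come from the RFC2307 attributes
        # uidNumber/gidNumber stored on each user/group object. Nothing is
        # calculated or allocated, so every member server sees the same IDs.
        # The range only bounds which attribute values are accepted; it has
        # to include the values already in use (assumption: SSSD's current
        # ~1.4 billion range).
        idmap config MYGROUP : backend = ad
        idmap config MYGROUP : schema_mode = rfc2307
        idmap config MYGROUP : range = 10000-4000000000

        # Take home directory and shell from AD as well (unixHomeDirectory,
        # loginShell), matching what sssd.conf already does.
        winbind nss info = rfc2307
        template shell = /bin/bash
```

The SSSD counterpart is `ldap_id_mapping = False` in the `[domain/mygroup.corp]` section, so that SSSD also stops deriving IDs from the SID and reads uidNumber/gidNumber. The 'ad' backend is served by winbindd, so it has to be running alongside smbd for the log message "unable to map SID ... to uid or gid" to go away.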


