[Samba] sssd on DC for fileserver

Jonathan Hunter jmhunter1 at gmail.com
Wed Jun 3 18:17:00 MDT 2015


Thanks Rowland.

'getent passwd mydomainuser' does return the correct (new, sssd) UID
e.g. 1514701182

In my /etc/nsswitch.conf I have:
passwd:     files sss
group:      files sss

The problem is that when I create a file from a client machine into a
samba share on this server, e.g. creating the file
\\servername\sharename\newfile.txt, this new file is not owned by UID
1514701182, but rather 3000007.

Before I ran 'net cache flush', a simple "ls -l" showed the file as
being owned by the right user 'mydomainuser' - the wrong UID only
showed up via "ls -nl", which tells ls to display UIDs rather than
usernames. Now, however, when I run "ls -l", I just see the UID - ls
is unable to resolve this UID to a name (which I'd expect would be the
case, as nsswitch.conf does not have winbind listed).

So, a file created using Samba's file server functionality, by user
mydomainuser, gets created as UID 3000007 (also seen via 'net cache
list', but not 'getent'); a file created using anything else on the
machine uses the 'getent' UID of 1514701182 for mydomainuser.

It is entirely possible that there is some process I haven't restarted
on the machine, of course, that is causing this - but if so, I don't
know what that would be. I have made sure (ps axuw|grep mb; also grep
samba, grep bind) that there are no samba processes still running when
I shut down samba, before restarting it.

I'm reluctant to restart the whole machine but will do so if that's
likely to help things along. (I'm reminded of the old joke that 90% of
problems on Windows machines are fixed by restarting the computer, but
90% of problems on Unix machines are *triggered* by restarting the
computer! :))

On 3 June 2015 at 19:06, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 03/06/15 00:37, Jonathan Hunter wrote:
>>
>> Hi,
>>
>> Some advice, if I may..
>>
>> I have two Samba4 domain controllers, that I recently switched to
>> using sssd (against these same DCs) for UNIX user authentication -
>> this part works perfectly.
>>
>> However, I am using one of these as a Samba file server also. When I
>> create a file via a SMB share, the UNIX UID the file is owned by is
>> the old 'winbind' UID (e.g. 3000007) rather than the new 'sssd' UID
>> (e.g. 1514701182)
>
>
> The UID you refer to, has nothing to do with winbind, it is coming from
> idmap.ldb and if by running 'getent passwd adomainuser' you are getting
> something like this:
>
> DOMAIN\adomainuser:*:3000007:100:Adomain User:/home/DOMAIN/rowland:/bin/bash
>
> Then you must have a line like this in /etc/nsswitch.conf:
>
> passwd compat winbind
>
> As you have now installed sssd, replace 'winbind' with 'sss' and you should
> get the number you are after.
>
> Rowland
>
>>
>> I have /etc/nsswitch.conf set to use 'files sss' for passwd and group.
>> 'id <username>' works fine and returns the correct (new) UID.
>>
>> 'getent -s sss passwd <username>' returns the new UID (that I want to
>> use).
>> 'getent -s winbind passwd <username>' returns the old UID (that I don't
>> want).
>>
>> I've restarted samba, I've run 'net cache flush', I've tried adding
>> "-winbind" to the 'server services' line in smb.conf.
>>
>> Presumably I've got something fundamentally wrong.. but I'm not sure
>> what. Can this even be done? I want files created/accessed via Samba
>> for my AD users to have the same UID as when the same user logs in via
>> ssh or similar (and gets the UID via sssd)...
>>
>> Cheers,
>>
>> Jonathan
>>
>



-- 
"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein
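
One way to measure how many files on a share already carry an idmap.ldb-allocated owner like the 3000007 described in the message above, as an added example that is not part of the original thread. The 3000000-3999999 range, the /srv/share paths and the function names are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Input: "UID<TAB>PATH" records, e.g. from
#   find /srv/share -xdev -printf '%U\t%p\n'      (GNU find; path is assumed)
# Assumption: 3000000-3999999 is the range idmap.ldb allocated from on this DC
# (the thread shows 3000007). Override IDMAP_LOW/IDMAP_HIGH to match yours.
# Limitation: paths containing newlines are not handled.

# Print "UID COUNT" for each owner UID inside the range, sorted by UID.
summarize_idmap_owners() {
    awk -F '\t' -v lo="${IDMAP_LOW:-3000000}" -v hi="${IDMAP_HIGH:-3999999}" '
        $1 ~ /^[0-9]+$/ && $1 + 0 >= lo + 0 && $1 + 0 <= hi + 0 { n[$1]++ }
        END { for (u in n) print u, n[u] }
    ' | sort -n
}

# Print the paths whose owner UID is inside the range (tabs in paths survive).
list_idmap_owned() {
    awk -F '\t' -v lo="${IDMAP_LOW:-3000000}" -v hi="${IDMAP_HIGH:-3999999}" '
        $1 ~ /^[0-9]+$/ && $1 + 0 >= lo + 0 && $1 + 0 <= hi + 0 {
            print substr($0, length($1) + 2)
        }
    '
}

# Constructed sample records using the two UIDs quoted in the message.
sample_records() {
    printf '%s\t%s\n' \
        3000007    '/srv/share/newfile.txt' \
        1514701182 '/srv/share/from-ssh.txt' \
        3000007    '/srv/share/report final.txt' \
        0          '/srv/share'
}

# Usage: script.sh /path/to/share   (no argument: only defines the functions)
if [ -n "${1:-}" ]; then
    find "$1" -xdev -printf '%U\t%p\n' | summarize_idmap_owners
fi
```

Files listed this way are the ones that local processes running under the sssd UID will not own, so they are the ones to review before relying on Unix permissions on the share.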