[Samba] sssd on DC for fileserver

Roel van Meer roel at 1afa.com
Thu Jun 4 08:58:30 MDT 2015


Hi Jonathan,

I think the reason might be this:
- You are using "idmap_ldb:use rfc2307" in your Samba config, which means
that Samba will use the IDs specified in the unix attributes in your AD
(uidNumber, gidNumber).
- You are using "ldap_id_mapping = True" in sssd.conf, which means that sssd
will map uid and gid from the objectSID attribute.

I think if you set "ldap_id_mapping = False" in sssd.conf you'll get the
same uid on both (that's how I use it anyway).

See the manpage of sssd-ad for more information on the ldap_id_mapping param.

I hope this helps,

Regards, Roel
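As an added illustration of the mismatch Roel describes (this is not part of the original mail or of any Samba or sssd documentation), here are the two settings side by side: the smb.conf setting quoted in the thread, the sssd.conf setting that makes sssd derive IDs from the objectSID, and the sssd.conf setting that makes both services read the same uidNumber/gidNumber from AD. The domain section name "example.com" and the id_provider line are assumptions; only the two options named in the thread come from the page.

```ini
# --- smb.conf on the DC that also serves files (setting quoted in the thread) ---
# With this option Samba takes the uid/gid of an AD user from the
# RFC 2307 attributes stored in AD (uidNumber, gidNumber).
[global]
    idmap_ldb:use rfc2307 = yes

# --- sssd.conf as described by Jonathan (MISMATCH) ---
# ldap_id_mapping = True: sssd computes uid/gid from the objectSID, so the
# UID sssd hands to ssh/getent (e.g. 1514701182) is a different number from
# the one Samba uses for files on the share (e.g. 3000007).
# "example.com" and "id_provider = ad" are assumed values, not from the thread.
[domain/example.com]
    id_provider = ad
    ldap_id_mapping = True

# --- sssd.conf consistent with the Samba setting above (Roel's suggestion) ---
# ldap_id_mapping = False: sssd reads uidNumber/gidNumber from AD, i.e. the
# same source Samba consults, so both sides agree on the UID.
[domain/example.com]
    id_provider = ad
    ldap_id_mapping = False
```

After changing the sssd setting, the check the thread already uses is the right one: compare `getent -s sss passwd <username>` with the owner shown by `ls -nl` on a file created through the share; they should now agree. Two caveats a practitioner will want: with ldap_id_mapping off, sssd only returns users and groups that actually have uidNumber/gidNumber set in AD, so every account that must log in needs those attributes populated; and since the change alters the UID that sssd reports, any files already owned by the previous SID-derived UIDs must be re-owned (chown) or they will appear orphaned.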


Jonathan Hunter writes:

> Thanks Rowland.
>
> 'getent passwd mydomainuser' does return the correct (new, sssd) UID
> e.g. 1514701182
>
> In my /etc/nsswitch.conf I have:
> passwd:     files sss
> group:      files sss
>
> The problem is that when I create a file from a client machine into a
> samba share on this server, e.g. creating the file
> \\servername\sharename\newfile.txt, this new file is not owned by UID
> 1514701182, but rather 3000007.
>
> Before I ran 'net cache flush', a simple "ls -l" showed the file as
> being owned by the right user 'mydomainuser' - the wrong UID only
> showed up via "ls -nl", which tells ls to display UIDs rather than
> usernames. Now, however, when I run "ls -l", I just see the UID - ls
> is unable to resolve this UID to a name (which I'd expect would be the
> case, as nsswitch.conf does not have winbind listed)
>
> So, a file created using Samba's file server functionality, by user
> mydomainuser, gets created as UID 3000007 (also seen via 'net cache
> list', but not 'getent'); a file created using anything else on the
> machine uses the 'getent' UID of 1514701182 for mydomainuser.
>
> It is entirely possible that there is some process I haven't restarted
> on the machine, of course, that is causing this - but if so, I don't
> know what that would be. I have made sure (ps axuw|grep mb; also grep
> samba, grep bind) that there are no samba processes still running when
> I shut down samba, before restarting it.
>
> I'm reluctant to restart the whole machine but will do so if that's
> likely to help things along. (I'm reminded of the old joke that 90% of
> problems on Windows machines are fixed by restarting the computer, but
> 90% of problems on Unix machines are *triggered* by restarting the
> computer! :))
>
> On 3 June 2015 at 19:06, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> > On 03/06/15 00:37, Jonathan Hunter wrote:
> >>
> >> Hi,
> >>
> >> Some advice, if I may..
> >>
> >> I have two Samba4 domain controllers, that I recently switched to
> >> using sssd (against these same DCs) for UNIX user authentication -
> >> this part works perfectly.
> >>
> >> However, I am using one of these as a Samba file server also. When I
> >> create a file via a SMB share, the UNIX UID the file is owned by is
> >> the old 'winbind' UID (e.g. 3000007) rather than the new 'sssd' UID
> >> (e.g. 1514701182)
> >
> >
> > The UID you refer to, has nothing to do with winbind, it is coming from
> > idmap.ldb and if by running 'getent passwd adomainuser' you are getting
> > something like this:
> >
> > DOMAIN\adomainuser:*:3000007:100:Adomain User:/home/DOMAIN/rowland:/bin/bash
> >
> > Then you must have a line like this in /etc/nsswitch.conf:
> >
> > passwd compat winbind
> >
> > As you have now installed sssd, replace 'winbind' with 'sss' and you should
> > get the number you are after.
> >
> > Rowland
> >
> >>
> >> I have /etc/nsswitch.conf set to use 'files sss' for passwd and group.
> >> 'id <username>' works fine and returns the correct (new) UID.
> >>
> >> 'getent -s sss passwd <username>' returns the new UID (that I want to
> >> use).
> >> 'getent -s winbind passwd <username>' returns the old UID (that I don't
> >> want).
> >>
> >> I've restarted samba, I've run 'net cache flush', I've tried adding
> >> "-winbind" to the 'server services' line in smb.conf.
> >>
> >> Presumably I've got something fundamentally wrong.. but I'm not sure
> >> what. Can this even be done? I want files created/accessed via Samba
> >> for my AD users to have the same UID as when the same user logs in via
> >> ssh or similar (and gets the UID via sssd)...
> >>
> >> Cheers,
> >>
> >> Jonathan
> >>
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
>
>
>
> --
> "If we knew what it was we were doing, it would not be called
> research, would it?"
>       - Albert Einstein