[Samba] sssd on DC for fileserver

buhorojo buhorojo.lcb at gmail.com
Thu Jun 4 10:25:49 MDT 2015


On 04/06/15 16:58, Roel van Meer wrote:
> Hi Jonathan,
>
> I think the reason might be this:
> - You are using "idmap_ldb:use rfc2307" in your Samba config, which 
> means that Samba will use the IDs specified in the unix attributes in 
> your AD (uidNumber, gidNumber).
> - You are using "ldap_id_mapping = True" in sssd.conf, which means 
> that sssd will map uid and gid from the objectSID attribute.
>
> I think if you set "ldap_id_mapping = False" in sssd.conf you'll get 
> the same uid on both (that's how I use it anyway).
>
No, we don't think so, because the user does not have the rfc2307 
attributes in the directory and doesn't want to put them there. Maybe, on 
the contrary, comment out idmap_ldb:use rfc2307.

> See the manpage of sssd-ad for more information on the ldap_id_mapping 
> param.
>
> I hope this helps,
>
> Regards, Roel
>
>
> Jonathan Hunter writes:
>
>> Thanks Rowland.
>>
>> 'getent passwd mydomainuser' does return the correct (new, sssd) UID
>> e.g. 1514701182
>>
>> In my /etc/nsswitch.conf I have:
>> passwd:     files sss
>> group:      files sss
>>
>> The problem is that when I create a file from a client machine into a
>> samba share on this server, e.g. creating the file
>> \\servername\sharename\newfile.txt, this new file is not owned by UID
>> 1514701182, but rather 3000007.
>>
>> Before I ran 'net cache flush', a simple "ls -l" showed the file as
>> being owned by the right user 'mydomainuser' - the wrong UID only
>> showed up via "ls -nl", which tells ls to display UIDs rather than
>> usernames. Now, however, when I run "ls -l", I just see the UID - ls
>> is unable to resolve this UID to a name (which I'd expect would be the
>> case, as nsswitch.conf does not have winbind listed)
>>
>> So, a file created using Samba's file server functionality, by user
>> mydomainuser, gets created as UID 3000007 (also seen via 'net cache
>> list', but not 'getent'); a file created using anything else on the
>> machine uses the 'getent' UID of 1514701182 for mydomainuser.
>>
>> It is entirely possible that there is some process I haven't restarted
>> on the machine, of course, that is causing this - but if so, I don't
>> know what that would be. I have made sure (ps axuw|grep mb; also grep
>> samba, grep bind) that there are no samba processes still running when
>> I shut down samba, before restarting it.
>>
>> I'm reluctant to restart the whole machine but will do so if that's
>> likely to help things along. (I'm reminded of the old joke that 90% of
>> problems on Windows machines are fixed by restarting the computer, but
>> 90% of problems on Unix machines are *triggered* by restarting the
>> computer! :))
>>
>> On 3 June 2015 at 19:06, Rowland Penny <rowlandpenny at googlemail.com> 
>> wrote:
>> > On 03/06/15 00:37, Jonathan Hunter wrote:
>> >>
>> >> Hi,
>> >>
>> >> Some advice, if I may..
>> >>
>> >> I have two Samba4 domain controllers, that I recently switched to
>> >> using sssd (against these same DCs) for UNIX user authentication -
>> >> this part works perfectly.
>> >>
>> >> However, I am using one of these as a Samba file server also. When I
>> >> create a file via a SMB share, the UNIX UID the file is owned by is
>> >> the old 'winbind' UID (e.g. 3000007) rather than the new 'sssd' UID
>> >> (e.g. 1514701182)
>> >
>> >
>> > The UID you refer to has nothing to do with winbind; it is coming from
>> > idmap.ldb, and if by running 'getent passwd adomainuser' you are getting
>> > something like this:
>> >
>> > DOMAIN\adomainuser:*:3000007:100:Adomain User:/home/DOMAIN/rowland:/bin/bash
>> >
>> > Then you must have a line like this in /etc/nsswitch.conf:
>> >
>> > passwd compat winbind
>> >
>> > As you have now installed sssd, replace 'winbind' with 'sss' and you should
>> > get the number you are after.
>> >
>> > Rowland
>> >
>> >>
>> >> I have /etc/nsswitch.conf set to use 'files sss' for passwd and group.
>> >> 'id <username>' works fine and returns the correct (new) UID.
>> >>
>> >> 'getent -s sss passwd <username>' returns the new UID (that I want to
>> >> use).
>> >> 'getent -s winbind passwd <username>' returns the old UID (that I don't
>> >> want).
>> >>
>> >> I've restarted samba, I've run 'net cache flush', I've tried adding
>> >> "-winbind" to the 'server services' line in smb.conf.
>> >>
>> >> Presumably I've got something fundamentally wrong.. but I'm not sure
>> >> what. Can this even be done? I want files created/accessed via Samba
>> >> for my AD users to have the same UID as when the same user logs in via
>> >> ssh or similar (and gets the UID via sssd)...
>> >>
>> >> Cheers,
>> >>
>> >> Jonathan
>> >>
>> >
>> > --
>> > To unsubscribe from this list go to the following URL and read the
>> > instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>>
>> -- 
>> "If we knew what it was we were doing, it would not be called
>> research, would it?"
>>       - Albert Einstein
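The thread above contrasts two UID sources for the same AD user: Samba's idmap.ldb on the DC (sequentially allocated xidNumbers such as 3000007) and sssd's SID-based mapping with ldap_id_mapping = True (such as 1514701182). What follows is an added example, not code from the thread, from Samba or from sssd: a simplified Python model of both schemes plus the ownership check Jonathan was effectively doing with 'ls -nl' against 'getent'. The hash seed, the range defaults (taken from the sssd-ad manpage) and the single-slice handling of RIDs are assumptions of this model.

```python
# Added example (not from the thread): model the two UID sources that disagree
# on a Samba DC that also serves files. All SIDs and numbers are constructed.
M32 = 0xFFFFFFFF


def rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & M32


def murmur3_32(data: bytes, seed: int) -> int:
    """MurmurHash3 x86_32 (Austin Appleby's public-domain algorithm)."""
    c1, c2, h = 0xCC9E2D51, 0x1B873593, seed
    nblocks = len(data) // 4
    for i in range(nblocks):
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = rotl32((k * c1) & M32, 15) * c2 & M32
        h = (rotl32(h ^ k, 13) * 5 + 0xE6546B64) & M32
    tail, k = data[nblocks * 4:], 0
    for j in range(len(tail) - 1, -1, -1):  # leftover 1-3 bytes
        k ^= tail[j] << (8 * j)
    if tail:
        h ^= rotl32((k * c1) & M32, 15) * c2 & M32
    h ^= len(data)
    h = ((h ^ (h >> 16)) * 0x85EBCA6B) & M32  # finalisation mix
    h = ((h ^ (h >> 13)) * 0xC2B2AE35) & M32
    return h ^ (h >> 16)


class SidMapper:
    """SID -> ID in the style of ldap_id_mapping = True: the domain SID is
    hashed to choose a slice, the RID is the offset inside that slice.
    Defaults are ldap_idmap_range_min/max/size from sssd-ad(5); the seed and
    the absence of secondary slices for large RIDs are assumptions here."""

    def __init__(self, range_min=200000, range_max=2000200000, range_size=200000):
        self.range_min, self.range_size = range_min, range_size
        self.slices = (range_max - range_min) // range_size

    def uid(self, sid: str) -> int:
        dom_sid, rid = sid.rsplit("-", 1)
        slice_no = murmur3_32(dom_sid.encode(), 0xDEADBEEF) % self.slices
        return self.range_min + slice_no * self.range_size + int(rid)


class IdmapLdb:
    """Sequential xidNumber allocation as done by idmap.ldb on a DC."""

    def __init__(self, start=3000000):
        self.next_id, self.table = start, {}

    def uid(self, sid: str) -> int:
        if sid not in self.table:  # first sight of a SID allocates the next number
            self.table[sid], self.next_id = self.next_id, self.next_id + 1
        return self.table[sid]


def owner_mismatch(nss_uid: int, file_uid: int) -> bool:
    """True when the numeric owner of a file differs from what NSS (sss) says."""
    return nss_uid != file_uid
```

Running both mappers over the same constructed SID reproduces the symptom: the share-created file carries the idmap.ldb number while 'getent passwd' returns the SID-derived one, so ownership checks on the box should compare numeric UIDs, not names.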