[Samba] Samba AD domain member with SSSD: ACL not work

Dario Lesca d.lesca at solinos.it
Wed Feb 15 08:45:59 UTC 2017


On Wed, 15/02/2017 at 08.42 +0100, L.P.H. van Belle via samba
wrote:
> Have you seen : 
> 
> ( centos/redhat )
> https://outsideit.net/realmd-sssd-ad-authentication/ 
> 
> ( debian/ubuntu ) 
> http://www.alandmoore.com/blog/2015/05/06/joining-debian-8-to-active-directory/

Thanks Luis, thanks Rowland.

Yes, I have read this howto, and many others.
None show how to correctly set up ACLs with SSSD.
Nobody talks about ACLs + SSSD.

Then I came to the conclusion that samba + sssd + acls are not working
yet.

> But I must say, I haven't tested/tried these, I don't use sssd.
> But I think these are useful for you to read at least.
> 
> If you use the debian variant, you may also need to install
> one or more of these: libnss-sss libpam-sss libsss-idmap0 libsss-sudo
> 
> But same as Rowland is saying, you get better support at the sssd
> list. 
> 

.... or use winbind, as I have always done with samba3

Then yesterday in 5 minutes I installed, configured and activated
winbind and now all works fine.

IMHO: it would probably be useful to write in some howto that "a samba AD
member based on sssd has some problems with ACLs (not working yet)", so
that other users like me do not waste time (2 days) attempting to make
them work.

Many thanks to all

Dario


> 
> 
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dario
> > Lesca via
> > samba
> > Sent: Tuesday 14 February 2017 18:08
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Samba AD domain member with SSSD: ACL not
> > work
> > 
> > On Tue, 14/02/2017 at 16.13 +0000, Rowland Penny via samba
> > wrote:
> > > Have you modified /etc/nsswitch.conf ?
> > 
> > No:
> > > passwd:     files sss
> > > shadow:     files sss
> > > group:      files sss
> > 
> > by default nsswitch.conf is configured to use sssd
> > 
> > > If you haven't, then you are not using winbind, you are using
> > > sssd.
> > 
> > Yes, I use sssd, if this is not a problem for samba.
> > 
> > > In which case you should remove the 'idmap config' lines from
> > > smb.conf.
> > 
> > Ok, now I have removed these 4 lines, restarted smb and tested: ACLs
> > still do not work.
> > 
> > > feb 14 17:45:24 samba-dati.srl.local nmbd[3338]:   *****
> > > feb 14 17:45:24 samba-dati.srl.local nmbd[3338]:
> > > feb 14 17:45:24 samba-dati.srl.local nmbd[3338]:   Samba name server SAMBA-DATI is now a local master browser for workgroup SRL on subnet 192.168.1.5
> > > feb 14 17:45:24 samba-dati.srl.local nmbd[3338]:
> > > feb 14 17:45:24 samba-dati.srl.local nmbd[3338]:   *****
> > > feb 14 17:45:44 samba-dati.srl.local smbd[3369]: [2017/02/14 17:45:44.973268,  0] ../source3/smbd/posix_acls.c:2080(create_canon_ace_lists)
> > > feb 14 17:45:44 samba-dati.srl.local smbd[3369]:   create_canon_ace_lists: unable to map SID S-1-5-21-347198863-3916504048-2821235790-1213 to uid or gid.
> > 
> > The error still exists
> > 
> > > You should also try asking on the sssd users mailing list for
> > > help,
> > > because if you are not using winbind for authentication, this is
> > > probably where your problem lies.
> > 
> > Ok, but my question now is: is it possible to use samba in
> > conjunction
> > with sssd?
> > 
> > or is this kind of configuration not allowed or not fully tested or
> > supported by the samba team?
> > 
> > > If you want to use winbind instead of sssd, you will need to turn
> > > sssd
> > > off.
> > 
> > Ok, this way is another possible solution, if I am not able to
> > configure samba + sssd
> > 
> > 
> > Many Thanks
> > 
> > 
> > --
> > Dario Lesca
> > (sent from my Linux Fedora 25 Workstation)
> > 
-- 
Dario Lesca
(sent from my Linux Fedora 25 Workstation)
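
The three checks discussed in this thread (which NSS source answers passwd/group lookups, whether 'idmap config' lines are still present in smb.conf, and which SIDs smbd reported it could not map), as an added example that is not part of the original messages. The sample file contents, the SID and all function names are constructed for illustration.

```python
import re
from collections import Counter
# Constructed sample inputs, modelled on the files and log quoted in the thread.
NSSWITCH = "passwd:     files sss\nshadow:     files sss\ngroup:      files sss\n"
SMB_CONF = """[global]
    security = ads
    idmap config * : backend = tdb
    ; idmap config OLD : backend = rid
    idmap config SRL : backend = rid
"""
SMBD_LOG = """\
feb 14 17:45:44 host smbd[3369]:   create_canon_ace_lists: unable to map SID S-1-5-21-1111111111-2222222222-3333333333-1213 to uid or gid.
feb 14 17:46:02 host smbd[3369]:   create_canon_ace_lists: unable to map SID S-1-5-21-1111111111-2222222222-3333333333-1213 to uid or gid.
feb 14 17:46:10 host smbd[3369]:   create_canon_ace_lists: unable to map SID S-1-5-21-1111111111-2222222222-3333333333-1140 to uid or gid.
"""
SID_RE = re.compile(r"unable to map SID (S-1-\d+(?:-\d+)+) to uid or gid")

def nss_sources(text, database):
    """Return the ordered source list for one nsswitch.conf database."""
    for line in text.splitlines():
        name, _, sources = line.split("#", 1)[0].partition(":")
        if name.strip() == database:
            return sources.split()
    return []

def idmap_lines(smb_conf):
    """Return active 'idmap config' lines; '#' and ';' comments never match."""
    lines = (l.strip() for l in smb_conf.splitlines())
    return [l for l in lines if l.lower().startswith("idmap config")]

def unmapped_sids(log):
    """Count how many log entries report each SID as unmappable."""
    return Counter(SID_RE.findall(log))

def diagnose(nsswitch, smb_conf, log):
    """Collect findings in the order the thread raises them."""
    findings = []
    for db in ("passwd", "group"):
        src = nss_sources(nsswitch, db)
        if "sss" in src and "winbind" not in src:
            findings.append(f"{db}: answered by sssd, not winbind ({' '.join(src)})")
    stale = idmap_lines(smb_conf)
    if findings and stale:  # findings is non-empty only when sssd is the NSS source
        findings.append(f"smb.conf still has {len(stale)} 'idmap config' line(s)")
    for sid, n in sorted(unmapped_sids(log).items()):
        findings.append(f"unmapped SID {sid} ({n} log entries)")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(NSSWITCH, SMB_CONF, SMBD_LOG)))
```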
