[Samba] 4.4.14 on solaris, using ads, can't read/write as user

francis picabia fpicabia at gmail.com
Thu Jun 29 16:14:58 UTC 2017


On production, we have a Samba share on Solaris and ADS config
working already using 3.6.25

On a dev box used to test patches, I've spent a day and
some time on an Oracle support ticket trying to get
this working again under 4.4.14

The same problem happens whether I'm testing with homes or a share with
/tmp.

The user isn't matching expectations, so it won't allow copying a 700 file
in /tmp or [homes] to Windows.  It's like my samba connected user has
rights as "other".

I thought it could be useful to copy a file from Windows to the /tmp share
and see who owns it.

ls -l shows it is the user configured under "valid users".  So everything
seems to be working as designed, except the UID isn't really the same, or
something like that.

Within ls -l /tmp :
-rwxr--r--   1 fpicabia    domain users     242 Apr  2  2015 debug.log

# getfacl /tmp/debug.log

# file: /tmp/debug.log
# owner: fpicabia
# group: domain users
user::rwx
group::r--              #effective:r--
mask:rwx
other:r--


I'm wondering if there is any way to see how I'm connected when I test with
smbclient.

smbstatus shows the user connected as expected.  Nothing I can find shows
an error or difference.

Here is a snippet showing how /tmp was set up last:

[tmp]
        path = /tmp
        browseable = No
        force user = %U
        read only = No
        valid users = fpicabia

One significant difference from 3.6.25 was that winbind was added to
nsswitch.conf for passwd and group before we could get authentication
working for 4.4.14.

Another bit that might help understand the workings: ssh allows
authentication with the AD password under the current 4.4.14 setup.

So it is just file ownership matching the UID of the connected user that is
the problem.
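
Added example, not part of the original post: one way to test the suspicion above that the UID "isn't really the same" is to compare numeric IDs, because ls -l and smbstatus print only names. The helper names and all sample values are constructed; getent, wbinfo -i and ls -ln are assumed as the live input sources.

```shell
#!/bin/sh
# Added example: compare numeric IDs, since `ls -l` shows only names.
# Live inputs (assumed commands for this check):
#   NS=$(getent passwd fpicabia)   # what nsswitch.conf resolves
#   WB=$(wbinfo -i fpicabia)       # what winbind itself maps
#   LS=$(ls -ln /tmp/debug.log)    # numeric owner of the test file

# Constructed sample values, not taken from the poster's system.
SAMPLE_NS='fpicabia:x:5012:100:F Picabia:/home/fpicabia:/bin/bash'
SAMPLE_WB='fpicabia:*:10003:10001:F Picabia:/home/fpicabia:/bin/bash'
SAMPLE_LS='-rwxr--r--   1 10003    10001     242 Apr  2  2015 debug.log'

passwd_uid() {  # UID is field 3 of a passwd-format line
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

file_uid() {    # numeric owner is field 3 of an `ls -ln` line
    printf '%s\n' "$1" | awk '{ print $3 }'
}

compare_ids() { # $1 nsswitch line, $2 winbind line, $3 ls -ln line
    ns=$(passwd_uid "$1"); wb=$(passwd_uid "$2"); fo=$(file_uid "$3")
    # An empty field means the name did not resolve in that source.
    if [ -z "$ns" ] || [ -z "$wb" ] || [ -z "$fo" ]; then
        echo "unresolved nsswitch=$ns winbind=$wb file=$fo"
        return 2
    fi
    if [ "$ns" = "$wb" ] && [ "$ns" = "$fo" ]; then
        echo "match uid=$ns"
    else
        echo "mismatch nsswitch=$ns winbind=$wb file=$fo"
        return 1
    fi
}

# Demo on the constructed samples; prints the mismatch line.
compare_ids "$SAMPLE_NS" "$SAMPLE_WB" "$SAMPLE_LS" || true
```

A mismatch means the same login name resolves to different UIDs depending on the source, so a mode 700 file owned by one UID is evaluated as "other" for a session running under the other UID.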

