[Samba] UID GID mapping with sssd no longer supported on samba 4.7.4?

Russell R Poyner russell.poyner at wisc.edu
Mon Feb 19 23:11:37 UTC 2018


I'm struggling with a permission problem on a Samba server that is
configured to resolve Unix uids and gids via nss using sssd. This mostly
works. The Windows side sees files as being owned by SID=S-1-22-<unix
uid of user> and the group is SID=S-1-22-<unix gid of group>.

This all works fine for files owned by the Windows user, or files that
are world readable, but fails for files owned by root but belonging to
the user's primary group.

On the Linux side:
-rw-rw----  1 poyner  pvt-poyner  0 Feb 19 17:32 poynerFile
drwxrws---  2 root    pvt-poyner  2 Feb 19 19:30 rootPoynerDir

On the Windows side, using PowerShell get-acl:

get-acl .\poynerDir\
Path      Owner            Access
----      -----            ------
poynerDir O:S-1-22-1-17907 S-1-22-1-17907 Allow  FullControl...

and

get-acl .\rootPoynerDir\
get-acl : Attempted to perform an unauthorized operation.

This is very similar to bug 12719 which was closed with advice to use 
winbindd.

https://bugzilla.samba.org/show_bug.cgi?id=12719

So is winbindd now the only option for resolving UID and GID?

Is idmap_nss deprecated? Or only supported for unix users in the local 
password file?

My config


smb4.conf:
[global]
    workgroup = ENGR
    server string = cbeserv
    security = ADS
    load printers = no
    realm = AD.SCHOOL.EDU

    min protocol = SMB2

    dns proxy = no
    unix extensions = no
    nmbd bind explicit broadcast = no
    oplocks = yes
    level2 oplocks = yes
    kernel oplocks = no

nsswitch.conf:
passwd:     files sss
shadow:     files
group:      files sss


Thanks
Russ Poyner
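
Added example, not part of the original post: a small Python check that parses Samba's Unix-mapped SIDs (S-1-22-1-<uid> for users, S-1-22-2-<gid> for groups) and evaluates the POSIX mode bits from the listing above against a session token, showing why the group SID matters for the root-owned directory. The gid 20001 for pvt-poyner is a constructed value, and treating 17907 (taken from the get-acl output) as poyner's uid is an assumption.

```python
import re

# Samba places Unix ids without a domain mapping in the S-1-22 authority:
# S-1-22-1-<uid> is a Unix user, S-1-22-2-<gid> is a Unix group.
_UNIX_SID = re.compile(r"^S-1-22-([12])-(\d+)$")

def parse_unix_sid(sid):
    """Return ('user', uid) or ('group', gid); None for any other SID."""
    m = _UNIX_SID.match(sid.strip())
    if not m:
        return None
    return ("user" if m.group(1) == "1" else "group", int(m.group(2)))

def posix_access(mode, owner_uid, group_gid, token_sids):
    """Permissions ('r', 'w', 'x') the mode bits grant to a token of SIDs.

    mode is the ls -l string, e.g. 'drwxrws---'. POSIX selects exactly one
    class (owner, then group, then other) and never combines them.
    The root (uid 0) bypass is not modelled.
    """
    ids = [p for p in map(parse_unix_sid, token_sids) if p]
    uids = {n for kind, n in ids if kind == "user"}
    gids = {n for kind, n in ids if kind == "group"}
    if owner_uid in uids:
        bits = mode[1:4]
    elif group_gid in gids:
        bits = mode[4:7]
    else:
        bits = mode[7:10]
    granted = set()
    for pos, ch in enumerate(bits):
        if ch in "rw":
            granted.add(ch)
        elif pos == 2 and ch in "xst":  # s/t imply execute; S/T do not
            granted.add("x")
    return granted

# Constructed sample data: uid assumed from the get-acl output, gid invented.
POYNER_UID, PVT_POYNER_GID = 17907, 20001
TOKEN_WITH_GROUP = ["S-1-22-1-17907", "S-1-22-2-20001"]
TOKEN_WITHOUT_GROUP = ["S-1-22-1-17907"]

if __name__ == "__main__":
    for label, token in (("with group", TOKEN_WITH_GROUP),
                         ("without group", TOKEN_WITHOUT_GROUP)):
        print("poynerFile   ", label, sorted(
            posix_access("-rw-rw----", POYNER_UID, PVT_POYNER_GID, token)))
        print("rootPoynerDir", label, sorted(
            posix_access("drwxrws---", 0, PVT_POYNER_GID, token)))
```

On the server, `id <user>` shows the uid and gids that NSS actually returns, which can be compared with the values fed to this check.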




