[Samba] UID GID mapping with sssd no longer supported on samba 4.7.4?
Russell R Poyner
russell.poyner at wisc.edu
Mon Feb 19 23:11:37 UTC 2018
I'm struggling with a permission problem on a samba server that is
configured to resolve unix uids and gids via nss using sssd. This mostly
works. The windows side sees files as being owned by SID=S-1-22-<unix
uid of user> and the group is SID=S-1-22-<unix gid of group>.

This all works fine for files owned by the windows user, or files that
are world readable, but fails for files owned by root but belonging to
the user's primary group.

On the linux side:

  -rw-rw---- 1 poyner pvt-poyner 0 Feb 19 17:32 poynerFile
  drwxrws--- 2 root pvt-poyner 2 Feb 19 19:30 rootPoynerDir

On the windows side using powershell get-acl

  get-acl .\poynerDir\

  Path      Owner            Access
  ----      -----            ------
  poynerDir O:S-1-22-1-17907 S-1-22-1-17907 Allow FullControl...

and

  get-acl .\rootPoynerDir\
  get-acl : Attempted to perform an unauthorized operation.

This is very similar to bug 12719 which was closed with advice to use
winbindd.
https://bugzilla.samba.org/show_bug.cgi?id=12719
So is winbindd now the only option for resolving UID and GID?
Is idmap_nss deprecated? Or only supported for unix users in the local
password file?

My config

smb4.conf:

  [global]
  workgroup = ENGR
  server string = cbeserv
  security = ADS
  load printers = no
  realm = AD.SCHOOL.EDU
  min protocol = SMB2
  dns proxy = no
  unix extensions = no
  nmbd bind explicit broadcast = no
  oplocks = yes
  level2 oplocks = yes
  kernel oplocks = no

nsswitch.conf:

  passwd: files sss
  shadow: files
  group: files sss

Thanks
Russ Poyner