[Samba] UID GID mapping with sssd no longer supported on samba 4.7.4?
Harry Jede
walk2sun at arcor.de
Tue Feb 20 09:06:19 UTC 2018
On Monday, 19 February 2018, 17:11:37 CET, Russell R Poyner via
samba wrote:
> I'm struggling with a permission problem on a samba server that is
> configured to resolve unix uids and gids via nss using sssd. This
> mostly works. The windows side sees files as being owned by
> SID=S-1-22-<unix uid of user> and the group is SID=S-1-22-<unix gid
> of group>
>
> This all works fine for files owned by the windows user, or files that
> are world readable, but fails for files owned by root, but belonging
> to the user's primary group.
>
> On the linux side:
> -rw-rw---- 1 poyner pvt-poyner 0 Feb 19 17:32 poynerFile
> drwxrws--- 2 root pvt-poyner 2 Feb 19 19:30 rootPoynerDir
>
> On the windows side using powershell get-acl
>
> get-acl .\poynerDir\
> Path Owner Access
> ---- ----- ------
> poynerDir O:S-1-22-1-17907 S-1-22-1-17907 Allow FullControl...
>
> and
>
> get-acl .\rootPoynerDir\
> get-acl : Attempted to perform an unauthorized operation.
>
> This is very similar to bug 12719 which was closed with advice to use
> winbindd.
>
> https://bugzilla.samba.org/show_bug.cgi?id=12719
>
> So is winbindd now the only option for resolving UID and GID?
>
> Is idmap_nss deprecated? Or only supported for unix users in the local
> password file?
Maybe a group owner problem? According to "man smb.conf":
Default: acl group control = no
>
> My config
>
>
> smb4.conf:
> [global]
> workgroup = ENGR
> server string = cbeserv
> security = ADS
> load printers = no
> realm = AD.SCHOOL.EDU
>
> min protocol = SMB2
>
> dns proxy = no
> unix extensions = no
> nmbd bind explicit broadcast = no
> oplocks = yes
> level2 oplocks = yes
> kernel oplocks = no
>
> nsswitch.conf:
> passwd: files sss
> shadow: files
> group: files sss
>
>
> Thanks
> Russ Poyner
--
Regards
Harry Jede