[Samba] Samba 4.5: trying to setup an omnios system as a DC member

Andrea Cucciarrè acucciarre at cloudian.com
Wed Jun 20 07:15:19 UTC 2018


Hello Rowland,

thanks, configuring the uidNumber and gidNumber on the AD fixed the 
issue, now getent passwd works.
I just have one remaining issue, it seems the ACL doesn't work.
As an example when I set ACL with full permission for user andrea:

# /usr/bin/ls -ldV /cache/testsamba/
d---------+  3 root     root           5 Jun 19 19:40 /cache/testsamba/
             user:andrea:rwxpdDaARWcCos:fd-----:allow

the user andrea can't mount the share.
I have added the following entry in smb.conf for ACL:

     vfs objects = acl_xattr
     map acl inherit = Yes
     store dos attributes = Yes

and the directory is shared as follows:

[testsamba]
available = yes
browsable = yes
path = /cache/testsamba
read only = no

Am I missing something?

Thanks in advance
Andrea


On 6/19/2018 5:52 PM, Rowland Penny via samba wrote:
> On Tue, 19 Jun 2018 16:10:33 +0200
> Andrea Cucciarrè via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> I'm trying to setup an omnios system as a Samba DC member, and I need
>> AD backend for consistent IDs on all Samba clients.
>> The AD join is successful, the wbinfo shows the AD users
>>
>> # /opt/samba/bin/wbinfo -n andrea
>> S-1-5-21-2680195940-2267646359-3814218302-1109 SID_USER (1)
>>
>> however, " getent passwd ..." returns nothing for the user (all the
>> AD user)
>>
>> I have enabled debugging and I can see the following relevant error:
>>
>> [2018/06/19 15:53:54.302030,  5, pid=638, effective(0, 0), real(0,
>> 0)] ../source3/libads/ldap_utils.c:81(ads_do_search_retry_internal)
>>     Search for (uid=andrea) in <dc=HYPERFILE,dc=NET> gave 0 replies
>> [2018/06/19 15:53:54.302082,  5, pid=638, effective(0, 0), real(0,
>> 0), class=winbind]
>> ../source3/winbindd/winbindd_cache.c:1276(resolve_alias_to_username)
>>     resolve_alias_to_username: backend query returned
>> NT_STATUS_OBJECT_NAME_NOT_FOUND
>> ...
>> [2018/06/19 15:53:54.309621,  5, pid=638, effective(0, 0), real(0,
>> 0), class=winbind]
>> ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>>     Could not convert sid
>> S-1-5-21-2680195940-2267646359-3814218302-1109: NT_STATUS_NONE_MAPPED
>>
>> Also the command wbinfo fails to convert the SID to UID
>>
>> # /opt/samba/bin/wbinfo -S
>> S-1-5-21-2680195940-2267646359-3814218302-1109 failed to call
>> wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND Could not convert sid
>> S-1-5-21-2680195940-2267646359-3814218302-1109 to uid
>>
>> This is the relevant smb.conf:
>>
>> ===============================
>> [global]
>>       log file = /opt/samba/log/%m.log
>>       log level = 10
>>       workgroup = HYPERFILE
>>       security = ADS
>>       realm = HYPERFILE.NET
>>       dedicated keytab file = /etc/krb5.keytab
>>       kerberos method = secrets and keytab
>>       server string = Data %h
>>       winbind enum users = yes
>>       winbind enum groups = yes
>>       winbind use default domain = yes
>>       winbind expand groups = 4
>>       winbind nss info = rfc2307
>>       winbind refresh tickets = Yes
>>       winbind normalize names = Yes
>>
>>       idmap config * : backend = tdb
>>       idmap config * : range = 1000000-2000000
>>       idmap config * : schema_mode = rfc2307
> Hmm, the range is slightly excessive. The '*' domain is for the 'Well
> Known SIDs' (and there are fewer than 200 of these) and anything outside
> the domain; do you really expect around '999,800' users & groups from
> outside the domain to connect to the domain?
> You also do not use 'idmap config * : schema_mode = rfc2307' with the
> '*' domain.
>
>> idmap config HYPERFILE:backend = ad
>> idmap config HYPERFILE:schema_mode = rfc2307
>> idmap config HYPERFILE:range = 1000-9999
>> idmap config HYPERFILE:unix_primary_group = yes
> Do you really only have 8,999 users?
> Do they have a uidNumber inside the '1000-9999' range?
> Does 'Domain Users' have a gidNumber inside the same range?
> Neither the uidNumber nor the gidNumber attribute is added automatically;
> you must add them manually.
> And on the subject of the '1000-9999' range, do you not have any Unix
> users other than the system users?
>
> Rowland
>
>

-- 
Gestione problematica Andrea Cucciarrè
Technical Support Engineer | EMEA
acucciarre at cloudian.com
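The idmap questions raised in the quoted reply (does the '*' range make sense, is schema_mode misapplied to '*', does every AD user's uidNumber and gidNumber fall inside the ad backend's range) can be checked mechanically before joining a member server. The following is an added example, not code from the thread or from the Samba project: it parses the `idmap config` lines of an smb.conf and compares a constructed list of AD accounts against the configured ranges. The sample configuration mirrors the settings quoted above; the account data (names, uidNumber/gidNumber values) is made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample smb.conf text, mirroring the idmap settings quoted in the thread.
SAMPLE_SMB_CONF = """
[global]
      workgroup = HYPERFILE
      security = ADS
      realm = HYPERFILE.NET
      winbind nss info = rfc2307

      idmap config * : backend = tdb
      idmap config * : range = 1000000-2000000
      idmap config * : schema_mode = rfc2307

      idmap config HYPERFILE:backend = ad
      idmap config HYPERFILE:schema_mode = rfc2307
      idmap config HYPERFILE:range = 1000-9999
      idmap config HYPERFILE:unix_primary_group = yes
"""

# Constructed (hypothetical) AD accounts; the numbers are NOT from the thread.
SAMPLE_AD_ACCOUNTS = {
    "HYPERFILE": {
        "andrea": {"type": "user", "uidNumber": 1109, "gidNumber": 513},
        "Domain Users": {"type": "group", "gidNumber": 1200},
        "bob": {"type": "user"},  # never given uidNumber/gidNumber
    }
}

# Attributes the ad backend needs on each object type (rfc2307 schema).
REQUIRED = {"user": ("uidNumber", "gidNumber"), "group": ("gidNumber",)}

# Matches both spellings seen in smb.conf: 'idmap config * : range' and 'idmap config DOM:range'.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = defaultdict(dict)
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.groups()
            domains[domain.upper()][option.lower()] = value
    return dict(domains)


def parse_range(value):
    """'1000-9999' -> (1000, 9999); rejects inverted ranges."""
    lo, hi = (int(x) for x in value.split("-"))
    if lo > hi:
        raise ValueError(f"invalid range {value}")
    return lo, hi


def check_idmap(conf_text, ad_accounts, star_max_ids=100000):
    """Return a list of human-readable findings (empty list means no problems found)."""
    findings = []
    domains = parse_idmap(conf_text)
    ranges = {}
    for dom, opts in domains.items():
        if "range" not in opts:
            findings.append(f"{dom}: no range configured")
        else:
            ranges[dom] = parse_range(opts["range"])

    # 1. Ranges of different idmap domains must never overlap.
    doms = list(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"ranges overlap: {a} {ranges[a]} and {b} {ranges[b]}")

    # 2. '*' covers well-known SIDs and foreign domains: no schema_mode, modest range.
    star = domains.get("*", {})
    if "schema_mode" in star:
        findings.append("'*' domain: schema_mode is not used with the default domain")
    if "*" in ranges:
        lo, hi = ranges["*"]
        if hi - lo + 1 > star_max_ids:
            findings.append(f"'*' domain: range of {hi - lo + 1} ids is larger than needed")

    # 3. With backend = ad, every object's rfc2307 ids must exist and sit inside the domain range.
    for dom, opts in domains.items():
        if dom == "*" or opts.get("backend", "").lower() != "ad" or dom not in ranges:
            continue
        lo, hi = ranges[dom]
        for name, attrs in ad_accounts.get(dom, {}).items():
            for attr in REQUIRED[attrs.get("type", "user")]:
                val = attrs.get(attr)
                if val is None:
                    findings.append(f"{dom}/{name}: missing {attr} (not added automatically)")
                elif not lo <= val <= hi:
                    findings.append(f"{dom}/{name}: {attr}={val} outside range {lo}-{hi}")
    return findings


if __name__ == "__main__":
    for f in check_idmap(SAMPLE_SMB_CONF, SAMPLE_AD_ACCOUNTS):
        print("-", f)
```

Run against the sample, the checker reports the same points the reply makes: schema_mode on '*', an oversized '*' range, a gidNumber that falls outside 1000-9999 (so `getent passwd` cannot map the user), and an account with no rfc2307 attributes at all. Feeding it the real smb.conf plus an LDAP export of uidNumber/gidNumber values is a quick way to verify the fix before restarting winbind.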