[Samba] Windows file ownership changed from SID to Unix User

Gregory Giguashvili gregory.giguashvili at gmail.com
Sun Nov 22 12:50:29 UTC 2020


After upgrading the Samba server from version 4.9 to 4.10 (running on RHEL
7.7), something changed in how Windows clients see the file ownership on the
exported shares. Instead of SID owners, it now shows "Unix User\username"
and "Unix group\groupname" users. This works fine in all cases except
when the Samba share is used for storing Windows user profiles. The workaround
mentioned in
https://serverfault.com/questions/515968/house-roaming-profiles-on-realm-trusted-samba-server/517616#517616
works, but it is to be avoided due to possible security issues.

I should mention that I'm NOT using the winbind service. My Samba servers are
joined to the domain using SSSD. This worked fine with Samba 4.8 and 4.9,
but stopped working from version 4.10.

I'm attaching my smb.conf file. Any recommendations on how to follow up on
this issue are greatly appreciated.

[global]
        security = ADS
        workgroup = MYDOM
        realm = MYDOM.local

        log level = 3

        dfree command = /bin/samba-dfree
        dfree cache time = 60

        # See https://wiki.samba.org/index.php/Idmap_config_ad
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config MYDOM:backend = ad
        idmap config MYDOM:schema_mode = rfc2307
        idmap config MYDOM:range = 10000-999999
        idmap config MYDOM:unix_nss_info = no

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

        # Template settings for login shell and home directory
        template shell = /bin/bash
        template homedir = /home/shared/%U

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

[profiles]
        # See https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
        comment = Users profiles
        path = /roaming/profiles
        browseable = No
        read only = No
        force create mode = 0600
        force directory mode = 0700
        csc policy = disable
        level2 oplocks = No
        oplocks = No
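A pre-flight check for the idmap part of a configuration like the one above, added here as an example (it is not from the original post or from the Samba project): it parses the `idmap config` lines, requires a default `*` domain, a backend and a range per domain, and reports any two ranges that overlap, which Samba's idmap documentation requires to be disjoint. The sample configuration embedded below is constructed from the posted smb.conf.

```python
import re
from collections import defaultdict

# Constructed sample: the idmap-related lines from the posted smb.conf.
SMB_CONF = """
[global]
        security = ADS
        workgroup = MYDOM
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config MYDOM:backend = ad
        idmap config MYDOM:schema_mode = rfc2307
        idmap config MYDOM:range = 10000-999999
        idmap config MYDOM:unix_nss_info = no
"""

# Matches 'idmap config <domain> : <option> = <value>' (spaces around ':' optional).
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf: str) -> dict:
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    domains = defaultdict(dict)
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.groups()
            domains[domain.upper()][option.lower()] = value
    return dict(domains)

def parse_range(value: str) -> tuple:
    """Parse 'LOW-HIGH' into (low, high); reject reversed or malformed ranges."""
    lo, hi = (int(x) for x in value.split("-", 1))
    if lo > hi:
        raise ValueError(f"low bound {lo} is above high bound {hi}")
    return lo, hi

def check_idmap(conf: str) -> list:
    """Return a list of problems found; an empty list means the ranges look sane."""
    problems, ranges = [], {}
    domains = parse_idmap(conf)
    if "*" not in domains:
        problems.append("no default '*' idmap domain configured")
    for dom, opts in domains.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no idmap backend configured")
        if "range" not in opts:
            problems.append(f"{dom}: no idmap range configured")
            continue
        try:
            ranges[dom] = parse_range(opts["range"])
        except ValueError as err:
            problems.append(f"{dom}: bad range {opts['range']!r}: {err}")
    names = sorted(ranges)
    for i, a in enumerate(names):          # pairwise overlap test between domains
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges for {a} and {b} overlap")
    return problems
```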
