[Samba] Is Samba unable to resolve secondary group membership?
Michael Schwarz
schwarz at uni-paderborn.de
Wed Oct 7 15:00:50 UTC 2020
Hello,
I have a somewhat complicated problem and so far I have not been able to
find any hints that have brought me further towards a solution:
I run a CIFS cluster with two nodes using ctdb and samba. This cluster
is connected to an Active Directory. The share contains directories
which belong to the user root and a certain group. The users who are to
use the CIFS gateway are given access to those directories on the Unix
group. If the directory belongs to the current user or the other rights
are set accordingly, the user also receives access via Samba. However,
if the user gets rights to this directory solely on the basis of his
group membership (secondary group), Samba will deny access. If I give
the directory to the user's primary group, access will also work.
The tested directory is named "pc2-mitarbeiter" (for a deeper look in
the attached logfile) and the accessing user is <USER2>.
drwxrws--- 24 root pc2-mitarbeiter 4096 2. Okt 13:21 pc2-mitarbeiter
<USER2> is a member of the "pc2-mitarbeiter" group and has "users" as
primary group.
This leads me to the conclusion that the mapping AD-User -> Unix-User
and the primary group works. But Samba apparently does not get the group
membership in the secondary group resolved.
The environment:
There are two more or less separate worlds: One is the Windows world and
the other the Linux world. In the Linux world an OpenLDAP server and a
Kerberos service are used to authenticate users. For the Windows world a
conventional AD is available. These are two independent islands with
technically different users but matching user names and group names. The
only connection between the two worlds is the user name itself. So one
account in the Linux world and the corresponding account identified by
the username in the Windows world are the same person. The two servers
on which the Samba Cluster runs receive the system users from the LDAP.
In addition, the Samba server is a member of the AD domain. Winbind is
not configured for nss / pam. It is only intended to be used for
authenticating against the Samba server. The two servers also serve the
directory via nfs4 (not managed by ctdb) which works perfectly with
correct permissions.
Operating system is CentOS 7.8, Samba 4.10.4 (RPM version
samba-4.10.4-11.el7_8.x86_64)
A few debug outputs:
[root at lus-gw-1 samba]# net ads testjoin
Join is OK
[root at lus-gw-1 samba]# wbinfo -u | wc -l
32397
[root at lus-gw-1 samba]# wbinfo -g | wc -l
2864
[root at lus-gw-1 samba]# wbinfo -n <USER2>
S-1-5-21-3542048200-3079820972-537594794-55128 SID_USER (1)
[root at lus-gw-1 samba]# wbinfo -s
S-1-5-21-3542048200-3079820972-537594794-55128
AD\<USER2> 1
[root at lus-gw-1 samba]# wbinfo -i "AD\<USER2>"
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user AD\<USER2>
[root at lus-gw-1 samba]# wbinfo -S
S-1-5-21-3542048200-3079820972-537594794-55128
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-3542048200-3079820972-537594794-55128 to uid
The WBC_ERR_DOMAIN_NOT_FOUND is a little bit weird. The winbind logfile
reports "NO_SUCH_USER" in this case.
Samba configuration:
[root at lus-gw-1 samba]# net conf list
[global]
workgroup = AD
netbios name = lus-gw
security = ads
realm = AD.UNI-PADERBORN.DE
load printers = no
winbind use default domain = yes
winbind scan trusted domains = no
idmap config * : backend = tdb
idmap config * : range = 100-999
idmap config ad : range = 1000-99999999
idmap config ad : backend = ad
kerberos method = secrets and keytab
name resolve order = host bcast
winbind cache time = 5
winbind expand groups = 3
log level = 5
fileid:algorithm = fsname
vfs objects = fileid acl_xattr
[scratch]
path = /scratch
comment = Lustre re-export
read only = no
inherit acls = yes
inherit permissions = yes
create mask = 700
directory mask = 700
kernel oplocks = yes
valid users = @meta_pc2_acc_cr2018
DNS configuration:
The two nodes of the cluster are available under the same DNS-Name and
both ips get resolved to this name.
I have also set up a stand-alone Samba server (with the same user
configuration) on a Debian stretch system which shows the same behavior.
So this issue seems independent of the cluster mode and Samba version
(4.5.16-Debian vs 4.10.4). I have attached some logfiles. Which further
information could be helpful?
Regards,
Michael Schwarz
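An added illustration, not part of the original post: the plain POSIX permission check for the directory line quoted above, evaluated once with the user's full Unix group list and once with the primary group only, which reproduces the two outcomes the post reports (access via NFS, denial via Samba) and is a quick way to confirm that access to a directory depends solely on a supplementary group. `user2` is a placeholder for the redacted <USER2>.

```python
import re
from dataclasses import dataclass

# Constructed sample: the `ls -l` line quoted in the post; "user2" stands in for <USER2>.
LS_LINE = "drwxrws--- 24 root pc2-mitarbeiter 4096 2. Okt 13:21 pc2-mitarbeiter"
USER = "user2"
PRIMARY_GROUP = "users"
SECONDARY_GROUPS = {"pc2-mitarbeiter"}

@dataclass
class Entry:
    owner: str
    group: str
    perms: str  # nine permission characters, e.g. "rwxrws---"

_LS_RE = re.compile(r"^[-dl]([rwxsStT-]{9})[+@.]?\s+\d+\s+(\S+)\s+(\S+)\s")

def parse_ls_line(line: str) -> Entry:
    """Extract mode, owner and group from one `ls -l` line."""
    m = _LS_RE.match(line)
    if not m:
        raise ValueError(f"not an ls -l line: {line!r}")
    return Entry(owner=m.group(2), group=m.group(3), perms=m.group(1))

def _ops(triplet: str) -> frozenset:
    """Operations granted by one rwx triplet; 's'/'t' imply execute, 'S'/'T' do not."""
    granted = {"r": triplet[0] == "r", "w": triplet[1] == "w", "x": triplet[2] in "xst"}
    return frozenset(op for op, ok in granted.items() if ok)

def allowed_ops(entry: Entry, user: str, primary: str, secondary) -> tuple:
    """Classic POSIX class selection: owner first, then group (primary or any
    supplementary group), else other. Returns (class, granted operations)."""
    if user == entry.owner:
        return "owner", _ops(entry.perms[0:3])
    if entry.group == primary:
        return "primary", _ops(entry.perms[3:6])
    if entry.group in secondary:
        return "secondary", _ops(entry.perms[3:6])
    return "other", _ops(entry.perms[6:9])

def compare_tokens(entry: Entry, user: str, primary: str, secondary) -> dict:
    """Evaluate access with the full group list and with the primary group only,
    i.e. the two outcomes the post reports for NFS/local access vs. Samba."""
    full = allowed_ops(entry, user, primary, secondary)
    primary_only = allowed_ops(entry, user, primary, set())
    return {"with_secondary": full, "primary_only": primary_only}

if __name__ == "__main__":
    print(compare_tokens(parse_ls_line(LS_LINE), USER, PRIMARY_GROUP, SECONDARY_GROUPS))
```

On a live system the inputs come from `ls -ld <dir>` and `id -nG <user>`; if the "primary_only" result is the one the share actually shows, the supplementary groups are not reaching the access check.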