[Samba] Is Samba unable to resolve secondary group membership?
Michael Schwarz
schwarz at uni-paderborn.de
Thu Oct 8 07:51:27 UTC 2020
On 07.10.20 at 17:29, Rowland penny via samba wrote:
> On 07/10/2020 16:00, Michael Schwarz via samba wrote:
>> Hello,
>>
>> I have a somewhat complicated problem and so far I have not been able
>> to find any hints that have brought me further towards a solution:
> This is a bit hard to follow, but certain things stand out, your
> smb.conf file is from a Unix domain member, yet you are trying to use
> local Unix groups. You also seem to be using very low numbers for the
> AD users and groups, numbers I wouldn't recommend, you also mention
> CTDB, but you do not have 'clustering = yes' in your smb.conf.
>
> You shouldn't be getting 'WBC_ERR_DOMAIN_NOT_FOUND'
>
> Can you explain your set up a bit better ?
>
>
Hi Rowland,
thanks for your reply. I have posted the output from "net conf list" as
the /etc/samba/smb.conf is rather short:
[root at lus-gw-1 ~]# cat /etc/samba/smb.conf
[global]
clustering = yes
include = registry
[root at lus-gw-1 ~]# net conf list
[global]
workgroup = AD
netbios name = lus-gw
security = ads
realm = AD.UNI-PADERBORN.DE
load printers = no
winbind use default domain = yes
winbind scan trusted domains = no
idmap config * : backend = tdb
idmap config * : range = 100-999
idmap config ad : range = 1000-99999999
idmap config ad : backend = ad
kerberos method = secrets and keytab
name resolve order = host bcast
winbind cache time = 5
winbind expand groups = 3
log level = 5
fileid:algorithm = fsname
vfs objects = fileid acl_xattr
[scratch]
path = /scratch
comment = Lustre re-export
read only = no
inherit acls = yes
inherit permissions = yes
create mask = 700
directory mask = 700
kernel oplocks = yes
valid users = @meta_pc2_acc_cr2018
The setup at our university is not quite trivial. I can understand that.
I'll try to explain it again in a different way:
The university computer centre runs a central identity service
consisting of an LDAP server and its own Kerberos REALM
(UNI-PADERBORN.DE). All Linux computers and web services etc. are
connected to this service. For the Windows computers there is a separate
Active Directory domain (AD.UNI-PADERBORN.DE) served by a Windows domain
controller. The users are created in both LDAP and ADS, but are not fully
synchronised. The only reliable key to assign a user in LDAP to a user
in AD is the user name. The AD knows neither the Unix UIDs nor a home
directory or the like. Otherwise, the LDAP doesn't know for example the
SID of an AD-User. The AD can therefore not be taken as the sole source
for user data on Linux systems. That's why we didn't configure winbind
as a source in /etc/nsswitch.conf. In order for users on Windows
computers (member of AD.UNI-PADERBORN.DE) to be able to log on to the
CIFS cluster by single sign-on, this CIFS cluster is a member of the
domain. I have created a diagram on
http://homepages.uni-paderborn.de/mschwar2/LDAP-AD-UPB.jpg. The NFS
daemon and the CIFS daemon run on the same system.
The directory to be exported via CIFS is located on a Lustre file
system. This is natively mounted by many Linux computers in our
computing cluster and rights on this FS are correspondingly bound to the
Linux UIDs and GIDs.
Samba is obviously able to map an AD user correctly by name to a
corresponding LDAP user/Linux user. Otherwise I would not be able to
access data that belongs to my own user. What does not work is to
access data belonging to another user and a group of which I am a member
but which is not my primary group.
I hope this helps a little bit to understand the setup here.
Thanks,
Michael
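As an added example (not part of Michael's message or of the Samba project), a small POSIX sh check that classifies, from getent-style passwd and group data, whether a user holds a group as its primary group, as a secondary group, or not at all; this separates the "primary group works, secondary group does not" symptom on the NSS/LDAP side from anything winbind does. The share group and the `@` sigil syntax come from the smb.conf above; the sample users, the `check_live` wrapper and the assumption that `getent` is backed by LDAP are constructed for the example.

```shell
#!/bin/sh
# Added example: classify a user's relation to a Unix group as NSS sees it.

# Strip the Samba "valid users" sigil: @name, +name or &name -> name.
share_group_name() {
  printf '%s\n' "$1" | sed 's/^[@+&]*//'
}

# Print "primary", "secondary" or "none" for USER and GROUP, given
# passwd- and group-format databases ("getent passwd"/"getent group" output).
# Exit status 0 when the user is a member either way, 1 when not (or unknown).
membership_kind() {
  user=$1 group=$2 passwd_db=$3 group_db=$4
  gline=$(printf '%s\n' "$group_db" | grep "^${group}:" | head -n1)
  [ -n "$gline" ] || { echo none; return 1; }
  gid=$(printf '%s\n' "$gline" | cut -d: -f3)
  # Primary membership is stored in passwd (field 4), not in the group's member list.
  ugid=$(printf '%s\n' "$passwd_db" | grep "^${user}:" | head -n1 | cut -d: -f4)
  if [ -n "$ugid" ] && [ "$ugid" = "$gid" ]; then echo primary; return 0; fi
  # Secondary membership is the comma-separated member list (field 4 of group).
  if printf '%s\n' "$gline" | cut -d: -f4 | tr ',' '\n' | grep -Fqx "$user"; then
    echo secondary; return 0
  fi
  echo none; return 1
}

# Live wrapper (assumption: getent is available and nsswitch resolves via LDAP).
check_live() {
  membership_kind "$1" "$(share_group_name "$2")" "$(getent passwd)" "$(getent group)"
}

# Constructed sample data, not from the thread: alice has the share group as
# a secondary group, bob has it as primary, carol is not a member at all.
SAMPLE_PASSWD='alice:x:10001:500:Alice:/home/alice:/bin/sh
bob:x:10002:700:Bob:/home/bob:/bin/sh
carol:x:10003:500:Carol:/home/carol:/bin/sh'
SAMPLE_GROUP='users:x:500:
meta_pc2_acc_cr2018:x:700:alice'

for u in alice bob carol; do
  printf '%s: %s\n' "$u" \
    "$(membership_kind "$u" "$(share_group_name '@meta_pc2_acc_cr2018')" "$SAMPLE_PASSWD" "$SAMPLE_GROUP")"
done
```

On a real member, `check_live <user> '@meta_pc2_acc_cr2018'` reports what the LDAP side knows; if that says "secondary" while the share still denies access, the gap is on the winbind/idmap side rather than in NSS.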