On Wed, Jan 25, 2017 at 10:54:17PM -0000,
smfrench(a)gmail.com
wrote:
> It is sufficient to install sssd-libwbclient and make sure it is used
> instead of Samba's libwbclient; use the alternatives command to check
> this.
I applied this hint on Arch Linux running smbd version 4.5.2 and sssd 1.14.2. Users
are now correctly displayed (user@domain). The real drawback, as for many other
distributions, is that each time libwbclient is updated, we have to manually fix the
library links.
But there is an even worse issue when using sssd instead of winbind on a Samba domain
server. Samba (smbd) stores the ACLs of its shares in a database (share_info.tdb). In the
example below you see the content of a test share 'fixedtest' (fixed, as we applied
Sumit's hint).
REVISION:1
CONTROL:SR|DI|DP
OWNER:Unix User\root
GROUP:Unix Group\root
ACL:Unix Group\domain admins@samdom.com:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:Unix User\root:ALLOWED/I/FULL
ACL:Creator Owner:ALLOWED/OI|CI|IO|I/FULL
ACL:Unix Group\root:ALLOWED/I/FULL
ACL:Creator Group:ALLOWED/OI|CI|IO|I/FULL
On a Windows 7 client, the permissions look like this:
Path : Microsoft.PowerShell.Core\FileSystem::\\server01\adminshare\fixedtest
Owner : O:S-1-22-1-0
Group : G:S-1-22-2-0
Access : S-1-22-2-512 Allow FullControl
Everyone Allow ReadAndExecute, Synchronize
S-1-22-1-0 Allow FullControl
CREATOR OWNER Allow FullControl
S-1-22-2-0 Allow FullControl
CREATOR GROUP Allow FullControl
The GUI displays the SIDs as domain admins@samdom.com (Unix Group\domain
admins@samdom.com) and root (Unix User\root). The domain administrator, who created the
folder, is mapped to root by an smbd user map.
With these ACLs, other users that belong to the group 'Domain Admins' have full access
to this folder.
However, when we replace the above ACL from a Windows 7 client with the following one:
Path : Microsoft.PowerShell.Core\FileSystem::\\server01\adminshare\fixedtest
Owner : O:S-1-22-1-0
Group : G:S-1-22-2-0
Access : SAMDOM\Domain Admins Allow FullControl
SAMDOM\Domain Users Allow ReadAndExecute, Synchronize
SAMDOM\Department Allow Modify, Synchronize
only the domain administrator still has access. All other users that belong to the Domain
Admins group get access denied.
The resulting Samba share database has the following ACL:
REVISION:1
CONTROL:SR|PD|SI|DI|DP
OWNER:Unix User\root
GROUP:Unix Group\root
ACL:S-1-5-21-1961322486-2366424275-2351687912-512:ALLOWED/OI|CI/FULL
ACL:S-1-5-21-1961322486-2366424275-2351687912-513:ALLOWED/OI|CI/READ
ACL:S-1-5-21-1961322486-2366424275-2351687912-1116:ALLOWED/OI|CI/CHANGE
and getfacl on server01 shows:
# file: fixedtest
# owner: root
# group: root
user::rwx
user:root:rwx
group::rwx
group:root:rwx
group:domain\040admins@samdom.com:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:group::rwx
default:group:root:rwx
default:group:domain\040admins@samdom.com:rwx
default:mask::rwx
default:other::r-x
To us it looks like, if smbd uses the libwbclient provided by sssd, the domain is now
correctly added, but smbd is not able to correctly map SIDs to domain groups or users to
store in its share ACL DB.
What's still wrong here?
Btw, getent group domain\ admins correctly prints
domain admins@samdom.com:*:512:administrator@samdom.com,admin2@samdom.com
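The two share ACL dumps in the post above differ in one way that matters for access: the first stores resolved names, the second stores bare domain SIDs that smbd never mapped back to a group. The following script is an added example, not code from the post or from Samba or sssd, that parses such sharesec-style dumps and flags ACEs whose trustee is still a raw SID, decoding the RID so an administrator can spot which group each entry was meant to be. It also decodes the S-1-22-1-<uid> / S-1-22-2-<gid> pseudo-SIDs that the Windows client displayed for "Unix User\root" and "Unix Group\..." (Samba's Unix Users / Unix Groups pseudo-domain). The RID labels 512 (Domain Admins) and 513 (Domain Users) are the standard AD well-known RIDs; RID 1116 comes only from the post and cannot be named from the dump alone. Both dump strings are copied from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Both dumps are copied from the share_info.tdb listings in the post:
# BEFORE is the share ACL with mapped names, AFTER is what smbd stored once
# the ACL had been replaced from a Windows 7 client.
BEFORE = """\
REVISION:1
CONTROL:SR|DI|DP
OWNER:Unix User\\root
GROUP:Unix Group\\root
ACL:Unix Group\\domain admins@samdom.com:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:Unix User\\root:ALLOWED/I/FULL
ACL:Creator Owner:ALLOWED/OI|CI|IO|I/FULL
ACL:Unix Group\\root:ALLOWED/I/FULL
ACL:Creator Group:ALLOWED/OI|CI|IO|I/FULL
"""

AFTER = """\
REVISION:1
CONTROL:SR|PD|SI|DI|DP
OWNER:Unix User\\root
GROUP:Unix Group\\root
ACL:S-1-5-21-1961322486-2366424275-2351687912-512:ALLOWED/OI|CI/FULL
ACL:S-1-5-21-1961322486-2366424275-2351687912-513:ALLOWED/OI|CI/READ
ACL:S-1-5-21-1961322486-2366424275-2351687912-1116:ALLOWED/OI|CI/CHANGE
"""

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
ACE_RE = re.compile(
    r"^ACL:(?P<trustee>.+):(?P<type>ALLOWED|DENIED)/(?P<flags>[A-Z|]*)/(?P<perm>[A-Z]+)$"
)

# Standard AD well-known relative identifiers of built-in domain groups.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users"}


@dataclass
class Ace:
    trustee: str
    ace_type: str
    flags: List[str]
    perm: str

    @property
    def is_raw_sid(self) -> bool:
        """True when smbd stored a bare SID instead of a resolved name."""
        return SID_RE.match(self.trustee) is not None

    @property
    def rid(self) -> Optional[int]:
        """Last SID component, or None for a named trustee."""
        return int(self.trustee.rsplit("-", 1)[1]) if self.is_raw_sid else None


def parse_share_acl(dump: str) -> List[Ace]:
    """Parse the ACL: lines of a sharesec-style dump; other lines are skipped."""
    aces = []
    for line in dump.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            flags = [f for f in m["flags"].split("|") if f]
            aces.append(Ace(m["trustee"], m["type"], flags, m["perm"]))
    return aces


def unresolved_aces(dump: str) -> List[Ace]:
    """ACEs whose trustee was never mapped back to a user or group name."""
    return [a for a in parse_share_acl(dump) if a.is_raw_sid]


def describe_unix_sid(sid: str) -> Optional[str]:
    """Decode Samba's S-1-22-1-<uid> / S-1-22-2-<gid> pseudo-SIDs, the form in
    which the Windows client displayed 'Unix User\\root' and 'Unix Group\\...'."""
    m = re.match(r"^S-1-22-([12])-(\d+)$", sid)
    if not m:
        return None
    kind = "Unix User uid" if m.group(1) == "1" else "Unix Group gid"
    return f"{kind}={m.group(2)}"


def report(dump: str) -> List[str]:
    """One line per unmapped ACE, with the RID decoded where it is well known."""
    lines = []
    for ace in unresolved_aces(dump):
        known = WELL_KNOWN_RIDS.get(ace.rid, "not a well-known RID")
        lines.append(
            f"unmapped trustee {ace.trustee} (RID {ace.rid}: {known}) "
            f"{ace.ace_type} {ace.perm} flags={'|'.join(ace.flags)}"
        )
    return lines


if __name__ == "__main__":
    print("before edit:", report(BEFORE) or ["all trustees resolved"])
    print("after edit:")
    for line in report(AFTER):
        print("  ", line)
    print("S-1-22-2-512 is", describe_unix_sid("S-1-22-2-512"))
```

Run against the two dumps, the first reports no unmapped trustees while the second reports all three ACEs, with RID 512 and 513 labelled as Domain Admins and Domain Users; an ACL whose entries are all raw SIDs is exactly the situation in which a member of Domain Admins other than the mapped administrator ends up denied, so the check is a quick way to confirm whether the SID-to-name mapping path is working on a given server.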