On Mon, Apr 30, 2018 at 8:35 AM, Zdravko Zdravkov <nirayah@gmail.com> wrote:
> HI all.
>
> I've got working samba AD server. It is playing nicely with Windows
> 10 and also successfully authenticating Linux machines with SSSD.
> On the Windows machines I have our EMC storage smb mounted via group
> policy. Managing permissions for users and groups there, as you
> know, happens with right click, security etc..
>
> As you may have already guessed the troubles come when my Linux
> machines, that access the storage via nfs mount
NFSv3, or NFSv4?
> need to work with folders and files created from the Windows
> PCs. Linux doesn't "see" the actual user/group that owns given
> folder. It interprets it into ID numbers starting from 1000. I'm
> quite sure that this is common and known issue, but I don't know
> what is the right way to deal with it, so any wisdom will be
> helpful.
>
> Here's smb.conf from server
>
> [global]
> >
> > netbios name = AD
> > realm = XXXXXX
> > server role = active directory domain controller
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > workgroup = XXXX
> > idmap config XXXX:unix_nss_info = yes
Your "idmap config" setting implies that you are setting full RFC2307
attributes (uidNumber, gidNumber, homeDirectory, loginShell, et. al.)
in LDAP.
If that is correct, then your sssd.conf ldap_id_mapping setting:
> > log file = /var/log/samba/samba.log
> > log level = 3
> > [netlogon]
> > path = /usr/local/samba/var/locks/sysvol/XXXXXX/scripts …is wrong. This must be False, so that sssd uses the RFC2307
> > read only = No
> > [sysvol]
> > path = /usr/local/samba/var/locks/sysvol
> > read only = No
>
> also, sssd.conf from client
>
> > [sssd]
> >
> > domains = xxxx
> > config_file_version = 2
> > services = nss, pam
> >
> > [domain/xxxx]
> >
> > ad_domain = xxxx
> > krb5_realm = XXXX
> > realmd_tags = manages-system joined-with-samba
> > cache_credentials = True
> > id_provider = ad
> > krb5_store_password_if_offline = True
> > default_shell = /bin/bash
> > ldap_id_mapping = True
attributes, instead of auto-generating uid/gid values based on the
SID/RID attributes. See the "ID MAPPING" section of sssd-ldap(5).
> > use_fully_qualified_names = False
> > fallback_homedir = /home/%u
> > access_provider = ad
>
> and nsswitch.conf
>
> > passwd: files sss
> > shadow: files sss
> > group: files sss
>
> Will appreciate any wisdom.
You need to be consistent about how uid/gid information is derived
from LDAP.
Either set full RFC2307 attributes and use them, or configure ID
mapping. But whichever path you choose, you must implement it
consistently. (You can have sssd mimic winbind's idmap_autorid
algorithm if necessary; see the ldap_idmap_autorid_compat setting.)
Also note that once you go down either path, you're pretty much stuck
with that decision, because changing the mechanism would invalidate
all existing uids/gids.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org