On 12/24/2011 01:19 PM, Gémes Géza wrote:
On 2011-12-23 14:22, steve wrote:
Hi

We have AD users created with either samba-tool user add steve2 or
using the windows AD frontend from a windows box.

Users are created with home directories under /home/CACTUS

On a win 7 client all works fine. Users can authenticate against the
CACTUS domain and files are created with the correct uid:gid

We joined an Ubuntu client to the domain using likewise. /home from
the server is mounted on the client via nfs. On the ubuntu box, users
can authenticate, but cannot enter their /home folder. Making the
folder recursively 0777 allows them access but any new file created
has the wrong uid:gid

On the server: wbinfo -i steve2 gives /home/CACTUS/steve2 3000006:100
and I can use smbclient to create folders that show 3000006:100

On the ubuntu client however, any new files created have uid:gid of
1481114100:1481114113

Can I eliminate Samba 4 from debugging this problem? If so, then can
anyone narrow down which of likewise or nfs is the culprit and if
neither then any other alternatives. . .

Thanks
Steve.

The problem you have noted is a result of the fact that you are using
two pieces of software with incompatible uid/gid<->sid mapping methods. Likewise
has its own (I'm not sure, just from memory: algorithmic mapping) while
Samba4 uses the "first seen sid first free xid (uid or gid) associated"
method. Both have shortcomings of their own. IMHO the best
existing approach is represented by Samba3 winbind with the idmap_ad
backend, where it uses the attributes stored in AD (rfc2307 schema).
This way all the AD client Linux systems will have the same uid, gid,
shell and homedir sets. However this leaves out the Samba4 server, which
is going to have its own (unrelated) mappings. My suggestion would be to
do the minimum possible of file operations on the Samba4 server itself,
doing all from clients.

Regards

Geza

Thanks for the explanation

OK. I got rid of likewise and joined the domain instead using the openSUSE 'Windows Domain Membership' module under Yast. That uses Samba 3. I joined the Samba 4 domain OK and can authenticate fine, but again, the uid:gid was wrong.

Geza, would this be possible:

Can I turn off Samba 4 winbind on the server and use Samba 3 winbind on the Linux clients whilst still using Samba 4 authentication?

Thanks
Steve

Is there
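
The mapping mismatch discussed in this thread, as an added illustration that is not part of the original messages and is not Samba or Likewise code: three simplified SID-to-uid strategies resolved on a "server" and a "client" that meet users in a different order. The SIDs, RIDs, uidNumber values and the CRC-based algorithmic formula are constructed assumptions; only the 3000000 starting range echoes the uid shown in the thread.

```python
import zlib

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
USERS = {n: f"{DOMAIN_SID}-{rid}" for n, rid in [("steve2", 1105), ("alice", 1106), ("bob", 1107)]}

class AlgorithmicMapper:
    """uid computed from the SID alone; stateless (assumed scheme, not Likewise's)."""
    def uid(self, sid):
        domain, rid = sid.rsplit("-", 1)
        return ((zlib.crc32(domain.encode()) & 0x7FF) << 20) + int(rid)

class AllocatingMapper:
    """First seen SID gets the first free uid; the table lives on one host."""
    def __init__(self, first=3000000):
        self.next_free, self.table = first, {}
    def uid(self, sid):
        if sid not in self.table:
            self.table[sid] = self.next_free
            self.next_free += 1
        return self.table[sid]

class DirectoryMapper:
    """uid read from an attribute stored with the account (rfc2307 uidNumber)."""
    def __init__(self, directory):
        self.directory = directory
    def uid(self, sid):
        return self.directory[sid]

def uids_seen(mapper, login_order):
    """Resolve users in the order this host first encounters them."""
    for name in login_order:
        mapper.uid(USERS[name])
    return {name: mapper.uid(s) for name, s in USERS.items()}

def compare():
    directory = {s: 10000 + i for i, s in enumerate(USERS.values())}  # constructed uidNumbers
    server, client = ["alice", "bob", "steve2"], ["steve2", "alice", "bob"]
    pairs = {
        "allocating": (AllocatingMapper(), AllocatingMapper()),
        "algorithmic": (AlgorithmicMapper(), AlgorithmicMapper()),
        "directory": (DirectoryMapper(directory), DirectoryMapper(directory)),
        "mixed": (AllocatingMapper(), AlgorithmicMapper()),  # the setup in this thread
    }
    return {k: (uids_seen(s, server), uids_seen(c, client)) for k, (s, c) in pairs.items()}

if __name__ == "__main__":
    for scheme, (srv, cli) in compare().items():
        verdict = "match" if srv == cli else "MISMATCH"
        print(f"{scheme:12} server={srv['steve2']:>10} client={cli['steve2']:>10} {verdict}")
```

Over NFS with numeric uid:gid ownership, any row reported as MISMATCH means a file written on one host belongs to a different account, or to nobody, on the other.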