On Mon, Apr 30, 2018 at 8:35 AM, Zdravko Zdravkov <[email protected]> wrote:
> HI all. > > I've got working samba AD server. It is playing nicely with Windows > 10 and also successfully authenticating Linux machines with SSSD. > On the Windows machines I have our EMC storage smb mounted via group > policy. Managing permissions for users and groups there, as you > know, happens with right click, security etc.. > > As you may have already guessed the troubles come when my Linux > machines, that access the storage via nfs mount NFSv3, or NFSv4? > need to work with folders and files created from the Windows > PCs. Linux doesn't "see" the actual user/group that owns given > folder. It interprets it into ID numbers starting from 1000. I'm > quite sure that this is common and known issue, but I don't know > what is the right way to deal with it, so any wisdom will be > helpful. > > Here's smb.conf from server > > [global] > > > > netbios name = AD > > realm = XXXXXX > > server role = active directory domain controller > > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, > > winbindd, ntp_signd, kcc, dnsupdate > > workgroup = XXXX > > idmap config XXXX:unix_nss_info = yes Your "idmap config" setting implies that you are setting full RFC2307 attributes (uidNumber, gidNumber, homeDirectory, loginShell, et. al.) in LDAP. If that is correct, then your sssd.conf ldap_id_mapping setting: > > log file = /var/log/samba/samba.log > > log level = 3 > > [netlogon] > > path = /usr/local/samba/var/locks/sysvol/XXXXXX/scripts > > read only = No > > [sysvol] > > path = /usr/local/samba/var/locks/sysvol > > read only = No > > also, sssd.conf from client > > > [sssd] > > > > domains = xxxx > > config_file_version = 2 > > services = nss, pam > > > > [domain/xxxx] > > > > ad_domain = xxxx > > krb5_realm = XXXX > > realmd_tags = manages-system joined-with-samba > > cache_credentials = True > > id_provider = ad > > krb5_store_password_if_offline = True > > default_shell = /bin/bash > > ldap_id_mapping = True …is wrong. This must be False, so that sssd uses the RFC2307 attributes, instead of auto-generating uid/gid values based on the SID/RID attributes. See the "ID MAPPING" section of sssd-ldap(5). > > use_fully_qualified_names = False > > fallback_homedir = /home/%u > > access_provider = ad > > and nsswitch.conf > > > passwd: files sss > > shadow: files sss > > group: files sss > > Will appreciate any wisdom. You need to be consistent about how uid/gid information is derived from LDAP. Either set full RFC2307 attributes and use them, or configure ID mapping. But whichever path you choose, you must implement it consistently. (You can have sssd mimic winbind's idmap_autorid algorithm if necessary; see the ldap_idmap_autorid_compat setting.) Also note that once you go down either path, you're pretty much stuck with that decision, because changing the mechanism would invalidate all existing uids/gids. _______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
