You are absolutely right and that's why I want to fix all of this while I only have very few users. The OneFS Isilon storage has both NFS3 and NFS4 enabled, but I'm using v3.
The samba AD smb.conf file was generated through the samba provisioning tool so I guess that some manual tweaking will be needed. Obviously I'm very new to SSSD, so I'm not sure which way is better - sticking to RFC2307 or there is better option for my particular needs? I guess that is what you mean with " ldap_idmap_autorid_compat"? Adding manually uidNumber, gidNumber etc. is something I'd like to avoid if possible. On Tue, May 1, 2018 at 10:24 PM, James Ralston <[email protected]> wrote: > On Mon, Apr 30, 2018 at 8:35 AM, Zdravko Zdravkov <[email protected]> > wrote: > > > HI all. > > > > I've got working samba AD server. It is playing nicely with Windows > > 10 and also successfully authenticating Linux machines with SSSD. > > On the Windows machines I have our EMC storage smb mounted via group > > policy. Managing permissions for users and groups there, as you > > know, happens with right click, security etc.. > > > > As you may have already guessed the troubles come when my Linux > > machines, that access the storage via nfs mount > > NFSv3, or NFSv4? > > > need to work with folders and files created from the Windows > > PCs. Linux doesn't "see" the actual user/group that owns given > > folder. It interprets it into ID numbers starting from 1000. I'm > > quite sure that this is common and known issue, but I don't know > > what is the right way to deal with it, so any wisdom will be > > helpful. > > > > Here's smb.conf from server > > > > [global] > > > > > > netbios name = AD > > > realm = XXXXXX > > > server role = active directory domain controller > > > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, > drepl, winbindd, ntp_signd, kcc, dnsupdate > > > workgroup = XXXX > > > idmap config XXXX:unix_nss_info = yes > > Your "idmap config" setting implies that you are setting full RFC2307 > attributes (uidNumber, gidNumber, homeDirectory, loginShell, et. al.) > in LDAP. > > If that is correct, then your sssd.conf ldap_id_mapping setting: > > > > log file = /var/log/samba/samba.log > > > log level = 3 > > > [netlogon] > > > path = /usr/local/samba/var/locks/sysvol/XXXXXX/scripts > > > read only = No > > > [sysvol] > > > path = /usr/local/samba/var/locks/sysvol > > > read only = No > > > > also, sssd.conf from client > > > > > [sssd] > > > > > > domains = xxxx > > > config_file_version = 2 > > > services = nss, pam > > > > > > [domain/xxxx] > > > > > > ad_domain = xxxx > > > krb5_realm = XXXX > > > realmd_tags = manages-system joined-with-samba > > > cache_credentials = True > > > id_provider = ad > > > krb5_store_password_if_offline = True > > > default_shell = /bin/bash > > > ldap_id_mapping = True > > …is wrong. This must be False, so that sssd uses the RFC2307 > attributes, instead of auto-generating uid/gid values based on the > SID/RID attributes. See the "ID MAPPING" section of sssd-ldap(5). > > > > use_fully_qualified_names = False > > > fallback_homedir = /home/%u > > > access_provider = ad > > > > and nsswitch.conf > > > > > passwd: files sss > > > shadow: files sss > > > group: files sss > > > > Will appreciate any wisdom. > > You need to be consistent about how uid/gid information is derived > from LDAP. > > Either set full RFC2307 attributes and use them, or configure ID > mapping. But whichever path you choose, you must implement it > consistently. (You can have sssd mimic winbind's idmap_autorid > algorithm if necessary; see the ldap_idmap_autorid_compat setting.) > > Also note that once you go down either path, you're pretty much stuck > with that decision, because changing the mechanism would invalidate > all existing uids/gids. > _______________________________________________ > sssd-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] >
_______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
