[Samba] UID GID mapping with sssd no longer supported on samba 4.7.4?

I'm struggling with a permission problem on a Samba server that is configured to resolve unix uids and gids via nss using sssd. This mostly works. The Windows side sees files as being owned by SID=S-1-22-<unix uid of user> and the group is SID=S-1-22-<unix gid of group>.

This all works fine for files owned by the Windows user, or files that are world readable, but fails for files owned by root but belonging to the user's primary group.

On the Linux side:
-rw-rw----  1 poyner  pvt-poyner  0 Feb 19 17:32 poynerFile
drwxrws---  2 root    pvt-poyner  2 Feb 19 19:30 rootPoynerDir

On the Windows side using PowerShell get-acl:

get-acl .\poynerDir\
Path      Owner            Access
----      -----            ------
poynerDir O:S-1-22-1-17907 S-1-22-1-17907 Allow  FullControl...


get-acl .\rootPoynerDir\
get-acl : Attempted to perform an unauthorized operation.

This is very similar to bug 12719 which was closed with advice to use winbindd.


So is winbindd now the only option for resolving UID and GID?

Is idmap_nss deprecated? Or only supported for unix users in the local password file?

My config

   workgroup = ENGR
   server string = cbeserv
   security = ADS
   load printers = no
   realm = AD.SCHOOL.EDU

   min protocol = SMB2

   dns proxy = no
   unix extensions = no
   nmbd bind explicit broadcast = no
   oplocks = yes
   level2 oplocks = yes
   kernel oplocks = no

passwd:     files sss
shadow:     files
group:      files sss

Russ Poyner
