
[Samba] UID GID mapping with sssd no longer supported on samba 4.7.4?




I'm struggling with a permission problem on a samba server that is configured to resolve unix uids and gids via nss using sssd. This mostly works. The windows side sees files as being owned by SID=S-1-22-<unix uid of user> and the group is SID=S-1-22-<unix gid of group>.

This all works fine for files owned by the windows user, or files that are world readable, but fails for files owned by root, but belonging to the user's primary group.

On the linux side:
-rw-rw----  1 poyner  pvt-poyner  0 Feb 19 17:32 poynerFile
drwxrws---  2 root    pvt-poyner  2 Feb 19 19:30 rootPoynerDir

On the windows side using powershell get-acl:

get-acl .\poynerDir\
Path      Owner            Access
----      -----            ------
poynerDir O:S-1-22-1-17907 S-1-22-1-17907 Allow  FullControl...

and

get-acl .\rootPoynerDir\
get-acl : Attempted to perform an unauthorized operation.

This is very similar to bug 12719 which was closed with advice to use winbindd.

https://bugzilla.samba.org/show_bug.cgi?id=12719

So is winbindd now the only option for resolving UID and GID?

Is idmap_nss deprecated? Or only supported for unix users in the local password file?

My config


smb4.conf:
[global]
   workgroup = ENGR
   server string = cbeserv
   security = ADS
   load printers = no
   realm = AD.SCHOOL.EDU

   min protocol = SMB2

   dns proxy = no
   unix extensions = no
   nmbd bind explicit broadcast = no
   oplocks = yes
   level2 oplocks = yes
   kernel oplocks = no

nsswitch.conf:
passwd:     files sss
shadow:     files
group:      files sss


Thanks
Russ Poyner


