
Re: [Samba] Samba 4.5: trying to setup an omnios system as a DC member




Hello Rowland,

Thanks, configuring the uidNumber and gidNumber in AD fixed the issue; now getent passwd works.
I just have one remaining issue: it seems the ACL doesn't work.
As an example, when I set an ACL with full permissions for user andrea:

# /usr/bin/ls -ldV /cache/testsamba/
d---------+  3 root     root           5 Jun 19 19:40 /cache/testsamba/
            user:andrea:rwxpdDaARWcCos:fd-----:allow

the user andrea can't mount the share.
I have added the following entries in smb.conf for ACLs:

    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

and the directory is shared as follows:

[testsamba]
available = yes
browsable = yes
path = /cache/testsamba
read only = no

Am I missing something?

Thanks in advance
Andrea


On 6/19/2018 5:52 PM, Rowland Penny via samba wrote:
On Tue, 19 Jun 2018 16:10:33 +0200
Andrea Cucciarrè via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hello,

I'm trying to set up an omnios system as a Samba DC member, and I need
the AD backend for consistent IDs on all Samba clients.
The AD join is successful, and wbinfo shows the AD users:

# /opt/samba/bin/wbinfo -n andrea
S-1-5-21-2680195940-2267646359-3814218302-1109 SID_USER (1)

however, "getent passwd ..." returns nothing for the user (for all the
AD users).

I have enabled debugging and I can see the following relevant error:

[2018/06/19 15:53:54.302030,  5, pid=638, effective(0, 0), real(0,
0)] ../source3/libads/ldap_utils.c:81(ads_do_search_retry_internal)
    Search for (uid=andrea) in <dc=HYPERFILE,dc=NET> gave 0 replies
[2018/06/19 15:53:54.302082,  5, pid=638, effective(0, 0), real(0,
0), class=winbind]
../source3/winbindd/winbindd_cache.c:1276(resolve_alias_to_username)
    resolve_alias_to_username: backend query returned
NT_STATUS_OBJECT_NAME_NOT_FOUND
...
[2018/06/19 15:53:54.309621,  5, pid=638, effective(0, 0), real(0,
0), class=winbind]
../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
    Could not convert sid
S-1-5-21-2680195940-2267646359-3814218302-1109: NT_STATUS_NONE_MAPPED

Also the command wbinfo fails to convert the SID to UID

# /opt/samba/bin/wbinfo -S
S-1-5-21-2680195940-2267646359-3814218302-1109 failed to call
wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND Could not convert sid
S-1-5-21-2680195940-2267646359-3814218302-1109 to uid

This is the relevant smb.conf:

===============================
[global]
      log file = /opt/samba/log/%m.log
      log level = 10
      workgroup = HYPERFILE
      security = ADS
      realm = HYPERFILE.NET
      dedicated keytab file = /etc/krb5.keytab
      kerberos method = secrets and keytab
      server string = Data %h
      winbind enum users = yes
      winbind enum groups = yes
      winbind use default domain = yes
      winbind expand groups = 4
      winbind nss info = rfc2307
      winbind refresh tickets = Yes
      winbind normalize names = Yes

      idmap config * : backend = tdb
      idmap config * : range = 1000000-2000000
      idmap config * : schema_mode = rfc2307
Hmm, the range is slightly excessive. The '*' domain is for the 'Well
Known SIDs' (and there are fewer than 200 of these) and anything outside
the domain; do you really expect around '999,800' users & groups from
outside the domain to connect to the domain?
You also do not use 'idmap config * : schema_mode = rfc2307' with the
'*' domain.

idmap config HYPERFILE:backend = ad
idmap config HYPERFILE:schema_mode = rfc2307
idmap config HYPERFILE:range = 1000-9999
idmap config HYPERFILE:unix_primary_group = yes
Do you really only have 8,999 users?
Do they have a uidNumber inside the '1000-9999' range?
Does 'Domain Users' have a gidNumber inside the same range?
Neither the uidNumber nor the gidNumber attribute is added automatically;
you must add them manually.
And on the subject of the '1000-9999' range, do you not have any Unix
users other than the system users?

Rowland



--
Problem Management Andrea Cucciarrè
Technical Support Engineer | EMEA
acucciarre@xxxxxxxxxxxx
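The idmap points Rowland raises (schema_mode set on the '*' domain, an oversized '*' range, and uidNumber/gidNumber values that must fall inside the domain's range) can be checked mechanically before joining. The script below is an added example, not code from the thread or from Samba; the smb.conf fragment is constructed from the one posted, and the 10,000-ID threshold for the '*' range is an assumed sanity limit.

```python
import re
# Constructed from the smb.conf posted in the thread (not the full file).
SMB_CONF = """
      idmap config * : backend = tdb
      idmap config * : range = 1000000-2000000
      idmap config * : schema_mode = rfc2307
      idmap config HYPERFILE:backend = ad
      idmap config HYPERFILE:schema_mode = rfc2307
      idmap config HYPERFILE:range = 1000-9999
      idmap config HYPERFILE:unix_primary_group = yes
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            cfg.setdefault(dom, {})[opt.lower()] = val
    return cfg

def parse_range(value):
    lo, hi = (int(x) for x in value.split("-"))
    return lo, hi

def check_idmap(cfg, max_default_span=10000):
    """Findings for the points raised in the thread; the span limit is an assumption."""
    findings = []
    ranges = {d: parse_range(o["range"]) for d, o in cfg.items() if "range" in o}
    # schema_mode belongs to the 'ad' backend; the '*' domain uses tdb here.
    if "schema_mode" in cfg.get("*", {}):
        findings.append("'*' domain sets schema_mode with backend %s" % cfg["*"].get("backend", "?"))
    # The '*' range only needs room for well-known SIDs and out-of-domain IDs.
    if "*" in ranges and ranges["*"][1] - ranges["*"][0] > max_default_span:
        findings.append("'*' range spans %d IDs" % (ranges["*"][1] - ranges["*"][0] + 1))
    # Samba requires idmap ranges of different domains not to overlap.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append("ranges for %s and %s overlap" % (a, b))
    return findings

def id_in_domain_range(cfg, domain, number):
    """True if an AD uidNumber/gidNumber lies inside that domain's idmap range."""
    lo, hi = parse_range(cfg[domain]["range"])
    return lo <= number <= hi
```

Running check_idmap over the posted fragment reports the schema_mode and range-size findings and no overlap; id_in_domain_range is the check to apply to each user's uidNumber and to the gidNumber of 'Domain Users'.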


