0

I have a Synology NAS running Samba that serves up shares in my network. I've set up autofs, LDAP and sssd and can mount Samba home directories on the fly when I log into Linux and MacOS machines.

My shares on the NAS are on an Ext4 volume, i.e. they have never been anything other than Linux files on a Linux filesystem. On the NAS they look like this:

-rwxrwxrwx+ 1 smbowner users    0 Jan 30 03:05 abc
drwxrwxr--+ 2 smbowner users 4096 Jan 30 02:37 bin
-rw-r--r--  1 smbowner users    0 Jan 30 16:43 def

However, on a Linux client they look like this:

---------- 1 netbackup netbackup 0 Jan 30 03:05 abc
drwxr-x--- 2 netbackup netbackup 0 Jan 30 02:37 bin
-rw-r--r-- 1 netbackup netbackup 0 Jan 30 16:43 def

All of the files were created on the Linux client. And they all initially had the file mode 000, like abc has in the example above. If I change the file mode on the NAS, as I did for def, the change is passed through to the client, as above (0644). However, if I do chmod 0644 on the client side, I get an error message ("changing permissions of 'abc': Operation not supported") but it does it anyway :-) and the result on the NAS is 0666.

In the listing on the NAS side, there are + signs after the file mode, indicating that the files have "syno ACLs", which are proprietary Synology ACLs. These get translated and exported to the client and look like the following when displayed on the client with getcifsacl:

~> getcifsacl def
REVISION:0x1
CONTROL:0x8004
OWNER:S-1-5-21-1620245859-1572950330-1674857983-3068
GROUP:S-1-5-21-1620245859-1572950330-1674857983-1201
ACL:S-1-5-21-1620245859-1572950330-1674857983-3068:ALLOWED/OI|CI/0x1201df
ACL:S-1-5-21-1620245859-1572950330-1674857983-1201:ALLOWED/OI|CI/R
ACL:Everyone@WORLD AUTHORITY:ALLOWED/OI|CI/R
ACL:S-1-5-88-3-33188:DENIED/0x0/
ACL:S-1-5-88-1-1034:DENIED/0x0/
ACL:S-1-5-88-2-100:DENIED/0x0/

Clearly, something is wrong here: the SIDs should have been 'idmapped' into something recognisable to a Linux user.

The autofs command (extracted from LDAP) with which the Samba share is mounted is:

-fstype=cifs,vers=3.1.1,cifsacl,perm,mapposix,user_xattr,domain=<dom>,rw,credentials=<file>,file_mode=0640,dir_mode=0750,uid=&,gid=& ://<machine>/<UNC>

My understanding is that the option cifsacl should have caused the SIDs above to be 'idmapped'. It should also have fixed the file modes too...

On the basis of what I have gleaned from various sources in the web, I have the impression that I need somehow to configure sssd (on the client?) and smbd (on the NAS?) with idmap data. My problem is that I haven't been able to find any information on how to do this in the absence of an Active Directory Domain Controller.

Are my conclusions correct thus far? And is there a way of making sssd and smbd work together to make the permissions on the NAS and on the client resemble each other? Or should I be looking at something else?

Stephen Winnall
  • 165
  • 1
  • 8
  • Just as a footnote: I have no Windows machines and the only reason I'm using SMB for network shares is because - increasingly - that's all that Apple supports. My clients tend to be Apple and my servers are Linux. – Stephen Winnall Jan 31 '21 at 01:27
  • If you are just running smbd on the mas, then it is running as a standalone server, this is akin to running Windows home edition and you are running a workgroup. One of the problems with workgroups is that you have to create the same users & groups on all members of the workgroup. This quickly becomes a pain and is one reason why domains came about. You cannot idmap in a workgroup, each member will have its own SID. I would suggest that you set up a samba AD DC and run a domain. You will have to remove sssd and use winbind instead. – Rowland Penny Jan 31 '21 at 10:09
  • @RowlandPenny - I hadn't thought of the comparison with Windows Home Edition, but I agree. My user management is all in LDAP on an Ubuntu server. I have a Samba server which provides a domain: the NAS is a peripheral, not the centre of my network in any sense (other than data storage!). I shall look at whether joining the NAS into the domain helps. Everything I have read tells me that SSSD is to be preferred to winbind, and I have other reasons for using SSSD anyway. Ultimately I'll probably move to Kerberos, but I'm putting that off for now. Basically, for me AD is a bug to work around. – Stephen Winnall Jan 31 '21 at 17:20
  • If you are using Samba as an NT4-style PDC, then you really need to upgrade, Samba is working hard to totally remove SMBv1 and your PDC relies on this. The other problem is that you cannot sssd with Samba >=4.8.0 on a domain joined computer, you must use winbind. Running a Samba AD DC is no harder than a PDC and gives you ldap, kerberos and a dns server. As for reading matter, try reading this: https://wiki.samba.org/index.php/Main_Page . In my opinion, winbind is preferable to sssd, it does more, but then I am biased. – Rowland Penny Jan 31 '21 at 19:19

1 Answers1

0

I'm not sure this is a proper answer in the broader sense, but to the extent that it solves my problem it is.

Discussions and recommendations in this thread and in other earlier ones (LDAP/Samba/autofs i.a.) led me to reconsider my approach. I was trying to configure a LAN consisting of MacOS clients and Unix/Linux servers with a central LDAP server for authentication, SSH access from machine to machine, some common network file system and autofs. This was triggered partially by Apple's abandonment of MacOS Server and also by Apple's (for me: inexplicable) move to SMB. A more pressing need was to re-establish a working infrastructure for Time Machine backups for the Mac OS clients, which were failing because of Apple's use of their SMBX dialect of SMB, which is not supported on the Synology NAS on which the TM backups were to be stored.

The further I got, the more Windows crud was appearing in my network, which has no Windows machines in it at all. My whole network architecture was being dictated by Active Directory, towards which I was inexorably being pushed. Given that Windows file systems are an awful match (in a purely structural sense) for MacOS and Unix/Linux anyway, using SMB simply on Apple's say-so suddenly appeared ridiculous. Samba is an amazing piece of software, but "you can't make a silk purse out of a sow's ear", as the old saying has it.

So I have started to replace SMB with NFSv4. I now have a network file system that is congruous with my MacOS and Unix/Linux filesystems and I have made more progress in the last three days than in the previous three months.

I still have the problem of providing network access for Time Machine backups, but I'll do that by attaching disks to a Mac Mini (which has been my traditional server and now has time on its hands) and letting Apple's SMB implementation handle what is a purely Apple problem.

I was trying to use SMB because the buzz I got heard off Apple and the net was that it was really the only show in town. Apple were dropping support for AFP (which doesn't really work on Unix/Linux anyway - but then, neither does SMB); and NFS was reputedly too insecure. It may well be that hacking together an SMB solution would be even more insecure, if it even worked. So, I have solved my problem for now, I hope.

Even if this isn't a proper answer :-)

Stephen Winnall
  • 165
  • 1
  • 8