I have a Synology NAS running Samba that serves up shares in my network. I've set up autofs
, LDAP and sssd
and can mount Samba home directories on the fly when I log into Linux and MacOS machines.
My shares on the NAS are on an Ext4 volume, i.e. they have never been anything other than Linux files on a Linux filesystem. On the NAS they look like this:
-rwxrwxrwx+ 1 smbowner users 0 Jan 30 03:05 abc
drwxrwxr--+ 2 smbowner users 4096 Jan 30 02:37 bin
-rw-r--r-- 1 smbowner users 0 Jan 30 16:43 def
However, on a Linux client they look like this:
---------- 1 netbackup netbackup 0 Jan 30 03:05 abc
drwxr-x--- 2 netbackup netbackup 0 Jan 30 02:37 bin
-rw-r--r-- 1 netbackup netbackup 0 Jan 30 16:43 def
All of the files were created on the Linux client. And they all initially had the file mode 000
, like abc
has in the example above. If I change the file mode on the NAS, as I did for def
, the change is passed through to the client, as above (0644
). However, if I do chmod 0644
on the client side, I get an error message ("changing permissions of 'abc': Operation not supported") but it does it anyway :-) and the result on the NAS is 0666
.
In the listing on the NAS side, there are +
signs after the file mode, indicating that the files have "syno ACLs", which are proprietary Synology ACLs. These get translated and exported to the client and look like the following when displayed on the client with getcifsacl
:
~> getcifsacl def
REVISION:0x1
CONTROL:0x8004
OWNER:S-1-5-21-1620245859-1572950330-1674857983-3068
GROUP:S-1-5-21-1620245859-1572950330-1674857983-1201
ACL:S-1-5-21-1620245859-1572950330-1674857983-3068:ALLOWED/OI|CI/0x1201df
ACL:S-1-5-21-1620245859-1572950330-1674857983-1201:ALLOWED/OI|CI/R
ACL:Everyone@WORLD AUTHORITY:ALLOWED/OI|CI/R
ACL:S-1-5-88-3-33188:DENIED/0x0/
ACL:S-1-5-88-1-1034:DENIED/0x0/
ACL:S-1-5-88-2-100:DENIED/0x0/
Clearly, something is wrong here: the SIDs should have been 'idmapped' into something recognisable to a Linux user.
The autofs
command (extracted from LDAP) with which the Samba share is mounted is:
-fstype=cifs,vers=3.1.1,cifsacl,perm,mapposix,user_xattr,domain=<dom>,rw,credentials=<file>,file_mode=0640,dir_mode=0750,uid=&,gid=& ://<machine>/<UNC>
My understanding is that the option cifsacl
should have caused the SIDs above to be 'idmapped'. It should also have fixed the file modes too...
On the basis of what I have gleaned from various sources in the web, I have the impression that I need somehow to configure sssd
(on the client?) and smbd
(on the NAS?) with idmap
data. My problem is that I haven't been able to find any information on how to do this in the absence of an Active Directory Domain Controller.
Are my conclusions correct thus far? And is there a way of making sssd
and smbd
work together to make the permissions on the NAS and on the client resemble each other? Or should I be looking at something else?