3

I'm trying to get a samba share working with correct IDs on Windows (SID) and Linux (uid/gid) clients. The problem is that the uids and gids are not properly mapped back to SIDs and SIDs are not resolved to names. What could lead to this problem and how can it be fixed?

What works

  • mapping from Active Directory UNIX attributes to uid/gid on Linux
  • access to the share
    • Windows: UNC-Path in Explorer, Kerberos ticket is accepted (no question for credentials)
    • Linux: sudo mount -t cifs //ribonas2/test /mnt/ribonas2/smb/ -o domain=DOMAIN,username=paul.jaehne
  • working with files on the share

What doesn't work

  • files created on Windows have Unix User\ and Unix Group\ (the UNIX uid and gid is also visible for a very short time when opening the security tab) instead of DOMAIN\ as prefix for users and groups
  • adding permissions is flawed: I can add principals from the domain and shortly afterwards the DOMAIN\whatever is displayed correctly. When I wait for some time or look at the share from another computer then only the SID is displayed (the SID is correct, but not resolved to the name):

see picture

Environement/Configuration

sssd.conf:

[sssd]
domains = domain.company.com
config_file_version = 2
services = nss, pam

[domain/domain.company.com]
realmd_tags = manages-system joined-with-adcli
ad_domain = domain.company.com
krb5_realm = DOMAIN.COMPANY.COM

id_provider = ad
cache_credentials = True
krb5_store_password_if_offline = True
enumerate = True
use_fully_qualified_names = False

fallback_homedir = /home/%d/%u
default_shell = /bin/bash

# use uid and gid from active directory
ldap_id_mapping = False

# needed to use correct active directory properties (Windows Server 2003)
ldap_schema = ad
ldap_user_object_class = person
ldap_user_name = msSFU30Name
ldap_user_uid_number = msSFU30UidNumber
ldap_user_gid_number = msSFU30GidNumber
ldap_user_home_directory = msSFU30HomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_user_gecos = displayName
ldap_group_object_class = group
ldap_group_name = msSFU30Name
ldap_group_gid_number = msSFU30GidNumber

smb.conf (settings from standard config file are indented):

[global]
server role = member server
workgroup = DOMAIN
realm = DOMAIN.COMPANY.COM
security = ads
password server = dc1.domain.company.com # shouldn't be necessary and same problem without this line
idmap config * : backend = tdb
idmap config * : range = 100000-999999
idmap config DOMAIN : backend = ad
idmap config DOMAIN : range = 10000-20000 # the UNIX attributes are manually assigned in this range
kerberos method = secrets and keytab

    server string = %h server (Samba, Ubuntu)

    dns proxy = no

    log file = /var/log/samba/log.%m
log level = 10
    max log size = 1000
    syslog = 0

    panic action = /usr/share/samba/panic-action %d

    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes

    map to guest = bad user

    usershare allow guests = yes

# needed for Windows ACL/ACE
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

[test]
    path = /srv/samba/test
    writable = yes

TL;DR: Why aren't the UNIX attributes resolved to SIDs and why aren't the SIDs resolved to names?

Sethos II
  • 497
  • 4
  • 7
  • 18

3 Answers3

2

I have the same situation. And I fixed it by installing samba-winbind. I think the root cause being that samba don't know how to properly lookup the name. When you install winbind, smbd will use winbind for name resolution. Otherwise, it just use the linux UID, GID, that's why you saw the Unix User/Unix Group in Windows.

I couldn't explain more, but hope this helps you.

Archer
  • 166
  • 5
  • Can you expand on how you configured winbind? A package `samba-winbind` isn't available in Ubuntu so I gues you mean the normal `winbind` package? – Sethos II Mar 01 '17 at 11:49
  • Finally came around to test this on a fresh install and this solves it, thanks a lot! – Sethos II Mar 09 '17 at 10:45
2

The answer to this is with the id-mapping backends used in Samba and SSSD. Samba's winbind "rid" and "auto-rid" don't map the Windows SID to uid/gid numbers in the same way that SSSD does. So if your CIFS server is joined to the domain with Samba/winbind and your clients are connected via SSSD with the default options, the id mapping will fail.

SSSD has a setting ldap_idmap_autorid_compat that you can set to True in the sssd.conf file that (should): "Changes the behavior of the ID-mapping algorithm to behave more similarly to winbind's "idmap_autorid" algorithm." and thus allow your SSSD clients to resolve this issue.

1

I use use_fully_qualified_names = True in sssd.conf it works without any winbind package.

bukowski
  • 11
  • 3