Re: [Samba] Why isn't Samba honouring UNIX permissions? [NOT PROTECTIVELY MARKED]

2010-03-08 Thread Nigel.Pain
Classification: NOT PROTECTIVELY MARKED

I recompiled and it now appears to be working. The things that were
different in the compile were:

The previous compile was done with ADS, Kerberos and LDAP whereas I
didn't add any switches this time (not using ADS security).
The person who compiled it last time did so as root. I'm not clear that
this would make a difference but then I'm a complete novice when it
comes to compiling software. I've previously just installed packages
from the SunFreeWare site.

Any thoughts?


Nigel Pain



This e-mail (and any files or other attachments transmitted with it) is 
intended solely for the attention of the addressee(s).  Unauthorised use, 
disclosure, storage, copying or distribution of any part of this e-mail is not 
permitted.  If you are not the intended recipient please destroy the email, 
remove any copies from your system and inform the sender immediately by return.

 

Communications with the Scottish Government may be monitored or recorded in 
order to secure the effective operation of the system and for other lawful 
purposes.  The views or opinions contained within this e-mail may not 
necessarily reflect those of the Scottish Government.




The original of this email was scanned for viruses by the Government Secure 
Intranet virus scanning service supplied by Cable&Wireless in partnership with 
MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this 
email was certified virus free.
Communications via the GSi may be automatically logged, monitored and/or 
recorded for legal purposes.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Why isn't Samba honouring UNIX permissions? [NOT PROTECTIVELY MARKED]

2010-03-05 Thread Nigel.Pain
Classification: NOT PROTECTIVELY MARKED

Following some offline advice from JHT I created a new share with 777
UNIX permissions to test whether users were being mapped correctly when
they created a file from Windows (they were). Files were created with
744 permissions. I then changed the permissions on the share to 775
(removing write access to the directory for "Everyone"). I checked my
effective permissions from Windows and had:

Traverse Folder/Execute File
List Folder/Read Data
Read Attributes
Read Extended Attributes
Read Permissions

i.e. Read access. However, I was able to create a file in the directory
from Windows - which I couldn't do from UNIX.


Nigel Pain

 

> -----Original Message-----
> From: Gaiseric Vandal [mailto:gaiseric.van...@gmail.com]
> Sent: 04 March 2010 14:39
> To: samba@lists.samba.org
> Subject: Re: [Samba] Why isn't Samba honouring UNIX permissions? [NOT PROTECTIVELY MARKED]
>
> What do the permissions look like in Windows?  I am using Samba 3.0.x on
> Solaris 10 ZFS file systems, so this may not be relevant in your case.
>
> I found that sometimes Samba/Windows interprets permissions differently
> than unix.  E.g. a 660 permission in unix sometimes results in a Windows
> access control entry of "deny everyone." However, at least by default,
> the combination of "windows" permissions and "unix" permissions should
> result in "most restrictive" - which means if you can't do it in unix you
> should not be able to do it in Windows (or even if you can do it in unix
> you may still be unable to do it in Windows.)
>
> Are you able to "su - somewindowsuser" under unix to verify what they
> can/cannot do what you expect? The "default:user:rwx" and
> "default:group:rwx" acls look like they may be an issue.  Although the
> syntax for acl's changed with ZFS so I am a little rusty with ufs acl's.
> 
> 
> 
> 
> 
> On 03/04/2010 08:17 AM, nigel.p...@scotland.gsi.gov.uk wrote:
> > Classification: NOT PROTECTIVELY MARKED
> >
> > Solaris 9
> > Samba 3.4.5
> >
> > I know this isn't the sort of query that gets much response but I'd be
> > really grateful of any advice people can offer.
> >
> > I'm getting really fed up with Samba as I've never been able to make it
> > work properly. Either I'm missing something basic (probably) or it just
> > doesn't behave in the way I think it should!
> >
> > The main issue I'm having is that it doesn't appear to honour the
> > permissions that I have set in Solaris. I'm using UNIX acls so a
> > directory can have a permissions set something like this:
> >
> > $ getfacl OCEA
> >
> > # file: OCEA
> > # owner: root
> > # group: sdmu
> > user::rwx
> > group::rwx  #effective:rwx
> > group:ocea:r-x  #effective:r-x
> > mask:rwx
> > other:---
> > default:user::rwx
> > default:group::rwx
> > default:group:ocea:r-x
> > default:mask:rwx
> > default:other:---
> >
> > Now, under UNIX, a member of group sdmu should be able to read, write
> > and delete within the directory, a member of group ocea should only be
> > able to read and other users shouldn't be able to open it even. I would
> > expect the same to happen via Samba. However, any domain user that maps
> > to a local user can do anything they like within the directory.
> >
> > I'm using Domain security but this happens with server security too. I
> > wanted to use ADS security but I'm coming up with the Solaris
> > NGROUPS_MAX problem (most of our domain users have in excess of 70 group
> > memberships). Here's the smb.conf:
> >
> > [global]
> >  unix charset = LOCALE
> >  workgroup = OURDOMAIN
> >  realm = OURDOMAIN.GOV.UK
> >  server string = OURSERVER
> >  bind interfaces only = Yes
> >  security = DOMAIN
> >  password server = dc.ourdomain.gov.uk
> >  log level = 2
> >  log file = /usr/local/samba/var/log.%m
> >  max log size = 1
> >  domain master = No
> >
> > [testshare]
> >  path = /testshare
> >  read only = No
> >  acl group control = Yes
> >  create mask = 0775
> >  directory mask = 0775
> >  inherit permissions = Yes
> >  inherit acls = Yes
> >
> > Many thanks.
> >
> > Nigel Pain
> > The Scottish Government
> > Corporate Systems Support

[Samba] Why isn't Samba honouring UNIX permissions? [NOT PROTECTIVELY MARKED]

2010-03-04 Thread Nigel.Pain
Classification: NOT PROTECTIVELY MARKED

Solaris 9 
Samba 3.4.5 

I know this isn't the sort of query that gets much response but I'd be
really grateful of any advice people can offer. 

I'm getting really fed up with Samba as I've never been able to make it
work properly. Either I'm missing something basic (probably) or it just
doesn't behave in the way I think it should!

The main issue I'm having is that it doesn't appear to honour the
permissions that I have set in Solaris. I'm using UNIX acls so a
directory can have a permissions set something like this:

$ getfacl OCEA 

# file: OCEA 
# owner: root 
# group: sdmu 
user::rwx 
group::rwx  #effective:rwx 
group:ocea:r-x  #effective:r-x 
mask:rwx 
other:--- 
default:user::rwx 
default:group::rwx 
default:group:ocea:r-x 
default:mask:rwx 
default:other:--- 

Now, under UNIX, a member of group sdmu should be able to read, write
and delete within the directory, a member of group ocea should only be
able to read and other users shouldn't be able to open it even. I would
expect the same to happen via Samba. However, any domain user that maps
to a local user can do anything they like within the directory.

I'm using Domain security but this happens with server security too. I
wanted to use ADS security but I'm coming up with the Solaris
NGROUPS_MAX problem (most of our domain users have in excess of 70 group
memberships). Here's the smb.conf:

[global] 
unix charset = LOCALE 
workgroup = OURDOMAIN 
realm = OURDOMAIN.GOV.UK 
server string = OURSERVER 
bind interfaces only = Yes 
security = DOMAIN 
password server = dc.ourdomain.gov.uk 
log level = 2 
log file = /usr/local/samba/var/log.%m 
max log size = 1 
domain master = No 

[testshare] 
path = /testshare 
read only = No 
acl group control = Yes 
create mask = 0775 
directory mask = 0775 
inherit permissions = Yes 
inherit acls = Yes 

Many thanks. 

Nigel Pain 
The Scottish Government 
Corporate Systems Support 
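
The access decision the ACL in the post above should produce, as an added example that is not part of the original post or of Samba. It parses the getfacl listing and applies the POSIX.1e draft check order (owner, named user, group class limited by the mask, then other); Solaris UFS is assumed to follow that order. The account names u_sdmu, u_ocea and u_none and the list of observed SMB writes are constructed.

```python
# Added example: evaluate a Solaris-style getfacl listing with the POSIX.1e
# draft access check, then compare the result with writes seen over SMB.
R, W, X = 4, 2, 1

# ACL copied from the post above.
SAMPLE_ACL = """\
# file: OCEA
# owner: root
# group: sdmu
user::rwx
group::rwx  #effective:rwx
group:ocea:r-x  #effective:r-x
mask:rwx
other:---
default:user::rwx
default:group::rwx
default:group:ocea:r-x
default:mask:rwx
default:other:---
"""

# Constructed accounts and their UNIX group memberships (assumption).
PRINCIPALS = {
    "u_sdmu": {"sdmu"},
    "u_ocea": {"ocea"},
    "u_none": {"staff"},
}


def parse_perms(text):
    """Turn a three-character field such as 'r-x' into a bit mask."""
    if len(text) != 3:
        raise ValueError("bad permission field: %r" % text)
    return sum(bit for ch, bit in zip(text, (R, W, X)) if ch != "-")


def parse_getfacl(listing):
    """Parse access entries; default: entries only affect new files."""
    acl = {"owner": None, "group": None, "user_obj": 0, "group_obj": 0,
           "other": 0, "mask": None, "users": {}, "groups": {}}
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
            continue
        if line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
            continue
        line = line.split("#", 1)[0].strip()  # drop '#effective:' comments
        if not line or line.startswith("default:"):
            continue
        tag, _, rest = line.partition(":")
        # Handles 'mask:rwx' (Solaris) and 'mask::rwx' (Linux) alike, and
        # group names that contain spaces.
        qualifier, _, perms = rest.rpartition(":")
        qualifier = qualifier.strip()
        bits = parse_perms(perms.strip())
        if tag == "user":
            if qualifier:
                acl["users"][qualifier] = bits
            else:
                acl["user_obj"] = bits
        elif tag == "group":
            if qualifier:
                acl["groups"][qualifier] = bits
            else:
                acl["group_obj"] = bits
        elif tag in ("mask", "other"):
            acl[tag] = bits
        else:
            raise ValueError("unknown ACL entry: %r" % raw)
    return acl


def check_access(acl, user, groups, want):
    """Return (allowed, deciding_class) for the requested permission bits."""
    mask = acl["mask"] if acl["mask"] is not None else R | W | X
    if user == acl["owner"]:
        return (acl["user_obj"] & want) == want, "owner"
    if user in acl["users"]:
        return (acl["users"][user] & mask & want) == want, "named user"
    matched = []
    if acl["group"] in groups:
        matched.append(acl["group_obj"])
    matched.extend(acl["groups"][g] for g in groups if g in acl["groups"])
    if matched:
        # A matching group entry that lacks the bits denies access; the
        # check does not fall through to 'other'.
        return any((p & mask & want) == want for p in matched), "group class"
    return (acl["other"] & want) == want, "other"


def over_permissive(acl, principals, observed_writes):
    """List (user, class) for writes the ACL would have refused."""
    findings = []
    for user in observed_writes:
        allowed, cls = check_access(acl, user, principals[user], W)
        if not allowed:
            findings.append((user, cls))
    return findings


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_ACL)
    # Constructed observation: every mapped user managed to write over SMB.
    for user, cls in over_permissive(acl, PRINCIPALS, list(PRINCIPALS)):
        print("%s wrote over SMB but the ACL denies write (%s)" % (user, cls))
```

Running the same check against the output of "su - user" tests on the server separates an ACL problem from a Samba user-mapping problem.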






[Samba] Share Permissions on an ADS member server [NOT PROTECTIVELY MARKED]

2010-02-24 Thread Nigel.Pain
Classification: NOT PROTECTIVELY MARKED

Samba 3.4.5 
Solaris 9 
Windows 2000 AD domain 
Heimdal Kerberos 1.3.1 

Samba is configured and the server is joined to the domain. wbinfo works
as it should do, and so did getent when I had enumeration turned on. I
can view and change security properties from a Windows client (as a
member of the owner group).

I've created a share and set permissions to directories within it.
However, Samba does not seem to be honouring permissions for domain
users.

For example, from Windows clients any domain user can write to the
directory /testshare/Communities/HASS which has the following POSIX
acls:

# file: Communities/HASS 
# owner: u101529 
# group: dl raes b isis css 
user::rwx 
group::rwx  #effective:rwx 
group:sdmu:rwx  #effective:rwx 
group:housing:rwx   #effective:rwx 
group:dl just v cas:r-x #effective:r-x 
group:dl just b cas hass:rwx  #effective:rwx
mask:rwx 
other:--- 
default:user::rwx 
default:group::rwx 
default:group:sdmu:rwx 
default:group:housing:rwx 
default:group:dl just v cas:r-x 
default:group:dl just b cas hass:rwx 
default:mask:rwx 
default:other:--- 

Groups "dl raes b isis css", "dl just v cas" and "dl just b cas hass"
and user u101529 are from the domain, the other groups are native UNIX
ones. My understanding is that only the owner and members of sdmu,
housing, "dl raes b isis css" and "dl just b cas hass" should be able to
write to this directory and nobody in groups not listed in the ACLs
should even be able to open it. Native UNIX users and groups are still
bound by these permissions. 

This is doing my head in so any insights would be welcome! 

smb.conf: 


[global] 
unix charset = LOCALE 
workgroup = OURDOMAIN 
realm = OUR.REALM 
server string = MC18UNXA 
bind interfaces only = Yes 
security = ADS 
password server = dc.our.realm 
ntlm auth = No 
client NTLMv2 auth = Yes 
log level = 3 
log file = /usr/local/samba/var/log.%m 
max log size = 100 
domain master = No 
idmap alloc backend = tdb 
idmap uid = 7-20 
idmap gid = 7-20 
winbind use default domain = Yes 

[testshare] 
path = /testshare 
read only = No 
acl group control = Yes 
inherit permissions = Yes 
inherit acls = Yes 


 
Nigel Pain 
The Scottish Government 






[Samba] Problems compiling ADS support on Solaris 9

2009-10-05 Thread Nigel.Pain
We are encountering some problems compiling a working version of Samba
3.4.1 with ADS support on Solaris 9. We've run autogen.sh and configure
successfully (config.log attached), followed by make and make install.
However, despite having openldap and Heimdal Kerberos (1.2.1) installed,
and including the configure switches --with-ads --with-ldap
--with-krb5=/usr/heimdal, when we try a net join we get the following:

# net ads join
ADS support not compiled in

There are a few errors and warnings in the config.log but I really don't
understand the compilation process so can't work out what they mean, how
to rectify them or even if they are important.

If anyone was able to point me in the right direction I'd be very grateful.
 

Nigel Pain
The Scottish Government






Re: [Samba] Compiling 3.4.0 on SPARC Solaris 9

2009-09-10 Thread Nigel.Pain
Thanks Michael. We tried 3.4.1 which made no difference. However, we
discovered that Makefile-noincludes will install but needs
LD_LIBRARY_PATH set to work. We're now moving on to try and get it to
compile with ADS support - whole extra bag of worms!

Nigel

Nigel Pain
The Scottish Government
Corporate Systems Support
Information Systems and Information Services (ISIS)
Victoria Quay 
EDINBURGH 
EH6 6QQ 
UK 
Tel +44 131 244 7237 
Mob. +44 7795 618362

Pedal for Scotland 2009: Glasgow to Edinburgh, 13th September for
Maggie's Centres. Please sponsor me:
http://www.justgiving.com/nigel_pain






[Samba] Compiling 3.4.0 on SPARC Solaris 9

2009-09-09 Thread Nigel.Pain
I've been trying to compile Samba 3.4.0 on a Solaris 9 server. However,
when I run configure, it is only creating a Makefile-noincludes, not the
standard Makefile. Looking at the config.log file, there are lines that
suggest that it can't find the libiconv libraries. These are installed
(version 1.11) in /usr/local so I tried re-running configure with the
option --with-libiconv=/usr/local. However, this also fails as conftest
now will not compile.

Thanks in advance for any suggestions.


Nigel Pain
The Scottish Government
Corporate Systems Support
Information Systems and Information Services (ISIS)
Victoria Quay 
EDINBURGH 
EH6 6QQ 
UK 
Tel +44 131 244 7237 
Mob. +44 7795 618362
Mailto:nigel.p...@scotland.gsi.gov.uk 
Website: http://www.scotland.gov.uk 

Pedal for Scotland 2009: Glasgow to Edinburgh, 13th September for
Maggie's Centres. Please sponsor me:
http://www.justgiving.com/nigel_pain






RE: [Samba] Retry: Mapping AD domain users to UNIX users

2008-01-28 Thread Nigel.Pain
Many thanks (somewhat belated) to all those who made suggestions about
this matter. However, I'm still no further forward, having tried:
 
Using a usermap file to translate between upper and lower case account
names.
(Finally) managing to compile 3.0.28 and using idmap_nss.
Not using Winbind.
 
In all cases, user accounts appear in file properties on Windows
machines as:
 
u123456 (Unix User\u123456)
 
I'm sure I must be missing something somewhere.

 
Nigel Pain 
The Scottish Government 
Corporate Systems Support 
Information Systems and Information Services (ISIS) 
Victoria Quay 
EDINBURGH 
EH6 6QQ 
UK 






RE: [Samba] Retry: Mapping AD domain users to UNIX users

2008-01-23 Thread Nigel.Pain
That looks hopeful. However, we are using 3.0.23b (binaries downloaded from 
samba.org, not SunFreeware as I previously said). I hesitate to try compiling a 
more recent version as I've not managed to compile successfully so far!

Regards,
Nigel

Nigel Pain
Corporate Systems Support
ISIS
1-C (South)
Victoria Quay
Ext. 47237
Mob. 07795 618362
Email: Pain NDA (Nigel) 
Go to http://sascluster/sdmu_wiki/FrontPage for more information

Please shut down and switch off your PC when you go to lunch or a meeting


> -----Original Message-----
> From: Hansjörg Maurer [mailto:[EMAIL PROTECTED] 
> Sent: 23 January 2008 13:20
> To: Pain NDA (Nigel)
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Retry: Mapping AD domain users to UNIX users
> 
> 
> Hi
> 
> with recent (< =3.0.26 I think) samba Versions it is possible to use
> 
> http://us3.samba.org/samba/docs/man/manpages-3/idmap_nss.8.html
> 
> idmap domains =  DOMNAME
> idmap config DOMNAME:backend  = nss
> idmap config DOMNAME:readonly = yes
> 
> in our case.
> 
> We are running 3.0.28 in security = ADS,
> and Linux gets the same usernames from NIS via nss.
> 
> They are correctly mapped, and the Windows security dialog
> shows DOMNAME\username
> 
> Regards
> 
> Hansjörg
> 
> 
> 





RE: [Samba] Retry: Mapping AD domain users to UNIX users

2008-01-23 Thread Nigel.Pain
This is where I don't really understand how Samba works! My
understanding was that there would be an implicit mapping between domain
accounts and local accounts of the same name. Therefore, if permissions
were set for the local user within UNIX, those would propagate to the
equivalent domain user. I can see where there could be confusion with
UIDs using Winbind. Am I better not using it?

Regards,
Nigel

Nigel Pain
The Scottish Government
Corporate Systems Support
Information Systems and Information Services (ISIS)
Victoria Quay 
EDINBURGH 
EH6 6QQ 
UK 

> -----Original Message-----
> From: Bardo Wolf [mailto:[EMAIL PROTECTED] 
> Sent: 23 January 2008 13:14
> To: Pain NDA (Nigel)
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Retry: Mapping AD domain users to UNIX users
> 
> 
> perhaps it is not a good idea to use the same names for a Unix User and
> the AD User.
> 
> If for example you have unix-user xyz with uid=7738
> 
> and an AD-User xyz so the AD-User xyz gets via winbind perhaps uid=199300
> 
> What answer should
> id xyz
> 
> give?
> 
> Bardo
> 





RE: [Samba] Retry: Mapping AD domain users to UNIX users

2008-01-23 Thread Nigel.Pain
Further information:
 
Someone suggested that the problem might be because of the AD user names
being uppercase, which could be resolved with a usermap file. There are
some AD user IDs that are uppercase (whereas all the UNIX ones are
lowercase). However, I thought that the automatic mapping took care of
that? Also, I wanted to avoid having an explicit usermap file as that's
one extra thing to manage. Maybe I'm expecting too much of Samba?
 
I tried configuring for a usermap file and adding an account mapping
into it. However, the security properties on the Windows side still
display the account in the form:
 
u123456 (Unix User\u123456)
 
Regards,
Nigel

 
Nigel Pain 
The Scottish Government 
Corporate Systems Support 
Information Systems and Information Services (ISIS) 
Victoria Quay 
EDINBURGH 
EH6 6QQ 
UK 






[Samba] Retry: Mapping AD domain users to UNIX users

2008-01-23 Thread Nigel.Pain
I posted this last week but haven't heard anything. I'm not sure if this
is because nobody knows the answer (can't believe that!) or I'm missing
something obvious in the documentation and people are thinking "Read The
Fine Manual". Whatever the reason, if anyone has any insights into this
problem I'd be very grateful for their comments.

We're using Samba 3.0.23b (binaries downloaded from Sunfreeware) on
Solaris 9 as a member server, using "security = DOMAIN" in an Active
Directory 2003 domain. The server is primarily an application server,
running SAS software, but we have a share to Windows to enable users to
save programs and data from their Windows XP workstations. Historically
we've been using PC Netlink, Sun's version of Lanman, but this isn't
compatible with AD 2003 so we need to move to Samba.

We're struggling to establish a mapping between domain user accounts and
UNIX user accounts that are similarly named (the same naming convention
is used for both). My understanding of Samba, albeit sketchy, was that
it could automatically make a mapping between local and domain accounts
of the same name. However, this doesn't appear to be happening. If I set
a file's permissions for a specified user in Solaris it appears in the
file's security within Windows, but the user is listed as a Unix User
along the lines of:

u123456 (Unix User\u123456)

I was expecting that there should be an implicit mapping between u123456
in Solaris and domain\u123456 but maybe I've got the wrong end of the
stick. We need to maintain the local users so that we can control who
has access to the server software, and we maintain password aging both
on the server and the domain so maintaining a separate password database
for Samba would be a complication. An extract from nsswitch.conf and
(edited) smb.conf are included below.

As you will see from nsswitch.conf, we are using winbind. wbinfo will
resolve any domain information and getent passwd will return domain user
accounts.

Many thanks in advance.

nsswitch.conf:

passwd: files winbind
group:  files winbind

hosts:  files dns winbind

smb.conf:

[global]
workgroup = our-domain-name
netbios aliases = mc18unxa
# dual nics: the netmask is correct for our network
interfaces = xx.xx.xxx.xx/255.255.240.0, yy.yy.yyy.yy/255.255.240.0
security = DOMAIN
null passwords = Yes
password server = *
passdb backend = tdbsam
lanman auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
log level = 1
log file = /var/samba/log/log.%m
max log size = 5
load printers = No
dns proxy = No
ldap ssl = no
idmap uid = 1-1
idmap gid = 1-1
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
create mask = 0644
directory mask = 0775
hosts deny = none
case sensitive = No
preserve case = No
domain master = no
local master = no
preferred master = no
os level = 0

[dosptn]
path = /dosptn
read only = No
inherit permissions = Yes
guest ok = Yes



Nigel Pain
The Scottish Government
Corporate Systems Support
Information Systems and Information Services (ISIS)
Victoria Quay 
EDINBURGH 
EH6 6QQ 
UK








[Samba] Mapping AD domain users to UNIX users

2008-01-18 Thread Nigel.Pain
We're using Samba 3.0.23b (binaries downloaded from Sunfreeware) on
Solaris 9 as a member server, using "security = DOMAIN" in an Active
Directory 2003 domain. The server is primarily an application server,
running SAS software, but we have a share to Windows to enable users to
save programs and data from their Windows XP workstations. Historically
we've been using PC Netlink, Sun's version of Lanman, but this isn't
compatible with AD 2003 so we need to move to Samba.

We're struggling to establish a mapping between domain user accounts and
UNIX user accounts that are similarly named (the same naming convention
is used for both). My understanding of Samba, albeit sketchy, was that
it could automatically make a mapping between local and domain accounts
of the same name. However, this doesn't appear to be happening. If I set
a file's permissions for a specified user in Solaris it appears in the
file's security within Windows, but the user is listed as a Unix User
along the lines of:

u123456 (Unix User\u123456)

I was expecting that there should be an implicit mapping between u123456
in Solaris and domain\u123456 but maybe I've got the wrong end of the
stick. We need to maintain the local users so that we can control who
has access to the server software, and we maintain password aging both
on the server and the domain so maintaining a separate password database
for Samba would be a complication. An extract from nsswitch.conf and
(edited) smb.conf are included below.

As you will see from nsswitch.conf, we are using winbind. wbinfo will
resolve any domain information and getent passwd will return domain user
accounts.

Many thanks in advance.

nsswitch.conf:

passwd: files winbind
group:  files winbind

hosts:  files dns winbind

smb.conf:

[global]
workgroup = our-domain-name
netbios aliases = mc18unxa
# dual nics: the netmask is correct for our network
interfaces = xx.xx.xxx.xx/255.255.240.0, yy.yy.yyy.yy/255.255.240.0
security = DOMAIN
null passwords = Yes
password server = *
passdb backend = tdbsam
lanman auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
log level = 1
log file = /var/samba/log/log.%m
max log size = 5
load printers = No
dns proxy = No
ldap ssl = no
idmap uid = 1-1
idmap gid = 1-1
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
create mask = 0644
directory mask = 0775
hosts deny = none
case sensitive = No
preserve case = No
  domain master = no
  local master = no
  preferred master = no
  os level = 0

[dosptn]
path = /dosptn
read only = No
inherit permissions = Yes
guest ok = Yes



Nigel Pain
The Scottish Government
Corporate Systems Support
Information Systems and Information Services (ISIS)
Victoria Quay 
EDINBURGH 
EH6 6QQ 
UK
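
A check that can be run against extracts like the ones posted above, as an added example that is not part of the original message: it lists the account names that "files" answers before winbind is consulted, and the local accounts whose UID falls inside the "idmap uid" range. The passwd entries and the winbind user list are constructed sample data, and the function names are this example's own.

```python
# Constructed sample inputs modelled on the extracts in the post above.
NSSWITCH = "passwd: files winbind\ngroup:  files winbind\n"
SMB_CONF = """[global]
security = DOMAIN
idmap uid = 1-1
winbind use default domain = Yes
"""
LOCAL_PASSWD = """root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
u123456:x:1001:100:SAS user:/export/home/u123456:/bin/ksh
"""
# Constructed stand-in for `wbinfo -u` output with the default domain stripped.
WINBIND_USERS = ["u123456", "u654321"]

def parse_smb_global(text):
    """Return the [global] parameters as a dict with lower-cased keys."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def passwd_sources(nsswitch):
    """Return the ordered NSS sources for the passwd database."""
    for line in nsswitch.splitlines():
        db, _, sources = line.partition(":")
        if db.strip() == "passwd":
            return sources.split()
    return []

def audit(nsswitch, smb_conf, local_passwd, winbind_users):
    """Report names answered by files first, and idmap/local UID clashes."""
    rows = [l.split(":") for l in local_passwd.splitlines() if l.strip()]
    local = {f[0]: int(f[2]) for f in rows}
    params = parse_smb_global(smb_conf)
    order = passwd_sources(nsswitch)
    # Bare names only collide when winbind drops the DOMAIN prefix.
    bare = params.get("winbind use default domain", "no").lower() == "yes"
    files_first = "files" in order and "winbind" in order[order.index("files"):]
    shadowed = sorted(u for u in winbind_users if bare and files_first and u in local)
    low, high = (int(n) for n in params["idmap uid"].split("-"))
    clashes = sorted(name for name, uid in local.items() if low <= uid <= high)
    return {"shadowed": shadowed, "uid_clashes": clashes}

if __name__ == "__main__":
    print(audit(NSSWITCH, SMB_CONF, LOCAL_PASSWD, WINBIND_USERS))
```

On a live server the two constructed inputs would come from /etc/passwd and from `wbinfo -u`.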





