Re: [Samba] ACLS without winbind (but WITH correct user mapping)
On 26/06/12 11:54, Colin Fowler wrote:
> On 26/06/12 06:48, Andrew Bartlett wrote:
>> On Fri, 2012-06-22 at 16:11 +0100, Colin Fowler wrote:
>>> On 21/06/12 17:50, Jeremy Allison wrote:
>>>> On Thu, Jun 21, 2012 at 05:50:45PM +0100, Colin Fowler wrote:
>>>>> Note the DOMAIN and not Unix User. Clicking apply simply makes the new entry disappear. If username mapping is working correctly, why does adding an ACL for DOMAIN\nigel not set an ACL for Unix User\nigel?
>>>> I'm not sure username mapping is being done in that codepath. This is designed to work (and normally tested with) winbindd.
>>>> Jeremy.
>>> I've done some poking and I've found an answer as to why it won't work with username to username mapping. Quite simply, the client doesn't ask samba to apply an ACL to a username. It is instead asked to apply it to an SID:
>>>
>>> [2012/06/22 15:22:10.495700, 0] smbd/posix_acls.c:1735(create_canon_ace_lists)
>>>   create_canon_ace_lists: unable to map SID S-1-5-21-2516220118-3886572273-1107914255-8269 to uid or gid.
>>> [2012/06/22 15:22:10.498944, 10] smbd/posix_acls.c:3412(posix_get_nt_acl)
>>>   posix_get_nt_acl: called for file test2/New Text Document.txt
>>>
>>> I'm not running winbind so samba can't map the SID to a UID. All is not lost though!
>>>
>>> net -P ads sid S-1-5-21-2516220118-3886572273-1107914255-8269
>>>
>>> works correctly. I can obviously grep the username/groupname out of there and use id to turn it into a valid unix uid or gid. A simple script could do this easily if I add some code to source3/smbd/posix_acls.c and add an option such as
>>>
>>> username sid map script =
>>>
>>> to the smb.conf. Is this completely nuts or would a patch like this be accepted?
>> This would essentially be the same as running winbindd and using idmap_nss as I understand it. We wrote winbindd for a purpose, and it handles many of the important tasks of being in an AD domain. We do support not running it, but it is a degraded mode.
>>
>> Andrew Bartlett
> Thanks Andrew, I'll take a good look at idmap_nss now.

For the last week we've trialled idmap_nss and so far everything seems to be working great! Thanks for all the suggestions. Our last problem is with Dreamweaver CS6 not being able to save files (when notepad can!), but we're debugging that now :)

regards,
Colin

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] ACLS without winbind (but WITH correct user mapping)
On Fri, 2012-06-22 at 16:11 +0100, Colin Fowler wrote:
> On 21/06/12 17:50, Jeremy Allison wrote:
>> On Thu, Jun 21, 2012 at 05:50:45PM +0100, Colin Fowler wrote:
>>> Note the DOMAIN and not Unix User. Clicking apply simply makes the new entry disappear. If username mapping is working correctly, why does adding an ACL for DOMAIN\nigel not set an ACL for Unix User\nigel?
>> I'm not sure username mapping is being done in that codepath. This is designed to work (and normally tested with) winbindd.
>> Jeremy.
> I've done some poking and I've found an answer as to why it won't work with username to username mapping. Quite simply, the client doesn't ask samba to apply an ACL to a username. It is instead asked to apply it to an SID:
>
> [2012/06/22 15:22:10.495700, 0] smbd/posix_acls.c:1735(create_canon_ace_lists)
>   create_canon_ace_lists: unable to map SID S-1-5-21-2516220118-3886572273-1107914255-8269 to uid or gid.
> [2012/06/22 15:22:10.498944, 10] smbd/posix_acls.c:3412(posix_get_nt_acl)
>   posix_get_nt_acl: called for file test2/New Text Document.txt
>
> I'm not running winbind so samba can't map the SID to a UID. All is not lost though!
>
> net -P ads sid S-1-5-21-2516220118-3886572273-1107914255-8269
>
> works correctly. I can obviously grep the username/groupname out of there and use id to turn it into a valid unix uid or gid. A simple script could do this easily if I add some code to source3/smbd/posix_acls.c and add an option such as
>
> username sid map script =
>
> to the smb.conf. Is this completely nuts or would a patch like this be accepted?

This would essentially be the same as running winbindd and using idmap_nss as I understand it. We wrote winbindd for a purpose, and it handles many of the important tasks of being in an AD domain. We do support not running it, but it is a degraded mode.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Re: [Samba] ACLS without winbind (but WITH correct user mapping)
On 21/06/12 17:50, Jeremy Allison wrote:
> On Thu, Jun 21, 2012 at 05:50:45PM +0100, Colin Fowler wrote:
>> Note the DOMAIN and not Unix User. Clicking apply simply makes the new entry disappear. If username mapping is working correctly, why does adding an ACL for DOMAIN\nigel not set an ACL for Unix User\nigel?
> I'm not sure username mapping is being done in that codepath. This is designed to work (and normally tested with) winbindd.
> Jeremy.

Am I correct in thinking that this is something that would be desirable for others and not just me and my rather oddball configuration? For people using standalone servers, NSS/LDAP etc. and any other places where winbind is not used, this would be a rather useful feature, no?

I might actually do some hacking on this myself. Any pointers as to where in the code I should dive in?

regards,
Colin
Re: [Samba] ACLS without winbind (but WITH correct user mapping)
On 22/06/12 11:41, Colin Fowler wrote:
> On 21/06/12 17:50, Jeremy Allison wrote:
>> On Thu, Jun 21, 2012 at 05:50:45PM +0100, Colin Fowler wrote:
> Am I correct in thinking that this is something that would be desirable for others and not just me and my rather oddball configuration? For people using standalone servers, NSS/LDAP etc. and any other places where winbind is not used, this would be a rather useful feature, no?

Hi Colin, Hi Jeremy

I don't think it's so oddball. We also use nss for our rfc2307 mappings from the S4 directory for Linux clients joined to the domain. It works perfectly via NFS to Linux but acls on shares on s3fs between Linux and windows are not quite right.

Colin: Are you talking about setting an acl on windows and it being honoured by Linux and vice versa?

Jeremy: are you saying that acl mappings 'both ways' only work with winbind? If so, a big +1 from me to get the 'both' ways working. Very desirable. Maybe this will get easier when we can put stuff like create mode= and force group= in smb.conf.

Cheers,
Steve
Re: [Samba] ACLS without winbind (but WITH correct user mapping)
On 22/06/12 11:46, steve wrote:
> On 22/06/12 11:41, Colin Fowler wrote:
>> On 21/06/12 17:50, Jeremy Allison wrote:
>>> On Thu, Jun 21, 2012 at 05:50:45PM +0100, Colin Fowler wrote:
>> Am I correct in thinking that this is something that would be desirable for others and not just me and my rather oddball configuration? For people using standalone servers, NSS/LDAP etc. and any other places where winbind is not used, this would be a rather useful feature, no?
>
> Hi Colin, Hi Jeremy
>
> I don't think it's so oddball. We also use nss for our rfc2307 mappings from the S4 directory for Linux clients joined to the domain. It works perfectly via NFS to Linux but acls on shares on s3fs between Linux and windows are not quite right.
>
> Colin: Are you talking about setting an acl on windows and it being honoured by Linux and vice versa?
>
> Jeremy: are you saying that acl mappings 'both ways' only work with winbind? If so, a big +1 from me to get the 'both' ways working. Very desirable. Maybe this will get easier when we can put stuff like create mode= and force group= in smb.conf.
>
> Cheers,
> Steve

Hi Steve, yes, I'd like users to be able to set an ACL in Windows for a domain user and for it to be honoured in Linux for the mapped Unix user. Currently if I set an ACL in Linux for the Unix user, it actually appears correctly in the security dialog box on windows. I just can't set a new ACL from Windows.

regards,
Colin
Re: [Samba] ACLS without winbind (but WITH correct user mapping)
On 22/06/12 12:50, Colin Fowler wrote:
> On 22/06/12 11:46, steve wrote:
>> On 22/06/12 11:41, Colin Fowler wrote:
>>> On 21/06/12 17:50, Jeremy Allison wrote:
>>>> On Thu, Jun 21, 2012 at 05:50:45PM +0100, Colin Fowler wrote:
>>> Am I correct in thinking that this is something that would be desirable for others and not just me and my rather oddball configuration? For people using standalone servers, NSS/LDAP etc. and any other places where winbind is not used, this would be a rather useful feature, no?
>>
>> Hi Colin, Hi Jeremy
>>
>> I don't think it's so oddball. We also use nss for our rfc2307 mappings from the S4 directory for Linux clients joined to the domain. It works perfectly via NFS to Linux but acls on shares on s3fs between Linux and windows are not quite right.
>>
>> Colin: Are you talking about setting an acl on windows and it being honoured by Linux and vice versa?
>>
>> Jeremy: are you saying that acl mappings 'both ways' only work with winbind? If so, a big +1 from me to get the 'both' ways working. Very desirable. Maybe this will get easier when we can put stuff like create mode= and force group= in smb.conf.
>>
>> Cheers,
>> Steve
>
> Hi Steve, yes, I'd like users to be able to set an ACL in Windows for a domain user and for it to be honoured in Linux for the mapped Unix user. Currently if I set an ACL in Linux for the Unix user, it actually appears correctly in the security dialog box on windows. I just can't set a new ACL from Windows.
>
> regards,
> Colin

Hi Colin

That's interesting. I have a bugzilla open on something similar:
https://bugzilla.samba.org/show_bug.cgi?id=8938

So, when a user creates a file, e.g. in his home folder in windows, do the acl and permissions appear correct back on the fileserver or when the same file is viewed on a Linux client?

Cheers,
Steve
Re: [Samba] ACLS without winbind (but WITH correct user mapping)
On 22/06/12 12:22, steve wrote:
> On 22/06/12 12:50, Colin Fowler wrote:
>> On 22/06/12 11:46, steve wrote:
>>> On 22/06/12 11:41, Colin Fowler wrote:
>>>> On 21/06/12 17:50, Jeremy Allison wrote:
>>>>> On Thu, Jun 21, 2012 at 05:50:45PM +0100, Colin Fowler wrote:
>>>> Am I correct in thinking that this is something that would be desirable for others and not just me and my rather oddball configuration? For people using standalone servers, NSS/LDAP etc. and any other places where winbind is not used, this would be a rather useful feature, no?
>>>
>>> Hi Colin, Hi Jeremy
>>>
>>> I don't think it's so oddball. We also use nss for our rfc2307 mappings from the S4 directory for Linux clients joined to the domain. It works perfectly via NFS to Linux but acls on shares on s3fs between Linux and windows are not quite right.
>>>
>>> Colin: Are you talking about setting an acl on windows and it being honoured by Linux and vice versa?
>>>
>>> Jeremy: are you saying that acl mappings 'both ways' only work with winbind? If so, a big +1 from me to get the 'both' ways working. Very desirable. Maybe this will get easier when we can put stuff like create mode= and force group= in smb.conf.
>>>
>>> Cheers,
>>> Steve
>>
>> Hi Steve, yes, I'd like users to be able to set an ACL in Windows for a domain user and for it to be honoured in Linux for the mapped Unix user. Currently if I set an ACL in Linux for the Unix user, it actually appears correctly in the security dialog box on windows. I just can't set a new ACL from Windows.
>>
>> regards,
>> Colin
>
> Hi Colin
>
> That's interesting. I have a bugzilla open on something similar:
> https://bugzilla.samba.org/show_bug.cgi?id=8938
>
> So, when a user creates a file, e.g. in his home folder in windows, do the acl and permissions appear correct back on the fileserver or when the same file is viewed on a Linux client?
>
> Cheers,
> Steve

Hi Steve,

I'm running Samba 3.6.5 currently, not 4.0, and I'm running without winbind. When a user in windows (DOMAIN\bob) creates a file, it appears on linux as owned by the unix user bob. There are no acls on the file, just a file with the ownerships of bob and bob's primary group (staff). If on Linux I add an ACL for the user tom via setfacl, I can see the user tom in the security list in Windows as (Unix User\tom). What I can't do is add ACLs from windows.

Colin
Re: [Samba] ACLS without winbind (but WITH correct user mapping)
On 21/06/12 17:50, Jeremy Allison wrote:
> On Thu, Jun 21, 2012 at 05:50:45PM +0100, Colin Fowler wrote:
>> Note the DOMAIN and not Unix User. Clicking apply simply makes the new entry disappear. If username mapping is working correctly, why does adding an ACL for DOMAIN\nigel not set an ACL for Unix User\nigel?
> I'm not sure username mapping is being done in that codepath. This is designed to work (and normally tested with) winbindd.
> Jeremy.

I've done some poking and I've found an answer as to why it won't work with username to username mapping. Quite simply, the client doesn't ask samba to apply an ACL to a username. It is instead asked to apply it to an SID:

[2012/06/22 15:22:10.495700, 0] smbd/posix_acls.c:1735(create_canon_ace_lists)
  create_canon_ace_lists: unable to map SID S-1-5-21-2516220118-3886572273-1107914255-8269 to uid or gid.
[2012/06/22 15:22:10.498944, 10] smbd/posix_acls.c:3412(posix_get_nt_acl)
  posix_get_nt_acl: called for file test2/New Text Document.txt

I'm not running winbind so samba can't map the SID to a UID. All is not lost though!

net -P ads sid S-1-5-21-2516220118-3886572273-1107914255-8269

works correctly. I can obviously grep the username/groupname out of there and use id to turn it into a valid unix uid or gid. A simple script could do this easily if I add some code to source3/smbd/posix_acls.c and add an option such as

username sid map script =

to the smb.conf. Is this completely nuts or would a patch like this be accepted?

regards,
Colin
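The two-step lookup Colin sketches above (SID to name via the DC, then name to uid/gid via NSS) is what idmap_nss does, and the smbd log line he quotes is the signal that the lookup failed. The script below is an added example, not Samba code: it pulls the unmapped SIDs out of log lines in that shape and resolves them through constructed stand-ins for the `net ads sid` answer and the server's passwd/group tables, so a SID that exists in AD but has no Unix account stays unmapped, exactly the case smbd reports.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Message smbd logs (posix_acls.c, create_canon_ace_lists) when an ACE's SID has
# no uid/gid mapping; searched per line so the header/message split is irrelevant.
UNMAPPED_RE = re.compile(
    r"create_canon_ace_lists: unable to map SID (S-1-\d+(?:-\d+)+) to uid or gid"
)
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

# Constructed stand-in for the DC lookup that 'net ads sid <SID>' performs.
# DOMAIN_SID is the domain part of the SID quoted in the thread; the RID
# entries and names are made up for this example.
DOMAIN_SID = "S-1-5-21-2516220118-3886572273-1107914255"
DC_NAMES = {
    DOMAIN_SID + "-8269": ("user", "nigel"),
    DOMAIN_SID + "-513": ("group", "staff"),
    DOMAIN_SID + "-9999": ("user", "svc_backup"),  # AD-only, no Unix account
}
# Constructed stand-in for NSS on the file server ('id nigel', getgrnam).
NSS_PASSWD = {"bob": 1001, "tom": 1002, "nigel": 1003}
NSS_GROUP = {"staff": 500}


@dataclass
class IdMapping:
    sid: str
    kind: str  # "uid" or "gid"
    xid: int


def parse_sid(sid: str) -> Tuple[int, List[int]]:
    """Split 'S-1-<authority>-<sub>-...' into (authority, [subauthorities])."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    return int(m.group(1)), [int(x) for x in m.group(2).split("-")[1:]]


def unmapped_sids_from_log(lines: List[str]) -> List[str]:
    """Every SID smbd reported it could not map, in log order, deduplicated."""
    found: List[str] = []
    for line in lines:
        m = UNMAPPED_RE.search(line)
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found


def resolve_like_idmap_nss(sid: str) -> Optional[IdMapping]:
    """SID -> name via the DC table, then name -> uid/gid via the NSS tables.
    None means one of the two steps failed, which is what smbd then logs."""
    parse_sid(sid)  # reject malformed input before any lookup
    entry = DC_NAMES.get(sid)
    if entry is None:
        return None
    kind, name = entry
    if kind == "user" and name in NSS_PASSWD:
        return IdMapping(sid, "uid", NSS_PASSWD[name])
    if kind == "group" and name in NSS_GROUP:
        return IdMapping(sid, "gid", NSS_GROUP[name])
    return None


def triage_log(lines: List[str]) -> Dict[str, Optional[IdMapping]]:
    """For each unmapped SID in the log, what idmap_nss would resolve it to."""
    return {s: resolve_like_idmap_nss(s) for s in unmapped_sids_from_log(lines)}


# Constructed log lines in the shape quoted in the thread.
SAMPLE_LOG = [
    "[2012/06/22 15:22:10.495700,  0] smbd/posix_acls.c:1735(create_canon_ace_lists)",
    "  create_canon_ace_lists: unable to map SID " + DOMAIN_SID + "-8269 to uid or gid.",
    "[2012/06/22 15:22:10.498944, 10] smbd/posix_acls.c:3412(posix_get_nt_acl)",
    "  posix_get_nt_acl: called for file test2/New Text Document.txt",
    "[2012/06/22 15:25:42.100000,  0] smbd/posix_acls.c:1735(create_canon_ace_lists)",
    "  create_canon_ace_lists: unable to map SID " + DOMAIN_SID + "-9999 to uid or gid.",
]

if __name__ == "__main__":
    for sid, m in triage_log(SAMPLE_LOG).items():
        print(sid, "->", f"{m.kind} {m.xid}" if m else "still unmapped: no Unix account")
```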
[Samba] ACLS without winbind (but WITH correct user mapping)
Thanks to some of the guys on #samba-technical (obnox in particular!), I now have a working samba configuration.

The environment:

In our setup each user has an entry in both openldap (no samba schema) and AD. Each account has the same name and even has a Unix UID entry in AD. Our users ssh into Linux boxes, authenticating off of openldap. Files are shared via samba.

Due to the account duplication the config I use has NO winbind. Instead the username map script option is used with echo:

username map script = echo

A rather simple but beautiful solution thanks to the IRC lads. User bob auths via AD, the AD username is mapped to unix username and file permissions work perfectly.

ACLS:

The filesystem supports ACLS. When I view the security tab on a Windows 7 client, I see the user permissions as following:

Everyone
bob (Unix User\bob)
staff (Unix Group\staff)

If I add an acl for tom on the unix server via setfacl I then see:

Everyone
bob (Unix User\bob)
tom (Unix User\tom)
staff (Unix Group\staff)

Great!

Attempting to add a user to the ACLs from the windows side fails however. I click edit, then add and type in a username. In the box I now have:

bob (Unix User\bob)
tom (Unix User\tom)
nigel (DOMAIN\nigel)
staff (Unix Group\staff)

Note the DOMAIN and not Unix User. Clicking apply simply makes the new entry disappear. If username mapping is working correctly, why does adding an ACL for DOMAIN\nigel not set an ACL for Unix User\nigel?

Any help appreciated!

Colin
Re: [Samba] ACLS without winbind (but WITH correct user mapping)
On Thu, Jun 21, 2012 at 05:50:45PM +0100, Colin Fowler wrote:
> Note the DOMAIN and not Unix User. Clicking apply simply makes the new entry disappear. If username mapping is working correctly, why does adding an ACL for DOMAIN\nigel not set an ACL for Unix User\nigel?

I'm not sure username mapping is being done in that codepath. This is designed to work (and normally tested with) winbindd.

Jeremy.
Re: [Samba] ACLs and winbind
On Thursday 09 August 2007 15:58, Angela Gavazzi wrote:
> My working nsswitch.conf looks like this:
>
> passwd: files winbind ldap
> group: files winbind ldap
> shadow: files winbind ldap
>
> By, Angela

Can nss_winbind be used against a Samba domain? AFAICS it is only used to identify users/groups of Windows domains. Please correct me if I'm wrong.

I found three options to allow windows users to manage ACLs in their homes on a Samba server which is joined to a Samba domain and uses nss_ldap against the DC's backend LDAP server.

option 1: basic smb.conf
- winbind needed to add ACLs
- winbind trusted domains only = yes needed so that the domain appears in the original ACLs (and not the NetBIOS name of the server) and winbind_idmap.tdb maps domain users/groups to their LDAP uids/gids

option 2: smb.conf with LDAP idmap backend
Same requirements. Note that as above I need to define ranges for idmap uid and gid although winbindd_idmap.tdb never changes.

option 3: smb.conf with LDAP passdb backend
- winbind needed (but netlogon proxy only mode is OK) otherwise ACLs can be added but when displayed users/groups are not resolved

Are there other options? What is the best in terms of performance?

While I can imagine why winbind is needed for option 1 I don't see
- why it can't be used in netlogon proxy only mode for option 2 and
- why it is needed at all for option 3.

Regards,
Thierry.

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] ACLs and winbind
On 8 Aug 2007, at 16:18, Thierry Lacoste wrote:
> I'm trying to allow XP clients to add ACLs in the homes share. It appears that I'm unable to do it unless I use winbind although I'm in a pure Samba/OpenLDAP environment.
>
> I have a PDC and BDC with Samba/OpenLDAP and a member Samba server with homes and profiles (below is its smb.conf) on which I have Posix ACLs. If I comment out the idmap lines I cannot add ACLs from XP in my home share though. I can browse and pick domain users and groups but cannot add them to the security tab of a file in a user's home share.
>
> Do I really need winbind?

Yes, I'm pretty sure you'll need winbind.

Cheers,
henke

> Regards,
> Thierry.
>
> workgroup = STARS
> netbios name = CAPELLA
> security = DOMAIN
> name resolve order = wins bcast
> wins server = castor
> netbios aliases = AHOMES APROFILES
> password server = ALDAP1 ALDAP2
> log level = 2
> idmap gid = 1-2
> idmap uid = 1-2
>
> [homes]
> comment = Home Directories
> valid users = %S
> read only = No
> browseable = No
>
> [Profiles]
> comment = Roaming Profile Share
> path = /export/profiles
> read only = No
> profile acls = Yes
Re: [Samba] ACLs and winbind
On Thursday 09 August 2007 08:38, Henrik Zagerholm wrote:
> On 8 Aug 2007, at 16:18, Thierry Lacoste wrote:
>> I'm trying to allow XP clients to add ACLs in the homes share. It appears that I'm unable to do it unless I use winbind although I'm in a pure Samba/OpenLDAP environment.
>>
>> I have a PDC and BDC with Samba/OpenLDAP and a member Samba server with homes and profiles (below is its smb.conf) on which I have Posix ACLs. If I comment out the idmap lines I cannot add ACLs from XP in my home share though. I can browse and pick domain users and groups but cannot add them to the security tab of a file in a user's home share.
>>
>> Do I really need winbind?
>
> Yes, I'm pretty sure you'll need winbind.
>
> Cheers,
> henke

Thanks Henrik.

Can someone explain why or point me to some doc? What I read everywhere is that winbind is used to identify users of a windows domain at the NSS level (mapping them locally with winbindd_idmap.tdb or globally with ldap) while my users are correctly identified by nss_ldap.

What puzzles me is that I didn't touch my /etc/nsswitch.conf which reads:

group: files ldap
hosts: files dns
networks: files
passwd: files ldap

Is this a common setting to use winbind for samba and not for NSS?

Also I realized that my smb.conf was not entirely functional. When I create a file with XP the domain part of the initial ACLs is the NetBIOS name of the server and not my domain name. Moreover when I pick a domain group (which truly appears as a domain group) to add it in the ACLs of the file it is mapped to gid 1 through entries in winbindd_idmap.tdb.

Adding the following lines to my smb.conf solved the problem.

passdb backend = ldapsam:ldap://aldap1.stars.net
ldap ssl = start_tls
ldap suffix = o=stars
ldap admin dn = cn=sambamgr,ou=Managers,o=stars
ldap machine suffix = ou=Computers,ou=Accounts
ldap user suffix = ou=Users,ou=Accounts
ldap group suffix = ou=Groups

In this case getfacl reports the correct group and winbindd_idmap.tdb appears to never change.

Still I need the idmap lines to be able to add ACLs.

Regards,
Thierry.

> workgroup = STARS
> netbios name = CAPELLA
> security = DOMAIN
> name resolve order = wins bcast
> wins server = castor
> netbios aliases = AHOMES APROFILES
> password server = ALDAP1 ALDAP2
> log level = 2
> idmap gid = 1-2
> idmap uid = 1-2
>
> [homes]
> comment = Home Directories
> valid users = %S
> read only = No
> browseable = No
>
> [Profiles]
> comment = Roaming Profile Share
> path = /export/profiles
> read only = No
> profile acls = Yes
Re: [Samba] ACLs and winbind
On Thursday 09 August 2007 13:28:49 Thierry Lacoste wrote:
> Thanks Henrik.
>
> Can someone explain why or point me to some doc? What I read everywhere is that winbind is used to identify users of a windows domain at the NSS level (mapping them locally with winbindd_idmap.tdb or globally with ldap) while my users are correctly identified by nss_ldap.
>
> What puzzles me is that I didn't touch my /etc/nsswitch.conf which reads:
>
> group: files ldap
> hosts: files dns
> networks: files
> passwd: files ldap
>
> Is this a common setting to use winbind for samba and not for NSS?

My working nsswitch.conf looks like this:

passwd: files winbind ldap
group: files winbind ldap
shadow: files winbind ldap

By, Angela

> Also I realized that my smb.conf was not entirely functional. When I create a file with XP the domain part of the initial ACLs is the NetBIOS name of the server and not my domain name. Moreover when I pick a domain group (which truly appears as a domain group) to add it in the ACLs of the file it is mapped to gid 1 through entries in winbindd_idmap.tdb.
>
> Adding the following lines to my smb.conf solved the problem.
>
> passdb backend = ldapsam:ldap://aldap1.stars.net
> ldap ssl = start_tls
> ldap suffix = o=stars
> ldap admin dn = cn=sambamgr,ou=Managers,o=stars
> ldap machine suffix = ou=Computers,ou=Accounts
> ldap user suffix = ou=Users,ou=Accounts
> ldap group suffix = ou=Groups
>
> In this case getfacl reports the correct group and winbindd_idmap.tdb appears to never change.
>
> Still I need the idmap lines to be able to add ACLs.
>
> Regards,
> Thierry.
>
> workgroup = STARS
> netbios name = CAPELLA
> security = DOMAIN
> name resolve order = wins bcast
> wins server = castor
> netbios aliases = AHOMES APROFILES
> password server = ALDAP1 ALDAP2
> log level = 2
> idmap gid = 1-2
> idmap uid = 1-2
>
> [homes]
> comment = Home Directories
> valid users = %S
> read only = No
> browseable = No
>
> [Profiles]
> comment = Roaming Profile Share
> path = /export/profiles
> read only = No
> profile acls = Yes
[Samba] ACLs and winbind
I'm trying to allow XP clients to add ACLs in the homes share. It appears that I'm unable to do it unless I use winbind although I'm in a pure Samba/OpenLDAP environment.

I have a PDC and BDC with Samba/OpenLDAP and a member Samba server with homes and profiles (below is its smb.conf) on which I have Posix ACLs. If I comment out the idmap lines I cannot add ACLs from XP in my home share though. I can browse and pick domain users and groups but cannot add them to the security tab of a file in a user's home share.

Do I really need winbind?

Regards,
Thierry.

workgroup = STARS
netbios name = CAPELLA
security = DOMAIN
name resolve order = wins bcast
wins server = castor
netbios aliases = AHOMES APROFILES
password server = ALDAP1 ALDAP2
log level = 2
idmap gid = 1-2
idmap uid = 1-2

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[Profiles]
comment = Roaming Profile Share
path = /export/profiles
read only = No
profile acls = Yes
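The `idmap uid = 1-2` / `idmap gid = 1-2` lines in this smb.conf are what later in the thread map a domain group onto gid 1. The checker below is an added example, not a Samba tool: it reads an smb.conf (a constructed, abridged copy of the one posted here), parses the idmap ranges, and flags a range that is too small or that overlaps the local account id space; the 0-999 local range and the minimum size are assumptions about the server, stated in the code.

```python
import re
from typing import Dict, List, Tuple

Section = Dict[str, str]

# Assumption: local/system accounts occupy uids and gids 0-999 on this server,
# so an idmap range must start above that or a domain SID can land on a local
# account (the thread's "mapped to gid 1" symptom).
LOCAL_ID_SPACE = (0, 999)
MIN_RANGE_SIZE = 1000  # assumption: a domain needs far more than a handful of ids


def parse_smb_conf(text: str) -> Dict[str, Section]:
    """Minimal smb.conf reader: parameters before any [section] go to [global];
    keys are lower-cased; blank lines and # / ; comments are skipped."""
    conf: Dict[str, Section] = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            conf.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[current][key.strip().lower()] = value.strip()
    return conf


def parse_range(value: str) -> Tuple[int, int]:
    """'1-2' -> (1, 2); rejects anything that is not a low-high pair."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m or int(m.group(1)) > int(m.group(2)):
        raise ValueError(f"bad idmap range {value!r}")
    return int(m.group(1)), int(m.group(2))


def check_idmap_ranges(conf: Dict[str, Section]) -> List[str]:
    """Findings for 'idmap uid' / 'idmap gid' in [global]; an empty list is clean."""
    findings: List[str] = []
    g = conf.get("global", {})
    for param in ("idmap uid", "idmap gid"):
        if param not in g:
            findings.append(f"{param}: not set, so smbd has no range to allocate ids for domain SIDs")
            continue
        try:
            lo, hi = parse_range(g[param])
        except ValueError as e:
            findings.append(f"{param}: {e}")
            continue
        if lo <= LOCAL_ID_SPACE[1]:
            findings.append(f"{param}: {lo}-{hi} overlaps local ids {LOCAL_ID_SPACE[0]}-{LOCAL_ID_SPACE[1]}; "
                            "a domain user or group can be mapped onto an existing local account")
        if hi - lo + 1 < MIN_RANGE_SIZE:
            findings.append(f"{param}: {lo}-{hi} holds only {hi - lo + 1} ids; further domain users/groups cannot be mapped")
    return findings


# Constructed, abridged copy of the member-server smb.conf posted in the thread.
THREAD_SMB_CONF = """
workgroup = STARS
netbios name = CAPELLA
security = DOMAIN
password server = ALDAP1 ALDAP2
idmap gid = 1-2
idmap uid = 1-2

[homes]
comment = Home Directories
valid users = %S
read only = No
"""
# The same config with ranges that clear the local id space (example values).
FIXED_SMB_CONF = THREAD_SMB_CONF.replace("1-2", "10000-20000")

if __name__ == "__main__":
    for name, text in (("thread", THREAD_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(name, check_idmap_ranges(parse_smb_conf(text)) or ["ok"])
```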