[Help] Samba4 AD and Unix UIDs problem...

ulysse31
Messages: 2
Registration: March 20, 2018 - 11:46

March 20, 2018 - 12:13

Good morning,

I'm not sure if this is the right section to ask for help, please excuse me if it isn't.

I followed the documentation available from you in order to create a new AD-compatible domain with samba4 in PDC.
I did specify "--use-rfc2307" to enable Unix attributes; the provisioning line looked like this:

samba-tool domain provision --use-rfc2307 --realm=DOMAIN.LAN --domain DOMAIN --adminpass XXXXXX --server-role=dc

I then created my users and groups by specifying appropriate uids and gids.
I configured nslcd/nscd locally so that it queries the Samba LDAP with Kerberos keytab authentication and provides the appropriate mapping.
If I do an "id user", I get the user's Unix uid and their groups with Unix id.
So far, so good, you might say ^^: yes, so far so good.
However, I created a test share on the domain controller, with restrictions for a specific group (this restriction also works). The user can connect to the share and create files and folders. However, the UIDs of the created files/folders are in the 300000X range, whereas the user's UID should normally be in the 22XX range... the GIDs seem correct (set to the Unix GID of the user's primary group: 513)...

Here is some information about the current configuration:

smb.conf:

# Global parameters
[global]
        dns forwarder = 8.8.8.8
        netbios name = ADSERVER
        realm = DOMAIN.LAN
        server role = active directory domain controller
        workgroup = DOMAIN
        idmap_ldb:use rfc2307 = yes
        log level = 10

[netlogon]
        path = /var/lib/samba/sysvol/domain.lan/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[IT]
        comment = IT Local Share
        writable = yes
        path = /share/groups/IT
        valid users = "@Unix Admins"
        browseable = yes
        create mask = 2660
        directory mask = 2770

A few checks:

# wbinfo -i user
DOMAIN\user:*:2242:513::/home/DOMAIN/user:/bin/false
# wbinfo --name-to-sid user
S-1-5-21-2164598009-1727115798-1474587502-1343 SID_USER (1)
#  wbinfo --sid-to-uid S-1-5-21-2164598009-1727115798-1474587502-1343
2242
# ls -lan /share/groups/IT/
total 40
drwxr-xr-x  6    2287 171 4096 Mar 20 11:34 .
drwxr-xr-x  3       0   0 4096 Feb 26 10:36 ..
drwxrwx---+ 2 3000002 513 4096 Mar 20 11:04 lol
drwxrwx---+ 2 3000002 513 4096 Mar 20 11:31 lol2
drwxrwx---+ 2 3000002 513 4096 Mar 20 11:33 plop
drwxrwx---+ 2 3000002 513 4096 Mar 20 11:34 plop2

So, I confess I really don't understand why it's creating the files on the Windows share with a UID of 300000XX...
I've enabled logging... but I haven't found anything conclusive :/ ... If anyone has any ideas, I would be extremely grateful ^^'

Thank you all.


--
Ulysse31
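As an added diagnostic (not code from the original post): a small POSIX shell helper that reads `ls -lan` output and flags entries whose owner UID sits in the 3000000-3999999 range, which is what a Samba AD DC's idmap.ldb allocates by default when it hands out a dynamic xid instead of the user's RFC2307 uidNumber, and extracts the uid that `wbinfo -i` reports for comparison. The range bounds are an assumption (check them against the DC's own idmap.ldb) and the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumption: the DC's idmap.ldb allocates xids from this range
# (the Samba default); verify with:
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(cn=CONFIG)'
IDMAP_LOW=3000000
IDMAP_HIGH=3999999

# is_allocated_xid UID: succeeds if UID lies in the idmap.ldb range,
# i.e. it was allocated dynamically rather than taken from uidNumber.
is_allocated_xid() {
    [ "$1" -ge "$IDMAP_LOW" ] 2>/dev/null && [ "$1" -le "$IDMAP_HIGH" ]
}

# find_allocated_owners: reads "ls -lan" output on stdin and prints
# "uid name" for every entry owned by an allocated xid.
find_allocated_owners() {
    awk -v lo="$IDMAP_LOW" -v hi="$IDMAP_HIGH" '
        NF >= 9 && $3 ~ /^[0-9]+$/ && $3+0 >= lo+0 && $3+0 <= hi+0 {
            print $3, $9
        }'
}

# uid_from_wbinfo LINE: pulls the uid field out of a passwd-style
# "wbinfo -i user" line such as DOMAIN\user:*:2242:513::/home/...
uid_from_wbinfo() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Constructed sample listing: one entry owned by an allocated xid,
# one owned by the RFC2307 uid the user is supposed to get.
SAMPLE_LS='total 40
drwxr-xr-x  6    2287 171 4096 Mar 20 11:34 .
drwxr-xr-x  3       0   0 4096 Feb 26 10:36 ..
drwxrwx---+ 2 3000002 513 4096 Mar 20 11:04 lol
drwxrwx---+ 2    2242 513 4096 Mar 20 11:31 report'

# Stand-alone demo: list the entries that did not get the RFC2307 uid.
printf '%s\n' "$SAMPLE_LS" | find_allocated_owners
```

On a live DC, replace the sample with `ls -lan /path/to/share | find_allocated_owners` and compare each flagged uid with `uid_from_wbinfo "$(wbinfo -i user)"`; a non-empty result after `net cache flush` points at the idmap.ldb mapping rather than at a stale winbind cache.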
ulysse31
Messages: 2
Registration: March 20, 2018 - 11:46

March 21, 2018 - 10:23

Hello,

I'm replying to my own thread to leave a record of the progress, in case someone else has the same problem someday.
After running "net cache flush" on the server, then "net cache list | grep user", and then accessing the share with that user and creating directories and files, the files and folders now get the correct UID... However, why... and how it "returned to normal"... I have no idea... no changes to the server configuration...
This doesn't exactly reassure me for the future... I'm going to test with other test accounts, we'll see...

Have a good day everyone,

--
Ulysse31