On Fri, Jan 11, 2019 at 11:53:45AM +0200, Zdravko Zdravkov wrote:
I have working AD (Samba) for office with mostly Linux machines and
few
users on Windows 10.
I'm using sssd to join the AD with the following configuration:
[sssd]
> domains = xxxxx
> config_file_version = 2
> services = nss, pam
> [domain/xxxxx]
> ad_domain = xxxxxx
> krb5_realm = XXXXXXX
> realmd_tags = manages-system joined-with-samba
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = True
> use_fully_qualified_names = False
> fallback_homedir = /home/%u
> access_provider = ad
We have EMC storage, joined to the AD. Everyone is using it. On Windows
it's being mapped via smb, and in Linux via nfs.
I'll explain it as simple as I can. If I'm Linux user X and I create folder
on the storage then list it to check ownership and permissions, it appears
as it should - with owner X, and group domain users.
Next, I log on Windows machine with the same user (X), browse the storage
and create another folder. Then, on a Linux machine I list it, to check
ownership. Now for owner I'm getting bizarre generated uID - "1000043",
but
the group remains as it should (domain users). Obviously this is a problem,
as it messes up access to files/folders which need to be used between
different operating systems.
Next, from linux machine I check the uid for that particular user: *id X*,
so I'm getting result "1115001239" which is OK. This is the uid as Linux
understands it.
If I copy that uid, then in AD users and computers management tool (in
windows) I browse that particular user, and manually add the uid to the
shown uidNumber attribute:
[image: ad_attrs.PNG]
Then clear SSSD cache with *sss_cache -E*.
The next file/folder I create from Windows is now successfully shown with
correct owner name in Linux.
If I understand it correctly I would say that this is about how the EMC
storage gets the UID. With NFS it gets the UID used by the Linux client
from the protocol. With SMB there is no UID in the protocol (there is a
POSX extension but I guess it is not used here) and I would expect that
the EMC system is configured to lookup user data from AD. As long as
there is not uidNumber stored in the user's AD object the storage has to
generate an UID on its own when making the files available via NFS.
This is kind of a solution, but isn't perfect as it requires a
bit of
manual interaction. I'm wondering if it has anything to do with SSSD, or it
is purely up to Samba? Is there a better way to achieve what I want.
How comes Samba into play here?
bye,
Sumit
Cheers guys
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...