Bug 10644 - acl_xattr doesn't work properly when incoming uid doesn't map to winbind (AD) sid to uid mapping
Summary: acl_xattr doesn't work properly when incoming uid doesn't map to winbind (AD)...
Status: RESOLVED WONTFIX
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: VFS Modules (show other bugs)
Version: 4.1.7
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-06-02 06:35 UTC by Sabuj Pattanayek
Modified: 2014-07-26 13:16 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sabuj Pattanayek 2014-06-02 06:35:29 UTC
Our university doesn't provide uids in AD but instead in LDAP, but all the groups we want to refer to/look up are in AD so we map to AD using rid and then force uids to be picked up by LDAP by using "passwd: files ldap" rather than "passwd: files winbind ldap" or just "passwd: files winbind" in /etc/nsswitch. This however breaks acl_xattr in that it doesn't generate the extended attribute security.NTACL for new files or directories under a directory that already has a security.NTACL that specifies for things like inherited permissions. If one forces a 660 or 770 create mask then it automatically gives everyone modify or full privs since there's no security.NTACL .

### So here are relevant portions from smb.conf : ###

workgroup = VANDERBILT
password server = dc-1.ds.vanderbilt.edu dc-2.ds.vanderbilt.edu dc-3.ds.vanderbilt.edu
realm = DS.VANDERBILT.EDU
security = ads
encrypt passwords = yes
allow trusted domains = No
idmap config *:backend = tdb
idmap config *:range = 4000000 - 5000000
idmap config VANDERBILT : backend  = rid
idmap config VANDERBILT : range    = 5000001 - 9000000
winbind offline logon = false
winbind trusted domains only = no
winbind use default domain = yes
# ldap handles users
winbind enum users  = no
# setting this to no forces samba to use the gid of an equivalently named group from ldap with force group on a share, still allows for winbind in the nsswitch.conf group line
winbind enum groups = no
winbind expand groups = 3
passdb backend = tdbsam

clustering = yes
# http://gpfsug.org/pipermail/gpfsug-discuss/2014-March/000356.html
unix extensions = yes

include = /etc/samba/template_shares.conf
include = /etc/samba/test_shares.conf

### /etc/samba/template_shares.conf ###

[template_xattr]
path = /dors/testfs
writeable = yes
vfs objects = shadow_copy2 acl_xattr fileid
ea support = yes
store dos attributes = yes
access based share enum = yes
map readonly = no
map archive = no
map system = no
mangled names = no
force unknown acl user = yes
#inherit acls = yes
#inherit permissions = yes
locking = yes
#create mask = 0770
#force create mode = 0770
#directory mask = 0770
#force directory mode = 0770
notify:inotify = no
shadow:snapdir = .snapshots
shadow:localtime = yes
shadow:format = %Y%m%d_%H:%M
shadow:fixinodes = yes
shadow:snapdirseverywhere = yes
shadow:sort = desc
posix locking = yes
kernel oplocks = no
kernel share modes = yes
fileid:algorithm = fsname

[template_nfs4]
comment = GPFS Cluster on mako-smb using %R protocol
path = /dors/testfs
writeable = yes
vfs objects = shadow_copy2 gpfs fileid
ea support = yes
store dos attributes = yes
access based share enum = yes
map readonly = no
map archive = no
map system = no
mangled names = no
force unknown acl user = yes
locking = yes
notify:inotify = no
shadow:snapdir = .snapshots
shadow:localtime = yes
shadow:format = %Y%m%d_%H:%M
shadow:fixinodes = yes
shadow:snapdirseverywhere = yes
shadow:sort = desc
# vfs_gpfs settings
gpfs:acl = yes
gpfs:winattr = yes
gpfs:dfreequota = yes
nfs4:mode = simple
nfs4:chown = yes
nfs4:acedup = merge
### set these to no if the share will only be accessed by smb/cifs clients ###
## needed to turn off sharemodes, msoffice on windows couldn't save
# https://bugzilla.samba.org/show_bug.cgi?id=6762
gpfs:sharemodes = no
gpfs:leases = yes
posix locking = yes
kernel oplocks = no
kernel share modes = yes
fileid:algorithm = fsname

### /etc/samba/test_shares.conf ###

[testfs3]
comment = GPFS Cluster on DORS using %R protocol
path = /dors/testfs
copy = template
#admin users = @csbouadmins

### /etc/nsswitch.conf ###

passwd:     files ldap
group:      files ldap winbind

1) connect to testfs3 set NTACL's on the top level directory which specify for inherited permissions on lower files/dirs
2) create files or lower level dirs. These files are mapped to a uid provided by ldap rather than winbind, but users that are supposed to have full or modify privs only get read only privs on files and dirs. The security.NTACL extended attribute doesn't get created on sub-dirs or files.

In /etc/nsswitch.conf If I put :

passwd: files winbind ldap 

or

passwd: files winbind

Then everything works properly because all incoming name <-> uid mappings are being mapped to winbind provided sid <-> uid mappings and I guess the user looks like a proper "AD" user to acl_xattr? This would be ok but if I want to share a share out over NFS + SMB then the uid mappings won't be what I need since we have an inter-departmental agreement to use LDAP provided UIDs on all our systems rather than "arbitrary" uid's generated by everyone's smb rid configuration. One interesting thing is that if I go into advanced in the windows dialog and click enable inheritance for a sub-dir/file it magically has its security.NTACL generated for it and the top-level perms are properly propagated, but that's just dumb since it means every single time a file or dir is created under a directory someone has to go in and click the enable inheritance button. Another goofy workaround is to force files and dirs to have 770 or at least 660 perms so that the default posix acl's at least work and become effective rwx or rw- for all files and dirs, but then it gives every user who has at least modify privs, full privs which we don't necessarily want.


The only workaround that works correctly with this ldap setup is to use copy = template_nfs4 with vfs_gpfs on the share and make sure the top level directory has nfs4 metadata/acl's so that inheritance and everything else just works. However, this makes for greater administrative overhead because users don't know how to setup the top level nfs4 permissions (they barely understand unix permissions), also not all users have access to their data over gpfs so they can't even use mmeditacl -k nfs4 dirname even if they wanted to (most use nfs and smb), and it's just not posix and breaks setfacl, umask (although no real need for this at that point with default posix or nfs4 acls), etc.

I hope this makes sense and someone can help fix this in acl_xattr.
Comment 1 Sabuj Pattanayek 2014-06-02 12:29:25 UTC
my situation is similar to this :

https://wiki.samba.org/index.php/Samba,_Active_Directory_%26_LDAP

But I need access to AD groups and I don't see how the above would give me that.
Comment 2 Björn Jacke 2014-07-26 13:16:58 UTC
different idmap packends for group and passwd are and will not be supported