Our university doesn't provide uids in AD but instead in LDAP, but all the groups we want to refer to/look up are in AD so we map to AD using rid and then force uids to be picked up by LDAP by using "passwd: files ldap" rather than "passwd: files winbind ldap" or just "passwd: files winbind" in /etc/nsswitch. This however breaks acl_xattr in that it doesn't generate the extended attribute security.NTACL for new files or directories under a directory that already has a security.NTACL that specifies for things like inherited permissions. If one forces a 660 or 770 create mask then it automatically gives everyone modify or full privs since there's no security.NTACL . ### So here are relevant portions from smb.conf : ### workgroup = VANDERBILT password server = dc-1.ds.vanderbilt.edu dc-2.ds.vanderbilt.edu dc-3.ds.vanderbilt.edu realm = DS.VANDERBILT.EDU security = ads encrypt passwords = yes allow trusted domains = No idmap config *:backend = tdb idmap config *:range = 4000000 - 5000000 idmap config VANDERBILT : backend = rid idmap config VANDERBILT : range = 5000001 - 9000000 winbind offline logon = false winbind trusted domains only = no winbind use default domain = yes # ldap handles users winbind enum users = no # setting this to no forces samba to use the gid of an equivalently named group from ldap with force group on a share, still allows for winbind in the nsswitch.conf group line winbind enum groups = no winbind expand groups = 3 passdb backend = tdbsam clustering = yes # http://gpfsug.org/pipermail/gpfsug-discuss/2014-March/000356.html unix extensions = yes include = /etc/samba/template_shares.conf include = /etc/samba/test_shares.conf ### /etc/samba/template_shares.conf ### [template_xattr] path = /dors/testfs writeable = yes vfs objects = shadow_copy2 acl_xattr fileid ea support = yes store dos attributes = yes access based share enum = yes map readonly = no map archive = no map system = no mangled names = no force unknown acl user = yes #inherit acls = yes #inherit permissions = yes locking = yes #create mask = 0770 #force create mode = 0770 #directory mask = 0770 #force directory mode = 0770 notify:inotify = no shadow:snapdir = .snapshots shadow:localtime = yes shadow:format = %Y%m%d_%H:%M shadow:fixinodes = yes shadow:snapdirseverywhere = yes shadow:sort = desc posix locking = yes kernel oplocks = no kernel share modes = yes fileid:algorithm = fsname [template_nfs4] comment = GPFS Cluster on mako-smb using %R protocol path = /dors/testfs writeable = yes vfs objects = shadow_copy2 gpfs fileid ea support = yes store dos attributes = yes access based share enum = yes map readonly = no map archive = no map system = no mangled names = no force unknown acl user = yes locking = yes notify:inotify = no shadow:snapdir = .snapshots shadow:localtime = yes shadow:format = %Y%m%d_%H:%M shadow:fixinodes = yes shadow:snapdirseverywhere = yes shadow:sort = desc # vfs_gpfs settings gpfs:acl = yes gpfs:winattr = yes gpfs:dfreequota = yes nfs4:mode = simple nfs4:chown = yes nfs4:acedup = merge ### set these to no if the share will only be accessed by smb/cifs clients ### ## needed to turn off sharemodes, msoffice on windows couldn't save # https://bugzilla.samba.org/show_bug.cgi?id=6762 gpfs:sharemodes = no gpfs:leases = yes posix locking = yes kernel oplocks = no kernel share modes = yes fileid:algorithm = fsname ### /etc/samba/test_shares.conf ### [testfs3] comment = GPFS Cluster on DORS using %R protocol path = /dors/testfs copy = template #admin users = @csbouadmins ### /etc/nsswitch.conf ### passwd: files ldap group: files ldap winbind 1) connect to testfs3 set NTACL's on the top level directory which specify for inherited permissions on lower files/dirs 2) create files or lower level dirs. These files are mapped to a uid provided by ldap rather than winbind, but users that are supposed to have full or modify privs only get read only privs on files and dirs. The security.NTACL extended attribute doesn't get created on sub-dirs or files. In /etc/nsswitch.conf If I put : passwd: files winbind ldap or passwd: files winbind Then everything works properly because all incoming name <-> uid mappings are being mapped to winbind provided sid <-> uid mappings and I guess the user looks like a proper "AD" user to acl_xattr? This would be ok but if I want to share a share out over NFS + SMB then the uid mappings won't be what I need since we have an inter-departmental agreement to use LDAP provided UIDs on all our systems rather than "arbitrary" uid's generated by everyone's smb rid configuration. One interesting thing is that if I go into advanced in the windows dialog and click enable inheritance for a sub-dir/file it magically has its security.NTACL generated for it and the top-level perms are properly propagated, but that's just dumb since it means every single time a file or dir is created under a directory someone has to go in and click the enable inheritance button. Another goofy workaround is to force files and dirs to have 770 or at least 660 perms so that the default posix acl's at least work and become effective rwx or rw- for all files and dirs, but then it gives every user who has at least modify privs, full privs which we don't necessarily want. The only workaround that works correctly with this ldap setup is to use copy = template_nfs4 with vfs_gpfs on the share and make sure the top level directory has nfs4 metadata/acl's so that inheritance and everything else just works. However, this makes for greater administrative overhead because users don't know how to setup the top level nfs4 permissions (they barely understand unix permissions), also not all users have access to their data over gpfs so they can't even use mmeditacl -k nfs4 dirname even if they wanted to (most use nfs and smb), and it's just not posix and breaks setfacl, umask (although no real need for this at that point with default posix or nfs4 acls), etc. I hope this makes sense and someone can help fix this in acl_xattr.
my situation is similar to this : https://wiki.samba.org/index.php/Samba,_Active_Directory_%26_LDAP But I need access to AD groups and I don't see how the above would give me that.
different idmap packends for group and passwd are and will not be supported