If a user is created locally as well as in AD then a mapping issue is observed.

Local User
----------
# getent passwd tuser -s files
tuser:x:500:500::/home/tuser:/bin/bash

AD User
--------
# getent passwd tuser -s winbind
tuser:*:16777216:16777216::/home/EXAMPLE/tuser:/bin/bash

If "winbind use default domain = true" is set and an AD user with the same name is mapped to a local user, then access to a directory owned by the local user does not work.

As per the Samba man page (https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html), under the "username map" parameter the unix user should be mentioned on the left side.
-----------------------------------------------------------------------------
For example to map from the name admin or administrator to the UNIX name root you would use:

root = admin administrator

Or to map anyone in the UNIX group system to the UNIX name sys you would use:

sys = @system
-----------------------------------------------------------------------------
Testing details are given below.

File Configuration
===================
1) /etc/samba/smb.conf
---------------------------------------------------------
[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM
security = ads
idmap config * : range = 16777216-33554431
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000 - 1000000
template shell = /bin/bash
winbind separator = +
winbind use default domain = true
username map = /etc/samba/usermap
winbind offline logon = false
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
passdb backend = tdbsam
load printers = yes
cups options = raw

[test]
comment = TestShare
path = /test
browseable = yes
valid users = tuser
guest ok = no
writable = yes
printable = no
---------------------------------------------------------
2) /etc/nsswitch.conf
---------------------------
passwd: files winbind
shadow: files winbind
group: files winbind
---------------------------

ID OUTPUT
===========
# id tuser
uid=500(tuser) gid=500(tuser) groups=500(tuser),16777216(domain users),16777218(domain admins),16777217(denied rodc password replication group),16777220(BUILTIN+users),16777219(BUILTIN+administrators)

# id EXAMPLE+tuser
uid=16777216(tuser) gid=16777216(domain users) groups=16777216(domain users),16777218(domain admins),16777217(denied rodc password replication group),16777220(BUILTIN+users),16777219(BUILTIN+administrators)

Samba Share Directory Permission
================================
# ls -ld /test/
drwxrwx---. 2 tuser tuser 4096 Oct 15 13:30 /test/
# ls -lnd /test/
drwxrwx---. 2 500 500 4096 Oct 15 13:30 /test/
# ls -ltr /test/
total 0
-rw-r--r--. 1 tuser tuser 0 Oct 15 13:30 a.txt
# ls -lntr /test/
total 0
-rw-r--r--. 1 500 500 0 Oct 15 13:30 a.txt

TESTING RESULT
==============
A) /etc/samba/usermap and "winbind use default domain = false"
-----------------------------------------------------------
Test 1) EXAMPLE+tuser = tuser (Not able to login due to "NT_STATUS_ACCESS_DENIED")
# smbclient \\\\192.168.122.15\\test -U tuser%test123
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 3.6.23-20.el6]
tree connect failed: NT_STATUS_ACCESS_DENIED

Test 2) tuser = EXAMPLE+tuser (Access and directory listing working)
# smbclient \\\\192.168.122.15\\test -U tuser%test123
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 3.6.23-20.el6]
smb: \> ls
  .                                   D        0  Thu Oct 15 13:30:53 2015
  ..                                 DR        0  Thu Oct 15 13:21:46 2015
  a.txt                                        0  Thu Oct 15 13:30:53 2015

                35036 blocks of size 524288. 22261 blocks available
smb: \>

B) /etc/samba/usermap and "winbind use default domain = true"
----------------------------------------------------------
Test 1) EXAMPLE+tuser = tuser (Able to login but getting NT_STATUS_ACCESS_DENIED during directory listing due to directory permission)
# smbclient \\\\192.168.122.15\\test -U tuser%test123
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 3.6.23-20.el6]
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \>

Test 2) tuser = EXAMPLE+tuser (Able to login but getting NT_STATUS_ACCESS_DENIED during directory listing due to directory permission)
# smbclient \\\\192.168.122.15\\test -U tuser%test123
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 3.6.23-20.el6]
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \>
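An added pre-flight check, not part of this report or of Samba, that parses a "username map" file together with the "files" and "winbind" passwd views and flags the overlap the report hits: a left-hand name that resolves in both sources with different uids, and (with "winbind use default domain = true") a bare right-hand name that also resolves via winbind. The sample passwd lines and map rules are constructed from the report's getent output; the separator follows the report's "winbind separator = +".

```python
"""Flag ambiguous 'username map' rules on a host using nsswitch 'files winbind'."""

# Constructed sample input modelled on the getent output in the report.
FILES_PASSWD = ("tuser:x:500:500::/home/tuser:/bin/bash\n"
                "root:x:0:0:root:/root:/bin/bash\n"
                "sys:x:3:3:sys:/dev:/sbin/nologin\n")
WINBIND_PASSWD = "tuser:*:16777216:16777216::/home/EXAMPLE/tuser:/bin/bash\n"
USERMAP = "tuser = EXAMPLE+tuser\nroot = admin administrator\nsys = @system tuser\n"
SEP = "+"  # 'winbind separator = +' in the report's smb.conf


def parse_passwd(text):
    """passwd-format lines -> {name: uid}."""
    out = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3:
            out[fields[0]] = int(fields[2])
    return out


def parse_usermap(text):
    """'unix = win1 win2 @grp' lines -> [(unix, [win1, win2, @grp])]; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            unix, rhs = (s.strip() for s in line.split("=", 1))
            rules.append((unix, rhs.split()))
    return rules


def check_usermap(usermap, files, winbind, use_default_domain):
    """Return warning strings for rules that are ambiguous between files and winbind."""
    warnings = []
    for unix, names in parse_usermap(usermap):
        in_files, in_wb = unix in files, unix in winbind
        if not (in_files or in_wb):
            warnings.append(f"{unix}: left-hand side is not a resolvable unix user")
        elif in_files and in_wb and files[unix] != winbind[unix]:
            warnings.append(f"{unix}: exists in files (uid {files[unix]}) and winbind "
                            f"(uid {winbind[unix]}); share owner uid is ambiguous")
        for name in names:
            # A bare name on the right is only unambiguous when every winbind
            # name still carries its DOMAIN+ prefix.
            if use_default_domain and SEP not in name and not name.startswith("@") \
                    and name in winbind:
                warnings.append(f"{unix}: right-hand name {name!r} has no domain prefix "
                                f"but also resolves via winbind")
    return warnings


if __name__ == "__main__":
    for w in check_usermap(USERMAP, parse_passwd(FILES_PASSWD),
                           parse_passwd(WINBIND_PASSWD), use_default_domain=True):
        print("WARNING:", w)
```

On a live host, feed it the output of `getent passwd -s files`, `getent passwd -s winbind` and the file named by `username map` instead of the constructed strings.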
Can someone explain how 'username map' is supposed to work in different scenarios (file server, authentication) and how 'winbind use default domain' affects it? Do we have bugs here, or is the documentation simply very, very bad and people start to do stupid stuff because of the missing docs?
(In reply to Andreas Schneider from comment #1) The username map syntax is *really* old and crufty. It never really got updated for AD environments. I continue to *hate* "winbind use default domain" in all cases :-). Having said that, I'm unclear what the original submitter is actually complaining about. So to the submitter: a) What do you want to do? b) How is username map not doing that?
Jeremy, the issue here is that he has an AD and a Unix user with the same name. If I understand the 'username map' syntax correctly, it only supports: unixuser = smb_user (ad_user). The mapping is done via getpwnam() calls, so we only support what comes out of nsswitch, right?
Using 'winbind use default domain' is not a good idea, especially with overlapping local/AD user names. This is considered to be an unsupported setup.