NethServer Version: 7 RC3
I am currently evaluating NethServer for use in our office. I'm quite impressed so far.
It is to replace an ageing Windows server and an iRedMail server. So that you know where I'm coming from, I know Linux like the back of my hand but my Windows knowledge is a bit sketchy these days and I've never really dealt with Active Directory. I know a bit about LDAP and sssd and I can competently configure NFSv4 but had never tried it with Kerberos until yesterday.
We have Linux, Windows, and Mac desktops to serve so Samba AD seemed like the right option but my boss is keen to have proper ownership and permissions on the shares. If some user creates a file, he wants that user to be shown as the owner across the network. However, I found that when I created some files on a NethServer share from my Fedora desktop using GVfs, an `ls -l` on the server revealed that they were owned by the administrator user even though I'd connected as myself. This tallies with the `inherit owner = yes` setting in smb.conf that is hardcoded in the template. If I change this to `no` then files are created as my own user as I would expect.
This desktop hasn't yet joined the domain so an `ls -l` locally just shows every file being owned by my local user. If I adjust the permissions server side then I can get `permission denied` client side even though the POSIX permissions indicate that I should be able to read the file. I suppose this is to be expected without any meaningful way to map UIDs.
Meanwhile, my colleague works remotely and has a slow connection. He's shuddering at the thought of using Samba and really wants to use NFS instead. I was disappointed to find that NethServer does not support this but I found a guide on how to authenticate via Samba and I got it working remarkably easily on a CentOS client that had already joined the domain using `realmd`. I was pleased to find that the UID mapping worked perfectly in this case. Given how easy it was for me to do this, surely an NFS module or even just a tick box is a possibility? It's something I wouldn't mind contributing.
I gather I could use a local site override on the smb.conf template to put `inherit owner = no` but would I be straying too far from the intended path? It seems to work but I've only tried it briefly and I don't know if there would be wider consequences. I've read that you can still set ACLs within Samba shares but I don't understand how this works when everything appears to be owned by the same user. Please expand my AD knowledge!
I also note that documentation on the template system can only be found in older releases. Is this because the documentation simply hasn't been updated? Is this something I should be messing with? There was also an Ibay profile feature that has now gone away. Issue #1881 noted that this should be done via the command line now. Does this mean by using the template system? Again, if you consider the ability to change `inherit owner` a useful feature to have in the web UI then I could whip up a patch.