File ownership on Samba AD shares

NethServer Version: 7 RC3
Module: nethserver-samba

I am currently evaluating NethServer for use in our office. I’m quite impressed so far. :smiley:

It is to replace an ageing Windows server and an iRedMail server. So that you know where I’m coming from, I know Linux like the back of my hand but my Windows knowledge is a bit sketchy these days and I’ve never really dealt with Active Directory. I know a bit about LDAP and sssd and I can competently configure NFSv4 but had never tried it with Kerberos until yesterday.

We have Linux, Windows, and Mac desktops to serve so Samba AD seemed like the right option but my boss is keen to have proper ownership and permissions on the shares. If some user creates a file, he wants that user to be shown as the owner across the network. However, I found that when I created some files on a NethServer share from my Fedora desktop using GVfs, an ls -l on the server revealed that they were owned by the administrator user even though I’d connected as myself. This tallies with the inherit owner = yes setting in smb.conf that is hardcoded in the template. If I change this to no then files are created as my own user as I would expect.

This desktop hasn’t yet joined the domain so an ls -l locally just shows every file being owned by my local user. If I adjust the permissions server side then I can get permission denied client side even though the POSIX permissions indicate that I should be able to read the file. I suppose this is to be expected without any meaningful way to map UIDs.

Meanwhile, my colleague works remotely and has a slow connection. He’s shuddering at the thought of using Samba and really wants to use NFS instead. I was disappointed to find that NethServer does not support this but I found a guide on how to authenticate via Samba and I got it working remarkably easily on a CentOS client that had already joined the domain using realmd. I was pleased to find that the UID mapping worked perfectly in this case. Given how easy it was for me to do this, surely an NFS module or even just a tick box is a possibility? It’s something I wouldn’t mind contributing.

I gather I could use a local site override on the smb.conf template to put inherit owner = no but would I be straying too far from the intended path? It seems to work but I’ve only tried it briefly and I don’t know if there would be wider consequences. I’ve read that you can still set ACLs within Samba shares but I don’t understand how this works when everything appears to be owned by the same user. Please expand my AD knowledge! :confused:

I also note that documentation on the template system can only be found in older releases. Is this because the documentation simply hasn’t been updated? Is this something I should be messing with? There was also an Ibay profile feature that has now gone away. Issue #1881 noted that this should be done via the command line now. Does this mean by using the template system? Again, if you consider the ability to change inherit owner a useful feature to have in the web UI then I could whip up a patch.

6 Likes

This behavior is an ns6 legacy. Its reason was: administrator (that is not root) must always be entitled to modify (fix) any shared folder.

In ns7 we are discussing a feature that could overcome this limitation based on “username map”: please chime in! Of course “inherit owner” could be set to “no” if we find another way of always granting access to admins.

Meanwhile your boss could appreciate the samba-audit module that tracks all operations executed on shared folders.

2 Likes

Yep, I have this in mind, a module for NFS, but I worry that it is (probably) incompatible with the shared folder. I’m not sure that I can share the data between Samba and NFS. I admit I must try it because I succeeded with SME9 (Samba 3). Is it a blocker if each protocol gets the data not shared?

Can you share your source and what you did? It could be nice to write some notes on the wiki.

Good point. I wonder whether POSIX ACLs can help. I’ve found that they can be remarkably resilient, save for an obscure bug in tar that I haven’t got around to figuring out. I’ll experiment a little but I won’t be back in the office until the 9th.

I’d noticed that and yes, he certainly will!

Yeah, we really need it to be shared but it did seem to work when I briefly tried it. I’m cautiously optimistic.

As I said, I won’t be back in the office for a while, but it was something along the lines of:

  • Join the client to the realm with realmd.
  • Allow TCP/UDP 111,2049 on server firewall. Other ports not needed for v4.
  • yum install nfs-utils on both.
  • Add lines below to /etc/exports on server. Can possibly be simplified, needs further investigation.
  • Correctly set domain in /etc/idmapd.conf on both.
  • systemctl start nfs-idmap on both.
  • systemctl start nfs-server on server.
  • net -u administrator ads keytab add nfs on server.
  • systemctl start nfs-utils on client.
  • mount -t nfs4 -o sec=krb5p neth.example.com:/foo /mnt/foo on client.

/etc/exports

/var/lib/nethserver/ibays  *(rw,sec=sys:krb5:krb5i:krb5p,fsid=0)
/var/lib/nethserver/ibays/foo  *(rw,sec=sys:krb5:krb5i:krb5p,fsid=1)

I now wonder whether idmap is actually needed when the client has joined the domain via sssd. A quick search just now reveals there is some crossover here. I’ll look into it.

1 Like
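The recipe above leaves two things easy to get wrong: the sec= list in /etc/exports (which also decides whether a client may fall back to AUTH_SYS, i.e. unauthenticated, client-asserted UIDs) and the idmapd Domain that has to agree on both ends or every owner shows up as nobody. The script below is an added example, not code from the thread or from NethServer; it checks those settings offline against constructed copies of /etc/exports, /etc/idmapd.conf and the output of klist -k, and assumes the hypothetical realm EXAMPLE.COM, NFS server neth.example.com and idmap domain example.com.

```shell
#!/bin/sh
# Added example (not from the thread or NethServer): offline sanity checks for
# the NFSv4 + Kerberos recipe. All input files below are constructed samples;
# the hostname, realm and domain are assumptions, not values from the thread.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed /etc/exports: the two lines from the thread plus one krb5p-only export.
cat > "$WORK/exports" <<'EOF'
/var/lib/nethserver/ibays      *(rw,sec=sys:krb5:krb5i:krb5p,fsid=0)
/var/lib/nethserver/ibays/foo  *(rw,sec=sys:krb5:krb5i:krb5p,fsid=1)
/var/lib/nethserver/ibays/bar  *(rw,sec=krb5p,fsid=2)
EOF

# Constructed /etc/idmapd.conf with the default commented Domain left in place.
cat > "$WORK/idmapd.conf" <<'EOF'
[General]
#Domain = local.domain.edu
Domain = example.com

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
EOF

# Constructed stand-in for `klist -k` output after `net ads keytab add nfs`.
cat > "$WORK/klist.out" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/neth.example.com@EXAMPLE.COM
   2 nfs/neth.example.com@EXAMPLE.COM
EOF

# Print the colon-separated sec= list for an export path. Per exports(5), an
# export without sec= accepts AUTH_SYS only.
export_sec_flavors() {
  awk -v p="$2" '
    $1 == p {
      if (match($2, /\(.*\)/)) {
        opts = substr($2, RSTART + 1, RLENGTH - 2)
        n = split(opts, o, ",")
        for (i = 1; i <= n; i++)
          if (o[i] ~ /^sec=/) { print substr(o[i], 5); exit }
      }
      print "sys"; exit
    }' "$1"
}

# True if the export accepts the given flavor (sys, krb5, krb5i or krb5p).
export_allows() {
  export_sec_flavors "$1" "$2" | tr ':' '\n' | grep -qx "$3"
}

# Domain= from the [General] section of idmapd.conf, ignoring commented lines.
idmap_domain() {
  awk -F= '
    /^\[/ { sect = $0 }
    sect == "[General]" && $1 ~ /^[ \t]*Domain[ \t]*$/ {
      gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit
    }' "$1"
}

# True if klist -k output lists nfs/<host>@<REALM>; without it no sec=krb5*
# mount can be negotiated by the server.
keytab_has_nfs_principal() {
  awk 'NF == 2 && $1 ~ /^[0-9]+$/ { print $2 }' "$1" | grep -qxF "nfs/$2@$3"
}

# Run every check for one export; prints each finding and returns their count.
check_recipe() {
  exports=$1; path=$2; idmapd=$3; want_domain=$4; klist=$5; host=$6; realm=$7
  findings=0
  export_allows "$exports" "$path" krb5p \
    || { echo "FAIL: $path does not allow sec=krb5p"; findings=$((findings + 1)); }
  export_allows "$exports" "$path" sys \
    && { echo "WARN: $path also allows sec=sys (client-asserted UIDs, no authentication)"; findings=$((findings + 1)); }
  [ "$(idmap_domain "$idmapd")" = "$want_domain" ] \
    || { echo "FAIL: idmapd Domain is not $want_domain"; findings=$((findings + 1)); }
  keytab_has_nfs_principal "$klist" "$host" "$realm" \
    || { echo "FAIL: keytab lacks nfs/$host@$realm"; findings=$((findings + 1)); }
  return "$findings"
}

for ibay in foo bar; do
  if check_recipe "$WORK/exports" "/var/lib/nethserver/ibays/$ibay" "$WORK/idmapd.conf" \
       example.com "$WORK/klist.out" neth.example.com EXAMPLE.COM; then
    echo "$ibay: all checks passed"
  fi
done
```

Run as-is it warns on foo and passes bar: the thread's sec=sys:krb5:krb5i:krb5p line makes a sec=krb5p mount possible, but it also lets any host that can reach port 2049 mount with sec=sys and be trusted for whatever UID it claims, which is exactly the UID-mapping problem the thread is trying to avoid. If the goal is Kerberos-only access, drop sys from the list (and restrict the * client spec to the subnets that need it).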

Of course this is completely off topic, but I saw that you did some commits for GlusterFS on GitHub. What about GlusterFS vs NFS?

Thanks for your inputs :slight_smile:

That was actually the Chef cookbook for Gluster, not Gluster itself. We are indeed using it though and are about to use it more. We use the geo-replication feature rather than its main cluster feature though. This is good for off-site backups and we’re probably going to hook it up to NethServer but it’s not an easy thing to fully script out. I’m just getting Chef to do the simpler bits. It’s not a replacement for NFS as clustering is latency-sensitive and geo-replication is not bidirectional.

2 Likes