2

I have an issue that I'm going round in circles with, I hope you can help.

The Set up:

Server 1 (CIFS Client) - CentOS 6.3 AD integrated using Samba/Winbind & idmap_ad

Server 2 (CIFS Server) - CentOS 6.3 AD integrated using Samba/Winbind & idmap_ad

All users (apart from root) are AD authenticated and this, including groups, etc works happily.

What's working:

I have created a share on Server 2:

[share2]
   path = /srv/samba/share2
   writeable = yes

Permissions on the share:

drwxrwx---. 2 root domain users 4096 Oct 12 09:21 share2

I can log into a Windows machine as user5 (member of domain users) and everything works as it should, for example: If I create a file it shows the correct permissions and attributes on both the MS and the Linux sides.

Where I Fall Down:

I mount the share on Server 1 using:

# mount //server2/share2 /mnt/share2/ -o username=cifsmount,password=blah,domain=blah

Or using fstab:

//server2/share2     /mnt/share2            cifs    credentials=/blah/.creds        0 0

This mounts fine, but....

If I su, or log onto server 1 as a normal user (say user5) and try to create a file I get:

#touch test
touch test
touch: cannot touch `test': Permission denied

Then if I check the folder the file was created but as the cifsmount user:

-rw-r--r--. 1 cifsmount domain users    0 Oct 12 09:21 test

I can rename, delete, move or copy stuff around as user5, I just can't create anything, what am I doing wrong?

I'm guessing it's something to do with the mount action as when I log onto server2 as user5 and access the folder locally it all works as it should.

Can anyone point me in the right direction?

malco
  • Does the user user5 have the same UID on both server1 and server2? I don't recall how the IDMAP works with the AD backend. – Gazzonyx Oct 16 '12 at 01:23
  • Yep, no problem there, I'm solely using AD as the backend so all UID/GIDs come from the one central location. – malco Oct 17 '12 at 15:29

2 Answers

1

Look at the "noperm" mount option. Also you may wish to consider looking at the "unix extensions" option on the server too.

0

From the mount.cifs manpage:

setuids
       If the CIFS Unix extensions are negotiated with the server the client will attempt to set the effective uid and gid of the local process on newly created files,
       directories, and devices (create, mkdir, mknod). If the CIFS Unix Extensions are not negotiated, for newly created files and directories instead of using the
       default uid and gid specified on the the mount, cache the new file´s uid and gid locally which means that the uid for the file can change when the inode is
       reloaded (or the user remounts the share).

Please add this option to your fstab. If it is still not working, I would assume that the UNIX extensions are not working in your setup.

Thomas Berger
  • Thanks but Setuids does not achieve what I need. I have gone about it a different way. As we have different demands from the Linux side I am presenting the root folder of the share with NFS to Linux and Samba to Windows. This means we can take advantage of the POSIX ACLs and use them to control the underlying permissions for both methods. – malco Oct 17 '12 at 16:11
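
One way to check the second answer's assumption about whether the Unix extensions were negotiated, as an added example that is not from the thread or from the Samba or cifs-utils projects: the script reads `/proc/mounts`-style lines and reports, per cifs mount, the options the answers discuss. The sample lines are constructed, `share3` is hypothetical, and the script assumes the kernel lists `unix` or `nounix` among the cifs mount options.

```shell
#!/bin/sh
# Added example (not from the thread): read /proc/mounts-style lines and
# report, per cifs mount, the options the answers discuss.

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated OPTS.
# Wrapping both in commas stops "unix" from matching inside "nounix".
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# cifs_mount_report: stdin is mounts-format text
# (device mountpoint fstype options dump pass).
cifs_mount_report() {
    while read -r _dev mnt fstype opts _rest; do
        [ "$fstype" = "cifs" ] || continue
        unix=no; setuids=no; noperm=no; on_server=no
        if has_opt "$opts" unix; then unix=yes; fi
        if has_opt "$opts" setuids; then setuids=yes; fi
        if has_opt "$opts" noperm; then noperm=yes; fi
        # Per the manpage text quoted in the answer, setuids only sets
        # ownership on the server when the Unix extensions were negotiated;
        # otherwise the uid/gid is merely cached on the client.
        if [ "$unix" = yes ] && [ "$setuids" = yes ]; then on_server=yes; fi
        echo "$mnt unix=$unix setuids=$setuids noperm=$noperm owner_set_on_server=$on_server"
    done
}

# Constructed sample input (assumption: the kernel lists "unix" or "nounix"
# among the cifs options in /proc/mounts).
SAMPLE_MOUNTS='//server2/share2 /mnt/share2 cifs rw,relatime,username=cifsmount,uid=0,gid=0,nounix,serverino,setuids 0 0
//server2/share3 /mnt/share3 cifs rw,relatime,username=cifsmount,uid=0,gid=0,unix,posixpaths,serverino,setuids 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | cifs_mount_report
# On a live system: cifs_mount_report < /proc/mounts
```

A mount that reports `unix=no` with `setuids=yes` matches the case the manpage describes where ownership is only cached on the client, so new files still belong to the mount credentials' user on the server.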