UID / GID resolving on SMB mounted volumes (AD authenticated)
Hi,
I'm currently trying to set up the "magic triangle" with AD (Win 2003 Server) providing authentication services through Kerberos while an OD master (10.4.11 OS X Server) is supposed to tweak a few settings (dock, automounts, etc.) on the Mac client machines (all running 10.4.11). So far I've been pretty successful: I can log in with an AD user account on a Mac client using SMB-mounted network homes. The home directories and other shares are located on a Linux Samba server (Debian 4.0) which is also a member of the AD realm. This setup works quite well for our Windows XP clients on the network. The goal is to share home directories and other network volumes between WinXP and Mac OS X clients.
Even though the (auto)mounting of Samba shares seems to work quite well, there are issues concerning the permissions on mounted volumes that render these almost useless from a user perspective. For some reason the Mac client (Intel iMac 2.4 GHz, 10.4.11) has problems resolving the UID / GID from the AD. In a terminal window the home directory mounted at /Network/Server/ of the currently logged-in user looks like this:
iwwmac:~ gunag$ ls -la
total 274
drwxrwxrwx + 1 4294967195 IWW\domà 16384 Dec 11 20:53 .
drwxr-xr-x 3 root wheel 102 Dec 11 20:52 ..
-rwxrwxrwx + 1 4294967195 IWW\domà 6148 Dec 11 20:52 .DS_Store
drwxrwxrwx + 1 4294967195 IWW\domà 16384 Dec 11 20:54 .Spotlight-V100
drwxrwxrwx + 1 4294967195 IWW\domà 16384 Dec 11 20:52 .Trash
-rwxrwxrwx + 1 4294967195 IWW\domà 0 Dec 11 20:52 .Xauthority-c
drwxrwxrwx + 1 4294967195 IWW\domà 16384 Dec 11 15:01 .ssh
drwxrwxrwx + 1 4294967195 IWW\domà 16384 Aug 15 14:33 .winprofile
drwxrwxrwx + 1 4294967195 IWW\domà 16384 Dec 11 20:52 Desktop
drwxrwxrwx + 1 4294967195 IWW\domà 16384 Dec 11 20:56 Library
Note: IWW\domà spells out as IWW\domänen-benutzer (or "domusers" in W2K terms)
The directory listing of another mounted Samba share looks like this:
iwwmac:/Volumes/parkplatz/kollegiumgebaeude gunag$ ls -la
total 888
drwxrwxrwx + 1 4294967195 2181038082 16384 Dec 11 21:16 .
drwxrwxrwx + 1 4294967195 2181038082 16384 Jan 1 1970 ..
-rwxrwxrwx + 1 4294967195 IWW\domà 12292 Dec 7 15:46 .DS_Store
drwxrwxrwx + 1 4294967195 IWW\domà 16384 Oct 9 21:37 AaXXX
drwxrwxrwx + 1 ansil IWW\domà 16384 Oct 9 21:37 AnXXX
drwxrwxrwx + 1 4294967195 IWW\domà 16384 Nov 17 16:53 CanXXX
drwxrwxrwx + 1 4294967195 IWW\domà 16384 Oct 28 06:45 CaXXX
drwxrwxrwx + 1 4294967195 IWW\domà 16384 Nov 25 06:47 ChaXXX
drwxrwxrwx + 1 4294967195 IWW\domà 16384 Oct 9 21:37 EcXXX
drwxrwxrwx + 1 4294967195 IWW\domà 16384 Nov 21 11:41 GerXXX
drwxrwxrwx + 1 4294967195 IWW\domà 16384 Dec 11 19:30 GudXX
drwxrwxrwx + 1 anmar IWW\domà 16384 Dec 4 11:01 JoXXX
drwxrwxrwx + 1 4294967195 IWW\domà 16384 Oct 9 21:37 LiXXX
drwxrwxrwx + 1 makub IWW\domà 16384 Nov 12 15:35 MartXXX
As you can see, the UID is sometimes resolved to an AD login and sometimes not. The trouble is that the AD user logged in on a Mac cannot delete or modify previously copied files on the Samba share due to these funny permission settings (what is this "+" all about?). At first glance this seems to be a result of misinterpreting or ignoring the ACLs on the Samba share.
For example: if the current user just copies a file from the Mac desktop to the Samba share, the following ACLs are set ("getfacl" run on the Linux machine):
-r--rwxr--+ 1 gunag domusers 341 2007-12-11 18:24 Ohne Titel.rtf
# owner: gunag
# group: domusers
user::r--
user:gunag:rwx
group::r--
mask::rwx
other::r--
The user "gunag" should have full access, but the attempt to delete the file using the Mac Finder gives a "permission denied".
Look at the directory listing in the terminal window on the Mac client...weird!
-rwxrwxrwx + 1 4294967195 IWW\domà 361 Dec 11 18:24 Ohne Titel.rtf
To make things even more complicated: on another machine (old B&W with 10.4.11, also bound to AD and OD) the home directory and other volumes show permissions like these (directory listing from a terminal on the Mac client):
-rw-r--r-- 1 gunag nobody 0 2007-12-11 17:48 test2
All files / directories on SMB-mounted volumes are owned by "gunag" (current user) and group "nobody" and, what is even more important, can be modified or deleted. However, sometimes(!) the mounted directories even on this B&W Mac look like in the previous example (weird permissions without UID / GID resolving).
I really hope that someone can help me resolve this issue, or I will actually have to give up my Single-Sign-On plans for now, which would be quite frustrating after spending about two weeks and getting so close.
Greetings from Germany
Lars Wessels
iMac 2.4GHz, Mac OS X (10.4.11)
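The following is an added example, not part of the original post or any Apple/Samba code. It parses the getfacl output quoted in the post and applies the POSIX.1e access-check algorithm (as documented in acl(5) on Linux) to it, so the server-side decision can be reproduced independently of what the Mac's ls shows. The ACL text is copied from the post; the second ACL in the test and the group membership lists are constructed for the example. The helper as_signed32 only reinterprets the numeric ids ls printed as 32-bit two's-complement values.

```python
"""POSIX.1e ACL access check, run over the getfacl output quoted in the post.

Added example (not from the original post or any Samba/Apple code).
The ACL text is copied from the post; user names beyond those shown there
and the group memberships passed to check_access() are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# getfacl output exactly as quoted in the post (the "# file:" line was not shown)
GETFACL_TEXT = """\
# owner: gunag
# group: domusers
user::r--
user:gunag:rwx
group::r--
mask::rwx
other::r--
"""


def perm_bits(s: str) -> int:
    """'rwx'-style string -> 3-bit mask (r=4, w=2, x=1); '-' characters are ignored."""
    return (4 if "r" in s else 0) | (2 if "w" in s else 0) | (1 if "x" in s else 0)


@dataclass
class Acl:
    owner: str
    group: str
    user_obj: int = 0                 # user::    (file owner entry)
    group_obj: int = 0                # group::   (owning group entry)
    other: int = 0                    # other::
    mask: Optional[int] = None        # mask::    (absent on minimal ACLs)
    users: Dict[str, int] = field(default_factory=dict)   # user:NAME:  entries
    groups: Dict[str, int] = field(default_factory=dict)  # group:NAME: entries


def parse_getfacl(text: str) -> Acl:
    """Parse the text form getfacl prints (comment header plus tag:qualifier:perms lines)."""
    owner = group = ""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line.startswith("#"):
            continue                       # "# file:" or other comment lines
        else:
            entries.append(line)
    acl = Acl(owner=owner, group=group)
    for entry in entries:
        tag, qualifier, perms = entry.split(":")
        bits = perm_bits(perms)
        if tag == "user":
            if qualifier == "":
                acl.user_obj = bits
            else:
                acl.users[qualifier] = bits
        elif tag == "group":
            if qualifier == "":
                acl.group_obj = bits
            else:
                acl.groups[qualifier] = bits
        elif tag == "mask":
            acl.mask = bits
        elif tag == "other":
            acl.other = bits
        else:
            raise ValueError(f"unknown ACL tag: {tag}")
    return acl


def check_access(acl: Acl, user: str, groups, requested: str) -> bool:
    """POSIX.1e access check (acl(5)): first matching class decides, named/group entries are masked."""
    want = perm_bits(requested)
    mask = 7 if acl.mask is None else acl.mask
    # 1. File owner: the user:: entry decides and the mask is NOT applied.
    #    A named user:<owner>: entry is never consulted for the owner.
    if user == acl.owner:
        return acl.user_obj & want == want
    # 2. Named user entry, limited by the mask.
    if user in acl.users:
        return acl.users[user] & mask & want == want
    # 3. Owning group and named groups: access if ANY matching entry grants all bits.
    matched = False
    for g in groups:
        if g == acl.group:
            matched = True
            if acl.group_obj & mask & want == want:
                return True
        if g in acl.groups:
            matched = True
            if acl.groups[g] & mask & want == want:
                return True
    if matched:
        return False
    # 4. Everyone else.
    return acl.other & want == want


def effective(acl: Acl, user: str, groups) -> str:
    """Per-bit view of what check_access() would grant, rendered like 'r--'."""
    return "".join(p if check_access(acl, user, groups, p) else "-" for p in "rwx")


def as_signed32(n: int) -> int:
    """Reinterpret an unsigned 32-bit id as ls prints it as a signed value (4294967195 -> -101)."""
    return n - (1 << 32) if n & 0x80000000 else n


if __name__ == "__main__":
    acl = parse_getfacl(GETFACL_TEXT)
    print("owner gunag  :", effective(acl, "gunag", ["domusers"]))
    print("other member :", effective(acl, "ansil", ["domusers"]))
    print("uid 4294967195 as signed 32-bit:", as_signed32(4294967195))
```

Run as shown, the owner gunag gets r-- on the quoted file: because gunag is the file owner, the user:: entry (r--) is the one that applies, and the user:gunag:rwx entry the client wrote is never reached. Whether gunag can delete the file is a separate question that depends on write and search permission on the parent directory, whose ACL is not shown in the post. The uid the Mac printed, 4294967195, is -101 when read as a signed 32-bit value, i.e. the client is displaying a negative placeholder rather than an id mapped from AD.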