Hello everybody,

Google as I might, I cannot find any recent discussions on solving this problem, many times asked, but no solutions have worked for me.

Synopsis of details: CentOS 5.5 64-bit, samba3x-common-3.3.8-0.52.el5_5.2, samba3x-winbind-3.3.8-0.52.el5_5.2, Windows AD 2008.

As all the threads I find are quite old, hopefully things have changed, or maybe I am wasting time and it is not possible? Please let me know if this is the case.

Why does samba+winbind ignore the local unix groups?

I have joined my samba server to Windows AD. I have configured a share with the values:

    [public_share]
    #Perms are 777
    path = /home/pub_share
    comment = Public_Share
    writable = yes
    create mask = 775
    directory mask = 775
    browsable = yes
    valid users = @adgroup

If I use a group from Windows AD, there is no problem accessing the share, but we do not want to add / change groups in AD; we need to add users to our local /etc/groups, as access to Windows AD is very limited and we would rather control things on the linux side and use the single sign on from AD for the users.

If I change valid users to:

    valid users = @linuxgroup

and create a user and add them to that group on the samba server, it does not work: they can ssh into the machine using the local user password OR their Win AD credentials via winbind, but cannot access the share via SMB.

id <username> shows all groups the user belongs to in WinAD and /etc/group.

    getent passwd
    getent group
    wbinfo -g
    wbinfo -u

All show the correct values I would expect.

Below are my configs; if you need more info let me know. I have tried many things including group maps, adding DOMAIN+user and various other things.

If you have a working SAMBA+AD+WINBIND+LOCALGROUPS I would love to know about it!

Thanks,
Steve.
CONFIGURATION FILES:

#/etc/smb.conf
    [global]
    # General name options
    log level = 2
    workgroup = xxxx
    netbios name = smb1
    server string = samba test server
    idmap backend = rid:xxxx=5000-100000000
    idmap uid = 10000-100000000
    idmap gid = 10000-100000000
    security = ads
    encrypt passwords = yes
    realm = xxx
    password server = xxx
    os level = 10
    # Winbind Stuff - Active Directory
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind use default domain = yes
    winbind separator = +
    template shell = /bin/bash
    template homedir = /home/%D/%U
    obey pam restrictions = yes
    # Disabled printing
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    # Extended ACL support
    map acl inherit = no
    nt acl support = no

    [public_share]
    path = /home/pub_share
    comment = Public_Share
    writable = yes
    create mask = 775
    directory mask = 775
    browsable = yes
    valid users = @linuxgroup

--------------------------------------------------

/etc/pam.d/system-auth
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_krb5.so use_first_pass
    auth        sufficient    pam_smb_auth.so use_first_pass nolocal
    auth        sufficient    pam_winbind.so use_first_pass auth krb5_ccache_type=FILE
    auth        required      pam_deny.so

    account     required      pam_unix.so broken_shadow
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
    account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
    account     required      pam_permit.so

    password    requisite     pam_cracklib.so try_first_pass retry=3
    password    sufficient    pam_unix.so sha256 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_krb5.so use_authtok
    password    sufficient    pam_winbind.so use_authtok
    password    required      pam_deny.so

    session     required      pam_mkhomedir.so skel=/etc/skel umask=0022 silent
    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_krb5.so

--------------------------------------------------

#nsswitch.conf
    passwd:   files winbind
    shadow:   files winbind
    group:    files winbind

--------------------------------------------------
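As an added illustration (not Samba's code, and not from anyone in this thread): a simplified model of how a share's "valid users" / "invalid users" entries are matched against the users and groups that NSS returns, including the @ / + / & prefixes and the DOMAIN+user form mentioned above. The passwd and group rows, user names and group names below are constructed.

```python
# Added example, not Samba's code: a simplified model of how a share's
# "valid users" / "invalid users" lists are evaluated against the NSS view of
# users and groups (what "getent passwd"/"getent group" return). Data is constructed.
PASSWD = """\
steve:x:1001:1001::/home/steve:/bin/bash
alice:x:10005:10005::/home/XXXX/alice:/bin/bash
bob:x:10006:10006::/home/XXXX/bob:/bin/bash
"""
GROUP = """\
linuxgroup:x:1500:steve,alice
adgroup:x:10100:alice,bob
"""

def parse_passwd(text):
    """Map user name -> primary gid."""
    rows = (line.split(":") for line in text.splitlines())
    return {f[0]: int(f[3]) for f in rows if len(f) >= 4}

def parse_group(text):
    """Map group name -> (gid, set of listed members)."""
    rows = (line.split(":") for line in text.splitlines())
    return {f[0]: (int(f[2]), {m for m in f[3].split(",") if m}) for f in rows if len(f) >= 4}

def user_groups(user, passwd, groups):
    """Primary group plus every group that lists the user as a member."""
    pgid = passwd.get(user)
    return {g for g, (gid, members) in groups.items() if gid == pgid or user in members}

def entry_matches(entry, user, ugroups, netgroups):
    # Samba prefixes: "@" = NIS netgroup first, then UNIX group; "+" = UNIX
    # group only; "&" = netgroup only; anything else is a user name.
    name = entry[1:]
    if entry.startswith("@"):
        return name in netgroups.get(user, set()) or name in ugroups
    if entry.startswith("+"):
        return name in ugroups
    if entry.startswith("&"):
        return name in netgroups.get(user, set())
    return entry.lower() == user.lower()

def share_allows(share, user, passwd_text=PASSWD, group_text=GROUP, netgroups=None, separator="+"):
    """True if `user` may connect to the share given as a dict of smb.conf options."""
    netgroups = netgroups or {}
    user = user.split(separator)[-1]  # "winbind use default domain": DOMAIN+user -> user
    ugroups = user_groups(user, parse_passwd(passwd_text), parse_group(group_text))
    split = lambda v: v.replace(",", " ").split()
    if any(entry_matches(e, user, ugroups, netgroups) for e in split(share.get("invalid users", ""))):
        return False  # an "invalid users" match always denies
    valid = split(share.get("valid users", ""))
    return not valid or any(entry_matches(e, user, ugroups, netgroups) for e in valid)
```

Running share_allows({"valid users": "@linuxgroup"}, "bob") against the constructed data returns False because bob is in neither the primary nor the supplementary members of linuxgroup; this is the check to reproduce with getent group on a real server before suspecting Samba.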
Hi,

-------- Original Message --------
> Why does samba+winbind ignore the local unix groups ?
>
> I have joined my samba server to Windows AD.
>
> I have configured a share with the values:
> [public_share]
> #Perms are 777
> path = /home/pub_share
> comment = Public_Share
> writable = yes
> create mask = 775
> directory mask = 775
> browsable = yes
> valid users = @adgroup
>
> If I use a group from Windows AD, there is no problem accessing the share,
> but we do not want to add / change groups in AD, we need to add users to
> our local /etc/groups as access to Windows AD is very limited and we would
> rather control things on the linux side, and use the single sign on from
> AD for the users.

I am not the best expert the mailing list has to offer, but I think when you are using AD and winbind you need group information locally and in AD + mapping between AD and local groups - otherwise you will step into various problems. Alternatives are (1) switching off winbind (then samba falls back to local group information only) or (2) administer your local groups via AD rfc2307 schema extension + winbind + nsswitch.

hth
werner
sf878787767676 at gmail.com
2011-Mar-29 01:28 UTC
[Samba] samba winbind ignores local unix groups.
Hi, thanks very much for your feedback. I now have it working in my Virtualbox lab and will make the changes in production shortly.

The trick was to rely on kerberos only; thanks for the winbind tip, it was confusing me horribly. I disabled winbind and did more testing; now anyone who has authenticated to AD, and is in a local linux group for the share, can connect.

Thanks again,
Steve.

Werner Durgarten <wernerdurgarten at gmx.de> wrote:
> Hi,
>
> I am not the best expert the mailing list has to offer, but I think when
> you are using AD and winbind you need group information locally and in AD
> + mapping between AD and local groups - otherwise you will step into
> various problems. Alternatives are (1) switching off winbind (then samba
> falls back to local group information only) or (2) administer your local
> groups via AD rfc2307 schema extension + winbind + nsswitch.
> hth
> werner
On Mon, Mar 28, 2011 at 05:26:30PM +1300, s f wrote:
> Google as I might, I cannot find any recent discussions on solving this
> problem, many times asked, but no solutions have worked for me.

Try "username map script = /bin/echo".

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen