Thomas Burger
2015-Jan-13 09:02 UTC
[Samba] Ubuntu SSSD Active Directory Authorization issue (group membership is not honored)
Hello all,

after spending the last days fighting and researching I hope someone can point me to a solution here.

Even if I am using Debian / Ubuntu since years I wouldn't consider myself as a Linux professional. I have some experience though.

What I try to accomplish:
- Centrally administrated groups for file services. Right now it is only one server but there will be more.

Setup:
- System 1: Ubuntu 14.04 LTS as Active Directory Controller with Samba 4.1 (Sernet package)
- System 2: Ubuntu 14.04 LTS as Member server.

What works:
- DNS & NTP
- Kerberos integration via Keytab file. SSSD 1.11.5 uses "id_provider = ad" for this.
- getting AD members and groups via getent passwd and getent group
- Authentication with a domain user on "System 2" via SSH
- Authentication on Samba instance "Server 2" via AD-Users.
- getfacl / setfacl setting with domain object names.

My issue:
Authorization is not working. For example:
- Write list / read list / valid users options in smb.conf are not honored. Either I have all users being able to access everything or they can login to the server but if accessing the share this will fail.
- Skipped the samba authorization and moved this to the filesystem level. Set the acl to the appropriate AD groups with the appropriate level results in the same issue. I am also getting an "access denied" if I try to access the folder from within the SSH-session of an AD user. The user is in the group though.

My guesses:
Option 1: Somehow groups populated through SSSD are not being used for authorization. Neither for Samba share definition nor for the filesystem. I recognized that the IDs of "objects" coming from the AD are very high like
User:  guest:*:1994200501:1994200514:Guest:/:
Group: domain admins:*:1994200512:administrator

Option 2: in samba logs I can see that the user authenticates with a "primary" group id but I am missing the "other groups". Is that expected?

[2015/01/12 22:23:51.235050, 2] ../source3/smbd/service.c:848(make_connection_snum)
  workstation (ipv4:x.y.z.y:63206) connect to service share1 initially as user >myuser< (uid=1994201119, gid=1994200513) (pid 1790)

ID reflects the domain users: domain users:*:1994200513:

My Questions:
Why is it not working? Do I have a conceptual issue?
If it is related to the IDs, how can I "lower" them? ID-Mapping is active already.

I also tried an installation with winbind but the situation kept the same. After that the system has been reinstalled to ensure that everything is cleaned up properly.

Any help is greatly appreciated!

Thomas

KRB5 conf:
>>
[libdefaults]
default_realm = MYDOMAIN.DE
dns_lookup_realm = false
dns_lookup_kdc = true

# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
    host = {
        rcmd = host
        ftp = ftp
    }
    plain = {
        something = something-else
    }
}
fcc-mit-ticketflags = true

[realms]
MYDOMAIN.DE = {
    kdc = DC
    admin_server = DC
}

[domain_realm]
.mydomain.de = MYDOMAIN.DE

[login]
krb4_convert = true
krb4_get_tickets = false
>>

sssd.conf
>>
[sssd]
services = nss, pam
config_file_version = 2
domains = mydomain.de

[nss]

[pam]

[domain/mydomain.de]
id_provider = ad
access_provider = ad
ad_hostname = dc.mydomain.de
ad_server = dc.mydomain.de
ad_domain = mydomain.de
enumerate = true
krb5_keytab=/etc/krb5.sssd.keytab
>>

smb.conf
>>
[global]
#### GLOBAL SETTINGS
netbios name = SERVER2
server string = SERVER2
workgroup = MYDOMAIN
realm = MYDOMAIN.DE
server role = MEMBER SERVER

#### SECURITY SETTINGS
security = ads
allow trusted domains = Yes
map untrusted to domain = Yes
encrypt passwords = yes
client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2

#### SERVER SETTINGS
dns proxy = yes
domain master = no
local master = no
preferred master = no
os level = 0
follow symlinks = yes
veto files = /.DS_Store/Thumbs.db/thumbs.db/
server min protocol = SMB2
server max protocol = SMB3

#### PRINTING
disable spoolss = yes
load printers = no
idmap_ldb:use rfc2307 = yes

#### LOGGING
log level = 2
username level = 3
log file = /var/log/samba/log.%m
max log size = 50
syslog only = no
syslog = 2
panic action = /usr/share/samba/panic-action %d

######## SHARES
[share1]
path = /share/share1
browsable = yes
read only = no
guest ok = no
# The access control is configured on the file system level.
>>
Hans-Kristian Bakke
2015-Jan-14 17:03 UTC
[Samba] Ubuntu SSSD Active Directory Authorization issue (group membership is not honored)
sssd-ad can't provide proper ID-mapping for internal Samba fileserver use until sssd 1.12, where the following functionality was introduced:

* SSSD provides an ID-mapping plugin for cifs-utils so that Windows SIDs can be mapped onto POSIX IDs and/or names without requiring Winbind and using the same code as the SSSD uses for identity information.

Hence you have to have winbind installed and set up for samba fileserver use in sssd < 1.12.X. You should not install libpam-winbind and libnss-winbind, as you will still use sssd-ad for all authentication purposes in the system. Winbind is there only to resolve Windows SIDs for Samba fileserver purposes.

This should be sufficient:
---
apt-get install winbind
---

And something like this added to your samba config (from my own):
---
# Winbind configuration. Remove winbind when sssd-ad 1.12.1 arrives to jessie
winbind cache time = 300
winbind enum users = no
winbind enum groups = no
winbind expand groups = 5
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = no
winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : range = 300000-499999
---

Since you really got to have identical ID-mapping in both sssd-ad and winbind, there is really no good way to do that other than using centrally stored rfc2307 properties in AD. To use this in sssd-ad you also have to have this in your sssd.conf in your domain section:
----
ldap_id_mapping = false
----

I made a powershell script to automatically add all the properties to AD for everything.

Hope this was of some help for you.

Regards,
Hans-Kristian

On 13 January 2015 at 10:02, Thomas Burger <tburger at eritron.de> wrote:
> [...]
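Hans-Kristian's requirement that sssd-ad and winbind hand out identical IDs can be checked mechanically. The script below is an added example, not code from this thread or from Samba/SSSD: it parses the `idmap config ... : range` lines of an smb.conf and the passwd/group lines that `getent` returns through SSSD, then lists every entry whose ID lies outside winbind's range for the domain (which is what the original poster's 1994200xxx IDs would do against a 300000-499999 range) and flags overlapping idmap ranges, which winbind rejects. The smb.conf fragment and getent lines are constructed from values quoted in the thread.

```python
# Added example: check SSSD-assigned POSIX IDs against winbind's idmap ranges.
import re

# Constructed smb.conf fragment using the idmap lines suggested in the thread.
SMB_CONF = """\
[global]
idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : range = 300000-499999
"""

# Constructed getent passwd/group output echoing the IDs the poster observed.
GETENT = """\
guest:*:1994200501:1994200514:Guest:/:
myuser:*:1994201119:1994200513:My User:/home/myuser:/bin/bash
domain admins:*:1994200512:administrator
domain users:*:1994200513:
"""

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_idmap_ranges(conf):
    """Map each idmap domain ('*' is the default backend) to its (low, high)."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def parse_ids(getent_out):
    """Map entry name to its numeric id (third field of passwd and group lines)."""
    ids = {}
    for line in getent_out.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            ids[fields[0]] = int(fields[2])
    return ids

def overlapping_ranges(ranges):
    """winbind refuses overlapping idmap ranges; return every colliding pair."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def outside_domain_range(ids, ranges, domain):
    """Entries whose SSSD-assigned ID winbind could never produce for `domain`."""
    lo, hi = ranges[domain.upper()]
    return sorted(name for name, n in ids.items() if not lo <= n <= hi)

if __name__ == "__main__":
    for name in outside_domain_range(parse_ids(GETENT), parse_idmap_ranges(SMB_CONF), "MYDOMAIN"):
        print(f"{name}: SSSD id is outside winbind's MYDOMAIN range")
```

On a real member server, feed it `getent passwd` / `getent group` output captured while SSSD answers NSS, and the live smb.conf; an empty result from both functions is the precondition for the share-level and filesystem-level group checks to agree.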
Ashish Yadav
2015-Jan-15 04:58 UTC
[Samba] Ubuntu SSSD Active Directory Authorization issue (group membership is not honored)
Hi,

On Tue, Jan 13, 2015 at 2:32 PM, Thomas Burger <tburger at eritron.de> wrote:
> [...]
> I also tried an installation with winbind but the situation kept the same.
> After that system has been reinstalled to ensure that everything is cleaned
> up properly.

I have done the setting up of the Ubuntu 12.04.5 client using Winbind and lowering the uid and gid mapping so that it is easy to handle. My smb.conf is like this:

workgroup = INTRA
security = ADS
realm = INTRA.EXAMPLE.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba 4 Client %h
template homedir = /home/%U
template shell = /bin/bash
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind normalize names = Yes
idmap config * : backend = rid
idmap uid = 5000-4000000000
idmap gid = 5000-4000000000

After that join the Domain using "net ads join -U <Domain Admin>". Then restart the Samba and winbind services. After that make changes to nsswitch.conf so that it looks like:

passwd: compat winbind
group:  compat winbind

After that "id <Domain User>" should work and uid/gid should be showing a lower number.

--Regards
Ashishkumar S. Yadav
Peter Serbe
2015-Jan-15 08:52 UTC
[Samba] Ubuntu SSSD Active Directory Authorization issue (group membership is not honored)
On Tue, Jan 13, 2015 at 2:32 PM, Thomas Burger <tburger at eritron.de> wrote:
> What works:
...
> - getfacl / setfacl setting with domain object names.
>
> My issue:
> Authorization is not working. For example:
> - Write list / read list / valid users options in smb.conf are not
> honored.
...
> - Skipped the samba authorization and moved this to the filesystem level.
> Set the acl to the appropriate AD groups with the appropriate level results
> in the same issue.

This is not normal. Have You declared the RFC2307 unix attributes? I do this (on my home network, but anyway, I have different users with different privileges) and it works great.

If You absolutely don't want to use RFC2307, then You have to check that all the users and groups got the same IDs on all Your servers (even though there are only two at the moment). This might work with Winbind, too, but You have to do some configuration, too (too complicated for me, I am also not an expert).

If You start using RFC2307*) you should add the Unix ID during the creation of the user when You use samba-tool. You could also add the Unix ID from Windows, but then You have to do it for every single user by hand. I guess doing it by hand for the groups would be OK, but not for the users - at least if You got hundreds of them. ;-)

Best regards
Peter

*) do a new provisioning if possible. You can also fiddle the attributes into an existing domain, but You have to manipulate the LDB database, and this is not exactly fun.