Tovey, Mark
2015-Oct-09 17:54 UTC
[Samba] Make a share owned by a service account available to members of an AD group
Got it. I changed that section as follows:

    idmap config *:backend = tdb
    idmap config *:range = 5000-29999
    idmap config DEVELOPMENT:backend = ad
    idmap config DEVELOPMENT:schema_mode = rfc2307
    idmap config DEVELOPMENT:range = 30000-99999

It did not change the “map to guest = Bad Uid” issue, however. The error I see in the log file is:

    check_ntlm_password: Authentication for user [testuser] -> [testuser] FAILED with error NT_STATUS_NO_SUCH_USER

If I add the testuser account to the Linux system’s passwd file, then I see:

    check_ntlm_password: authentication for user [testuser] -> [testuser] -> [testuser] succeeded

The testuser account does not have a password on the Linux system; the password exists only in the AD system. So, I am able to map the share to my workstation using the testuser account only when the testuser account exists in both the AD system and the Linux system, which is what I am trying to avoid. I want to have the testuser account be in the AD system only.

The documentation for “map to guest = Bad Uid” states: “user logins which are successfully authenticated but which have no valid Unix user account should be mapped to the defined guest account.” The guest account is set to “nobody” and it does exist in the passwd file, but the mapping does not seem to be occurring. Am I misunderstanding the meaning here? Or perhaps how the guest account functions?
-Mark

________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
Sent: Friday, October 9, 2015 1:19 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Make a share owned by a service account available to members of an AD group

On 08/10/15 23:20, Tovey, Mark wrote:
> I have a requirement where I need to make a directory tree on a Linux system available to a group of users that authenticate against an AD system. I have successfully joined my system to our AD domain and I am able to manage access to a share with a security group in AD, so long as the group members also have accounts on the Linux system. I need to be able to set it up so that the user accounts do not need to exist on the Linux system; simply adding them to the AD security group is enough to grant them access to the share (providing that they properly authenticate). In addition, I want to map the members of the AD group to a specific account that is on the Linux server, and this account will be the owner of the share's directory tree and its contents.
>
> The goal here is for application management. The members of the AD group will be moving documents into and out of the application, and the application needs to be able to read and write to the share. So far I have not been able to get the group members to application account mapping to function.
>
> One other requirement is that I need to be able to support multiple shares on one server, each with a different owner, so setting guest account to an application account is not going to work.
>
> Below is the configuration I have cobbled together from various posts and from reading the documentation:
>
> [global]
> server string = Samba Server Version %v
>
> log file = /var/log/samba/log.%m
> max log size = 500
>
> log level = 3
>
> workgroup = DEVELOPMENT
> realm = DEVELOPMENT.MYDOMAIN.COM
> security = ADS
> password server = adserv.development.go2uti.com
> passdb backend = tdbsam
>
> domain master = no
> local master = no
> preferred master = no
>
> disable netbios = yes
> dns proxy = no
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = 5000-50000
> idmap config DEVELOPMENT:backend = ad
> idmap config DEVELOPMENT:schema_mode = rfc2307
> idmap config DEVELOPMENT:range = 10000-99999

Let's deal with this problem first: the first range (*) is for the well-known RIDs, the second (DEVELOPMENT) is for your users & groups. These ranges must *not* overlap; yours do!

Rowland

> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
> winbind normalize names = Yes
>
> map untrusted to domain = yes
> map to guest = Bad Uid
> username map = /etc/samba/users.map
>
> load printers = no
> printcap name = /dev/null
> printing = bsd
>
> [data]
> path = /opt/app/data
> read only = no
> writable = yes
> browseable = no
> hide dot files = yes
> hide special files = yes
> valid users = @DEVELOPMENT\smbgrp
> write list = @DEVELOPMENT\smbgrp
>
> And the contents of the users.map file:
>
> appacct = @DEVELOPMENT\smbgrp
>
> I am using Samba 4.0.0 on an OEL 6.5 server (RHEL 6.5 equivalent).
> Any help will be greatly appreciated.
> Thanks,
> -Mark
>
> ________________________________________________________________
> Mark Tovey - UNIX Engineer | Service Strategy & Design
> UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
> MTovey at go2uti.com | O / C +1 503 953-1389

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2015-Oct-09 18:35 UTC
[Samba] Make a share owned by a service account available to members of an AD group
On 09/10/15 18:54, Tovey, Mark wrote:
> Got it. I changed that section as follows:
>
> idmap config *:backend = tdb
> idmap config *:range = 5000-29999
> idmap config DEVELOPMENT:backend = ad
> idmap config DEVELOPMENT:schema_mode = rfc2307
> idmap config DEVELOPMENT:range = 30000-99999
>
> It did not change the “map to guest = Bad Uid” issue, however. The error I see in the log file is “check_ntlm_password: Authentication for user [testuser] -> [testuser] FAILED with error NT_STATUS_NO_SUCH_USER”. If I add the testuser account to the Linux system’s passwd file, then I see “check_ntlm_password: authentication for user [testuser] -> [testuser] -> [testuser] succeeded”. The testuser account does not have a password on the Linux system; the password exists only in the AD system. So, I am able to map the share to my workstation using the testuser account only when the testuser account exists in both the AD system and the Linux system, which is what I am trying to avoid. I want to have the testuser account be in the AD system only.
>
> The documentation for “map to guest = Bad Uid” states: “user logins which are successfully authenticated but which have no valid Unix user account should be mapped to the defined guest account.” The guest account is set to “nobody” and it does exist in the passwd file, but the mapping does not seem to be occurring. Am I misunderstanding the meaning here? Or perhaps how the guest account functions?
You cannot have a local user and an AD user with the same name, so I would suggest removing the local user.

I know you have set up the 'ad' backend in smb.conf, but have you given any of your users a uidNumber attribute (and Domain Users a gidNumber)? These numbers need to be inside the range set in your smb.conf. If you haven't done this, then either do so, or change this line

    idmap config DEVELOPMENT:backend = ad

to

    idmap config DEVELOPMENT:backend = rid

Rowland
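The two checks Rowland raises in this thread can be verified offline before touching winbind: that the `*` and `DEVELOPMENT` idmap ranges do not overlap, and that, with the `ad` backend, a user's uidNumber and the primary group's gidNumber fall inside the domain range (idmap_ad uses the range as a filter and discards any ID outside it). The script below is an added example, not code from the thread or from Samba; the smb.conf fragments are the ones quoted above, the parser and the check functions are my own, and the uidNumber/gidNumber values fed to the check are the ones Mark reports later in the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the idmap lines from the smb.conf quoted at the start of the thread
SMB_CONF_ORIGINAL = """
[global]
   workgroup = DEVELOPMENT
   security = ADS
   idmap config *:backend = tdb
   idmap config *:range = 5000-50000
   idmap config DEVELOPMENT:backend = ad
   idmap config DEVELOPMENT:schema_mode = rfc2307
   idmap config DEVELOPMENT:range = 10000-99999
"""

# Constructed sample: the corrected ranges from Mark's follow-up message
SMB_CONF_FIXED = (SMB_CONF_ORIGINAL
                  .replace("5000-50000", "5000-29999")
                  .replace("10000-99999", "30000-99999"))

# Matches lines of the form "idmap config <domain>:<option> = <value>"
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$",
                      re.IGNORECASE)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {option: value}} for every 'idmap config' line in smb.conf text."""
    idmap: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.group(1), m.group(2).lower(), m.group(3)
            idmap.setdefault(domain, {})[option] = value
    return idmap


def parse_range(value: str) -> Tuple[int, int]:
    """'5000-29999' -> (5000, 29999); rejects inverted ranges."""
    lo, hi = (int(x) for x in value.split("-", 1))
    if lo > hi:
        raise ValueError(f"inverted idmap range {value!r}")
    return lo, hi


def find_overlaps(idmap: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Pairs of idmap domains whose ranges share at least one ID (Rowland's first point)."""
    ranges = {d: parse_range(o["range"]) for d, o in idmap.items() if "range" in o}
    names = sorted(ranges)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_lo, a_hi = ranges[a]
            b_lo, b_hi = ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                overlaps.append((a, b))
    return overlaps


def check_user_mapping(idmap: Dict[str, Dict[str, str]], domain: str,
                       uid_number: int, gid_number: int) -> List[str]:
    """Problems the 'ad' backend would have with a user's RFC2307 attributes:
    idmap_ad treats the domain range as a filter, so an out-of-range uidNumber
    or primary-group gidNumber is discarded and the user cannot be mapped."""
    opts = idmap.get(domain, {})
    if opts.get("backend", "").lower() != "ad":
        return [f"{domain} does not use the ad backend (got {opts.get('backend')!r})"]
    lo, hi = parse_range(opts["range"])
    problems = []
    for label, value in (("uidNumber", uid_number), ("gidNumber", gid_number)):
        if not lo <= value <= hi:
            problems.append(f"{label} {value} is outside the {domain} range {lo}-{hi}")
    return problems


if __name__ == "__main__":
    for name, conf in (("original", SMB_CONF_ORIGINAL), ("fixed", SMB_CONF_FIXED)):
        print(name, "overlaps:", find_overlaps(parse_idmap(conf)))
    # Values Mark reports for testuser: uidNumber 30089, gidNumber 100
    print(check_user_mapping(parse_idmap(SMB_CONF_FIXED), "DEVELOPMENT", 30089, 100))
```

Run against the thread's numbers, the fixed configuration has no overlap, but testuser's primary gidNumber of 100 lies outside 30000-99999, which the `ad` backend will not accept even though the uidNumber 30089 is fine. The same filter is why the `*` range must stay separate: the well-known and BUILTIN SIDs are allocated from it, and an overlap means the same numeric ID can be handed to two different security principals, which is an ownership and ACL integrity problem on every file the share holds.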
Tovey, Mark
2015-Oct-09 19:31 UTC
[Samba] Make a share owned by a service account available to members of an AD group
The only way it seems to work is if I do have both the local and AD user with the same name. But my goal here is to not require that, to have the AD account only.

I have applied Unix attributes to the users. testuser uidNumber = 30089 and gidNumber = 100. However, when I try to query with wbinfo, I was unable to look that up:

    wbinfo -i "DEVELOPMENT\testuser"
    failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND

I get the same result regardless of whether the account is in the local passwd file or not.

I switched to “rid” and now I can successfully query for the testuser account:

    wbinfo -i "DEVELOPMENT\testuser"
    testuser:*:36385:30513::/home/testuser:/bin/bash

but the uidNumber and gidNumber do not match what is in AD. And it still will not allow the testuser account to map the share unless the account exists in the local passwd file. It is getting the password from AD, but only if the account exists in the local system too.

-Mark

________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389
________________________________________________________________

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
Sent: Friday, October 9, 2015 11:36 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Make a share owned by a service account available to members of an AD group

> On 09/10/15 18:54, Tovey, Mark wrote:
>
> You cannot have a local user and an AD user with the same name, so I would suggest removing the local user.
>
> I know you have set up the 'ad' backend in smb.conf, but have you given any of your users a uidNumber attribute (and Domain Users a gidNumber)? These numbers need to be inside the range set in your smb.conf. If you haven't done this, then either do so, or change this line 'idmap config DEVELOPMENT:backend = ad' to 'idmap config DEVELOPMENT:backend = rid'
>
> Rowland