Tovey, Mark
2015-Oct-09 19:57 UTC
[Samba] Make a share owned by a service account available to members of an AD group
No joy. I added winbind to the passwd, shadow, and group lines and it is still
not working. I also switched back to ad instead of rid (I deleted the Samba
database files in /var/lib/samba and rejoined the domain when I switched), and
still the same. If the account exists locally I can authenticate against AD and
map the share. No local account and it fails.
-Mark
________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of John Yocum
Sent: Friday, October 9, 2015 12:37 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Make a share owned by a service account available to
members of an AD group
On 10/09/2015 12:31 PM, Tovey, Mark wrote:
> The only way it seems to work is if I do have both the local and AD
> user with the same name. But my goal here is to not require that, to have the
> AD account only.
> I have applied Unix attributes to the users. testuser uidNumber =
> 30089 and gidNumber = 100. However, when I try to query with wbinfo, I was
> unable to look that up:
>
> wbinfo -i "DEVELOPMENT\testuser"
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>
> I get the same result regardless of if the account is in the local
> passwd file or not.
> I switched to “rid” and now I can successfully query for the testuser
> account:
>
> wbinfo -i "DEVELOPMENT\testuser"
> testuser:*:36385:30513::/home/testuser:/bin/bash
>
> but the uidNumber and gidNumber do not match what is in AD. And it
> still will not allow the testuser account to map the share unless the account
> exists in the local passwd file. It is getting the password from AD, but only
> if the account exists in the local system too.
> -Mark
>
> ________________________________________________________________
> Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW
> Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
> MTovey at go2uti.com | O / C +1 503 953-1389
>
Do you have winbind listed in your nsswitch.conf? If not, you'll need that
so the OS itself will see the AD users.
--
John Yocum, Systems Administrator, DEOHS
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2015-Oct-09 20:15 UTC
[Samba] Make a share owned by a service account available to members of an AD group
On 09/10/15 20:57, Tovey, Mark wrote:
> No joy. I added winbind to the passwd, shadow, and group lines and it is still
> not working. I also switched back to ad instead of rid (I deleted the Samba
> database files in /var/lib/samba and rejoined the domain when I switched), and
> still the same. If the account exists locally I can authenticate against AD and
> map the share. No local account and it fails.
> -Mark
>
> ________________________________________________________________
> Mark Tovey - UNIX Engineer | Service Strategy & Design
> UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
> MTovey at go2uti.com | O / C +1 503 953-1389
>
Until you can get 'getent passwd username' to return the user's info, it
will never work, and I can assure you it will work if everything is set up correctly.
Can you post:
smb.conf
/etc/resolv.conf
/etc/krb5.conf
The result of 'net ads testjoin'
Rowland
Tovey, Mark
2015-Oct-09 21:42 UTC
[Samba] Make a share owned by a service account available to members of an AD group
Here is my configuration:
smb.conf:
[global]
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 500
log level = 3
workgroup = DEVTST-CORP
realm = DEVTST-CORP.GO2UTI.COM
security = ADS
password server = sinmdp04.devtst-corp.go2uti.com
passdb backend = tdbsam
domain master = no
local master = no
preferred master = no
disable netbios = yes
dns proxy = no
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 5000-29999
idmap config DEVTST-CORP:backend = ad
idmap config DEVTST-CORP:schema_mode = rfc2307
idmap config DEVTST-CORP:range = 30000-99999
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
winbind normalize names = Yes
map untrusted to domain = yes
map to guest = Bad Uid
guest account = nobody
load printers = no
printcap name = /dev/null
printing = bsd
[data]
path = /opt/app/data
read only = no
writable = yes
browseable = no
guest ok = yes
hide dot files = yes
hide special files = yes
force user = webserv
force group = webserv
create mask = 0644
directory mask = 0755
valid users = @DEVTST-CORP\smbgrp
write list = @DEVTST-CORP\smbgrp
resolv.conf:
domain devtst.go2uti.com
search devtst.go2uti.com devtst-corp.go2uti.com
nameserver 10.240.4.100
nameserver 10.254.4.125
nameserver 10.8.246.38
/krb5.conf:
[logging]
default = FILE:/var/log/samba/krb5libs.log
kdc = FILE:/var/log/samba/krb5kdc.log
admin_server = FILE:/var/log/samba/kadmind.log
[libdefaults]
default_realm = DEVTST-CORP.GO2UTI.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = true
[realms]
DEVTST-CORP.GO2UTI.COM = {
kdc = sinmdp04.devtst-corp.go2uti.com:88
admin_server = sinmdp04.devtst-corp.go2uti.com:749
default_domain = DEVTST-CORP
}
[domain_realm]
.devtst-corp.go2uti.com = DEVTST-CORP.GO2UTI.COM
devtst-corp.go2uti.com = DEVTST-CORP.GO2UTI.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
net ads testjoin:
Join is OK
________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389
> Until you can get 'getent passwd username' to return the user's info, it
> will never work, and I can assure you it will work if everything is set up correctly.
> Can you post:
> smb.conf
> /etc/resolv.conf
> /etc/krb5.conf
> The result of 'net ads testjoin'
> Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
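Rowland's precondition ('getent passwd username' must return the AD user) rests on two things the thread touches: nsswitch.conf routing passwd and group lookups through winbind, and, with "idmap config DOMAIN:backend = ad", the user's uidNumber and the gidNumber of its primary group both falling inside that domain's "idmap config DOMAIN:range". Winbind silently drops a user whose attributes fall outside the range, which surfaces as a failed getent/wbinfo lookup. The script below is an added example written for this page, not code from the thread or from the Samba project; it checks both conditions offline against a constructed nsswitch.conf and the numbers posted above (range 30000-99999, testuser uidNumber 30089, gidNumber 100). The function names and the sample file are the example's own.

```shell
#!/bin/sh
# Added example: offline checks for the two preconditions behind
# "getent passwd <user>" returning an AD user via winbind.

# 1. nsswitch.conf must list winbind on both the passwd and group lines.
#    Usage: nss_has_winbind /etc/nsswitch.conf ; exit status 0 when both
#    lines list winbind (comments after '#' are ignored).
nss_has_winbind() {
    file="$1"
    grep -Eq '^[[:space:]]*passwd:[^#]*winbind' "$file" &&
    grep -Eq '^[[:space:]]*group:[^#]*winbind' "$file"
}

# 2. With the ad idmap backend an ID is only usable if it lies inside the
#    domain's configured range.  Usage: in_idmap_range ID "LOW-HIGH"
in_idmap_range() {
    id="$1"; low="${2%-*}"; high="${2#*-}"
    [ "$id" -ge "$low" ] && [ "$id" -le "$high" ]
}

# Check a user's uidNumber and primary-group gidNumber against the range.
# Prints one line per problem; exit status 1 if either is out of range.
# Usage: check_posix_attrs UID GID "LOW-HIGH"
check_posix_attrs() {
    uid="$1"; gid="$2"; range="$3"; rc=0
    in_idmap_range "$uid" "$range" || { echo "uidNumber $uid outside idmap range $range"; rc=1; }
    in_idmap_range "$gid" "$range" || { echo "gidNumber $gid outside idmap range $range"; rc=1; }
    return $rc
}

# Constructed sample nsswitch.conf (hypothetical, not the poster's file)
# so the script runs without touching the real system.
sample_nss=$(mktemp)
cat > "$sample_nss" <<'EOF'
passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns
EOF

demo() {
    if nss_has_winbind "$sample_nss"; then
        echo "nsswitch: winbind present on passwd and group lines"
    else
        echo "nsswitch: winbind missing; getent will never see AD users"
    fi
    # Values from the thread: smb.conf range 30000-99999,
    # testuser uidNumber 30089 and gidNumber 100.
    if check_posix_attrs 30089 100 30000-99999; then
        echo "attributes in range; look elsewhere (nsswitch, join, DNS)"
    else
        echo "fix the attribute(s) above or widen the range, then retry getent"
    fi
}
demo
rm -f "$sample_nss"
```

Run it as-is to see the report; to check a real host, call nss_has_winbind on /etc/nsswitch.conf and feed check_posix_attrs the uidNumber and gidNumber read from AD together with the range from smb.conf. With the values posted in this thread the script flags gidNumber 100 as outside 30000-99999, the kind of mismatch that keeps an otherwise correct join from resolving the user.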