Joseph Dickson
2016-Mar-23 15:32 UTC
[Samba] Samba 4 with sssd - primary Windows group membership not honored
Greetings!

I am working with Samba 4 as a domain member fileserver (not a domain controller, just a normal ads member fileserver). Operating system is CentOS 7. SSSD is configured and pulling information correctly.

I had to work around a bug that wasn't fixed in a released version, so I am using a recent copy from git. smbd -V:
Version 4.5.0pre1-GIT-c06058a

I'm relying on Windows ACLs for access control. Many of my ACLs reference the Domain Users group. What I'm seeing is that if a user has "Domain Users" as their primary group (which is common here), the "Domain Users" group doesn't show up in their list of SIDs. If a different group is primary for that user, then "Domain Users" will show up in the SID list and Samba will allow access properly (though the new primary group won't work correctly).

Is there some magic somewhere that I'm missing with how Samba 4 treats the primary Windows group? It's definitely hard to keep straight which parts of the system are responsible for SID mapping and management once you add in winbind and sssd. Any pointers would be very appreciated. If there is any debug output that I can provide, I would be happy to.

Thanks!

Joe

--
*Joseph Dickson*
Director of IT Systems, Evolve Tele-Services, Inc.
Rowland penny
2016-Mar-23 15:53 UTC
[Samba] Samba 4 with sssd - primary Windows group membership not honored
See inline comments

On 23/03/16 15:32, Joseph Dickson wrote:
> Greetings!
>
> I am working with Samba 4 as a domain member fileserver (not a domain
> controller, just a normal ads member fileserver). Operating system is
> Centos 7. SSSD is configured and pulling information correctly.
>
> I had to work around a bug that wasn't fixed in a released version, so I am
> using a recent copy from git.. smbd -V:
> Version 4.5.0pre1-GIT-c06058a
>
> I'm relying on Windows ACLs for access control. Many of my ACLs reference
> the Domain Users group. What I'm seeing is that if a user has "Domain
> Users" as their primary group (which is common here)

As standard, every domain user's primary group is 'Domain Users'.

> that the "Domain
> Users" group doesn't show up in their list of SIDs.

Again, as standard, no user shows as being a member of 'Domain Users'.

> If a different group
> is primary for that user, then "Domain Users" will show up in the SID list
> and Samba will allow access properly (though the new primary group won't
> work correctly)

To change a user's primary group is a bit like jumping through hoops: you have to add the user to the group that you want to be the new primary group, then change the primaryGroupID attribute to contain the RID of the new group, and then finally add the user to the 'Domain Users' group. If I were you, I wouldn't bother, as AD expects every user's primary group to be 'Domain Users'.

> Is there some magic somewhere that I'm missing with how Samba 4 treats the
> primary windows group? It's definitely hard to keep straight which parts
> of the system are responsible for SID mapping and management once you add
> in winbind and sssd..

You shouldn't really be using winbind and sssd together; select one and then remove the other.

> Any pointers would be very appreciated. If there is any debug output that
> I can provide, I would be happy to..

If you decide to stick with sssd, then I would suggest you will get more and better help from the sssd users mailing list, but if you decide to use winbind instead, then this is the place to ask.

Rowland
Joseph Dickson
2016-Mar-23 16:18 UTC
[Samba] Samba 4 with sssd - primary Windows group membership not honored
Thanks for the reply! I'm confused on a few bits:

> To change a users primary group is a bit like jumping through hoops, you
> have to add the user to the group that you want to be the new primary
> group, then change the primaryGroupID attribute to contain the RID of the
> new group and then finally add the user to the 'Domain Users' group. If I
> were you, I wouldn't bother, as AD expects every users primary group to be
> 'Domain Users'.

I've since come up with a theory. I'm relying on the NT ACL lists for permissions management, but that creates some hassles with making sure that smbd still has the needed UNIX permissions. I'm using force group = users in my smb.conf, combined with a mask that makes sure files are created as group writable at the UNIX level. It appears that since "force group" changes the user's effective primary group, it is replacing the fact that the user is a member of "Domain Users". This doesn't seem like correct behavior, but I'm not sure. I'm having trouble thinking of a way to work around it without making my files world writeable at the UNIX level.

> You shouldn't really be using winbind and sssd together, select one and
> then remove the other.

I've never seen a succinct description of how this should work in the Samba 4 world. What I've read over and over is that even if you aren't using winbind for UNIX integration (PAM, NSS, etc.), it needs to be running in order for smbd to operate properly: caching of domain controller connections, etc. In my limited experience, if I stop winbind I start to see all sorts of strange behaviors, including raw SIDs listed in Security panes etc. The way I have it currently set up, sssd is being used for the integration piece (nss, pam) but winbind is running for smbd to use. As best I can tell, that's the recommended configuration. Is there documentation that might clear it up?

I've tried digging through the docs I can find and unfortunately it seems to leave most of the guts of this process in the dark, so it's pretty hard to see the most correct/recommended way to configure Samba 4 as a transparent-ish file server replacement.

Thanks!

--
*Joseph Dickson*
Director of IT Systems, Evolve Tele-Services, Inc.
Harry Jede
2016-Mar-24 11:46 UTC
[Samba] Samba 4 with sssd - primary Windows group membership not honored
Hi Joe,

> Greetings!
>
> I am working with Samba 4 as a domain member fileserver (not a domain
> controller, just a normal ads member fileserver). Operating system
> is Centos 7. SSSD is configured and pulling information correctly.
>
> I had to work around a bug that wasn't fixed in a released version,
> so I am using a recent copy from git.. smbd -V:
> Version 4.5.0pre1-GIT-c06058a
>
> I'm relying on Windows ACLs for access control. Many of my ACLs
> reference the Domain Users group. What I'm seeing is that if a user
> has "Domain Users" as their primary group (which is common here)
> that the "Domain Users" group doesn't show up in their list of SIDs.
> If a different group is primary for that user, then "Domain Users"
> will show up in the SID list and Samba will allow access properly
> (though the new primary group won't work correctly)
>
> Is there some magic somewhere that I'm missing with how Samba 4
> treats the primary windows group?

No, I believe the magic you are searching for is nss. There is one group which is defined two times; the name of this group is users. The nss stops searching if a definition is found. You may have 3 possibilities:

1) change the order in /etc/nsswitch.conf *Not recommended*
2) rename/delete users in /etc/group *Not really recommended* but will work
3) use another group name for users in AD and map Domain Users to this group; choose a gid other than 100

> It's definitely hard to keep
> straight which parts of the system are responsible for SID mapping
> and management once you add in winbind and sssd..
>
> Any pointers would be very appreciated. If there is any debug output
> that I can provide, I would be happy to..
>
> Thanks!
>
> Joe
>
> --
> *Joseph Dickson*
> Director of IT Systems, Evolve Tele-Services, Inc.

--
Regards
Harry Jede
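As an added illustration of the nss first-match behaviour Harry describes (this is not code from the thread or from Samba/sssd), the shell functions below take constructed stand-ins for /etc/nsswitch.conf and /etc/group and report whether an AD group's name or gid would be shadowed by a local entry; the function names and sample data are my own.

```shell
#!/bin/sh
# Added example: when nsswitch lists "files" before "sss"/"winbind", a local
# /etc/group entry with the same name (or gid) as the AD group is returned
# first and the lookup stops there, which is what Harry describes.

# Constructed sample data standing in for /etc/nsswitch.conf and /etc/group.
SAMPLE_NSSWITCH='passwd: files sss
group: files sss
shadow: files'
SAMPLE_GROUP='root:x:0:
users:x:100:
wheel:x:10:joe'

# Print the first source consulted for the "group" database (e.g. "files").
first_group_source() {
    printf '%s\n' "$1" | awk '$1 == "group:" { print $2; exit }'
}

# Classify an AD group (name and gid) against the local group file:
#   name-shadowed  a local entry has the same name and files are searched first
#   gid-shadowed   a local entry has the same gid and files are searched first
#   local-dup      a local duplicate exists, but the directory is searched first
#   ok             no local entry shares the name or gid
check_ad_group() {
    nsswitch="$1"; groupfile="$2"; name="$3"; gid="$4"
    hit=$(printf '%s\n' "$groupfile" | awk -F: -v n="$name" -v g="$gid" '
        $1 == n { print "name"; exit }
        $3 == g { print "gid"; exit }')
    if [ -z "$hit" ]; then
        echo ok
        return 0
    fi
    if [ "$(first_group_source "$nsswitch")" = "files" ]; then
        echo "$hit-shadowed"
    else
        echo local-dup
    fi
}

# Example run: an AD group exported as "users" with gid 100 collides on the
# name; a differently named group with gid 100 still collides on the gid.
check_ad_group "$SAMPLE_NSSWITCH" "$SAMPLE_GROUP" users 100
check_ad_group "$SAMPLE_NSSWITCH" "$SAMPLE_GROUP" domainusers 100
check_ad_group "$SAMPLE_NSSWITCH" "$SAMPLE_GROUP" domainusers 10000
```

Run against the real files with `check_ad_group "$(cat /etc/nsswitch.conf)" "$(cat /etc/group)" NAME GID` to see which of Harry's three options applies to a given group.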