samba - Nov 2017 - How to use AD authentication for normal Samba file sharing

>From your Global config I see no IDMAP settings. You need that for Linux to
recognize your ad users.

See my blog top post for example: Monklinux.blogspot.com

Try my configuration, should work perfectly. Soz 4 short reply, typing on
phone.

Lemme know if it works. Note, pay attention to section under installing
samba.

On Sep 19, 2017 22:19, "Jamie McParland via samba" <samba at
lists.samba.org>
wrote:
> Thanks for everyone chiming in on my problem. I really do appreciate it.
>
> Just to clarify, I’m working on a share called Edwards_Public. I’m trying
> to get it so the members of the AD group called do_superintendent are the
> only people able to read and write any files in that directory.
>
> Here is my global config:
>
> workgroup = NSD
> client signing = yes
> client use spnego = yes
> kerberos method = secrets and keytab
> log file = /var/log/samba/%m.log
> log level = 5
> realm = NSD.NEWBERG.K12.OR.US
> security = ads
> wide links = yes
> unix extensions = no
> obey pam restrictions = yes
> hide files = /$*/
> hide files = /*.tmp
> hide special files = yes
> hide dot files = yes
> veto files = /.DS_Store/
> delete veto files = yes
>
> Based on the recommendations in this thread I’ve done the following:
>
> setfacl -m g:"domain admins":rwx,g:"domain users":rx
Edwards_Public
>
> net rpc rights grant "BUILTIN\Administrators"
SeDiskOperatorPrivilege -U
> "NSD\Administrator"
>
> Still not having any luck though.
>
> Jurie:
> >>Why not set your permissions from the windows server via security
tab on
> folder properties?
> I would like to do that. My account (mcparlandj) is in the domain admin AD
> group. But when I use the “Computer Management” application on Windows 7,
> click properties for the share I want to edit the permissions on and click
> the Security tab, I see this:
>
> “You do not have permission to view or edit this object’s permission
> settings”
>
> If I click on the Share Permissions tab, I’m able to add / remove / modify
> permissions for “Groups or user names”, but they don’t seem to actually
> work or do anything. For example, I set the do_superintendent group to
> allow Full Control, Change, Read. When I login to a windows machine as a
> user that is a member of the do_superintendent group and I click on the
> share they should have access to, I get a log and password prompt that pops
> up. I’m not able to get into that share.
>
> Also, another weird thing is after awhile I’ll go back to the “Computer
> Management” application, click on the Share Permissions tab, all the group
> names have changed into what look like SID numbers and the little person
> icon has a red question mark next to it.
>
> Lastly, I’ve opened an SSH session to the server, changed into the share in
> question. Then did an su to the user in the do_superintendent group and
> tried to create a file. I wasn’t able to. This may be expected behavior
> though as an ssh session doesn’t use SMB, but I’m grasping at straws trying
> to figure out what’s wrong.
>
>
>
>
>
> Thanks,
> Jamie McParland
> Technology Supervisor - Newberg Public Schools
> Office - 503•554•5026
>
> Visit our blog for how tos and Tech news.
> http://www.newberg.k12.or.us/tech/
>
> Tech Help Desk 6:30AM to 3:30PM (503) 554-5044
>
>
>
>
>
> On Tue, Sep 19, 2017 at 2:39 AM, L.P.H. van Belle via samba <
> samba at lists.samba.org> wrote:
>
> > Hai,
> >
> > I've just read you howto, and its a very good start point.
> > You may have to correct a few small things there, but imo pretty good
> yes.
> >
> > This :
> > > chown root."domain admins" /SHAREPATH
> > Is/should not needed.
> >
> > setacl -m g:"domain admins":rwx,g:"domain
users":rx /SHARELOCALPATH
> > ^^^^^^ you did mean setfacl ?
> > But same, yes it works, and better then above, but you may get other
> > problems later on.
> >
> > For example, can you test the following. ( login as domain admin on a
> > domain joined pc )
> > Start regedit, now can you connect to remote registry with regedit to
a
> > server.
> > ( from within file menu, connect to networkregistry ), search a member
> > server name.
> > And connect, did that work without problems?
> >
> > Imho, The op better use :
> > net rpc rights grant "BUILTIN\Administrators"
SeDiskOperatorPrivilege -U
> > "NSD\Administrator"
> > NSD\Domain Admins is member of BUILTIN\Administrator by default and
imo,
> > this is not sufficent for "Administrators"
> >
> > Setting the correct SePrivileges is imo, very important.
> > The is what i set for "BUILTIN\Administrators" , which i
took from my
> > Win2008R2 server.
> > (net rpc rights list accounts -U Administrator )
> > SeSecurityPrivilege
> > SeBackupPrivilege
> > SeRestorePrivilege
> > SeSystemtimePrivilege
> > SeShutdownPrivilege
> > SeRemoteShutdownPrivilege
> > SeTakeOwnershipPrivilege
> > SeDebugPrivilege
> > SeSystemEnvironmentPrivilege
> > SeSystemProfilePrivilege
> > SeProfileSingleProcessPrivilege
> > SeIncreaseBasePriorityPrivilege
> > SeLoadDriverPrivilege
> > SeCreatePagefilePrivilege
> > SeIncreaseQuotaPrivilege
> > SeChangeNotifyPrivilege
> > SeUndockPrivilege
> > SeManageVolumePrivilege
> > SeImpersonatePrivilege
> > SeCreateGlobalPrivilege
> > SeEnableDelegationPrivilege
> > SeInteractiveLogonRight
> > SeNetworkLogonRight
> > SeRemoteInteractiveLogonRight
> > SeDiskOperatorPrivilege
> >
> > In this post is a more complete output of some Seprivileges
> > https://www.spinics.net/lists/samba/msg144117.html
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >
> >
> > > -----Oorspronkelijk bericht-----
> > > Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> > > Jurie Botha via samba
> > > Verzonden: dinsdag 19 september 2017 11:02
> > > Aan: samba at lists.samba.org
> > > Onderwerp: Re: [Samba] Can't set SeDiskOperatorPrivilege to
> > > Domain Admins. (NT_STATUS_NO_SUCH_USER) Error.
> > >
> > > Why not set your permissions from the windows server via
> > > security tab on folder properties?
> > >
> > > I set up mine the following way:
> > >
> > > smb.conf allows domain admins and domain users full RWX
> > > access to share (actual access controlled via ACLs)
> > >
> > > share perms on linux box
> > >
> > > chown root."domain admins" /SHAREPATH
> > >
> > > setacl -m g:"domain admins":rwx,g:"domain
users":rx /SHARELOCALPATH
> > >
> > > I then assigned perms and ownership of folders via Windows.
> > >
> > > See my blog -
> > > http://monklinux.blogspot.com/2017/09/how-to-samba-4-file-
> > > server-as-member.html for how I set it up.
> > >
> > >
> > >
> > >
> > >
> > >
> > > On 19 September 2017 at 00:31, Jamie McParland via samba <
> > > samba at lists.samba.org> wrote:
> > >
> > > >
> > > > “Of course we must fear evil men, but there is another evil
that we
> > > > must fear more… and that is the indifference of good men.”
--
> > > > Monsignor
> > > >
> > > >> We’ve just recently moved over to Samba 4. It looks as
if “force
> > > >> directory security mode” doesn’t work in samba 4. So I’m
trying to
> > > >> setup the Windows ACLs on our groups share.
> > > >>
> > > >> I’ve been working on this for a few days. I’ve read over
> > > the docs, it
> > > >> seems like all the google links are purple and I’m still
stuck.
> > > >> Hopefully someone here will have an idea.
> > > >>
> > > >> We’re running Windows 2008R2 for our AD server. We’re
> > > running CentOS7
> > > >> as our smb server.
> > > >>
> > > >> People can login to the share using their AD credentials
> > > and when I
> > > >> run getent group "NSD\Domain Admins”, it returns a
list of
> > > people. So
> > > >> I know it’s talking to the AD server ok.
> > > >>
> > > >> The problem is when I run the following command:
> > > >> net rpc rights grant "NSD\Domain Admins"
> > > SeDiskOperatorPrivilege -U
> > > >> "NSD\Administrator"
> > > >> It asks me to the domain admin password Enter
NSD\Administrator's
> > > >> password:
> > > >> I enter the password and I get this in response:
> > > >> Failed to grant privileges for NSD\Domain Admins
> > > >> (NT_STATUS_NO_SUCH_USER)
> > > >>
> > > >> I’ve added what I need to, to fstab
> > > >> UUID=fd1a97e7-28ea-4df8-9ea1-3cd617c5277a /iscsi-groups
ext4
> > > >> _netdev,user_xattr,acl 0 0
> > > >>
> > > >> I’ve added this to the global section:
> > > >> username map = /etc/samba/user.map
> > > >> enable privileges = yes
> > > >>
> > > >> Here is the contents of /etc/samba/user.map:
> > > >>
> > > >> [root at smbgroups ~]# cat /etc/samba/user.map !root
> > > NSD\Administrator
> > > >> NSD\administrator
> > > >>
> > > >> I haven’t entered the other information to the global
> > > section of the
> > > >> server yet, because I have people using the server. So I
> > > just added
> > > >> it to a test share.
> > > >>
> > > >> [Edwards_Public]
> > > >> path = /iscsi-groups/Edwards_Public
> > > >> comment = Edwards_Public
> > > >> guest ok=no
> > > >> oplocks=yes
> > > >> read only = no
> > > >> inherit permissions=no
> > > >> directory mask=0770
> > > >> strict locking=auto
> > > >> create mask=0770
> > > >> force create mode = 0770
> > > >> nt acl support = Yes
> > > >> vfs objects = full_audit
> > > >> vfs objects = fruit streams_xattr
> > > >>
> > > >> I’ve restarted the SMB service and even restarted the
> > > whole server to
> > > >> no avail. I keep getting the “Failed to grant privileges
for
> > > >> NSD\Domain Admins (NT_STATUS_NO_SUCH_USER)” Error.
> > > >>
> > > >> The only “luck” I’ve had was adding someone like the
following:
> > > >> net rpc rights grant “irlbeckt at nsd.newberg.k12.or.us”
> > > >> SeDiskOperatorPrivilege -U "NSD\Administrator"
> > > >>
> > > >> Irlbeckt is not a local user on the system, but and AD
user.
> > > >>
> > > >> [root at smbgroups ~]# net rpc rights list privileges
> > > >> SeDiskOperatorPrivilege -U "NSD\administrator"
> > > >> Enter NSD\administrator's password:
> > > >> SeDiskOperatorPrivilege:
> > > >>   Unix User\mcparlandj
> > > >>   Unix Group\domain admins
> > > >>   BUILTIN\Administrators
> > > >>   Unix User\irlbeckt
> > > >>   Unix User\conek
> > > >>
> > > >> Unfortunately it comes back as “Unix User\irlbeckt” and
> > > not “NSD\irlbeckt”
> > > >>
> > > >> So at this point I’m stuck as to how to give the domain
admins
> > > >> SeDiskOperatorPrivilege
> > > >>
> > > >> I’d love to hear any ideas. Thanks!
> > > >> Jamie
> > > >> --
> > > >> To unsubscribe from this list go to the following URL
and read the
> > > >> instructions: 
https://lists.samba.org/mailman/options/samba
> > > >
> > > >
> > > >
> > > >
> > > > --
> > > >
> > > --
> > > To unsubscribe from this list go to the following URL and read
the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> > >
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

On Tue, 19 Sep 2017 23:31:51 +0200
Jurie Botha via samba <samba at lists.samba.org> wrote:
> From your Global config I see no IDMAP settings. You need that for
> Linux to recognize your ad users.
> 
> See my blog top post for example: Monklinux.blogspot.com
> 
> Try my configuration, should work perfectly. Soz 4 short reply,
> typing on phone.
Sorry, but it isn't perfect, it is mostly correct, but there are
several errors. Also Samba has its own documentation, so you should
point users to that.

Rowland

I have a Linux host used for file sharing. Although I have a Samba4 AD/DC
configured in the
LAN, this file-sharing host is not currently a domain member. Right now, the
smb.conf set up on
this server does not require any ID or passwords from Windows client
workstations. The current
smb.conf is shown below, only one of the shares is listed.

I would like to have this file-sharing host authenticate using Active Directory
authentication. That is, when the Windows user maps the shared drive, I would
like it to
authenticate with the domain credentials and not require the user to enter ID/PW
on the Map
Network Drive dialog.

Is this possible?

If so, I know how to make the Linux file-sharing host a domain member. What
would I have to do
to get Samba to authenticate the user's domain credentials?

My smb.conf:

[global]
netbios name = OHPRSSTORAGE
   workgroup = WORKGROUP
   server string = HPRS NAS server

domain master = no
prefered master = no

   security = user
   map to guest = Bad User

   hosts allow = 192.168.0. 127.

load printers = no
printcap name = /dev/null
printing = bsd
disable spoolss = yes

guest account = nevermind

   log file = /var/log/samba.%m
   max log size = 50

   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

   dns proxy = no 

[public]
path = /mnt/RAID/public

hide dot files = yes
map hidden = yes
hide files = /Outlook/outlook/~*/

veto oplock files = /OfficeCalendar.pst/
locking = yes
public = yes
guest ok = yes
guest only = yes
writeable = yes
browseable= yes
printable = no
create mask = 0660
force create mode = 0660
directory mask = 0771

With help from kjhambrick at linuxquestions.org I did figure out how to
authenticate from a
Window domain member to a samba share using AD credentials.  My smb.conf is
listed below.  I
was able to map the share from Windows using domain credentials and create a
file on the share.

Here's my next challenge: All the UID.GIDs on the share (287G and +105K
files) are currently
the non-AD values of 1001.301.  For the time being, I'd like to keep all
files, and all newly
created files with this UID.GID. 

How can I do this? On the "classic" samba share (not AD
authentication) this was accomplished
by:

   guest account = ohprso # where ohprso's UID = 1001

I've seen the smb.conf setting:

   !<server user> = <client user>

but I'm not sure that's appropriate in this case.

Is there such a mechanism for AD authenticated clients?

Thanks --Mark

my AD Authenticating smb.conf:

[global]
netbios name = OHPRSSTORAGE

   server string = HPRS NAS server

domain master = no
prefered master = no

realm = HPRS.LOCAL
workgroup = HPRS
usershare allow guests = Yes     # Do I need this?
usershare max shares = 10
security = ADS
template shell = /bin/bash

max log size = 10000
    
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = 10000-10099

winbind enum groups = Yes
winbind enum users = Yes
winbind nss info = rfc2307
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes

[public]
path = /mnt/RAID/public

hide dot files = yes
map hidden = yes
hide files = /Outlook/outlook/~*/

veto oplock files = /OfficeCalendar.pst/

inherit acls = yes
valid users = @"domain users"

locking = yes
public = yes
writeable = yes
browseable= yes
printable = no
create mask = 0660
force create mode = 0660
directory mask = 0771
                  
-----Original Message-----
Date: Mon, 20 Nov 2017 15:21:40 -0500
To: samba at lists.samba.org
User-Agent: Heirloom mailx 12.5 7/5/10
Subject: [Samba] How to use AD authentication for normal Samba file sharing
From: Mark Foley via samba <samba at lists.samba.org>

I have a Linux host used for file sharing. Although I have a Samba4 AD/DC
configured in the
LAN, this file-sharing host is not currently a domain member. Right now, the
smb.conf set up on
this server does not require any ID or passwords from Windows client
workstations. The current
smb.conf is shown below, only one of the shares is listed.

I would like to have this file-sharing host authenticate using Active Directory
authentication. That is, when the Windows user maps the shared drive, I would
like it to
authenticate with the domain credentials and not require the user to enter ID/PW
on the Map
Network Drive dialog.

Is this possible?

If so, I know how to make the Linux file-sharing host a domain member. What
would I have to do
to get Samba to authenticate the user's domain credentials?

My smb.conf:

[deleted]