Hi,

I'm trying to set up Samba 4.6 on CentOS 7.4 as a Domain Member of a Windows 2012R2 Domain Controller with AD. To administer share security I have to use the "username map" feature. This works when I enumerate individual AD users there. When I want to use AD groups it only works with "primary" groups. This way I can't use the "Domain Admins" group from AD there, since the "primary" group (unix style) of all AD users is "Domain Users".

I'm using the "rid" idmap backend, where I can't change linux primary group membership of AD users (in my experience). I know I can change linux primary group membership with the "ad" idmap backend, but also only when using the Unix extensions in AD (changing Windows primary group has no effect and is deprecated anyway). I want to avoid this and don't want to believe this is necessary in the first place.

Some configuration details:

smb.conf:
security = ADS
passdb backend = tdbsam
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 10000-999999
winbind enum users = yes
winbind enum groups = yes
username map = /etc/samba/user.map

/etc/samba/user.map:
!root = "@MYDOMAIN\Domain Admins" "@MYDOMAIN\domain admins"
-> this doesn't work!

/etc/nsswitch.conf:
passwd: files winbind
group: files winbind

# sudo -u 'MYDOMAIN\mleopo53' id
uid=13627(MYDOMAIN\mleopo53) gid=10513(MYDOMAIN\domain users) groups=10513(MYDOMAIN\domain users),3000(BUILTIN\administrators),3001(BUILTIN\users),10512(MYDOMAIN\domain admins),10572(MYDOMAIN\denied rodc password replication group),13627(MYDOMAIN\mleopo53) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

How can I solve this?

-- 
Matthias Leopold
IT Systems & Communications
Medizinische Universität Wien
Spitalgasse 23 / BT 88 / Ebene 00
A-1090 Wien
Tel: +43 1 40160-21241
Fax: +43 1 40160-921200

On Mon, 19 Feb 2018 17:03:31 +0100
Matthias Leopold via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I'm trying to set up Samba 4.6 on CentOS 7.4 as a Domain Member of a Windows 2012R2 Domain Controller with AD. To administer share security I have to use the "username map" feature. This works when I enumerate individual AD users there. When I want to use AD groups it only works with "primary" groups. This way I can't use the "Domain Admins" group from AD there, since the "primary" group (unix style) of all AD users is "Domain Users".
>
> I'm using the "rid" idmap backend, where I can't change linux primary group membership of AD users (in my experience). I know I can change linux primary group membership with the "ad" idmap backend, but also only when using the Unix extensions in AD (changing Windows primary group has no effect and is deprecated anyway). I want to avoid this and don't want to believe this is necessary in the first place.
>
> Some configuration details:
>
> smb.conf:
> security = ADS
> passdb backend = tdbsam
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config MYDOMAIN : backend = rid
> idmap config MYDOMAIN : range = 10000-999999
> winbind enum users = yes
> winbind enum groups = yes
> username map = /etc/samba/user.map

Is that your entire smb.conf ?

>
> /etc/samba/user.map:
> !root = "@MYDOMAIN\Domain Admins" "@MYDOMAIN\domain admins"

I have never tried to map a group to a User, but in any case you don't need to ;-)

You are using the 'rid' backend, so 'Domain Admins' gets a group ID, or to put it another way, the underlying Unix OS knows who 'Domain Admins' is.
Have you read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland

On 2018-02-19 at 17:39, Rowland Penny via samba wrote:
> On Mon, 19 Feb 2018 17:03:31 +0100
> Matthias Leopold via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> I'm trying to set up Samba 4.6 on CentOS 7.4 as a Domain Member of a Windows 2012R2 Domain Controller with AD. To administer share security I have to use the "username map" feature. This works when I enumerate individual AD users there. When I want to use AD groups it only works with "primary" groups. This way I can't use the "Domain Admins" group from AD there, since the "primary" group (unix style) of all AD users is "Domain Users".
>>
>> I'm using the "rid" idmap backend, where I can't change linux primary group membership of AD users (in my experience). I know I can change linux primary group membership with the "ad" idmap backend, but also only when using the Unix extensions in AD (changing Windows primary group has no effect and is deprecated anyway). I want to avoid this and don't want to believe this is necessary in the first place.
>>
>> Some configuration details:
>>
>> smb.conf:
>> security = ADS
>> passdb backend = tdbsam
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>> idmap config MYDOMAIN : backend = rid
>> idmap config MYDOMAIN : range = 10000-999999
>> winbind enum users = yes
>> winbind enum groups = yes
>> username map = /etc/samba/user.map
>
> Is that your entire smb.conf ?
>
>>
>> /etc/samba/user.map:
>> !root = "@MYDOMAIN\Domain Admins" "@MYDOMAIN\domain admins"
>
> I have never tried to map a group to a User, but in any case you don't need to ;-)
>
> You are using the 'rid' backend, so 'Domain Admins' gets a group ID, or to put it another way, the underlying Unix OS knows who 'Domain Admins' is.
> Have you read this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

This is the documentation I have been following. I was trying to use "acl_xattr:ignore system acls = yes" for the first time.
This doesn't seem to work (as I expected). When I use the default "acl_xattr:ignore system acls = no" everything is fine and I don't have to use a "username map".

thx
matthias
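As an added example (not from the thread, and not the Samba project's own configuration), here is a minimal smb.conf for a domain member that combines the idmap settings Matthias posted with the acl_xattr share settings described on the wiki page Rowland linked, leaving `acl_xattr:ignore system acls` at its default of `no`, which is the state Matthias reports as working without any `username map`. The realm, the share name `[data]` and its path are assumptions; `MYDOMAIN` and the idmap ranges are the values from the thread.

```ini
[global]
   workgroup = MYDOMAIN
   realm = MYDOMAIN.EXAMPLE            # assumption: the AD realm is not given in the thread
   security = ADS
   passdb backend = tdbsam

   # idmap settings exactly as posted in the thread: the rid backend derives
   # every uid/gid from the SID, so "Domain Admins" gets a stable gid (10512
   # in the posted "id" output) and can be used directly in Windows ACLs.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config MYDOMAIN : backend = rid
   idmap config MYDOMAIN : range = 10000-999999
   winbind enum users = yes
   winbind enum groups = yes

   # Windows-ACL support for all shares, as on the wiki page linked above
   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes

   # Default value, written out because the thread turned this knob on.
   # With "no", Samba keeps both the NT ACL (in the xattr) and the POSIX ACL,
   # so local and NFS access are governed by the same permissions; with "yes"
   # only the NT ACL is maintained, which is the setting Matthias found not
   # to work for him.
   acl_xattr:ignore system acls = no

   # No "username map" line: mapping an AD group to root is not needed for
   # share administration, and it would make every member of that group root
   # for all Samba access to this host.

[data]                                 # assumption: share name and path
   path = /srv/samba/data
   read only = no
```

After joining the domain, `getent group 'MYDOMAIN\domain admins'` on the member server should return the rid-derived gid; that group can then be granted Full Control on the share from a Windows client as the wiki describes, with no mapping file involved.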