Martin Decker
2022-Jan-13 14:00 UTC
[Samba] Samba on CentOS 8 with sssd and AD users/groups and local users/groups
Hello List,

I am trying to set up Samba 4.14 on CentOS 8.

The Linux node is already joined to an AD domain with sssd for local SSH authentication and I can log on to the system with my AD account.

Now, I need to set up Samba to share some directories with Windows desktop clients. Some of the shares should only be accessible with local Linux username/password credentials, so that the client has to map a network drive and enter the username/password credentials of the local Linux account.

Other shares should take the AD account of the Windows client user and map the share directly without asking for username/password.

1) Is such a mixture possible?

2) The "realm" string is the realm name from AD. What is the correct value for "WORKGROUP"? How can I find out which value to put there?

3) This is the current - non-working - smb.conf file:

[global]
realm = EXAMPLE.NET
workgroup = EXAMPLE
security = ads
netbios name = myhostname
os level = 20
winbind enum users = yes
winbind enum groups = yes
server string = %m
preferred master = no
winbind refresh tickets = yes
winbind separator = +
kerberos method = secrets and keytab
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EXAMPLE:backend = rid
idmap config EXAMPLE:schema_mode = rfc2307
idmap config EXAMPLE:range = 10000-999999
idmap config EXAMPLE:unix_nss_info = yes
winbind use default domain = yes
dns proxy = no
printing = cups
printcap name = cups
load printers = no
cups options = raw
winbind offline logon = yes
max log size = 50
log file = /var/log/samba/log.%m
encrypt passwords = yes
read only = No
template shell = /bin/bash
template homedir = /home/%U
passdb backend = tdbsam

[intranet]
valid users = mylocaluser
comment = Intranet
path = /SHARES/intranet
wide links = yes
directory mask = 0775
create mode = 0664
directory mode = 0775
write list = mylocaluser
create mask = 0775
force create mask = 0775

Any ideas would be greatly appreciated.

Regards,
Martin
Christian Naumer
2022-Jan-13 14:12 UTC
[Samba] Samba on CentOS 8 with sssd and AD users/groups and local users/groups
The way you have set up sssd now, this is not possible. You need to set this up with winbind to make it work. See here: https://access.redhat.com/solutions/4290501

You might get this to work: https://access.redhat.com/solutions/3802321 It is behind a login, but the account does not cost anything. But this leaves out the local users.

There are some on this list who have tried this with varying success.

Regards

--
Dr. Christian Naumer
BRAIN Biotech AG
Rowland Penny
2022-Jan-13 15:07 UTC
[Samba] Samba on CentOS 8 with sssd and AD users/groups and local users/groups
On Thu, 2022-01-13 at 15:00 +0100, Martin Decker via samba wrote:
> Hello List,
>
> I am trying to set up Samba 4.14 on CentOS 8.
>
> The linux node is already joined to an AD domain with sssd for local SSH
> authentication and I can log on to the system with my AD account.
>
> Now, I need to set up Samba to share some directories with Windows Desktop
> Clients. Some of the shares should only be accessible with local Linux
> username/password credentials so that the client has to map network drive
> and put in username/password credentials of the local linux account.
>
> Other shares should take the AD account of the windows client user and map
> the share directly without asking for username/passwd.
>
> 1) Is such a mixture possible?

Not really, even red-hat admits that while you can use sssd with Samba, they do not recommend it, see here:

https://access.redhat.com/articles/4355391

> 2) The "realm" String is the realm name from AD. What is the correct value
> for "WORKGROUP"? How can I find out which value to put there?

Run 'wbinfo --own-domain'

> 3) This is the current - non-working - smb.conf file:
>
> [global]
> realm = EXAMPLE.NET
> workgroup = EXAMPLE
> security = ads
> netbios name = myhostname

You do not actually need the above line

> os level = 20
> winbind enum users = yes
> winbind enum groups = yes

Or those

> server string = %m
> preferred master = no

Or that

> winbind refresh tickets = yes
> winbind separator = +
> kerberos method = secrets and keytab
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config EXAMPLE:backend = rid
> idmap config EXAMPLE:schema_mode = rfc2307

Not when using the 'rid' backend

> idmap config EXAMPLE:range = 10000-999999
> idmap config EXAMPLE:unix_nss_info = yes

Not when using the 'rid' backend

> winbind use default domain = yes
> dns proxy = no
> printing = cups
> printcap name = cups
> load printers = no
> cups options = raw
> winbind offline logon = yes
> max log size = 50
> log file = /var/log/samba/log.%m
> encrypt passwords = yes

Will someone tell red-hat that is a default setting

> read only = No
> template shell = /bin/bash
> template homedir = /home/%U
> passdb backend = tdbsam

As is that.

> [intranet]
> valid users = mylocaluser
> comment = Intranet
> path = /SHARES/intranet
> wide links = yes
> directory mask = 0775
> create mode = 0664
> directory mode = 0775
> write list = mylocaluser
> create mask = 0775
> force create mask = 0775

You might want to read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

It is a better way. Also, are you aware that the share would be read only?

Rowland
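As an added example (not code from this thread or from the Samba project), a small Python check for the points Rowland raises about the posted [global] section: 'ad'-only idmap options (schema_mode, unix_nss_info) set on a 'rid' backend, and settings that merely restate Samba's built-in defaults; it also checks that the idmap ranges do not overlap, which Samba requires. The sample smb.conf text is constructed from the thread's config, and the function names are my own.

```python
import re

# Constructed sample: the idmap and default-valued lines from the poster's smb.conf.
SAMPLE_SMB_CONF = """
[global]
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EXAMPLE:backend = rid
idmap config EXAMPLE:schema_mode = rfc2307
idmap config EXAMPLE:range = 10000-999999
idmap config EXAMPLE:unix_nss_info = yes
encrypt passwords = yes
passdb backend = tdbsam
"""
AD_ONLY = {"schema_mode", "unix_nss_info"}  # idmap options that only the 'ad' backend reads
DEFAULTS = {"encrypt passwords": "yes", "passdb backend": "tdbsam"}  # Samba built-in defaults

def parse_global(text):
    # Return the [global] parameters as a dict; 'idmap config X : y' keys become 'idmap config X:y'.
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "global" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            params[re.sub(r"\s*:\s*", ":", key)] = value.lower()
    return params

def lint(text):
    # Report ad-only options on a non-ad backend, overlapping idmap ranges, and restated defaults.
    p, findings, ranges = parse_global(text), [], []
    for key, value in p.items():
        m = re.fullmatch(r"idmap config (.+):(\w+)", key)
        domain, option = m.groups() if m else (None, None)
        if option in AD_ONLY and p.get(f"idmap config {domain}:backend") != "ad":
            findings.append(f"{domain}: '{option}' only applies to the 'ad' backend")
        elif option == "range":
            lo, hi = (int(x) for x in value.split("-"))
            ranges.append((domain, lo, hi))
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:  # closed intervals intersect
                findings.append(f"idmap ranges for '{d1}' and '{d2}' overlap")
    for key, default in DEFAULTS.items():
        if p.get(key) == default:
            findings.append(f"'{key} = {default}' is already the default")
    return findings
```

Running lint(SAMPLE_SMB_CONF) flags the two rid/ad mismatches and the two redundant defaults from the thread; the ranges 3000-7999 and 10000-999999 are reported as fine because they are disjoint.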