Rowland Penny
2022-Jan-13 15:07 UTC
[Samba] Samba on CentOS 8 with sssd and AD users/groups and local users/groups
On Thu, 2022-01-13 at 15:00 +0100, Martin Decker via samba wrote:
> Hello List,
>
> I am trying to set up Samba 4.14 on CentOS 8.
>
> The linux node is already joined to an AD domain with sssd for local SSH
> authentication and I can log on to the system with my AD account.
>
> Now, I need to set up Samba to share some directories with Windows Desktop
> Clients. Some of the shares should only be accessible with local Linux
> username/password credentials so that the client has to map network drive
> and put in username/password credentials of the local linux account.
>
> Other shares should take the AD account of the windows client user and map
> the share directly without asking for username/passwd.
>
> 1) Is such a mixture possible?

Not really, even red-hat admits that while you can use sssd with Samba,
they do not recommend it, see here:

https://access.redhat.com/articles/4355391

> 2) The "realm" String is the realm name from AD. What is the correct value
> for "WORKGROUP"?
> How can I find out which value to put there?

Run 'wbinfo --own-domain'

> 3) This is the current - non-working - smb.conf file:
>
> [global]
> realm = EXAMPLE.NET
> workgroup = EXAMPLE
> security = ads
> netbios name = myhostname

You do not actually need the above line

> os level = 20
> winbind enum users = yes
> winbind enum groups = yes

Or those

> server string = %m
> preferred master = no

Or that

> winbind refresh tickets = yes
> winbind separator = +
> kerberos method = secrets and keytab
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config EXAMPLE:backend = rid
> idmap config EXAMPLE:schema_mode = rfc2307

Not when using the 'rid' backend

> idmap config EXAMPLE:range = 10000-999999
> idmap config EXAMPLE:unix_nss_info = yes

Not when using the 'rid' backend

> winbind use default domain = yes
> dns proxy = no
> printing = cups
> printcap name = cups
> load printers = no
> cups options = raw
> winbind offline logon = yes
> max log size = 50
> log file = /var/log/samba/log.%m
> encrypt passwords = yes

Will someone tell red-hat that is a default setting

> read only = No
> template shell = /bin/bash
> template homedir = /home/%U
> passdb backend = tdbsam

As is that.

>
> [intranet]
> valid users = mylocaluser
> comment = Intranet
> path = /SHARES/intranet
> wide links = yes
> directory mask = 0775
> create mode = 0664
> directory mode = 0775
> write list = mylocaluser
> create mask = 0775
> force create mask = 0775

You might want to read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

It is a better way.

Also, are you aware that the share would be read only ?

Rowland
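Martin's smb.conf with Rowland's remarks applied, as an added example for readers of this thread (it is not a config posted by either of them): the lines he calls unnecessary, default, or inapplicable to the 'rid' backend are dropped, the share states its writability explicitly, and the two Windows-ACL lines under [intranet] are an assumption taken from the wiki page he links, not from the thread.

```ini
[global]
   realm = EXAMPLE.NET
   workgroup = EXAMPLE
   security = ads
   ; dropped per Rowland: netbios name, os level, preferred master,
   ; server string, winbind enum users/groups
   winbind refresh tickets = yes
   winbind separator = +
   winbind use default domain = yes
   winbind offline logon = yes
   kerberos method = secrets and keytab
   template shell = /bin/bash
   template homedir = /home/%U
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   ; 'rid' backend: schema_mode and unix_nss_info do not apply, so removed
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999
   dns proxy = no
   load printers = no
   printing = cups
   printcap name = cups
   cups options = raw
   log file = /var/log/samba/log.%m
   max log size = 50
   ; 'encrypt passwords = yes' and 'passdb backend = tdbsam' are defaults, dropped
   ; global 'read only = No' dropped: each share states its own writability

[intranet]
   comment = Intranet
   path = /SHARES/intranet
   valid users = mylocaluser
   write list = mylocaluser
   read only = no
   ; 'wide links = yes' dropped: it lets clients follow symlinks that point
   ; outside the share path, so leave it at the default unless required
   ; Windows ACLs, as on the wiki page Rowland links (assumed, not in the thread);
   ; the mask/mode lines are omitted because that page handles permissions itself
   vfs objects = acl_xattr
   map acl inherit = yes
```

Run 'testparm' after editing to confirm Samba accepts the file, and note that Rowland's first answer still stands: this keeps winbind doing the AD mapping rather than sssd.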
Luc Lalonde
2022-Jan-13 15:22 UTC
[Samba] Samba on CentOS 8 with sssd and AD users/groups and local users/groups
Hello Rowland,

I've read the article mentioned below... and I don't see how it could be interpreted as a 'non-recommendation'. When you go through the documentation for RHEL AD integration, they mostly point to SSSD use. In fact, that article states that the two (Winbind and SSSD) are complementary. SSSD needs Winbind for AD integration. Winbind can be used alone for AD integration...

I have to say though, I've had success using Winbind alone on RHEL7, but not RHEL8.

This subject has been beaten to death on this list... So sorry for adding to it. Just want to add my personal note. We use SSSD with Winbind on all our systems (CentOS 7, 8 and Fedora). It's rock solid for us.

Cheers, Luc.

On 1/13/22 10:07, Rowland Penny via samba wrote:
> Not really, even red-hat admits that while you can use sssd with Samba,
> they do not recommend it, see here:
>
> https://access.redhat.com/articles/4355391

-- 
Luc Lalonde, analyst
-----------------------------
Département de génie informatique et génie logiciel: École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca