I am working on replacing an undocumented Samba server with one I have setup after very helpful wiki. I am just having an issue with using an Active Directory security group with the setting "valid users" to limit access to the share. I would like to use an existing security group on the Windows side to control access to the share, if possible. Server 2012 R2 forest and OS on Windows side. I have taken pains to only use WinBind on RHEL as Red Hat weenies will point you to using tools like "realm" that introduce SSSD that I do not want to use.

valid user = MYDOMAIN\myuserid
If I use the above syntax for my user account I can gain access to the share just as I expect.

valid user = +MYDOMAIN\"MySecurityGroup"
The above syntax does not work (I am a member of the group). I also tried omitting the quotes around the group name since I do not have a space in the name. I also tried using the alternate syntax that you can use on Windows like MySecurityGroup at domain.com.

getent group MYDOMAIN\\MySecurityGroup
The above command does return my group from AD.

chown root:MySecurityGroup somefile.txt
This above command does update the permissions so that the group is used and displays on the ls command.

SID +MYDOMAIN\MySecurityGroup is not in a valid format
I upped the log level to 3 and I see the above message.

IDMAP Setting:
idmap config * : backend = autorid
idmap config * : range = 100000-19999999
idmap config * : rangesize = 1000000

Rowland Penny
2023-Jan-28 07:28 UTC
[Samba] Valid Users Does Not Like My AD Group or Syntax
On 28/01/2023 00:07, E R via samba wrote:
> I am working on replacing an undocumented Samba server with one I have
> setup after very helpful wiki. I am just having an issue with using an
> Active Directory security group with the setting "valid users" to limit
> access to the share. I would like to use an existing security group on the
> Windows side to control access to the share, if possible. Server 2012 R2
> forest and OS on Windows side. I have taken pains to only use WinBind on
> RHEL as Red Hat weenies will point you to using tools like "realm" that
> introduce SSSD that I do not want to use.
>
> valid user = MYDOMAIN\myuserid
> If I use the above syntax for my user account I can gain access to the
> share just as I expect.
>
> valid user = +MYDOMAIN\"MySecurityGroup"
> The above syntax does not work (I am a member of the group). I also tried
> omitting the quotes around the group name since I do not have a space in
> the name. I also tried using the alternate syntax that you can use on
> Windows like MySecurityGroup at domain.com.
>
> getent group MYDOMAIN\\MySecurityGroup
> The above command does return my group from AD.
>
> chown root:MySecurityGroup somefile.txt
> This above command does update the permissions so that the group is used
> and displays on the ls command.
>
> SID +MYDOMAIN\MySecurityGroup is not in a valid format
> I upped the log level to 3 and I see the above message.
>
> IDMAP Setting:
> idmap config * : backend = autorid
> idmap config * : range = 100000-19999999
> idmap config * : rangesize = 1000000

Can we please see the output of 'testparm -s'.

Can you also tell us what version of Samba you are using and the RHEL version.

Rowland