thr3ads.net - samba - [Samba] Valid Users Does Not Like My AD Group or Syntax [Jan 2023]

If this information is useful, please help other people find it:
Share via:

Rowland Penny

2023-Jan-28 07:28 UTC

[Samba] Valid Users Does Not Like My AD Group or Syntax

On 28/01/2023 00:07, E R via samba wrote:> I am working on replacing an undocumented Samba server with one I have
> setup after very helpful wiki.  I am just having an issue with using an
> Active Directory security group with the setting "valid users" to
limit
> access to the share.  I would like to use an existing security group on the
> Windows side to control access to the share, if possible.  Server 2012 R2
> forest and OS on Windows side. I have taken pains to only use WinBind on
> RHEL as Red Hat weenies will point you to using tools like
"realm" that
> introduce SSSD that I do not want to use.
> 
> valid user = MYDOMAIN\myuserid
> If I use the above syntax for my user account I can gain access to the
> share just as I expect.
> 
> valid user = +MYDOMAIN\"MySecurityGroup"
> The above syntax does not work (I am a member of the group).  I also tried
> omitting the quotes around the group name since I do not have a space in
> the name.  I also tried using the alternate syntax that you can use on
> Windows like MySecurityGroup at domain.com.
> 
> getent group MYDOMAIN\\MySecurityGroup
> The above command does return my group from AD.
> 
> chown root:MySecurityGroup somefile.txt
> This above command does update the permissions so that the group is used
> and displays on the ls command.
> 
> SID +MYDOMAIN\MySecurityGroup is not in a valid format
> I upped the log level to 3 and I see the above message.
> 
> IDMAP Setting:
> idmap config * : backend = autorid
> idmap config * : range = 100000-19999999
> idmap config * : rangesize = 1000000

Can we please see the output of 'testparm -s'.
Can you also tell us what version of Samba you are using and the RHEL 
version.

Rowland

E R

2023-Jan-28 18:34 UTC

head link

[Samba] Valid Users Does Not Like My AD Group or Syntax

[root at local]# testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
        bind interfaces only = Yes
        disable netbios = Yes
        dns proxy = No
        kerberos encryption types = strong
        load printers = No
        log file = /var/log/samba/log.%m
        ntlm auth = disabled
        realm = MYDOMAIN.COM
        security = ADS
        server signing = required
        server string = Samba Server
        unix extensions = No
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind refresh tickets = Yes
        workgroup = MYDOMAIN
        idmap config * : rangesize = 1000000
        idmap config * : range = 100000-19999999
        idmap config * : backend = autorid
        hosts allow = 192.168.1.3


[www-test]

        comment = Samba share for test
        create mask = 0664
        directory mask = 0775
        path = /export/home/www/htdocs/test
        read only = No
        valid users = +MYDOMAIN\Samba-www-test

On Sat, Jan 28, 2023 at 1:29 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:
>
>
> On 28/01/2023 00:07, E R via samba wrote:
> > I am working on replacing an undocumented Samba server with one I have
> > setup after very helpful wiki.  I am just having an issue with using
an
> > Active Directory security group with the setting "valid
users" to limit
> > access to the share.  I would like to use an existing security group
on
> the
> > Windows side to control access to the share, if possible.  Server 2012
R2
> > forest and OS on Windows side. I have taken pains to only use WinBind
on
> > RHEL as Red Hat weenies will point you to using tools like
"realm" that
> > introduce SSSD that I do not want to use.
> >
> > valid user = MYDOMAIN\myuserid
> > If I use the above syntax for my user account I can gain access to the
> > share just as I expect.
> >
> > valid user = +MYDOMAIN\"MySecurityGroup"
> > The above syntax does not work (I am a member of the group).  I also
> tried
> > omitting the quotes around the group name since I do not have a space
in
> > the name.  I also tried using the alternate syntax that you can use on
> > Windows like MySecurityGroup at domain.com.
> >
> > getent group MYDOMAIN\\MySecurityGroup
> > The above command does return my group from AD.
> >
> > chown root:MySecurityGroup somefile.txt
> > This above command does update the permissions so that the group is
used
> > and displays on the ls command.
> >
> > SID +MYDOMAIN\MySecurityGroup is not in a valid format
> > I upped the log level to 3 and I see the above message.
> >
> > IDMAP Setting:
> > idmap config * : backend = autorid
> > idmap config * : range = 100000-19999999
> > idmap config * : rangesize = 1000000
>
>
> Can we please see the output of 'testparm -s'.
> Can you also tell us what version of Samba you are using and the RHEL
> version.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Apparently Analagous Threads

Search for more apparently analagous threads

samba - Jan 2023 - Valid Users Does Not Like My AD Group or Syntax

[Samba] Valid Users Does Not Like My AD Group or Syntax

[Samba] Valid Users Does Not Like My AD Group or Syntax

Apparently Analagous Threads