John Snowdon
2007-Feb-02 11:10 UTC
[Samba] Active Directory for users authentication only?
Hi folks, I'm setting up a new samba box (Redhat ES 4.0, with Rehat samba-3.0.10-1.4E.9) to replace a proprietry OS X version that's been running home directories for our school staff - we've previously used local accounts and groups on the OS X server rather than the AD accounts all our staff have; one of the key goals in moving to a new system was to allow users to logon without having to re-enter their windows usernames and passwords. To this end I've got my krb5.conf, pam.d/samba, pam.d/logon, pam.d/sshd and smb.conf all setup to work with AD. The machine joined the directory successfully with the net join command, getent retrieves the user and group entries without problem and my users (those few that are helping me during this development phase) can logon via ssh and samba by using their active directory usernames and passwords (or without, as in the case of windows clients with their cached credentials - my test users are very happy with the setup!). However I've hit a stumbling block, (presumably because of our previous server!) we have a fair few local group entries in /etc/group that just don't exist in AD (and never will), we need these groups over those listed by AD for the users... in fact we don't even need the AD provided groups AT ALL! Using 'groups USER' at the shell successfully enumerated all the groups for a given user; both those defined in /etc/groups, and those winbind retrieves from AD.... however it doesn't seem as if the local groups are being picked up by samba. I then edited nsswitch.conf so that group details are only retrieved by "file" (users are of course "files winbind") but I'm still having problems accessing directories in a share that has folders owned by groups which are defined in /etc/group rather than winbind.. e.g I have a 'Group' share with the following test directories at the moment: drwxrwx--- 23 root FMSC 4096 Jan 31 09:28 FMSC drwxrwx--- 7 root website 4096 Jan 22 11:28 School Website My account, now that I've edited nsswitch to use files for groups only, is a member of the following (/etc/group) groups: # groups njps3 njps3 : Domuser FMSC school isd cetl timetable anatomy faculty hhstaff Assets website (Domuser is the primary group id as returned by winbind - I simply created an entry in /etc/group so that it doesn't just show a numberic GID)... Yet I cannot open the directory 'FMSC'... Samba reports the following: [2007/02/02 09:49:07, 3] smbd/process.c:process_smb(1091) Transaction 18 of length 90 [2007/02/02 09:49:07, 3] smbd/process.c:switch_message(886) switch message SMBtrans2 (pid 14973) conn 0x2aef37f0 [2007/02/02 09:49:07, 3] smbd/trans2.c:call_trans2qfilepathinfo(2346) call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004 [2007/02/02 09:49:07, 3] smbd/trans2.c:call_trans2qfilepathinfo(2380) call_trans2qfilepathinfo FMSC (fnum = -1) level=1004 call=5 total_data=0 [2007/02/02 09:49:07, 3] smbd/process.c:process_smb(1091) Transaction 19 of length 100 [2007/02/02 09:49:07, 3] smbd/process.c:switch_message(886) switch message SMBtrans2 (pid 14973) conn 0x2aef37f0 [2007/02/02 09:49:07, 3] smbd/trans2.c:call_trans2findfirst(1359) call_trans2findfirst: dirtype = 22, maxentries = 1366, close_after_first=0, close_if_end = 1 requires_resume_key = 1 level 0x104, max_data_bytes = 16384 [2007/02/02 09:49:07, 3] smbd/error.c:error_packet(105) error string = Permission denied [2007/02/02 09:49:07, 3] smbd/error.c:error_packet(129) error packet at smbd/trans2.c(1429) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED I assume, perhaps naively, that this is because Samba is purely looking up group information for my account from winbind? If so, what do I need to modify so that Samba ignores group information from winbind and purely uses /etc/group? Regards -John (Hopefully all relevant config information is included below) [global] workgroup = CAMPUS realm = CAMPUS.NCL.AC.UK password server = password.server client use spnego = no server signing = auto server string = School of Medical Education Development hosts allow = some.address.ranges. printcap name = /etc/printcap load printers = no log file = /var/log/samba/%m.log log level = 2 max log size = 50 security = ads password level = 8 username level = 8 encrypt passwords = yes dns proxy = no idmap uid = 16777217-33554431 idmap gid = 20-33554431 template shell = /bin/false winbind use default domain = yes winbind separator = \ winbind enum users = yes winbind enum groups = yes winbind nested groups = Yes winbind trusted domains only = yes [groups] comment = School of Medical Education Development project groups path = /export/Groups browseable = no read only = no public = no browseable = no writable = yes create mode = 0660 directory mask = 0775 default case = lower preserve case = yes pam.d/samba #%PAM-1.0 auth required pam_nologin.so #auth required pam_stack.so service=system-auth auth sufficient pam_winbind.so account sufficient pam_winbind.so account required pam_stack.so service=system-auth session required pam_stack.so service=system-auth password required pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf #password required pam_stack.so service=system-auth nsswitch.conf passwd: files winbind shadow: files winbind group: files John Snowdon - IT Support Specialist -==========================================- School of Medical Education Development Faculty of Medical Sciences Computing University of Newcastle Email : j.p.snowdon@ncl.ac.uk
John Snowdon said:> SNIP > > I assume, perhaps naively, that this is because Samba is purely looking > up group information for my account from winbind? If so, what do I need > to modify so that Samba ignores group information from winbind and > purely uses /etc/group?I've encountered a similar problem and opened a bug report. https://bugzilla.samba.org/show_bug.cgi?id=4353 Ralf
Possibly Parallel Threads
- Active Directory for users & authentication only?
- 'Apple' Samba 2.2.3a on OS X 10.2.6 -> Samba 2.2.8a upgrade
- Smbpasswd + password sync on OS X
- Problems Running an executable from samba share.
- Windows 7 v. Samba: why is default network profile in 'NETLOGON/Default User.v2' not used?