Thomas Burger
2015-Jan-13 09:02 UTC
[Samba] Ubuntu SSSD Active Directory Authorization issue (group membership is not honored)
Hello all,
after spending the last days fighting and researching I hope someone can
point me to a solution here.
Even though I have been using Debian / Ubuntu for years, I wouldn't consider
myself a Linux professional. I have some experience though.
What I try to accomplish:
- Centrally administrated groups for file services. Right now it is only
one server but there will be more.
Setup:
- System 1: Ubuntu 14.04 LTS as Active Directory Controller with Samba
4.1 (Sernet package)
- System 2: Ubuntu 14.04 LTS as Member server.
What works:
- DNS & NTP
- Kerberos integration via Keytab file. SSSD 1.11.5 uses "id_provider =
ad" for this.
- getting AD members and groups via getent passwd and getent group
- Authentication with a domain user on "System 2" via SSH
- Authentication on Samba instance "Server 2" via AD-Users.
- getfacl / setfacl setting with domain object names.
My issue:
Authorization is not working. For example:
- Write list / read list / valid users options in smb.conf are not
honored. Either I have all users being able to access everything or they
can login to the server but if accessing the share this will fail.
- Skipped the samba authorization and moved this to the filesystem
level. Set the acl to the appropriate AD groups with the appropriate
level results in the same issue. I am also getting an "access denied" if I
try to access the folder from within the SSH session of an AD user. The
user is in the group though.
My guesses:
Option 1: Somehow groups populated through SSSD are not being used for
authorization. Neither for Samba share definition nor for the filesystem.
I recognized that the IDs of "objects" coming from the AD are very
high like
User: guest:*:1994200501:1994200514:Guest:/:
Group: domain admins:*:1994200512:administrator
Option 2: in samba logs I can see, that the user authenticates with a
"primary" group id but I am missing the "other groups". Is
that expected?
[2015/01/12 22:23:51.235050, 2]
../source3/smbd/service.c:848(make_connection_snum)
workstation (ipv4:x.y.z.y:63206) connect to service share1 initially
as user >myuser< (uid=1994201119, gid=1994200513) (pid 1790)
ID reflects the domain users: domain users:*:1994200513:
My Questions:
Why is it not working? Do I have a conceptual issue?
If it is related to the IDs, how can I "lower" them. ID-Mapping is
active already.
I also tried an installation with winbind but the situation kept the
same. After that system has been reinstalled to ensure that everything
is cleaned up properly.
Any help is greatly appreciated!
Thomas
KRB5 conf:
>>
[libdefaults]
default_realm = MYDOMAIN.DE
dns_lookup_realm = false
dns_lookup_kdc = true
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
    host = {
        rcmd = host
        ftp = ftp
    }
    plain = {
        something = something-else
    }
}
fcc-mit-ticketflags = true
[realms]
MYDOMAIN.DE = {
    kdc = DC
    admin_server = DC
}
[domain_realm]
.mydomain.de = MYDOMAIN.DE
[login]
krb4_convert = true
krb4_get_tickets = false
>>
sssd.conf
>>
[sssd]
services = nss, pam
config_file_version = 2
domains = mydomain.de
[nss]
[pam]
[domain/mydomain.de]
id_provider = ad
access_provider = ad
ad_hostname = dc.mydomain.de
ad_server = dc.mydomain.de
ad_domain = mydomain.de
enumerate = true
krb5_keytab=/etc/krb5.sssd.keytab
>>
smb.conf
>>
[global]
#### GLOBAL SETTINGS
netbios name = SERVER2
server string = SERVER2
workgroup = MYDOMAIN
realm = MYDOMAIN.DE
server role = MEMBER SERVER
#### SECURITY SETTINGS
security = ads
allow trusted domains = Yes
map untrusted to domain = Yes
encrypt passwords = yes
client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2
#### SERVER SETTINGS
dns proxy = yes
domain master = no
local master = no
preferred master = no
os level = 0
follow symlinks = yes
veto files = /.DS_Store/Thumbs.db/thumbs.db/
server min protocol = SMB2
server max protocol = SMB3
#### PRINTING
disable spoolss = yes
load printers = no
idmap_ldb:use rfc2307 = yes
#### LOGGING
log level = 2
username level = 3
log file = /var/log/samba/log.%m
max log size = 50
syslog only = no
syslog = 2
panic action = /usr/share/samba/panic-action %d
######## SHARES
[share1]
path = /share/share1
browsable = yes
read only = no
guest ok = no
# The access control is configured on the file system level.
>>
Hans-Kristian Bakke
2015-Jan-14 17:03 UTC
[Samba] Ubuntu SSSD Active Directory Authorization issue (group membership is not honored)
sssd-ad can't provide proper ID mapping for internal Samba file server
use until sssd 1.12, where the following functionality was introduced:
* SSSD provides an ID-mapping plugin for cifs-utils so that Windows
SIDs can be mapped onto POSIX IDs and/or names without requiring
Winbind and using the same code as the SSSD uses for identity
information.
Hence you have to have winbind installed and set up for Samba
file server use in sssd < 1.12.x. You should not install libpam-winbind
and libnss-winbind, as you will still use sssd-ad for all
authentication purposes in the system. Winbind is there only to
resolve Windows SIDs for Samba file server purposes.
This should be sufficient:
---
apt-get install winbind
---
And something like this added to your samba config (from my own):
---
# Winbind configuration. Remove winbind when sssd-ad 1.12.1 arrives to jessie
winbind cache time = 300
winbind enum users = no
winbind enum groups = no
winbind expand groups = 5
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = no
winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : range = 300000-499999
---
Since you really have to have identical ID mapping in both sssd-ad and
winbind, there is really no good way to do that other than using
centrally stored RFC2307 properties in AD. To use this in sssd-ad you
also have to have this in your sssd.conf in your domain section:
----
ldap_id_mapping = false
----
I made a powershell script to automatically add all the properties to
AD for everything.
Hope this was of some help for you.
Regards,
Hans-Kristian
On 13 January 2015 at 10:02, Thomas Burger <tburger at eritron.de> wrote:
> [...]
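The consistency requirement Hans-Kristian describes (smbd must map SIDs through winbind, and winbind and sssd-ad must then agree on every UID and GID) can be checked statically before anyone touches a share. The following Python script is an added example written for this page, not code from Samba or SSSD. It parses an smb.conf and an sssd.conf and reports the conditions the thread identifies: no `idmap config` for the workgroup at all (the configuration as originally posted), `backend = ad` without `ldap_id_mapping = false` on the SSSD side, a locally computed backend such as `rid` or `tdb` paired with SSSD's own SID-based mapping (a generalisation beyond the `ad` case in the reply above), and missing or overlapping idmap ranges. The sample configurations are constructed from the posts and trimmed to the relevant keys; the script does not talk to the domain.

```python
"""Added example, not Samba or SSSD code: statically lint a member server's
smb.conf against its sssd.conf for the SID-to-POSIX-ID mismatches discussed
in this thread.  Sample configs below are constructed from the posts."""
import re


def parse_conf(text):
    """Tolerant smb.conf / sssd.conf parser -> {section: {key: value}}.  Keys are
    lower-cased and whitespace around ':' dropped, so 'idmap config MYDOMAIN :
    backend' becomes 'idmap config mydomain:backend'."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
            conf[section][key] = value.strip()
    return conf


def parse_range(value):
    """'300000-499999' -> (300000, 499999); ValueError if malformed or empty."""
    lo, hi = (int(x) for x in value.split("-"))
    if lo >= hi:
        raise ValueError("empty idmap range: " + value)
    return lo, hi


def lint_id_mapping(smb_conf, sssd_conf):
    """Return findings; [] means winbind (smbd) and SSSD should hand out the
    same UIDs/GIDs, as far as static inspection of the two files can tell."""
    smb = parse_conf(smb_conf).get("global", {})
    wg = smb.get("workgroup", "").lower()
    if not wg:
        return ["smb.conf: no 'workgroup' in [global]"]
    # SSSD's AD provider derives IDs from the SID unless ldap_id_mapping=false
    algorithmic = [n for n, b in parse_conf(sssd_conf).items()
                   if n.startswith("domain/") and b.get("id_provider") == "ad"
                   and b.get("ldap_id_mapping", "true").lower() != "false"]
    findings = []
    backend = smb.get(f"idmap config {wg}:backend")
    if backend is None:
        findings.append(f"smb.conf: no 'idmap config {wg.upper()} : backend'; smbd "
                        "has no SID->ID mapping, so ACL IDs never match 'id'")
    elif backend == "ad":
        # idmap_ad reads uidNumber/gidNumber from AD; SSSD must read the same
        findings += [f"sssd.conf [{n}]: set 'ldap_id_mapping = false' so SSSD "
                     "uses the RFC2307 uidNumber/gidNumber that idmap_ad uses"
                     for n in algorithmic]
        if smb.get("winbind nss info", "").lower() != "rfc2307":
            findings.append("smb.conf: 'winbind nss info = rfc2307' missing")
    else:  # rid/tdb/autorid compute IDs locally, with their own algorithm
        findings += [f"smb.conf: idmap backend '{backend}' and sssd.conf [{n}] "
                     "derive IDs independently; smbd and 'id' will disagree"
                     for n in algorithmic]
    ranges = {m.group(1): parse_range(v) for k, v in smb.items()
              if (m := re.fullmatch(r"idmap config (\S+):range", k))}
    findings += [f"smb.conf: 'idmap config {d.upper()} : range' missing"
                 for d in ("*", wg) if backend is not None and d not in ranges]
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"smb.conf: idmap ranges for {a} and {b} overlap")
    return findings


# Constructed from the original post: SSSD maps SIDs, smb.conf has no idmap config.
THOMAS_SMB_CONF = """
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.DE
idmap_ldb:use rfc2307 = yes
"""
THOMAS_SSSD_CONF = """
[domain/mydomain.de]
id_provider = ad
"""
# Constructed from Hans-Kristian's reply: winbind idmap_ad plus RFC2307 in SSSD.
FIXED_SMB_CONF = THOMAS_SMB_CONF + """
winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : range = 300000-499999
"""
FIXED_SSSD_CONF = THOMAS_SSSD_CONF + "ldap_id_mapping = false\n"

if __name__ == "__main__":
    for smb, sssd in [(THOMAS_SMB_CONF, THOMAS_SSSD_CONF),
                      (FIXED_SMB_CONF, THOMAS_SSSD_CONF), (FIXED_SMB_CONF, FIXED_SSSD_CONF)]:
        print(lint_id_mapping(smb, sssd) or ["ok"])
```

Run as a script it prints one result per pair: the posted configuration yields the "no idmap config" finding, adding only the winbind block yields the `ldap_id_mapping` finding, and the combination passes. The check is static, so once winbind is running it is worth confirming at runtime that `getent passwd` (served by SSSD through nsswitch) and `wbinfo -i` (served by winbind) return the same uid and gid for the same user; the gid winbind reports is the one smbd logs in make_connection_snum.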
Ashish Yadav
2015-Jan-15 04:58 UTC
[Samba] Ubuntu SSSD Active Directory Authorization issue (group membership is not honored)
Hi,
On Tue, Jan 13, 2015 at 2:32 PM, Thomas Burger <tburger at eritron.de> wrote:
> [...]
I have set up an Ubuntu 12.04.5 client using Winbind and lowered the uid and
gid mapping so that it is easy to handle. My smb.conf is like this:
workgroup = INTRA
security = ADS
realm = INTRA.EXAMPLE.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba 4 Client %h
template homedir = /home/%U
template shell = /bin/bash
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind normalize names = Yes
idmap config * : backend = rid
idmap uid = 5000-4000000000
idmap gid = 5000-4000000000
After that join the domain using "net ads join -U <Domain Admin>". Then
restart the Samba and winbind services. After that make changes to
nsswitch.conf so that it looks like:
passwd: compat winbind
group: compat winbind
After that "id <Domain User>" should work and uid/gid should show lower
numbers.
--
Regards
Ashishkumar S. Yadav
Peter Serbe
2015-Jan-15 08:52 UTC
[Samba] Ubuntu SSSD Active Directory Authorization issue (group membership is not honored)
On Tue, Jan 13, 2015 at 2:32 PM, Thomas Burger <tburger at eritron.de> wrote:
> What works:
...
> - getfacl / setfacl setting with domain object names.
>
> My issue:
> Authorization is not working. For example:
> - Write list / read list / valid users options in smb.conf are not
> honored.
...
> - Skipped the samba authorization and moved this to the filesystem level.
> Set the acl to the appropriate AD groups with the appropriate level results
> in the same issue.
This is not normal. Have you declared the RFC2307 Unix attributes? I do
this (on my home network, but anyway, I have different users with different
privileges) and it works great.
If you absolutely don't want to use RFC2307, then you have to check that all
the users and groups get the same IDs on all your servers (even though there
are only two at the moment). This might work with Winbind, too, but you have
to do some configuration (too complicated for me, I am also not an expert).
If you start using RFC2307*) you should add the Unix ID during the creation
of the user when you use samba-tool. You could also add the Unix ID from
Windows, but then you have to do it for every single user by hand. I guess
doing it by hand for the groups would be OK, but not for the users - at least
if you have hundreds of them. ;-)
Best regards
Peter
*) Do a new provisioning if possible. You can also fiddle the attributes into
an existing domain, but you have to manipulate the LDB database, and this is
not exactly fun.
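Peter's RFC2307 route means every user and group object carries uidNumber and gidNumber, and with the `idmap config MYDOMAIN : backend = ad` setup from Hans-Kristian's reply those values must lie inside `idmap config MYDOMAIN : range`, because idmap_ad discards any mapping whose ID falls outside its range. As an added example, not Samba's own tooling, the following Python builds the LDIF that sets those attributes on existing objects, which is the "fiddle the attributes into an existing domain" step. The base DN `DC=mydomain,DC=de`, the `CN=Users` container and the range 300000-499999 are assumptions taken from the realm and the smb.conf fragment in this thread; adjust them to the real domain. Apply the output on the DC with `ldbmodify -H <path to sam.ldb> file.ldif` (the path of sam.ldb depends on the packaging).

```python
"""Added example, not Samba's own tooling: build an LDIF that sets the RFC2307
uidNumber/gidNumber attributes on existing AD objects, checking that every ID
lies inside the winbind idmap range.  DN layout and range are assumptions."""

BASE_DN = "DC=mydomain,DC=de"   # assumed from realm MYDOMAIN.DE
ID_RANGE = (300000, 499999)     # must equal 'idmap config MYDOMAIN : range'


def check_id(value, what):
    """idmap_ad ignores uidNumber/gidNumber values outside its range."""
    lo, hi = ID_RANGE
    if not lo <= value <= hi:
        raise ValueError(f"{what}={value} outside idmap range {lo}-{hi}")
    return value


def group_ldif(name, gid):
    """LDIF modify record giving an AD group (in CN=Users) a gidNumber."""
    return (f"dn: CN={name},CN=Users,{BASE_DN}\n"
            "changetype: modify\n"
            "replace: gidNumber\n"
            f"gidNumber: {check_id(gid, 'gidNumber')}\n")


def user_ldif(name, uid, primary_gid, shell="/bin/bash"):
    """LDIF modify record giving a user uidNumber, gidNumber, home and shell.
    primary_gid should be the gidNumber of the user's AD primary group (Domain
    Users by default); otherwise 'id' (user's gidNumber) and smbd (primary
    group SID mapped through idmap) report different primary GIDs."""
    return (f"dn: CN={name},CN=Users,{BASE_DN}\n"
            "changetype: modify\n"
            f"replace: uidNumber\nuidNumber: {check_id(uid, 'uidNumber')}\n-\n"
            f"replace: gidNumber\ngidNumber: {check_id(primary_gid, 'gidNumber')}\n-\n"
            f"replace: unixHomeDirectory\nunixHomeDirectory: /home/{name}\n-\n"
            f"replace: loginShell\nloginShell: {shell}\n")


def build_ldif(groups, users):
    """groups: {name: gid}; users: {name: (uid, primary_group_name)}.
    Groups come first so a user's gidNumber always refers to a mapped group."""
    entries = [group_ldif(g, gid) for g, gid in groups.items()]
    entries += [user_ldif(u, uid, groups[pg]) for u, (uid, pg) in users.items()]
    return "\n".join(entries)


if __name__ == "__main__":
    # Constructed sample: Domain Users keeps RID 513 as a mnemonic, user RID 1119
    print(build_ldif({"Domain Users": 300513},
                     {"myuser": (301119, "Domain Users")}))
```

Because the records use `replace`, the same LDIF works whether or not an object already has the attribute. Running it against the DC's sam.ldb does not by itself change anything on the member server: SSSD only sees the new values once `ldap_id_mapping = false` is set there, and winbind only once the idmap_ad range covers them, which is exactly what `check_id` enforces.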