Peter Serbe
2015-Jan-15 08:52 UTC
[Samba] Ubuntu SSSD Active Directory Authorization issue (group membership is not honored)
On Tue, Jan 13, 2015 at 2:32 PM, Thomas Burger <tburger at eritron.de> wrote:
> What works:
...
> - getfacl / setfacl setting with domain object names.
>
> My issue:
> Authorization is not working. For example:
> - Write list / read list / valid users options in smb.conf are not
> honored.
...
> - Skipped the samba authorization and moved this to the filesystem level.
> Set the acl to the appropriate AD groups with the appropriate level results
> in the same issue.

This is not normal. Have you declared the RFC2307 unix attributes?
I do this (on my home network, but anyway, I have different users
with different privileges) and it works great.

If you absolutely don't want to use RFC2307, then you have to check
that all the users and groups got the same IDs on all your servers
(even though there are only two at the moment). This might work with
Winbind, too, but you have to do some configuration, too (too complicated
for me, I am also not an expert).

If you start using RFC2307*) you should add the Unix ID during the
creation of the user when you use samba-tool. You could also add
the Unix ID from Windows, but then you have to do it for every single
user by hand. I guess doing it by hand for the groups would be OK,
but not for the users - at least if you got hundreds of them. ;-)

Best regards
Peter

*) Do a new provisioning if possible. You can also fiddle the attributes
into an existing domain, but you have to manipulate the LDB database,
and this is not exactly fun.
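Peter's advice to check that every user and group resolves to the same numeric ID on all servers can be turned into a quick consistency check. The script below is an added example, not code from this thread or from the Samba project: it takes `getent group` (or `getent passwd`) output captured on two hosts and reports every name whose numeric ID differs or that is missing on one side. The `EXAMPLE` domain, the group names and the GIDs in the sample lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: compare numeric IDs in `getent group` / `getent passwd`
# output captured on two hosts. If the same AD group maps to different GIDs
# on the DC and on the member server, filesystem ACLs and smb.conf lists set
# for that group on one host do not match on the other, which is one way
# group-based authorization silently stops working.

# compare_ids FILE_A FILE_B
# Each file holds name:x:id:... lines. Prints one line per name that is
# missing on one host or carries a different id. Exit status 0 means every
# name resolves to the same id on both hosts, 1 means at least one mismatch.
compare_ids() {
    awk -F: '
        FNR == NR { a[$1] = $3; next }      # first file: id per name on host A
        { b[$1] = $3 }                      # second file: id per name on host B
        END {
            bad = 0
            for (n in a) {
                if (!(n in b)) { print n ": missing on host B"; bad = 1 }
                else if (a[n] != b[n]) { print n ": A=" a[n] " B=" b[n]; bad = 1 }
            }
            for (n in b) if (!(n in a)) { print n ": missing on host A"; bad = 1 }
            exit bad
        }' "$1" "$2"
}

# run_check "HOST_A_LINES" "HOST_B_LINES": writes the captured lines to temp
# files, runs compare_ids and returns its status (2 if mktemp fails).
run_check() {
    a=$(mktemp) || return 2
    b=$(mktemp) || return 2
    printf '%s\n' "$1" > "$a"
    printf '%s\n' "$2" > "$b"
    compare_ids "$a" "$b"
    rc=$?
    rm -f "$a" "$b"
    return $rc
}

# Constructed sample (hypothetical EXAMPLE domain): host A is a DC with
# RFC2307 gidNumber set; in the drifted case host B is a member server that
# allocated its own ids and also resolves a different set of groups.
CONSISTENT_A='EXAMPLE\domain users:x:10000:
EXAMPLE\fileshare-rw:x:10001:'
CONSISTENT_B="$CONSISTENT_A"
DRIFTED_B='EXAMPLE\domain users:x:3000000:
EXAMPLE\fileshare-ro:x:3000001:'

# consistent_case returns 0 (same ids on both hosts); drifted_case returns 1.
consistent_case() { run_check "$CONSISTENT_A" "$CONSISTENT_B"; }
drifted_case()    { run_check "$CONSISTENT_A" "$DRIFTED_B"; }

# Run with "demo" as the first argument to print both reports.
if [ "${1:-}" = "demo" ]; then
    echo "consistent hosts:"; consistent_case; echo "status=$?"
    echo "drifted hosts:";    drifted_case;    echo "status=$?"
fi
```

In practice you would replace the constructed strings with the real output of `getent group` (and `getent passwd`) saved from each server and call `compare_ids` on the two files; a non-zero status tells you the two hosts disagree on at least one mapping, and the printed lines say which names to fix before expecting ACLs or `valid users` entries to behave the same everywhere.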
Thomas Burger
2015-Jan-15 20:52 UTC
[Samba] Ubuntu SSSD Active Directory Authorization issue (group membership is not honored)
On 15.01.15 09:52, Peter Serbe wrote:
> On Tue, Jan 13, 2015 at 2:32 PM, Thomas Burger <tburger at eritron.de> wrote:
>
>> What works:
> ...
>> - getfacl / setfacl setting with domain object names.
>>
>> My issue:
>> Authorization is not working. For example:
>> - Write list / read list / valid users options in smb.conf are not
>> honored.
> ...
>> - Skipped the samba authorization and moved this to the filesystem level.
>> Set the acl to the appropriate AD groups with the appropriate level results
>> in the same issue.
> This is not normal. Have you declared the RFC2307 unix attributes?
> I do this (on my home network, but anyway, I have different users
> with different privileges) and it works great.
>
> If you absolutely don't want to use RFC2307, then you have to check
> that all the users and groups got the same IDs on all your servers
> (even though there are only two at the moment). This might work with
> Winbind, too, but you have to do some configuration, too (too complicated
> for me, I am also not an expert).
>
> If you start using RFC2307*) you should add the Unix ID during the
> creation of the user when you use samba-tool. You could also add
> the Unix ID from Windows, but then you have to do it for every single
> user by hand. I guess doing it by hand for the groups would be OK,
> but not for the users - at least if you got hundreds of them. ;-)
>
> Best regards
> Peter
>
> *) Do a new provisioning if possible. You can also fiddle the attributes
> into an existing domain, but you have to manipulate the LDB database,
> and this is not exactly fun.
>

First, thank you Peter, Ashishkumar and Hans-Kristian for your hints. I
will test them on the weekend and report results.

Peter, could you please explain how I can accomplish this:
>> This is not normal. Have you declared the RFC2307 unix attributes?
Is it working like described in the following article?
https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC

I was not aware that I need to do this since I am not using a Microsoft AD.
Provisioning a new AD forest is not comfortable but anything other than a
big issue because my environment is anything but large yet.

Everybody have a good one
Thomas
Rowland Penny
2015-Jan-15 21:00 UTC
[Samba] Ubuntu SSSD Active Directory Authorization issue (group membership is not honored)
On 15/01/15 20:52, Thomas Burger wrote:
> On 15.01.15 09:52, Peter Serbe wrote:
>> On Tue, Jan 13, 2015 at 2:32 PM, Thomas Burger <tburger at eritron.de>
>> wrote:
>>> What works:
>> ...
>>> - getfacl / setfacl setting with domain object names.
>>>
>>> My issue:
>>> Authorization is not working. For example:
>>> - Write list / read list / valid users options in smb.conf are not
>>> honored.
>> ...
>>> - Skipped the samba authorization and moved this to the filesystem
>>> level.
>>> Set the acl to the appropriate AD groups with the appropriate level
>>> results
>>> in the same issue.
>> This is not normal. Have you declared the RFC2307 unix attributes?
>> I do this (on my home network, but anyway, I have different users
>> with different privileges) and it works great.
>>
>> If you absolutely don't want to use RFC2307, then you have to check
>> that all the users and groups got the same IDs on all your servers
>> (even though there are only two at the moment). This might work with
>> Winbind, too, but you have to do some configuration, too (too complicated
>> for me, I am also not an expert).
>>
>> If you start using RFC2307*) you should add the Unix ID during the
>> creation of the user when you use samba-tool. You could also add
>> the Unix ID from Windows, but then you have to do it for every single
>> user by hand. I guess doing it by hand for the groups would be OK,
>> but not for the users - at least if you got hundreds of them. ;-)
>>
>> Best regards
>> Peter
>>
>> *) Do a new provisioning if possible. You can also fiddle the attributes
>> into an existing domain, but you have to manipulate the LDB database,
>> and this is not exactly fun.
>>
> First, thank you Peter, Ashishkumar and Hans-Kristian for your hints. I
> will test them on the weekend and report results.
>
> Peter, could you please explain how I can accomplish this:
>>> This is not normal. Have you declared the RFC2307 unix attributes?
> Is it working like described in the following article?
> https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
>
> I was not aware that I need to do this since I am not using a
> Microsoft AD.

For Samba4 Active Directory, read Microsoft AD, so you don't have to
provision anything else, you just need to learn how to properly use what
you already have.

Rowland

> Provisioning a new AD forest is not comfortable but anything other than
> a big issue because my environment is anything but large yet.
>
> Everybody have a good one
> Thomas
>