I am running Samba 4.1.12 with SSSD 1.12.2 on RHEL 7.1. I have joined my system to a Win 2008r2 domain. I have added the necessary unix attributes to all relevant users and groups. When I add a domain group to a directory, either as the primary group or as an ACL, I can access the share locally from the server, but cannot access the share from a Windows system via the SMB share. If I change the account primary group on our domain controller, then everything works. Basically, the only domain group that Samba allows is Domain Users since that is the default primary group on our accounts.

Kerberos tickets are successfully generated and test LDAP queries run successfully.

> getent group netmon_deviceconfigs
netmon_deviceconfigs:*:16784931:nkuser,wkadmin,nkadmin,wkuser

> getent passwd nkuser
nkuser:*:16781645:16777729:K, Nick:/home/USERS/nkuser:/bin/bash

> getent group Domain\ Users
domain users:*:16777729:nkuser,cdscan20,cdscan19,cdscan18,.....

Anybody have any recommendations? I've been buried in this for two days! :) Configs are below:

#!=============================================================
sssd.conf
#!=============================================================
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam, pac

[domain/mydomain.com]
ad_server = dc01.mydomain.com
ad_domain = mydomain.com
krb5_realm = MYDOMAIN.COM
cache_credentials = True
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
ldap_schema = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
fallback_homedir = /home/%d/%u
ldap_search_base = dc=mydomain,dc=com?subtree?
ldap_group_search_base = dc=mydomain,dc=com?subtree?(objectClass=group)
ldap_user_search_base = dc=mydomain,dc=com?subtree?(objectClass=user)
ldap_group_member = member

#!=============================================================
smb.conf
#!=============================================================
# ----------------------- Network-Related Options -------------------------
workgroup = MYWORKGROUP
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
netbios name = MGMT01
# ----------------------- Domain Members Options ------------------------
security = ads
realm = MYDOMAIN.COM
# ----------------------- Share Definitions -------------------------
[homes]
comment = Home Directories
browseable = no
writable = yes
create mask = 0660
directory mask = 0770
[share]
browseable = yes
writeable = yes
path = /var/shared
inherit permissions = no
inherit acls = yes
inherit owner = no
acl group control = yes

#!=============================================================
krb5.conf
#!=============================================================
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
MYDOMAIN.COM = {
kdc = dc01.mydomain.com
admin_server = dc01.mydomain.com
}

[domain_realm]
mydomain.com = MYDOMAIN.COM
.mydomain.com = MYDOMAIN.COM
On 02/07/15 15:06, Nick K wrote:
> I am running Samba 4.1.12 with SSSD 1.12.2 on RHEL 7.1. I have joined my
> system to a Win 2008r2 domain. I have added the necessary unix attributes
> to all relevant users and groups. When I add a domain group to a
> directory, either as the primary group or as an ACL, I can access the share
> locally from the server, but cannot access the share from a Windows system
> via the SMB share. If I change the account primary group on our domain
> controller, then everything works. Basically, the only domain group that
> Samba allows is Domain Users since that is the default primary group on our
> accounts.
>
> [...]

Have a look here:
https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs

Rowland
On 02/07/15 16:17, Nick K wrote:
> Thanks. I did see this article once and have added the config
> options to my smb.conf with no difference. This article is centered
> around ACLs, but my issue isn't specific to ACLs. Whether I set an
> ACL (setfacl) or change the directory's group ownership (chown), it
> only works with Domain Users or whatever group an account has set
> as their primary group in Active Directory. This only seems to be
> the case from Windows systems accessing the SMB share. From the
> Linux shell, permissions work perfectly whether they are local or
> domain groups.
>
> Nick
>
> On Thu, Jul 2, 2015 at 10:27 AM, Rowland Penny
> <rowlandpenny241155 at gmail.com> wrote:
>
>     On 02/07/15 15:06, Nick K wrote:
>     > I am running Samba 4.1.12 with SSSD 1.12.2 on RHEL 7.1. I have
>     > joined my system to a Win 2008r2 domain. I have added the necessary
>     > unix attributes to all relevant users and groups. When I add a
>     > domain group to a directory, either as the primary group or as an
>     > ACL, I can access the share locally from the server, but cannot
>     > access the share from a Windows system via the SMB share. If I
>     > change the account primary group on our domain controller, then
>     > everything works. Basically, the only domain group that Samba allows
>     > is Domain Users since that is the default primary group on our
>     > accounts.
>     >
>     > [...]
>
>     Have a look here:
>     https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>
>     Rowland

You should either use Unix permissions or Windows ACLs, don't try and use both. If you only have Windows users, set 'acl_xattr:ignore system acl = yes' and only set the permissions from Windows.

Rowland
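Rowland's "one or the other" advice, made checkable. The script below is an added example, not code from Samba, from the wiki page linked above, or from anyone in this thread. It parses an smb.conf with Python's configparser and classifies each share: "unix" (no vfs_acl_xattr, so POSIX mode bits and setfacl decide access), "windows" (vfs_acl_xattr loaded and nothing POSIX-side set), or "mixed" (vfs_acl_xattr loaded next to options such as inherit acls, acl group control or the masks), which is the state the reply warns against. The option names it looks for (vfs objects, map acl inherit, store dos attributes, acl_xattr:ignore system acl) are real Samba parameters; the three sample configs are constructed for the example, the first modelled on the [share] stanza from the original post, the last being the Windows-ACL-only shape the reply recommends.

```python
"""Lint smb.conf shares for the Unix-permissions-vs-Windows-ACLs mix-up.

Added example (not Samba project code). Classifies each share as
  unix    - no vfs_acl_xattr; POSIX mode bits / setfacl decide access
  windows - vfs_acl_xattr loaded and no POSIX-side permission options set
  mixed   - vfs_acl_xattr loaded next to options like 'acl group control'
The sample configs are constructed for this example.
"""
import configparser
from typing import Dict, List

# Share options that only make sense when POSIX permissions are authoritative.
UNIX_PERMISSION_OPTIONS = (
    "inherit permissions", "inherit owner", "inherit acls", "acl group control",
    "create mask", "directory mask", "force create mode", "force directory mode",
    "force user", "force group",
)

# Constructed: roughly the [share] from the original post, plus a [global] header.
POSIX_SHARE_CONF = """
[global]
workgroup = MYWORKGROUP
security = ads
realm = MYDOMAIN.COM

[share]
browseable = yes
writeable = yes
path = /var/shared
inherit permissions = no
inherit acls = yes
inherit owner = no
acl group control = yes
"""

# Constructed: the same share after bolting vfs_acl_xattr on top of it.
MIXED_SHARE_CONF = POSIX_SHARE_CONF + "vfs objects = acl_xattr\n"

# Constructed: Windows-ACL-only share in the shape the reply recommends.
WINDOWS_ACL_SHARE_CONF = """
[global]
workgroup = MYWORKGROUP
security = ads
realm = MYDOMAIN.COM

[share]
path = /var/shared
read only = no
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
acl_xattr:ignore system acl = yes
"""


def load_smb_conf(text: str) -> configparser.ConfigParser:
    """Parse smb.conf text. Only '=' splits key from value, because option
    names such as acl_xattr:ignore system acl contain ':'."""
    cp = configparser.ConfigParser(
        delimiters=("=",), comment_prefixes=("#", ";"), inline_comment_prefixes=None,
        interpolation=None,  # smb.conf uses %U, %d, ... which are not configparser syntax
        strict=False,        # a key repeated inside a share is not a parse error in Samba
    )
    cp.read_string(text)
    return cp


def _yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1", "on")


def classify_share(cp: configparser.ConfigParser, share: str) -> Dict[str, object]:
    """Classify one share and list the options that conflict with its model."""
    def get(opt: str) -> str:  # share-level value, then [global], then empty
        for section in (share, "global"):
            if cp.has_option(section, opt):
                return cp.get(section, opt)
        return ""

    unix_opts = [o for o in UNIX_PERMISSION_OPTIONS if cp.has_option(share, o)]
    notes: List[str] = []
    if "acl_xattr" in get("vfs objects").split():
        model = "mixed" if unix_opts else "windows"
        for opt in ("map acl inherit", "store dos attributes"):
            if not _yes(get(opt)):
                notes.append(f"'{opt} = yes' is missing")
        if not _yes(get("acl_xattr:ignore system acl")):
            notes.append("'acl_xattr:ignore system acl = yes' is missing; the POSIX ACL is still in play")
    else:
        model, unix_opts = "unix", []  # POSIX is the only model, so nothing conflicts
    return {"share": share, "model": model, "conflicts": unix_opts, "notes": notes}


def lint(text: str) -> List[str]:
    """One finding per problem, across every share in the config."""
    cp = load_smb_conf(text)
    findings: List[str] = []
    for share in cp.sections():
        if share == "global":
            continue
        r = classify_share(cp, share)
        if r["model"] == "mixed":
            findings.append(f"[{share}] mixes Windows ACLs with Unix options: {', '.join(r['conflicts'])}")
        findings.extend(f"[{share}] {n}" for n in r["notes"])
    return findings


if __name__ == "__main__":
    for name, conf in (("posix", POSIX_SHARE_CONF), ("mixed", MIXED_SHARE_CONF),
                       ("windows", WINDOWS_ACL_SHARE_CONF)):
        print(name, lint(conf) or "ok")
```

Run it against the real file with `lint(open("/etc/samba/smb.conf").read())`. A "mixed" share is the case to fix first: either drop vfs_acl_xattr and manage permissions with chown/setfacl, or drop the POSIX-side options, set the three acl_xattr lines, and manage permissions only from the Windows security tab, as the reply says.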