Tovey, Mark
2015-Oct-08  22:20 UTC
[Samba] Make a share owned by a service account available to members of an AD group
I have a requirement where I need to make a directory tree on a Linux system
available to a group of users that authenticate against an AD system.  I have
successfully joined my system to our AD domain and I am able to manage access to
a share with a security group in AD, so long as the group members also have
accounts on the Linux system.  I need to be able to set it up so that the user
accounts do not need to exist on the Linux system, simply adding them to the AD
security group is enough to grant them access to the share (providing that they
properly authenticate).  In addition, I want to map the members of the AD group
to a specific account that is on the Linux server, and this account will be the
owner of the share's directory tree and its contents.
    The goal here is for application management.  The members of the AD group
will be moving documents into and out of the application, and the application
needs to be able to read and write to the share.  So far I have not been able to
get the group members to application account mapping to function.
    One other requirement is that I need to be able to support multiple shares on
one server, each with a different owner, so setting guest account to an
application account is not going to work.
    Below is the configuration I have cobbled together from various posts and
from reading the documentation:
[global]
        server string = Samba Server Version %v
        log file = /var/log/samba/log.%m
        max log size = 500
        log level = 3
        workgroup = DEVELOPMENT
        realm = DEVELOPMENT.MYDOMAIN.COM
        security = ADS
        password server = adserv.development.go2uti.com
        passdb backend = tdbsam
        domain master = no
        local master = no
        preferred master = no
        disable netbios = yes
        dns proxy = no
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        idmap config *:backend = tdb
        idmap config *:range = 5000-50000
        idmap config DEVELOPMENT:backend = ad
        idmap config DEVELOPMENT:schema_mode = rfc2307
        idmap config DEVELOPMENT:range = 10000-99999
        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = Yes
        winbind normalize names = Yes
        map untrusted to domain = yes
        map to guest = Bad Uid
        username map = /etc/samba/users.map
        load printers = no
        printcap name = /dev/null
        printing = bsd
[data]
        path = /opt/app/data
        read only = no
        writable = yes
        browseable = no
        hide dot files = yes
        hide special files = yes
        valid users = @DEVELOPMENT\smbgrp
        write list = @DEVELOPMENT\smbgrp
    And the contents of the users.map file:
appacct = @DEVELOPMENT\smbgrp
    I am using Samba 4.0.0 on an OEL 6.5 server (RHEL 6.5 equivalent).
    Any help will be greatly appreciated.
    Thanks,
    -Mark
________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi<http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland |
Oregon | 97204 | USA
MTovey at go2uti.com<mailto:MTovey at go2uti.com> | O / C +1 503 953-1389
Tovey, Mark
2015-Oct-08  23:12 UTC
[Samba] Make a share owned by a service account available to members of an AD group
Okay, I went through the smb.conf documentation one more time and noticed the
"force owner" and "force group" options (don't know why
I didn't see those before).  That eliminated the need to map members of the
AD group to the application account.  Now any files uploaded by any user into
the share are owned by the application account.
    But I still have to have the group member accounts on the Linux server.  It
looks like the "map to guest = Bad Uid" option should fix that but it
doesn't seem to be doing so.  Does anyone have any ideas?
    Thanks,
    -Mark
Rowland Penny
2015-Oct-09  08:18 UTC
[Samba] Make a share owned by a service account available to members of an AD group
On 08/10/15 23:20, Tovey, Mark wrote:
> [...]
>          idmap config *:backend = tdb
>          idmap config *:range = 5000-50000
>          idmap config DEVELOPMENT:backend = ad
>          idmap config DEVELOPMENT:schema_mode = rfc2307
>          idmap config DEVELOPMENT:range = 10000-99999

Let's deal with this problem first: the first range (*) is for the well-known
RIDs, the second (DEVELOPMENT) is for your users & groups.
These ranges must *not* overlap, yours do!

Rowland
> [...]
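Rowland's rule (the default `*` range and every per-domain range must be disjoint) is easy to check mechanically before restarting winbind. The checker below is an added example, not code from this thread or from Samba; it parses only the `idmap config <domain>:range` lines of an smb.conf and uses the two range pairs that appear in this thread as constructed input.

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment: the idmap lines from the original post.
# The * range (5000-50000) and the DEVELOPMENT range (10000-99999) overlap.
SMB_CONF_ORIGINAL = """
[global]
        idmap config *:backend = tdb
        idmap config *:range = 5000-50000
        idmap config DEVELOPMENT:backend = ad
        idmap config DEVELOPMENT:schema_mode = rfc2307
        idmap config DEVELOPMENT:range = 10000-99999
"""

# Constructed fragment with the disjoint ranges Mark posted after the fix.
SMB_CONF_FIXED = """
[global]
        idmap config *:backend = tdb
        idmap config *:range = 5000-29999
        idmap config DEVELOPMENT:backend = ad
        idmap config DEVELOPMENT:range = 30000-99999
"""

# Matches "idmap config <domain>:range = <low>-<high>". smb.conf keys are
# case-insensitive and whitespace around '=' and '-' is tolerated.
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*range\s*=\s*"
    r"(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain: (low, high)} for every idmap range line in conf.
    Comment lines (# or ;) are skipped, as smbd skips them."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = RANGE_RE.match(line)
        if m:
            lo, hi = int(m.group("lo")), int(m.group("hi"))
            if lo > hi:
                raise ValueError(f"inverted range for {m.group('dom')}: {lo}-{hi}")
            ranges[m.group("dom")] = (lo, hi)
    return ranges


def find_overlaps(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Return sorted (domA, domB) pairs whose ID ranges intersect."""
    doms = sorted(ranges)
    overlaps = []
    for i, a in enumerate(doms):
        lo_a, hi_a = ranges[a]
        for b in doms[i + 1:]:
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:   # closed intervals intersect
                overlaps.append((a, b))
    return overlaps


def check_idmap(conf: str) -> List[str]:
    """Return a list of problems; an empty list means the ranges are
    consistent with the rule stated in the reply above."""
    problems = []
    ranges = parse_idmap_ranges(conf)
    if "*" not in ranges:
        problems.append("no 'idmap config *:range' (default backend) defined")
    for a, b in find_overlaps(ranges):
        problems.append(f"ranges for '{a}' and '{b}' overlap: "
                        f"{ranges[a][0]}-{ranges[a][1]} vs {ranges[b][0]}-{ranges[b][1]}")
    return problems


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/samba/smb.conf"
    with open(path) as fh:
        for p in check_idmap(fh.read()) or ["idmap ranges OK"]:
            print(p)
```

Run it against a live smb.conf with `python3 idmap_check.py /etc/samba/smb.conf`; `testparm -s` is still the authoritative syntax check for everything else in the file.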
Tovey, Mark
2015-Oct-09  17:54 UTC
[Samba] Make a share owned by a service account available to members of an AD group
Got it.  I changed that section as follows:
        idmap config *:backend = tdb
        idmap config *:range = 5000-29999
        idmap config DEVELOPMENT:backend = ad
        idmap config DEVELOPMENT:schema_mode = rfc2307
        idmap config DEVELOPMENT:range = 30000-99999
    It did not change the “map to guest = Bad Uid” issue, however.  The error I
see in the log file is “check_ntlm_password:  Authentication for user [testuser]
-> [testuser] FAILED with error NT_STATUS_NO_SUCH_USER”.  If I add the
testuser account to the Linux system’s passwd file, then I see
“check_ntlm_password:  authentication for user [testuser] -> [testuser] ->
[testuser] succeeded”.  The testuser account does not have a password on the
Linux system, the password exists only in the AD system.  So, I am able to map
the share to my workstation using the testuser account only when the testuser
account exists in both the AD system and the Linux system, which is what I am
trying to avoid.  I want to have the testuser account be in the AD system only.
    The documentation for “map to guest = Bad Uid” states: “user logins which
are successfully authenticated but which have no valid Unix user account should
be mapped to the defined guest account.”  The guest account is set to “nobody”
and it does exist in the passwd file, but the mapping does not seem to be
occurring.  Am I misunderstanding the meaning here?  Or perhaps how the guest
account functions?
    -Mark
Tovey, Mark
2015-Oct-09  18:04 UTC
[Samba] Make a share owned by a service account available to members of an AD group
And just to be sure, I added “guest ok = yes” to the share configuration and
testuser still cannot map the share unless it has a valid account on the Linux
server.
    -Mark