Tovey, Mark
2015-Oct-09 19:57 UTC
[Samba] Make a share owned by a service account available to members of an AD group
No joy. I added winbind to the passwd, shadow, and group lines and it is still not working. I also switched back to ad instead of rid (I deleted the Samba database files in /var/lib/samba and rejoined the domain when I switched), and still the same. If the account exists locally I can authenticate against AD and map the share. No local account and it fails.

-Mark

________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of John Yocum
Sent: Friday, October 9, 2015 12:37 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Make a share owned by a service account available to members of an AD group

On 10/09/2015 12:31 PM, Tovey, Mark wrote:
> The only way it seems to work is if I do have both the local and AD user with the same name. But my goal here is to not require that, to have the AD account only.
> I have applied Unix attributes to the users. testuser uidNumber = 30089 and gidNumber = 100. However, when I try to query with wbinfo, I was unable to look that up:
>
> wbinfo -i "DEVELOPMENT\testuser"
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>
> I get the same result regardless of whether the account is in the local passwd file or not.
> I switched to “rid” and now I can successfully query for the testuser account:
>
> wbinfo -i "DEVELOPMENT\testuser"
> testuser:*:36385:30513::/home/testuser:/bin/bash
>
> but the uidNumber and gidNumber do not match what is in AD. And it still will not allow the testuser account to map the share unless the account exists in the local passwd file. It is getting the password from AD, but only if the account exists in the local system too.
> -Mark
>
> ________________________________________________________________
> Mark Tovey - UNIX Engineer | Service Strategy & Design
> UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
> MTovey at go2uti.com | O / C +1 503 953-1389

Do you have winbind listed in your nsswitch.conf? If not, you'll need that so the OS itself will see the AD users.

--
John Yocum, Systems Administrator, DEOHS

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2015-Oct-09 20:15 UTC
[Samba] Make a share owned by a service account available to members of an AD group
On 09/10/15 20:57, Tovey, Mark wrote:
> No joy. I added winbind to the passwd, shadow, and group lines and it is still not working. I also switched back to ad instead of rid (I deleted the Samba database files in /var/lib/samba and rejoined the domain when I switched), and still the same. If the account exists locally I can authenticate against AD and map the share. No local account and it fails.
> -Mark
>
> ________________________________________________________________
> Mark Tovey - UNIX Engineer | Service Strategy & Design
> UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
> MTovey at go2uti.com | O / C +1 503 953-1389
>
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of John Yocum
> Sent: Friday, October 9, 2015 12:37 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Make a share owned by a service account available to members of an AD group
>
> On 10/09/2015 12:31 PM, Tovey, Mark wrote:
>> The only way it seems to work is if I do have both the local and AD user with the same name. But my goal here is to not require that, to have the AD account only.
>> I have applied Unix attributes to the users. testuser uidNumber = 30089 and gidNumber = 100. However, when I try to query with wbinfo, I was unable to look that up:
>>
>> wbinfo -i "DEVELOPMENT\testuser"
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>
>> I get the same result regardless of whether the account is in the local passwd file or not.
>> I switched to “rid” and now I can successfully query for the testuser account:
>>
>> wbinfo -i "DEVELOPMENT\testuser"
>> testuser:*:36385:30513::/home/testuser:/bin/bash
>>
>> but the uidNumber and gidNumber do not match what is in AD. And it still will not allow the testuser account to map the share unless the account exists in the local passwd file. It is getting the password from AD, but only if the account exists in the local system too.
>> -Mark
>>
>> ________________________________________________________________
>> Mark Tovey - UNIX Engineer | Service Strategy & Design
>> UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
>> MTovey at go2uti.com | O / C +1 503 953-1389
>>
>
> Do you have winbind listed in your nsswitch.conf? If not, you'll need that so the OS itself will see the AD users.
>
> --
> John Yocum, Systems Administrator, DEOHS

Until you can get 'getent passwd username' to return the user's info, it will never work, and I can assure you it will work if everything is set up correctly.

Can you post:

smb.conf
/etc/resolv.conf
/etc/krb5.conf
The result of 'net ads testjoin'

Rowland
Tovey, Mark
2015-Oct-09 21:42 UTC
[Samba] Make a share owned by a service account available to members of an AD group
Here is my configuration:

smb.conf:

[global]
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 500
log level = 3
workgroup = DEVTST-CORP
realm = DEVTST-CORP.GO2UTI.COM
security = ADS
password server = sinmdp04.devtst-corp.go2uti.com
passdb backend = tdbsam
domain master = no
local master = no
preferred master = no
disable netbios = yes
dns proxy = no
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 5000-29999
idmap config DEVTST-CORP:backend = ad
idmap config DEVTST-CORP:schema_mode = rfc2307
idmap config DEVTST-CORP:range = 30000-99999
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
winbind normalize names = Yes
map untrusted to domain = yes
map to guest = Bad Uid
guest account = nobody
load printers = no
printcap name = /dev/null
printing = bsd

[data]
path = /opt/app/data
read only = no
writable = yes
browseable = no
guest ok = yes
hide dot files = yes
hide special files = yes
force user = webserv
force group = webserv
create mask = 0644
directory mask = 0755
valid users = @DEVTST-CORP\smbgrp
write list = @DEVTST-CORP\smbgrp

resolv.conf:

domain devtst.go2uti.com
search devtst.go2uti.com devtst-corp.go2uti.com
nameserver 10.240.4.100
nameserver 10.254.4.125
nameserver 10.8.246.38

/krb5.conf:

[logging]
default = FILE:/var/log/samba/krb5libs.log
kdc = FILE:/var/log/samba/krb5kdc.log
admin_server = FILE:/var/log/samba/kadmind.log

[libdefaults]
default_realm = DEVTST-CORP.GO2UTI.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = true

[realms]
DEVTST-CORP.GO2UTI.COM = {
  kdc = sinmdp04.devtst-corp.go2uti.com:88
  admin_server = sinmdp04.devtst-corp.go2uti.com:749
  default_domain = DEVTST-CORP
}

[domain_realm]
.devtst-corp.go2uti.com = DEVTST-CORP.GO2UTI.COM
devtst-corp.go2uti.com = DEVTST-CORP.GO2UTI.COM

[appdefaults]
pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}

net ads testjoin:

Join is OK

________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389

Until you can get 'getent passwd username' to return the users info, it will never work and I can assure it will work if everything is setup correctly.

Can you post:

smb.conf
/etc/resolv.conf
/etc/krb5.conf
The result of 'net ads testjoin'

Rowland
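Rowland's test above is whether 'getent passwd username' returns the user, and the smb.conf just posted maps DEVTST-CORP with the ad backend over the range 30000-99999, while the AD attributes quoted earlier are uidNumber 30089 and gidNumber 100. The POSIX shell diagnostic below is an added example, not code from this thread or from Samba: it checks that the nsswitch.conf lines carry winbind, then compares an NSS passwd line with the AD attributes, flagging a uid that differs from uidNumber (the rid backend computes ids, ad reads them) and a uidNumber or primary gidNumber outside the domain's idmap range, which the ad backend requires for a user to be mapped at all. The nsswitch and passwd lines fed to it are constructed samples so it runs offline.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). On a real host call it as:
#   nss_has_winbind "$(cat /etc/nsswitch.conf)"
#   check_user "$(getent passwd testuser)" 30089 100 30000-99999
# (30089/100 are the AD attributes quoted in the thread; the range is the
#  "idmap config DEVTST-CORP:range" from the posted smb.conf.)

# Returns 0 only when passwd, group and shadow all list winbind.
nss_has_winbind() {          # $1 = nsswitch.conf contents as a string
  for db in passwd group shadow; do
    printf '%s\n' "$1" |
      grep -Eq "^[[:space:]]*$db:([[:space:]]*|.*[[:space:]])winbind([[:space:]]|$)" \
      || return 1
  done
  return 0
}

# Returns 0 when $1 is an integer inside the inclusive range $2 ("lo-hi").
in_range() {
  lo=${2%-*}; hi=${2#*-}
  [ "$1" -ge "$lo" ] 2>/dev/null && [ "$1" -le "$hi" ]
}

# $1 = passwd line from getent/wbinfo (empty if NSS found nothing)
# $2 = AD uidNumber, $3 = AD primary gidNumber, $4 = domain idmap range
# Prints each finding; returns 0 only when the line is what 'idmap ad' should give.
check_user() {
  uid=$(printf '%s' "$1" | cut -d: -f3)
  gid=$(printf '%s' "$1" | cut -d: -f4)
  [ -n "$uid" ] || { echo "no NSS entry: winbind is not answering lookups"; return 1; }
  rc=0
  [ "$uid" = "$2" ] || { echo "uid $uid != AD uidNumber $2 (rid backend, or stale cache?)"; rc=1; }
  [ "$gid" = "$3" ] || { echo "gid $gid != AD gidNumber $3"; rc=1; }
  in_range "$2" "$4" || { echo "uidNumber $2 is outside idmap range $4"; rc=1; }
  in_range "$3" "$4" || { echo "primary gidNumber $3 is outside idmap range $4: idmap ad will not map the user"; rc=1; }
  return $rc
}
```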