Tovey, Mark
2015-Oct-09 21:22 UTC
[Samba] Make a share owned by a service account available to members of an AD group
So I made the primary group for the testuser account be smbgrp, and its gidNumber is 30124. Still nothing. "getent passwd testuser" returns nothing unless testuser is in the local passwd file, and then it returns the attributes that are in the passwd file, not the AD system.

Some time ago I put together a configuration that uses Linux SSSD to communicate with AD. That allows us to store user account information in AD and authenticate against that. No local account information is necessary. It works and does it quite well, but it is a bear to manage, so I try to avoid it (I am planning on switching to an IPA based system instead of my roll-your-own system).

I was trying to build this Samba system independent of my SSSD system, but I am wondering if I need to put that between Samba and AD. That way Samba won't know that it is using AD in the background and will just be using local authentication mechanisms.

Does anyone have any experience using Samba in conjunction with SSSD and can offer any advice there?

-Mark

________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
Sent: Friday, October 9, 2015 12:57 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Make a share owned by a service account available to members of an AD group

On 09/10/15 20:31, Tovey, Mark wrote:
> The only way it seems to work is if I do have both the local and AD user with the same name. But my goal here is to not require that, to have the AD account only.

To do what you want you need to use winbind (other ways of doing it are available, but this is the samba mailing list) and then use either the 'ad' or 'rid' backend, this way your AD users become Unix users.

> I have applied Unix attributes to the users. testuser uidNumber = 30089 and gidNumber = 100. However, when I try to query with wbinfo, I was unable to look that up:
>
> wbinfo -i "DEVELOPMENT\testuser"
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND

Two things, have you added a gidNumber to Domain Users ? (do not use 100, this is the Unix users group and is outside the range set in smb.conf) and you should be using getent not wbinfo. wbinfo works directly on winbind, getent doesn't, try 'getent passwd testuser'

> I get the same result regardless of if the account is in the local passwd file or not.
> I switched to "rid" and now I can successfully query for the testuser account:
>
> wbinfo -i "DEVELOPMENT\testuser"
> testuser:*:36385:30513::/home/testuser:/bin/bash
>
> but the uidNumber and gidNumber do not match what is in AD.

Using the 'rid' backend it never will, this is the beauty behind the 'ad' backend, you set the users uidNumber in AD and you will get that number everywhere, but you also need to give Domain Users a gidNumber or winbind will not work. Whatever numbers you use *must* be inside the range you set in smb.conf i.e. if you have 'idmap config EXAMPLE:range = 10000-99999', your numbers must be above 9999 but below 100000.

> And it still will not allow the testuser account to map the share unless the account exists in the local passwd file. It is getting the password from AD, but only if the account exists in the local system too.

You need to remove any local users that you want to be in AD (oh and don't try and get creative and put Unix system users in AD, they belong in /etc/passwd), run 'net cache flush', run 'getent passwd <ADuser>' (replace <ADuser> with an AD username that has a uidNumber), if this returns the users details, you should then be able to chown the share to belong to the user.

Once you have got this far, I would suggest reading more on the samba wiki, especially about creating shares and setting the ACLs

Rowland

> -Mark
Rowland Penny
2015-Oct-09 21:47 UTC
[Samba] Make a share owned by a service account available to members of an AD group
On 09/10/15 22:22, Tovey, Mark wrote:
> So I made the primary group for the testuser account be smbgrp, and its gidNumber is 30124. Still nothing. "getent passwd testuser" returns nothing unless testuser is in the local passwd file, and then it returns the attributes that are in the passwd file, not the AD system.

It always will if you have a local user with the same name as an AD user, remove the local user.

On the Unix workstation:
Use the smb.conf from the member server page on the wiki (obviously change the realm etc to match yours)

On the DC:
create a new user (one that doesn't exist on the workstation), give that user the uidNumber '10000'
Give Domain Users the gidNumber '10000'

Back to the workstation:
flush the winbind cache with 'net flush cache'
run 'net ads testjoin' it should return 'Join is OK'
run 'getent passwd <theNewADuser>'
This should return something like 'thenewaduser:*:10000:10000::/home/YOURDOMAIN/thenewaduser:/bin/false'
If it doesn't, then you have something else set incorrectly.

Rowland

> Some time ago I put together a configuration that uses Linux SSSD to communicate with AD. That allows us to store user account information in AD and authenticate against that. No local account information is necessary. It works and does it quite well, but it is a bear to manage, so I try to avoid it (I am planning on switching to an IPA based system instead of my roll-your-own system).
> I was trying to build this Samba system independent of my SSSD system, but I am wondering if I need to put that between Samba and AD. That way Samba won't know that it is using AD in the background and will just be using local authentication mechanisms.
> Does anyone have any experience using Samba in conjunction with SSSD and can offer any advice there?
> -Mark
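The two conditions Rowland's advice in this thread comes down to (the AD uidNumber/gidNumber must sit inside the smb.conf idmap range, and no local passwd entry may share the AD user's name, or getent answers from /etc/passwd instead of AD) as an added shell example that is not from the thread or from the Samba project. The smb.conf fragment and the /etc/passwd lines are constructed samples and EXAMPLE is an assumed domain name; the checks read only those samples, so nothing here touches a live system.

```shell
#!/bin/sh
# Added example, not from the thread: pre-checks for the two pitfalls Rowland
# describes before chowning the share to an AD user.

# Constructed smb.conf fragment (assumed domain EXAMPLE, 'ad' backend).
SMB_CONF='[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-99999'

# Constructed /etc/passwd sample: a leftover local "testuser" shadows the AD one.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
testuser:x:1001:1001::/home/testuser:/bin/bash'

# idmap_range DOMAIN -> prints "LOW HIGH" taken from "idmap config DOMAIN : range".
idmap_range() {
    printf '%s\n' "$SMB_CONF" | awk -F'=' -v dom="$1" '
        /^[ \t]*idmap config/ {
            key = $1; sub(/^[ \t]*idmap config[ \t]*/, "", key); gsub(/[ \t]/, "", key)
            if (key == (dom ":range")) { v = $2; gsub(/[ \t]/, "", v); sub(/-/, " ", v); print v }
        }'
}

# in_idmap_range DOMAIN NUMBER -> true when NUMBER lies inside DOMAIN's range.
in_idmap_range() {
    set -- "$1" "$2" $(idmap_range "$1")
    [ -n "$3" ] && [ "$2" -ge "$3" ] && [ "$2" -le "$4" ]
}

# shadowed_locally NAME -> true when a local passwd entry has the same name.
shadowed_locally() {
    printf '%s\n' "$PASSWD_SAMPLE" | grep -q "^$1:"
}

# check_ad_user DOMAIN NAME UID GID -> 0 only if nothing shadows NAME and both
# numbers are inside DOMAIN's idmap range; each failing condition is reported.
check_ad_user() {
    ok=0
    shadowed_locally "$2" && { echo "$2: local passwd entry shadows the AD account, remove it" >&2; ok=1; }
    in_idmap_range "$1" "$3" || { echo "$2: uidNumber $3 is outside the idmap range for $1" >&2; ok=1; }
    in_idmap_range "$1" "$4" || { echo "$2: gidNumber $4 is outside the idmap range for $1" >&2; ok=1; }
    return $ok
}

check_ad_user EXAMPLE testuser 30089 100 || echo "testuser: fix the above before chown" >&2
check_ad_user EXAMPLE thenewaduser 10000 10000 && echo "thenewaduser: ready for chown"
```

On a real member server the same checks would read /etc/samba/smb.conf and /etc/passwd instead of the embedded samples, and gidNumber 100 fails for exactly the reason Rowland gives: it is below the 10000 floor of the domain's range.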
Tovey, Mark
2015-Oct-11 04:26 UTC
[Samba] Make a share owned by a service account available to members of an AD group
I looked into using SSSD in between Samba and AD, and it turns out that this is very much an option and is recommended ... as long as I am using EL7. I am using EL6. There is a new library, sssd-libwbclient, that creates the interface between Samba and SSSD, but that appears in the SSSD release included with EL7. The same SSSD release is available for EL6, but for some reason it does not include sssd-libwbclient. We want to maintain support from our OS vendor, so I need to stick with the version that comes bundled with the OS. So I guess I will need to see if I can get them to push it out.

-Mark