samba - Oct 2015 - Make a share owned by a service account available to members of an AD group

So I made the primary group for the testuser account be smbgrp, and it's
gidNumber is 30124.  Still nothing.  "getent passwd testuser" returns
nothing unless testuser is in the local passwd file, and then it returns the
attributes that are in the passwd file, not the AD system.
    Some time ago I put together a configuration that uses Linux SSSD to
communicate with AD.  That allows us to store user account information in AD and
authenticate against that.  No local account information is necessary.  It works
and does it quite well, but it is a bear to manage, so I try to avoid it (I am
planning on switching to an IPA based system instead of my roll-your-own
system).
    I was trying to build this Samba system independent of my SSSD system, but I
am wondering if I need to put that between Samba and AD.  That way Samba
won't know that it is using AD in the background and will just be using
local authentication mechanisms.
    Does anyone have any experience using Samba in conjunction with SSSD and can
offer any advice there?
    -Mark

________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
Sent: Friday, October 9, 2015 12:57 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Make a share owned by a service account available to
members of an AD group

On 09/10/15 20:31, Tovey, Mark wrote:
>      The only way it seems to work is if I do have both the local and AD
user with the same name.  But my goal here is to not require that, to have the
AD account only.
To do what you want you need to use winbind (other ways if doing it are
available, but this is the samba mailing list) and then use either the
'ad' or 'rid' backend, this way your AD users become Unix users.
>      I have applied Unix attributes to the users.  testuser uidNumber =
30089 and gidNumber = 100.  However, when I try to query with wbinfo, I was
unable to look that up:
>
> wbinfo -i "DEVELOPMENT\testuser"
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Two things, have you added a gidNumber to Domain Users ? (do not use 100, this
is the Unix users group and is outside the range set in
smb.conf) and you should be using getent not wbinfo. wbinfo works directly on
winbind, getent doesn't, try 'getent passwd testuser'
>
>      I get the same result regardless of if the account is in the local
passwd file or not.
>      I switched to “rid” and now I can successfully query for the testuser
account:
>
> wbinfo -i "DEVELOPMENT\testuser"
> testuser:*:36385:30513::/home/testuser:/bin/bash
>
>      but the uidNumber and gidNumber do not match what is in AD.
Using the 'rid' backend it never will, this is the beauty behind the
'ad' backend, you set the users uidNumber in AD and you will get that
number everywhere, but you also need to give Domain Users a gidNumber or winbind
will not work. whatever numbers you use *must* be inside the range you set in
smb.conf i.e. if you have 'idmap config EXAMPLE:range = 10000-99999' ,
your numbers must be above 9999 but below 100000.
>   And it still will not allow the testuser account to map the share unless
the account exists in the local passwd file.  It is getting the password from
AD, but only if the account exists in the local system too.
You need to remove any local users that you want to be in AD (oh and don't
try and get creative and put Unix system users in AD, they belong in
/etc/passwd) , run 'net cache flush' , run 'getent passwd
<ADuser>'
(replace <ADuser> with an AD username that has a uidNumber), if this
returns the users details, you should then be able to chown the share to belong
to the user.

Once you have got this far, I would suggest reading more on the samba wiki,
especially about creating shares and setting the ACLs

Rowland
>      -Mark
>
>

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

On 09/10/15 22:22, Tovey, Mark wrote:
>      So I made the primary group for the testuser account be smbgrp, and
it's gidNumber is 30124.  Still nothing.  "getent passwd testuser"
returns nothing unless testuser is in the local passwd file, and then it returns
the attributes that are in the passwd file, not the AD system.
It always will if you have a local user with the same name as an AD 
user, remove the local user.

On the Unix workstation:
Use the smb.conf from the member server page on the wiki (obviously 
change the realm etc to match yours)

On the DC:
create a new user (one that doesn't exist on the workstation), give that 
user the uidNumber '10000'
Give Domain Users the gidNumber '10000'

Back to the workstation:
flush the winbind cache with 'net flush cache'
run 'net ads testjoin' it should return 'Join is OK'

run 'getent passwd <theNewADuser>'

This should return something like 
'thenewaduser:*:10000:10000::/home/YOURDOMAIN/thenewaduser:/bin/false'

If it doesn't, then you have something else set incorrectly.

Rowland

>      Some time ago I put together a configuration that uses Linux SSSD to
communicate with AD.  That allows us to store user account information in AD and
authenticate against that.  No local account information is necessary.  It works
and does it quite well, but it is a bear to manage, so I try to avoid it (I am
planning on switching to an IPA based system instead of my roll-your-own
system).
>      I was trying to build this Samba system independent of my SSSD system,
but I am wondering if I need to put that between Samba and AD.  That way Samba
won't know that it is using AD in the background and will just be using
local authentication mechanisms.
>      Does anyone have any experience using Samba in conjunction with SSSD
and can offer any advice there?
>      -Mark
>
>
>

I looked into using SSSD in between Samba and AD, and it turns out that this is
very much an option and is recommended ... as long as I am using EL7.  I am
using EL6.  There is a new library, sssd-libwbclient, that creates the interface
between Samba and SSSD, but that appears in the SSSD release included with EL7. 
The same SSSD release is available for EL6, but for some reason it does not
include sssd-libwbclient.  We want to maintain support from our OS vendor, so I
need to stick with the version that comes bundled with the OS.  So I guess I
will need to see if I can get them to push it out.
    -Mark

________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
Sent: Friday, October 9, 2015 2:47 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Make a share owned by a service account available to
members of an AD group

On 09/10/15 22:22, Tovey, Mark wrote:
>      So I made the primary group for the testuser account be smbgrp, and
it's gidNumber is 30124.  Still nothing.  "getent passwd testuser"
returns nothing unless testuser is in the local passwd file, and then it returns
the attributes that are in the passwd file, not the AD system.
It always will if you have a local user with the same name as an AD user, remove
the local user.

On the Unix workstation:
Use the smb.conf from the member server page on the wiki (obviously change the
realm etc to match yours)

On the DC:
create a new user (one that doesn't exist on the workstation), give that
user the uidNumber '10000'
Give Domain Users the gidNumber '10000'

Back to the workstation:
flush the winbind cache with 'net flush cache'
run 'net ads testjoin' it should return 'Join is OK'

run 'getent passwd <theNewADuser>'

This should return something like
'thenewaduser:*:10000:10000::/home/YOURDOMAIN/thenewaduser:/bin/false'

If it doesn't, then you have something else set incorrectly.

Rowland

>      Some time ago I put together a configuration that uses Linux SSSD to
communicate with AD.  That allows us to store user account information in AD and
authenticate against that.  No local account information is necessary.  It works
and does it quite well, but it is a bear to manage, so I try to avoid it (I am
planning on switching to an IPA based system instead of my roll-your-own
system).
>      I was trying to build this Samba system independent of my SSSD system,
but I am wondering if I need to put that between Samba and AD.  That way Samba
won't know that it is using AD in the background and will just be using
local authentication mechanisms.
>      Does anyone have any experience using Samba in conjunction with SSSD
and can offer any advice there?
>      -Mark
>
>
>
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba