Tovey, Mark
2015-Oct-09  21:42 UTC
[Samba] Make a share owned by a service account available to members of an AD group
Here is my configuration:
smb.conf:
[global]
        server string = Samba Server Version %v
        log file = /var/log/samba/log.%m
        max log size = 500
        log level = 3
        workgroup = DEVTST-CORP
        realm = DEVTST-CORP.GO2UTI.COM
        security = ADS
        password server = sinmdp04.devtst-corp.go2uti.com
        passdb backend = tdbsam
        domain master = no
        local master = no
        preferred master = no
        disable netbios = yes
        dns proxy = no
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        idmap config *:backend = tdb
        idmap config *:range = 5000-29999
        idmap config DEVTST-CORP:backend = ad
        idmap config DEVTST-CORP:schema_mode = rfc2307
        idmap config DEVTST-CORP:range = 30000-99999
        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users  = yes
        winbind enum groups = yes
        winbind refresh tickets = Yes
        winbind normalize names = Yes
        map untrusted to domain = yes
        map to guest = Bad Uid
        guest account = nobody
        load printers = no
        printcap name = /dev/null
        printing = bsd
[data]
        path = /opt/app/data
        read only = no
        writable = yes
        browseable = no
        guest ok = yes
        hide dot files = yes
        hide special files = yes
        force user = webserv
        force group = webserv
        create mask = 0644
        directory mask = 0755
        valid users = @DEVTST-CORP\smbgrp
        write list = @DEVTST-CORP\smbgrp
resolv.conf:
domain devtst.go2uti.com
search devtst.go2uti.com devtst-corp.go2uti.com
nameserver 10.240.4.100
nameserver 10.254.4.125
nameserver 10.8.246.38
/krb5.conf:
[logging]
  default = FILE:/var/log/samba/krb5libs.log
  kdc = FILE:/var/log/samba/krb5kdc.log
  admin_server = FILE:/var/log/samba/kadmind.log
[libdefaults]
  default_realm = DEVTST-CORP.GO2UTI.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  forwardable = true
[realms]
  DEVTST-CORP.GO2UTI.COM = {
    kdc = sinmdp04.devtst-corp.go2uti.com:88
    admin_server = sinmdp04.devtst-corp.go2uti.com:749
    default_domain = DEVTST-CORP
  }
[domain_realm]
  .devtst-corp.go2uti.com = DEVTST-CORP.GO2UTI.COM
  devtst-corp.go2uti.com = DEVTST-CORP.GO2UTI.COM
[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
}
net ads testjoin:
Join is OK
________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389
Until you can get 'getent passwd username' to return the user's info, it
will never work, and I can assure you it will work if everything is set up correctly.
Can you post:
smb.conf
/etc/resolv.conf
/etc/krb5.conf
The result of 'net ads testjoin'
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Rowland Penny
2015-Oct-09  21:54 UTC
[Samba] Make a share owned by a service account available to members of an AD group
On 09/10/15 22:42, Tovey, Mark wrote:
> Here is my configuration:
>
> smb.conf:
>
> [global]
>          server string = Samba Server Version %v
>
>          log file = /var/log/samba/log.%m
>          max log size = 500
>
>          log level = 3
>
>          workgroup = DEVTST-CORP
>          realm = DEVTST-CORP.GO2UTI.COM
>          security = ADS
Remove these lines
         password server = sinmdp04.devtst-corp.go2uti.com
         passdb backend = tdbsam
>
>          domain master = no
>          local master = no
>          preferred master = no
>
>          disable netbios = yes
>          dns proxy = no
>
>          dedicated keytab file = /etc/krb5.keytab
>          kerberos method = secrets and keytab
>
>          idmap config *:backend = tdb
>          idmap config *:range = 5000-29999
>          idmap config DEVTST-CORP:backend = ad
>          idmap config DEVTST-CORP:schema_mode = rfc2307
>          idmap config DEVTST-CORP:range = 30000-99999
>
>          winbind nss info = rfc2307
>          winbind trusted domains only = no
>          winbind use default domain = yes
>          winbind enum users = yes
>          winbind enum groups = yes
>          winbind refresh tickets = Yes
>          winbind normalize names = Yes
>
>          map untrusted to domain = yes
>          map to guest = Bad Uid
>          guest account = nobody
>
>          load printers = no
>          printcap name = /dev/null
>          printing = bsd
>
>
> [data]
>          path = /opt/app/data
>          read only = no
>          writable = yes
>          browseable = no
>          guest ok = yes
>          hide dot files = yes
>          hide special files = yes
>          force user = webserv
>          force group = webserv
>          create mask = 0644
>          directory mask = 0755
>          valid users = @DEVTST-CORP\smbgrp
>          write list = @DEVTST-CORP\smbgrp
>
>
> resolv.conf:
>
> domain devtst.go2uti.com
> search devtst.go2uti.com devtst-corp.go2uti.com
>
> nameserver 10.240.4.100
> nameserver 10.254.4.125
> nameserver 10.8.246.38
>
Remove the domain line from resolv.conf and any of the nameserver lines that
isn't the AD DC
> /krb5.conf:
>
> [logging]
>    default = FILE:/var/log/samba/krb5libs.log
>    kdc = FILE:/var/log/samba/krb5kdc.log
>    admin_server = FILE:/var/log/samba/kadmind.log
>
> [libdefaults]
>    default_realm = DEVTST-CORP.GO2UTI.COM
>    dns_lookup_realm = false
>    dns_lookup_kdc = false
>    ticket_lifetime = 24h
>    forwardable = true
>
> [realms]
>    DEVTST-CORP.GO2UTI.COM = {
>      kdc = sinmdp04.devtst-corp.go2uti.com:88
>      admin_server = sinmdp04.devtst-corp.go2uti.com:749
>      default_domain = DEVTST-CORP
>    }
>
> [domain_realm]
>    .devtst-corp.go2uti.com = DEVTST-CORP.GO2UTI.COM
>    devtst-corp.go2uti.com = DEVTST-CORP.GO2UTI.COM
>
> [appdefaults]
>    pam = {
>      debug = false
>      ticket_lifetime = 36000
>      renew_lifetime = 36000
>
>      forwardable = true
>      krb4_convert = false
> }
>
change krb5.conf to just this:
[libdefaults]
   default_realm = DEVTST-CORP.GO2UTI.COM
   dns_lookup_realm = false
   dns_lookup_kdc = true
> net ads testjoin:
> Join is OK
>
Rowland
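The checks Rowland asks for can be scripted so they are repeatable on the next member server. The script below is an added example, not from this thread and not part of Samba: it flags the smb.conf, resolv.conf and krb5.conf settings he says to remove or change on a `security = ADS` member, then runs the `getent passwd` test he says must pass before anything else will. The file paths, the DC address and the user name are arguments; none of the values are taken from a real host.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba's own code): lint an AD member
# server's config against Rowland's advice, then test NSS resolution of an AD user.

# Flag the [global] settings Rowland says to remove on a 'security = ADS'
# member server. Returns 1 if any are present, 0 if the file is clean.
lint_smb_conf() {
    conf=$1
    found=0
    for key in 'password server' 'passdb backend'; do
        if grep -Eiq "^[[:space:]]*${key}[[:space:]]*=" "$conf"; then
            echo "smb.conf: remove '$key'"
            found=1
        fi
    done
    return $found
}

# Flag a 'domain' line and any nameserver that is not the AD DC ($2).
# Returns 1 if anything was flagged.
lint_resolv_conf() {
    conf=$1
    dc_ip=$2
    rc=0
    if grep -Eq '^[[:space:]]*domain[[:space:]]' "$conf"; then
        echo "resolv.conf: remove the 'domain' line"
        rc=1
    fi
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$conf"); do
        if [ "$ns" != "$dc_ip" ]; then
            echo "resolv.conf: nameserver $ns is not the AD DC ($dc_ip)"
            rc=1
        fi
    done
    return $rc
}

# Rowland's minimal krb5.conf relies on DNS SRV records to find the KDC,
# so 'dns_lookup_kdc = false' is flagged. Returns 1 if it is set to false.
lint_krb5_conf() {
    conf=$1
    if grep -Eiq '^[[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*false' "$conf"; then
        echo "krb5.conf: set 'dns_lookup_kdc = true'"
        return 1
    fi
    return 0
}

# The test Rowland insists on: the AD account must resolve through NSS
# (winbind) without a local /etc/passwd entry. Returns getent's verdict.
check_nss_user() {
    user=$1
    if getent passwd "$user" >/dev/null 2>&1; then
        echo "getent passwd $user: OK"
        return 0
    fi
    echo "getent passwd $user: not found; winbind is not resolving AD users"
    return 1
}

# Stand-alone use (placeholders, not values from this thread):
#   sh lint_ad_member.sh /etc/samba/smb.conf /etc/resolv.conf <DC-IP> /etc/krb5.conf <aduser>
if [ $# -eq 5 ]; then
    status=0
    lint_smb_conf "$1"         || status=1
    lint_resolv_conf "$2" "$3" || status=1
    lint_krb5_conf "$4"        || status=1
    check_nss_user "$5"        || status=1
    exit $status
fi
```

Each function prints what to change and returns non-zero, so the exit status alone says whether the host matches the wiki-style configuration Rowland describes; run it after `net ads testjoin` reports "Join is OK", since a clean join with a failing `getent` is exactly the symptom in this thread.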
Tovey, Mark
2015-Oct-11  04:16 UTC
[Samba] Make a share owned by a service account available to members of an AD group
I made my configuration look identical to what is in the Samba Wiki, and still
the same results: everything works perfectly as long as the user account is in
both AD and the local passwd file.  If I remove the account from the local
passwd file, I cannot map the share.
    While looking around, I encountered this:
https://bugzilla.samba.org/show_bug.cgi?id=9862.  This bug refers to Samba 4.1
and above, but the description very closely matches what I am encountering.  I
think this is what I am up against now.
    So, I guess I just have to put the user accounts into both systems until the
patch can be rolled into the vendor released version I am using.
    -Mark
________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
Sent: Friday, October 9, 2015 2:55 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Make a share owned by a service account available to
members of an AD group
On 09/10/15 22:42, Tovey, Mark wrote:
> Here is my configuration:
>
> smb.conf:
>
> [global]
>          server string = Samba Server Version %v
>
>          log file = /var/log/samba/log.%m
>          max log size = 500
>
>          log level = 3
>
>          workgroup = DEVTST-CORP
>          realm = DEVTST-CORP.GO2UTI.COM
>          security = ADS
Remove these lines
         password server = sinmdp04.devtst-corp.go2uti.com
         passdb backend = tdbsam
>
>          domain master = no
>          local master = no
>          preferred master = no
>
>          disable netbios = yes
>          dns proxy = no
>
>          dedicated keytab file = /etc/krb5.keytab
>          kerberos method = secrets and keytab
>
>          idmap config *:backend = tdb
>          idmap config *:range = 5000-29999
>          idmap config DEVTST-CORP:backend = ad
>          idmap config DEVTST-CORP:schema_mode = rfc2307
>          idmap config DEVTST-CORP:range = 30000-99999
>
>          winbind nss info = rfc2307
>          winbind trusted domains only = no
>          winbind use default domain = yes
>          winbind enum users  = yes
>          winbind enum groups = yes
>          winbind refresh tickets = Yes
>          winbind normalize names = Yes
>
>          map untrusted to domain = yes
>          map to guest = Bad Uid
>          guest account = nobody
>
>          load printers = no
>          printcap name = /dev/null
>          printing = bsd
>
>
> [data]
>          path = /opt/app/data
>          read only = no
>          writable = yes
>          browseable = no
>          guest ok = yes
>          hide dot files = yes
>          hide special files = yes
>          force user = webserv
>          force group = webserv
>          create mask = 0644
>          directory mask = 0755
>          valid users = @DEVTST-CORP\smbgrp
>          write list = @DEVTST-CORP\smbgrp
>
>
> resolv.conf:
>
> domain devtst.go2uti.com
> search devtst.go2uti.com devtst-corp.go2uti.com
>
> nameserver 10.240.4.100
> nameserver 10.254.4.125
> nameserver 10.8.246.38
>
Remove the domain line from resolv.conf and any of the nameserver lines that
isn't the AD DC
> /krb5.conf:
>
> [logging]
>    default = FILE:/var/log/samba/krb5libs.log
>    kdc = FILE:/var/log/samba/krb5kdc.log
>    admin_server = FILE:/var/log/samba/kadmind.log
>
> [libdefaults]
>    default_realm = DEVTST-CORP.GO2UTI.COM
>    dns_lookup_realm = false
>    dns_lookup_kdc = false
>    ticket_lifetime = 24h
>    forwardable = true
>
> [realms]
>    DEVTST-CORP.GO2UTI.COM = {
>      kdc = sinmdp04.devtst-corp.go2uti.com:88
>      admin_server = sinmdp04.devtst-corp.go2uti.com:749
>      default_domain = DEVTST-CORP
>    }
>
> [domain_realm]
>    .devtst-corp.go2uti.com = DEVTST-CORP.GO2UTI.COM
>    devtst-corp.go2uti.com = DEVTST-CORP.GO2UTI.COM
>
> [appdefaults]
>    pam = {
>      debug = false
>      ticket_lifetime = 36000
>      renew_lifetime = 36000
>
>      forwardable = true
>      krb4_convert = false
> }
>
change krb5.conf to just this:
[libdefaults]
   default_realm = DEVTST-CORP.GO2UTI.COM
   dns_lookup_realm = false
   dns_lookup_kdc = true
> net ads testjoin:
> Join is OK
>
Rowland