Tovey, Mark
2015-Oct-11 04:16 UTC
[Samba] Make a share owned by a service account available to members of an AD group
I made my configuration look identical to what is in the Samba Wiki, and still the same results: everything works perfectly as long as the user account is in both AD and the local passwd file. If I remove the account from the local passwd file, I cannot map the share.

While looking around, I encountered this: https://bugzilla.samba.org/show_bug.cgi?id=9862. This bug refers to Samba 4.1 and above, but the description very closely matches what I am encountering. I think this is what I am up against now. So, I guess I just have to put the user accounts into both systems until the patch can be rolled into the vendor released version I am using.

-Mark
________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
Sent: Friday, October 9, 2015 2:55 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Make a share owned by a service account available to members of an AD group

On 09/10/15 22:42, Tovey, Mark wrote:
> Here is my configuration:
>
> smb.conf:
>
> [global]
> server string = Samba Server Version %v
>
> log file = /var/log/samba/log.%m
> max log size = 500
>
> log level = 3
>
> workgroup = DEVTST-CORP
> realm = DEVTST-CORP.GO2UTI.COM
> security = ADS

Remove these lines:

> password server = sinmdp04.devtst-corp.go2uti.com
> passdb backend = tdbsam

>
> domain master = no
> local master = no
> preferred master = no
>
> disable netbios = yes
> dns proxy = no
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = 5000-29999
> idmap config DEVTST-CORP:backend = ad
> idmap config DEVTST-CORP:schema_mode = rfc2307
> idmap config DEVTST-CORP:range = 30000-99999
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
> winbind normalize names = Yes
>
> map untrusted to domain = yes
> map to guest = Bad Uid
> guest account = nobody
>
> load printers = no
> printcap name = /dev/null
> printing = bsd
>
>
> [data]
> path = /opt/app/data
> read only = no
> writable = yes
> browseable = no
> guest ok = yes
> hide dot files = yes
> hide special files = yes
> force user = webserv
> force group = webserv
> create mask = 0644
> directory mask = 0755
> valid users = @DEVTST-CORP\smbgrp
> write list = @DEVTST-CORP\smbgrp
>
>
> resolv.conf:
>
> domain devtst.go2uti.com
> search devtst.go2uti.com devtst-corp.go2uti.com
>
> nameserver 10.240.4.100
> nameserver 10.254.4.125
> nameserver 10.8.246.38

Remove the domain line from resolv.conf and any of the nameserver lines that isn't the AD DC.

> /krb5.conf:
>
> [logging]
> default = FILE:/var/log/samba/krb5libs.log
> kdc = FILE:/var/log/samba/krb5kdc.log
> admin_server = FILE:/var/log/samba/kadmind.log
>
> [libdefaults]
> default_realm = DEVTST-CORP.GO2UTI.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> forwardable = true
>
> [realms]
> DEVTST-CORP.GO2UTI.COM = {
> kdc = sinmdp04.devtst-corp.go2uti.com:88
> admin_server = sinmdp04.devtst-corp.go2uti.com:749
> default_domain = DEVTST-CORP
> }
>
> [domain_realm]
> .devtst-corp.go2uti.com = DEVTST-CORP.GO2UTI.COM
> devtst-corp.go2uti.com = DEVTST-CORP.GO2UTI.COM
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
>
> forwardable = true
> krb4_convert = false
> }

Change krb5.conf to just this:

[libdefaults]
default_realm = DEVTST-CORP.GO2UTI.COM
dns_lookup_realm = false
dns_lookup_kdc = true

> net ads testjoin:
> Join is OK

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
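A small lint for the [global] settings discussed in this thread, added here as an example and not code from the thread or from the Samba project. It parses a constructed, abridged copy of the posted smb.conf, flags the two lines Rowland says to remove from a security = ADS member server, warns on the "map to guest = Bad Uid" setting tied to bug 9862, and additionally checks that the idmap ranges do not overlap (a general rule beyond what the thread covers).

```python
import configparser
import re

# Constructed [global] excerpt mirroring the thread's posted smb.conf (abridged,
# not the poster's file); the AFTER variant applies Rowland's two removals.
BEFORE = """
[global]
    workgroup = DEVTST-CORP
    realm = DEVTST-CORP.GO2UTI.COM
    security = ADS
    password server = sinmdp04.devtst-corp.go2uti.com
    passdb backend = tdbsam
    idmap config *:backend = tdb
    idmap config *:range = 5000-29999
    idmap config DEVTST-CORP:backend = ad
    idmap config DEVTST-CORP:range = 30000-99999
    map to guest = Bad Uid
"""
AFTER = "\n".join(l for l in BEFORE.splitlines()
                  if not l.strip().startswith(("password server", "passdb backend")))

def parse_smb_conf(text):
    # smb.conf keys contain spaces and colons, so only '=' separates key and
    # value, and %v-style macros must be left alone (no interpolation).
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = lambda k: " ".join(k.lower().split())
    cp.read_string(text)
    return cp

def lint_smb_conf(text):
    """Return (level, message) findings for the [global] section."""
    g = parse_smb_conf(text)["global"]
    out = []
    if g.get("security", "").lower() == "ads":
        for key in ("password server", "passdb backend"):
            if key in g:
                out.append(("error", f"remove '{key}': not used by a security = ADS member"))
    if g.get("map to guest", "").lower() == "bad uid":
        out.append(("warn", "'map to guest = Bad Uid' hits bug 9862 on unpatched Samba 4.0"))
    ranges = {}
    for key, val in g.items():
        m = re.fullmatch(r"idmap config (.+):range", key)
        if m:
            lo, hi = (int(x) for x in val.split("-"))
            ranges[m.group(1)] = (lo, hi)
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                out.append(("error", f"idmap ranges for '{a}' and '{b}' overlap"))
    return out

if __name__ == "__main__":
    for cfg in (BEFORE, AFTER):
        print(lint_smb_conf(cfg))
```

Running it against the BEFORE text reports the two removals plus the bug 9862 warning; the AFTER text leaves only the warning, since the poster's fix for that one was the code patch rather than a config change.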
Tovey, Mark
2015-Oct-13 19:47 UTC
[Samba] Make a share owned by a service account available to members of an AD group
I downloaded the source code for Samba 4.0.0, the same as is distributed with my OS. I applied the patch as described in Bug 9862, compiled and installed the code, and now it works as expected. Having the user account in AD only is sufficient, I no longer have to have the account also in the Linux server's passwd file. So indeed, it appears that I have encountered the "map to guest = Bad Uid" bug as outlined in bug 9862.

I will open a ticket with the OS vendor and request that they update their distribution. This will likely ripple upstream through all the rest of the OS vendors and into the Samba base.

-Mark
________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Tovey, Mark
Sent: Saturday, October 10, 2015 9:17 PM
To: Rowland Penny; samba at lists.samba.org
Subject: Re: [Samba] Make a share owned by a service account available to members of an AD group

I made my configuration look identical to what is in the Samba Wiki, and still the same results: everything works perfectly as long as the user account is in both AD and the local passwd file. If I remove the account from the local passwd file, I cannot map the share.

While looking around, I encountered this: https://bugzilla.samba.org/show_bug.cgi?id=9862. This bug refers to Samba 4.1 and above, but the description very closely matches what I am encountering. I think this is what I am up against now. So, I guess I just have to put the user accounts into both systems until the patch can be rolled into the vendor released version I am using.
Rowland Penny
2015-Oct-13 19:57 UTC
[Samba] Make a share owned by a service account available to members of an AD group
On 13/10/15 20:47, Tovey, Mark wrote:
> I downloaded the source code for Samba 4.0.0, the same as is distributed with my OS. I applied the patch as described in Bug 9862, compiled and installed the code, and now it works as expected. Having the user account in AD only is sufficient, I no longer have to have the account also in the Linux server's passwd file. So indeed, it appears that I have encountered the "map to guest = Bad Uid" bug as outlined in bug 9862.
> I will open a ticket with the OS vendor and request that they update their distribution. This will likely ripple upstream through all the rest of the OS vendors and into the Samba base.
> -Mark
>
>

You might want to point out to Oracle that Samba 4.0 is now EOL, also the ripple goes the other way, from Samba down to distros. I also don't think that 4.0 will ever get this patch.

Rowland