thr3ads.net - samba - [Samba] Make a share owned by a service account available to members of an AD group [Oct 2015]

If this information is useful, please help other people find it:
Share via:

Tovey, Mark

2015-Oct-11 04:16 UTC

[Samba] Make a share owned by a service account available to members of an AD group

I made my configuration look identical to what is in the Samba Wiki, and still
the same results: everything works perfectly as long as the user account is in
both AD and the local passwd file.  If I remove the account from the local
passwd file, I cannot map the share.
    While looking around, I encountered this:
https://bugzilla.samba.org/show_bug.cgi?id=9862.  This bug refers to Samba 4.1
and above, but the description very closely matches what I am encountering.  I
think this is what I am up against now.
    So, I guess I just have to put the user accounts into both systems until the
patch can be rolled into the vendor released version I am using.
    -Mark

________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
Sent: Friday, October 9, 2015 2:55 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Make a share owned by a service account available to
members of an AD group

On 09/10/15 22:42, Tovey, Mark wrote:> Here is my configuration:
>
> smb.conf:
>
> [global]
>          server string = Samba Server Version %v
>
>          log file = /var/log/samba/log.%m
>          max log size = 500
>
>          log level = 3
>
>          workgroup = DEVTST-CORP
>          realm = DEVTST-CORP.GO2UTI.COM
>          security = ADS
Remove these lines

         password server = sinmdp04.devtst-corp.go2uti.com
         passdb backend = tdbsam

>
>          domain master = no
>          local master = no
>          preferred master = no
>
>          disable netbios = yes
>          dns proxy = no
>
>          dedicated keytab file = /etc/krb5.keytab
>          kerberos method = secrets and keytab
>
>          idmap config *:backend = tdb
>          idmap config *:range = 5000-29999
>          idmap config DEVTST-CORP:backend = ad
>          idmap config DEVTST-CORP:schema_mode = rfc2307
>          idmap config DEVTST-CORP:range = 30000-99999
>
>          winbind nss info = rfc2307
>          winbind trusted domains only = no
>          winbind use default domain = yes
>          winbind enum users  = yes
>          winbind enum groups = yes
>          winbind refresh tickets = Yes
>          winbind normalize names = Yes
>
>          map untrusted to domain = yes
>          map to guest = Bad Uid
>          guest account = nobody
>
>          load printers = no
>          printcap name = /dev/null
>          printing = bsd
>
>
> [data]
>          path = /opt/app/data
>          read only = no
>          writable = yes
>          browseable = no
>          guest ok = yes
>          hide dot files = yes
>          hide special files = yes
>          force user = webserv
>          force group = webserv
>          create mask = 0644
>          directory mask = 0755
>          valid users = @DEVTST-CORP\smbgrp
>          write list = @DEVTST-CORP\smbgrp
>
>
> resolv.conf:
>
> domain devtst.go2uti.com
> search devtst.go2uti.com devtst-corp.go2uti.com
>
> nameserver 10.240.4.100
> nameserver 10.254.4.125
> nameserver 10.8.246.38
>
Remove the domain line from resolv.conf and any of the nameserver lines that
isn't the AD DC
> /krb5.conf:
>
> [logging]
>    default = FILE:/var/log/samba/krb5libs.log
>    kdc = FILE:/var/log/samba/krb5kdc.log
>    admin_server = FILE:/var/log/samba/kadmind.log
>
> [libdefaults]
>    default_realm = DEVTST-CORP.GO2UTI.COM
>    dns_lookup_realm = false
>    dns_lookup_kdc = false
>    ticket_lifetime = 24h
>    forwardable = true
>
> [realms]
>    DEVTST-CORP.GO2UTI.COM = {
>      kdc = sinmdp04.devtst-corp.go2uti.com:88
>      admin_server = sinmdp04.devtst-corp.go2uti.com:749
>      default_domain = DEVTST-CORP
>    }
>
> [domain_realm]
>    .devtst-corp.go2uti.com = DEVTST-CORP.GO2UTI.COM
>    devtst-corp.go2uti.com = DEVTST-CORP.GO2UTI.COM
>
> [appdefaults]
>    pam = {
>      debug = false
>      ticket_lifetime = 36000
>      renew_lifetime = 36000
>
>      forwardable = true
>      krb4_convert = false
> }
>
change krb5.conf to just this:

[libdefaults]
   default_realm = DEVTST-CORP.GO2UTI.COM
   dns_lookup_realm = false
   dns_lookup_kdc = true

> net ads testjoin:
> Join is OK
>
Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Tovey, Mark

2015-Oct-13 19:47 UTC

head link

[Samba] Make a share owned by a service account available to members of an AD group

I downloaded the source code for Samba 4.0.0, the same as is distributed with my
OS.  I applied the patch as described in Bug 9862, compiled and installed the
code, and now it works as expected.  Having the user account in AD only is
sufficient, I no longer have to have the account also in the Linux server's
passwd file.  So indeed, it appears that I have encountered the "map to
guest = Bad Uid" bug as outlined in bug 9862.
    I will open a ticket with the OS vendor and request that they update their
distribution.  This will likely ripple upstream through all the rest of the OS
vendors and into the Samba base.
    -Mark


________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design
UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
MTovey at go2uti.com | O / C +1 503 953-1389

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Tovey, Mark
Sent: Saturday, October 10, 2015 9:17 PM
To: Rowland Penny; samba at lists.samba.org
Subject: Re: [Samba] Make a share owned by a service account available to
members of an AD group


    I made my configuration look identical to what is in the Samba Wiki, and
still the same results: everything works perfectly as long as the user account
is in both AD and the local passwd file.  If I remove the account from the local
passwd file, I cannot map the share.
    While looking around, I encountered this:
https://bugzilla.samba.org/show_bug.cgi?id=9862.  This bug refers to Samba 4.1
and above, but the description very closely matches what I am encountering.  I
think this is what I am up against now.
    So, I guess I just have to put the user accounts into both systems until the
patch can be rolled into the vendor released version I am using.
    -Mark

________________________________________________________________
Mark Tovey - UNIX Engineer | Service Strategy & Design UTi | 400 SW Sixth
Ave, Suite 1100 | Portland | Oregon | 97204 | USA MTovey at go2uti.com | O / C
+1 503 953-1389

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
Sent: Friday, October 9, 2015 2:55 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Make a share owned by a service account available to
members of an AD group

On 09/10/15 22:42, Tovey, Mark wrote:> Here is my configuration:
>
> smb.conf:
>
> [global]
>          server string = Samba Server Version %v
>
>          log file = /var/log/samba/log.%m
>          max log size = 500
>
>          log level = 3
>
>          workgroup = DEVTST-CORP
>          realm = DEVTST-CORP.GO2UTI.COM
>          security = ADS
Remove these lines

         password server = sinmdp04.devtst-corp.go2uti.com
         passdb backend = tdbsam

>
>          domain master = no
>          local master = no
>          preferred master = no
>
>          disable netbios = yes
>          dns proxy = no
>
>          dedicated keytab file = /etc/krb5.keytab
>          kerberos method = secrets and keytab
>
>          idmap config *:backend = tdb
>          idmap config *:range = 5000-29999
>          idmap config DEVTST-CORP:backend = ad
>          idmap config DEVTST-CORP:schema_mode = rfc2307
>          idmap config DEVTST-CORP:range = 30000-99999
>
>          winbind nss info = rfc2307
>          winbind trusted domains only = no
>          winbind use default domain = yes
>          winbind enum users  = yes
>          winbind enum groups = yes
>          winbind refresh tickets = Yes
>          winbind normalize names = Yes
>
>          map untrusted to domain = yes
>          map to guest = Bad Uid
>          guest account = nobody
>
>          load printers = no
>          printcap name = /dev/null
>          printing = bsd
>
>
> [data]
>          path = /opt/app/data
>          read only = no
>          writable = yes
>          browseable = no
>          guest ok = yes
>          hide dot files = yes
>          hide special files = yes
>          force user = webserv
>          force group = webserv
>          create mask = 0644
>          directory mask = 0755
>          valid users = @DEVTST-CORP\smbgrp
>          write list = @DEVTST-CORP\smbgrp
>
>
> resolv.conf:
>
> domain devtst.go2uti.com
> search devtst.go2uti.com devtst-corp.go2uti.com
>
> nameserver 10.240.4.100
> nameserver 10.254.4.125
> nameserver 10.8.246.38
>
Remove the domain line from resolv.conf and any of the nameserver lines that
isn't the AD DC
> /krb5.conf:
>
> [logging]
>    default = FILE:/var/log/samba/krb5libs.log
>    kdc = FILE:/var/log/samba/krb5kdc.log
>    admin_server = FILE:/var/log/samba/kadmind.log
>
> [libdefaults]
>    default_realm = DEVTST-CORP.GO2UTI.COM
>    dns_lookup_realm = false
>    dns_lookup_kdc = false
>    ticket_lifetime = 24h
>    forwardable = true
>
> [realms]
>    DEVTST-CORP.GO2UTI.COM = {
>      kdc = sinmdp04.devtst-corp.go2uti.com:88
>      admin_server = sinmdp04.devtst-corp.go2uti.com:749
>      default_domain = DEVTST-CORP
>    }
>
> [domain_realm]
>    .devtst-corp.go2uti.com = DEVTST-CORP.GO2UTI.COM
>    devtst-corp.go2uti.com = DEVTST-CORP.GO2UTI.COM
>
> [appdefaults]
>    pam = {
>      debug = false
>      ticket_lifetime = 36000
>      renew_lifetime = 36000
>
>      forwardable = true
>      krb4_convert = false
> }
>
change krb5.conf to just this:

[libdefaults]
   default_realm = DEVTST-CORP.GO2UTI.COM
   dns_lookup_realm = false
   dns_lookup_kdc = true

> net ads testjoin:
> Join is OK
>
Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Rowland Penny

2015-Oct-13 19:57 UTC

head link

[Samba] Make a share owned by a service account available to members of an AD group

On 13/10/15 20:47, Tovey, Mark wrote:>      I downloaded the source code for Samba 4.0.0, the same as is
distributed with my OS.  I applied the patch as described in Bug 9862, compiled
and installed the code, and now it works as expected.  Having the user account
in AD only is sufficient, I no longer have to have the account also in the Linux
server's passwd file.  So indeed, it appears that I have encountered the
"map to guest = Bad Uid" bug as outlined in bug 9862.
>      I will open a ticket with the OS vendor and request that they update
their distribution.  This will likely ripple upstream through all the rest of
the OS vendors and into the Samba base.
>      -Mark
>
>
>
You might want to point out to oracle that Samba 4.0 is now EOL, also 
the ripple goes the other way, from Samba down to distros. I also don't 
think that 4.0 will ever get this patch.

Rowland

Maybe Matching Threads

Search for more possibly parallel threads

samba - Oct 2015 - Make a share owned by a service account available to members of an AD group

[Samba] Make a share owned by a service account available to members of an AD group

[Samba] Make a share owned by a service account available to members of an AD group

[Samba] Make a share owned by a service account available to members of an AD group

Maybe Matching Threads