Joseph Dickson
2016-Mar-23 20:16 UTC
[Samba] Samba 4 with sssd - primary Windows group membership not honored
> OK, you should use the standard 'rwx' permissions *or* ACLs, not both. If
> you create a directory on Unix that you want to share, set the owner:group
> to root:'Domain Admins' and permissions to 0770. You will then be able to
> set the permissions from windows or with setfacl on the Unix machine, you
> do not need the 'force group' lines in smb.conf, there is a wiki page for
> this, see here:
> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

I've tried following this page, and have not managed to have any luck. I even figured out the new syntax to add SeDiskOperatorPrivilege (net sam as opposed to net rpc.. at least that's the command that ended up working.. net rpc always returned permission denied)

As soon as I try to set the Windows ACLs, I lose access to the folder unless I'm defined as an admin user. The first step that I try to do is to set the root share permissions, and I remove everything except a full control entry for Domain Admins (the domain group, not the Unix Group\Domain Admins that it shows up with by default -- I remove that one). As soon as I hit OK, I lose access to the share.

> On a Domain member you do not need sssd, winbind will do everything that
> sssd does, but on an AD DC it is a bit different, winbind there ignores all
> the RFC2307 attributes except for uidNumber & gidNumber.

I will try setting up a test server that uses winbind for nss instead of sssd, but it doesn't seem like that's the problem as wbinfo and sssd (via getent) are returning the same UID/GID numbers. I don't have uid/gid attributes added to my active directory schema, so it's using the algorithmic method of computing them based on SID..

> Samba only recommends using winbind, sssd is not supplied or supported by
> Samba.
> I don't know if you have read the Samba wiki pages, there is a lot of info
> about using Samba, it starts here:
> https://wiki.samba.org/index.php/Main_Page

Yes I've definitely spent quite a bit of time looking through the wiki pages and other documentation sources.. unfortunately many times they haven't been updated for new command syntaxes, and there is very little information that digs into what's going on behind the scenes so it's pretty tough to connect the dots yourself.

What I'm trying to achieve is as close to a drop-in replacement for an MS fileserver as possible -- all access managed by NT ACLs rather than posix. I'm unclear how I can get this functionality without being forced to allow world writeable at the posix level...

I'll work on creating a setup without sssd and see if the results vary, but it doesn't feel like that's the issue..

--
*Joseph Dickson*
Director of IT Systems, Evolve Tele-Services, Inc.
Rowland penny
2016-Mar-23 20:38 UTC
[Samba] Samba 4 with sssd - primary Windows group membership not honored
On 23/03/16 20:16, Joseph Dickson wrote:
>> OK, you should use the standard 'rwx' permissions *or* ACLs, not both. If
>> you create a directory on Unix that you want to share, set the owner:group
>> to root:'Domain Admins' and permissions to 0770. You will then be able to
>> set the permissions from windows or with setfacl on the Unix machine, you
>> do not need the 'force group' lines in smb.conf, there is a wiki page for
>> this, see here:
>> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
>
> I've tried following this page, and have not managed to have any luck. I
> even figured out the new syntax to add SeDiskOperatorPrivilege (net sam as
> opposed to net rpc.. at least that's the command that ended up working..
> net rpc always returned permission denied)
>
> As soon as I try to set the Windows ACLs, I lose access to the folder
> unless I'm defined as an admin user. The first step that I try to do is to
> set the root share permissions, and I remove everything except a full
> control entry for Domain Admins (the domain group, not the Unix
> Group\Domain Admins that it shows up with by default -- I remove that
> one). As soon as I hit OK, I lose access to the share.
>
>> On a Domain member you do not need sssd, winbind will do everything that
>> sssd does, but on an AD DC it is a bit different, winbind there ignores all
>> the RFC2307 attributes except for uidNumber & gidNumber.
>
> I will try setting up a test server that uses winbind for nss instead of
> sssd, but it doesn't seem like that's the problem as wbinfo and sssd (via
> getent) are returning the same UID/GID numbers. I don't have uid/gid
> attributes added to my active directory schema, so it's using the
> algorithmic method of computing them based on SID..
>
>> Samba only recommends using winbind, sssd is not supplied or supported by
>> Samba.
>> I don't know if you have read the Samba wiki pages, there is a lot of info
>> about using Samba, it starts here:
>> https://wiki.samba.org/index.php/Main_Page
>
> Yes I've definitely spent quite a bit of time looking through the wiki
> pages and other documentation sources.. unfortunately many times they
> haven't been updated for new command syntaxes, and there is very little
> information that digs into what's going on behind the scenes so it's pretty
> tough to connect the dots yourself.
>
> What I'm trying to achieve is as close to a drop-in replacement for an MS
> fileserver as possible -- all access managed by NT ACLs rather than posix.
> I'm unclear how I can get this functionality without being forced to allow
> world writeable at the posix level...
>
> I'll work on creating a setup without sssd and see if the results vary, but
> it doesn't feel like that's the issue..
>
> --
> *Joseph Dickson*
> Director of IT Systems, Evolve Tele-Services, Inc.

Can you check if this file exists:
/usr/local/samba/lib/security/pam_winbind.so

Rowland
Joseph Dickson
2016-Mar-23 20:51 UTC
[Samba] Samba 4 with sssd - primary Windows group membership not honored
> Can you check if this file exists:
> /usr/local/samba/lib/security/pam_winbind.so

For historical reasons, I used a prefix of /opt/samba when I compiled:

[root@smbfs1 shares]# ls -al /opt/samba/lib/security/pam_winbind.so
-rwxr-xr-x 1 root root 63837 Mar 17 19:54 /opt/samba/lib/security/pam_winbind.so

Relevant config lines in case they are helpful:

[global]
    lock directory = /srv/fs_main/var/lock
    state directory = /srv/fs_main/var/state
    cache directory = /var/lib/samba/cache
    private dir = /srv/fs_main/var/priv
    vfs objects = acl_xattr
    inherit acls = yes
    map acl inherit = yes
    hide dot files = no
    winbind enum users = yes
    winbind enum groups = yes
    workgroup = EVOLVETSI
    server string = smbfs cluster
    netbios name = SMBFS
    map archive = no
    map hidden = no
    map read only = no
    map system = no
    store dos attributes = yes

[test]
    path = /srv/fs_main/shares/test
    read only = no

and outputs from the test dir:

[root@smbfs1 shares]# ls -ald test
drwxrwx---+ 2 root domain admins@Evolvetsi.local 6 Mar 23 16:48 test
[root@smbfs1 shares]# getfacl test
# file: test
# owner: root
# group: domain\040admins@Evolvetsi.local
user::rwx
group::rwx
other::---
default:user::rwx
default:group::r-x
default:group:domain\040admins@Evolvetsi.local:rwx
default:mask::rwx
default:other::r-x

Thanks!

--
*Joseph Dickson*
Director of IT Systems, Evolve Tele-Services, Inc.
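As an added example, not code from this thread, from its authors or from the Samba project: a small POSIX sh audit that reads a getfacl dump of a share root and flags the POSIX-level leaks the thread is about, namely any "other" (world) entry that grants anything, a mask below rwx that would silently cap the named Domain Admins entry, and an owner other than root (the root:'Domain Admins' 0770 layout quoted from the wiki above). The sample dump inside the block reproduces the getfacl output for the 'test' directory posted above; the only assumption is that input arrives in the getfacl(1) text format shown there.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project.
# audit_getfacl reads a getfacl(1) dump on stdin and prints one line per
# POSIX ACL entry that hands access to "other" (world), per mask that caps
# named user/group entries, and for an owner other than root (the layout the
# quoted wiki page recommends). Exit status 0 when nothing was flagged, 1 otherwise.

audit_getfacl() {
    findings=0
    while IFS= read -r line; do
        case "$line" in
            "# owner: "*)
                owner=${line#"# owner: "}
                if [ "$owner" != "root" ]; then
                    echo "owner is '$owner'; recommended layout is root:'Domain Admins' 0770"
                    findings=$((findings + 1))
                fi
                continue ;;
            '#'*|'') continue ;;            # remaining comment lines, blank lines
        esac
        # The same checks apply to the access ACL and to the default ACL;
        # the default ACL is what new children of the share root pick up.
        scope=access
        entry=$line
        case "$line" in
            default:*) scope=default; entry=${line#default:} ;;
        esac
        tag=${entry%%:*}        # user | group | mask | other
        perms=${entry##*:}      # rwx-style triplet
        case "$tag" in
            other)
                if [ "$perms" != "---" ]; then
                    echo "$scope ACL: 'other' (everyone) gets $perms"
                    findings=$((findings + 1))
                fi ;;
            mask)
                if [ "$perms" != "rwx" ]; then
                    echo "$scope ACL: mask $perms caps every named user/group entry"
                    findings=$((findings + 1))
                fi ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: the getfacl dump of the 'test' share root as posted above.
sample_acl() {
    cat <<'EOF'
# file: test
# owner: root
# group: domain\040admins@Evolvetsi.local
user::rwx
group::rwx
other::---
default:user::rwx
default:group::r-x
default:group:domain\040admins@Evolvetsi.local:rwx
default:mask::rwx
default:other::r-x
EOF
}

# Usage: sh thisscript.sh /srv/fs_main/shares/test   (audits the live directory)
# With no argument the functions are only defined, so the file can be sourced.
if [ -n "${1:-}" ]; then
    getfacl "$1" | audit_getfacl
fi
```

For the dump posted above the audit reports exactly one line, the default:other::r-x entry: at the POSIX level that entry gives everyone read and execute on newly created children of the share root, which is the kind of world-level access the question above is trying to avoid. Everything else in that dump (owner root, other::--- on the directory itself, mask rwx) passes.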