Ian Collier
2016-Apr-15 17:18 UTC
[Samba] Cannot browse mode 0700 directories from Windows with security=ads
rpenny at samba.org writes:

> OK, you have a Samba domain member that is joined to an AD domain and you
> also say you are running winbindd, but there doesn't seem to be any winbind
> or 'idmap config' lines in your smb.conf, are you also running sssd ?

The server has "passwd: files ldap" in nsswitch.conf and sssd is not running, but "getent passwd randomuser" does the right thing. I'm not 100% sure how this works if I'm honest, because it was set up by someone else and we do run sssd on our *ix machines as a general rule.

> If you are not running sssd, can I suggest having a look here:
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> You will probably want to use the 'rid' backend

OK I will look at that in detail later, but it mentions putting winbind in nsswitch.conf which I don't think we want to do. I'm not entirely sure what the idmap backend thing does although my impression is that it's for when you are using winbind to provide services to NSS, which we're not doing here. I have previously tried adding "backend = nss" but it didn't seem to have any effect.

Ian Collier.
Rowland penny
2016-Apr-15 18:00 UTC
[Samba] Cannot browse mode 0700 directories from Windows with security=ads
On 15/04/16 18:18, Ian Collier wrote:

> rpenny at samba.org writes:
>> OK, you have a Samba domain member that is joined to an AD domain and you
>> also say you are running winbindd, but there doesn't seem to be any winbind
>> or 'idmap config' lines in your smb.conf, are you also running sssd ?
> The server has "passwd: files ldap" in nsswitch.conf and sssd is not
> running, but "getent passwd randomuser" does the right thing. I'm not
> 100% sure how this works if I'm honest, because it was set up by someone
> else and we do run sssd on our *ix machines as a general rule.

If your computer is joined to an AD domain, is running Samba with 'security = ADS' and winbindd is running, the line in /etc/nsswitch should be 'passwd: files winbind' (the group line should be 'group: files winbind').

Your users should not be in /etc/passwd, they should only be in AD (as should your groups).

>> If you are not running sssd, can I suggest having a look here:
>>
>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>
>> You will probably want to use the 'rid' backend
> OK I will look at that in detail later, but it mentions putting winbind
> in nsswitch.conf which I don't think we want to do.

Oh you do, you really do. If not, either run 'sssd' (which will do what running winbind does) and replace 'ldap' in /etc/nsswitch.conf with 'sss', or turn Samba off.

> I'm not entirely sure what the idmap backend thing does although my
> impression is that it's for when you are using winbind to provide
> services to NSS, which we're not doing here.

No, if you use winbind with the 'rid' backend, this will allocate UIDs & GIDs as required; this makes your Windows users Unix users, i.e. they only need to exist in one place: AD.

> I have previously tried adding "backend = nss" but it didn't seem to
> have any effect.

Use 'backend = rid'

Rowland

> Ian Collier.
Ian Collier
2016-Apr-15 21:09 UTC
[Samba] Cannot browse mode 0700 directories from Windows with security=ads
rpenny at samba.org writes:

> If your computer is joined to an AD domain, is running Samba with 'security
> = ADS' and winbindd is running, the line in /etc/nsswitch should be 'passwd:
> files winbind' (the group line should be 'group: files winbind')
> Your users should not be in /etc/passwd, they should only be in AD (as
> should your groups)

Sorry but we certainly won't be doing this. The group memberships we want to obey are Unix groups, not AD groups. We have whole labs full of machines running sssd and we're not about to make Winbind the primary authentication system on those machines. We're sharing Unix files owned by Unix users, *but* the people accessing these files are generally on Windows so we want the AD authentication they already have on their client Windows system to allow them into the Samba server. This was all working until earlier this week.

>> OK I will look at that in detail later, but it mentions putting winbind
>> in nsswitch.conf which I don't think we want to do.
> Oh you do, you really do, If not, either run 'sssd' (which will do what
> running winbind does) and replace 'ldap' in /etc/nsswitch.conf with 'sss',
> or turn Samba off.

"Turn Samba off" is not helpful, and the only reason why we started Winbind on this server this week is that the Badlock patches broke our previous Winbind-less configuration and the answer from Samba to this appears to be that running Winbind is the only way to fix this in the short term. [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820981]

I am certainly willing to consider starting up sssd if you think it will help - but it's done this way because we have a conflict between the Kerberos realm that sssd wants and the one that Windows AD wants. But as I say, "getent" works perfectly well to retrieve the password and group files, so I'm not sure what benefit sssd would bring.

What we need is a translation between the Unix usernames on the server and the (identical) usernames in the Windows AD domain, which works so that your Unix group memberships will allow you to access files that have group permissions. Certain online resources gave me the impression that "username map script = /bin/echo" does this; but that fixes one problem and introduces another.

Ian Collier.
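For readers following the exchange about 'idmap config' and the 'rid' backend above, here is a constructed smb.conf and nsswitch.conf fragment (added for illustration, not taken from either poster's server); SAMDOM, the realm and the UID/GID ranges are placeholders, and the 'nss' line is shown only because the thread mentions that backend.

```ini
# /etc/samba/smb.conf (constructed example; SAMDOM, realm and ranges are placeholders)
[global]
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   security = ADS

   # Default idmap backend, used for BUILTIN and any domain not listed below.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # The domain-specific setting Rowland recommends: 'rid' derives a Unix
   # UID/GID deterministically from the RID of the AD SID, so the account
   # only needs to exist in AD. Note the full key: a bare "backend = rid"
   # or "backend = nss" line, without the "idmap config DOMAIN :" prefix,
   # is not an idmap setting and is silently ignored.
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999

   # The alternative Ian tried, which maps AD users onto accounts already
   # served by NSS (files/LDAP), uses the same key form (assumption: the
   # range must not overlap the one above):
   ;idmap config SAMDOM : backend = nss
   ;idmap config SAMDOM : range = 1000-9999

# /etc/nsswitch.conf (the lines Rowland describes for a winbind-backed member)
# passwd: files winbind
# group:  files winbind
```

With either backend in place, 'getent passwd SAMDOM\user' and 'wbinfo -i SAMDOM\user' should agree on the UID, which is the quickest check that the mapping winbindd hands to smbd is the one the Unix file permissions expect.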