Hi Jeremy,
A short reply: I have not played with trust relationships since 4.4.0 left
the RC status...
I thought that Samba was not yet supporting groups with
trusted-domain objects in them.
In other words, I thought Samba can have DOM-A\group filled with DOM-A
objects.
Now, if I remember correctly, a domain member of DOM-B would "see" all
users, those from DOM-B but also those from DOM-A. It should be the same for groups.
So DOM-B/member-server should see DOM-A/sysadmins.
So you should be able to apply rights using DOM-A/sysadmins rather than using
DOM-B/trusted_sysadmins.
Hoping the fact that it's time for lunch didn't turn my mind into jelly,
hoping that was helpful...
Cheers,
mathias
2016-04-29 17:09 GMT+02:00 Collins, Jeremy <jeremy.collins at cgi.com>:
> Good morning.
>
> I need help getting Samba to work the way I would like it to work.
>
> Situation:
> I have two AD domains (2012R2), DOM-A and DOM-B. I have elected to not
> use any SFU or RFC2307 extensions as MS has deprecated those features.
>
> DOM-A has a group, "sysadmins", which has users in it.
> DOM-B trusts DOM-A. DOM-B also has a group "trusted_sysadmins", the
> member of which is DOM-A\\sysadmins.
>
> My host is to be a member of DOM-B. I can join it to the domain just
> fine, and authentication works for both DOM-A and DOM-B accounts. However
> winbind is not producing any group information for DOM-A accounts other
> than "DOM-A\\Domain Users". I do need the host to see DOM-A memberships as
> I intend to use sshd AllowGroups to restrict who can log into the host. If
> the host could see that users were (or were not) members of
> DOM-B\\trusted_sysadmins that would also work; basically if "id" can tell
> the userid is a member of either group, I can shove it in sshd_config
> AllowGroups and get the effect I want.
>
> Larger picture:
> This is all going into kickstart, with the goal that a newly kickstarted
> host will be automatically joined to DOM-B, and the sysadmin team in DOM-A
> will be the only group allowed to login (initially).
>
> My current target is RHEL7, although this will also be applied to new
> RHEL5 and RHEL6, as well as existing populations of RHEL5 and RHEL6. Samba
> major versions will be 3 and 4. Minor and patch versions will vary for
> many reasons.
>
> I've been googling furiously for some time now. I've found numerous
> threads here and there that seem to describe a similar situation, but the
> threads always end without an answer.
>
> Current smb.conf globals:
> =================================
> log file = /var/log/samba/%m.log
> log level = 10
> max log size = 0
> workgroup = DOM-B
> #password server = dombdc01.domb.dom
> realm = DOMB.DOM
> security = ads
> template shell = /bin/bash
> template homedir = /home/%U
> kerberos method = secrets and keytab
> client signing = yes
> client use spnego = yes
> winbind use default domain = false
> winbind offline logon = false
> winbind separator = +
> winbind cache time = 15
> winbind expand groups = 1
> idmap config * : range = 100000-9999999
> idmap config * : rangesize = 1000000
> idmap config * : backend = autorid
> =================================
> Thanks in advance for any advice,
> Jeremy Collins
>
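An added shell example (not part of either message) that applies the check Jeremy describes: parse the `groups=` field of `id` output and test it against the two group names from the thread. The user name and gids below are constructed; the `+` separator follows the posted smb.conf.

```shell
#!/bin/sh
# Decide whether a user would pass an sshd AllowGroups line listing the two
# groups named in the thread, judging only from what `id USER` reports.

ALLOWED_GROUPS="DOM-A+sysadmins DOM-B+trusted_sysadmins"

# id_groups ID_OUTPUT
# Print one group name per line from the "groups=" field of `id` output.
# Entries are comma-separated gid(name) pairs, so names containing spaces
# such as "DOM-A+domain users" stay intact. SELinux hosts (RHEL) append a
# " context=..." field after the groups, which is stripped first.
id_groups() {
  printf '%s\n' "$1" \
    | sed -n 's/ context=.*$//; s/.*groups=//p' \
    | tr ',' '\n' \
    | sed -n 's/^[0-9][0-9]*(\(.*\))$/\1/p'
}

# login_allowed ID_OUTPUT
# Return 0 if any group in ID_OUTPUT exactly matches an ALLOWED_GROUPS entry
# (sshd AllowGroups without wildcards also matches whole names), else 1.
login_allowed() {
  groups=$(id_groups "$1")
  for want in $ALLOWED_GROUPS; do
    printf '%s\n' "$groups" | grep -qxF -- "$want" && return 0
  done
  return 1
}

# Constructed `id` output for the symptom in the thread: a DOM-A user whose
# token only carries "DOM-A+domain users".
ID_BROKEN='uid=100512(DOM-A+alice) gid=100513(DOM-A+domain users) groups=100513(DOM-A+domain users)'
# Constructed output once winbind resolves the DOM-A group membership.
ID_FIXED='uid=100512(DOM-A+alice) gid=100513(DOM-A+domain users) groups=100513(DOM-A+domain users),100600(DOM-A+sysadmins) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

for out in "$ID_BROKEN" "$ID_FIXED"; do
  if login_allowed "$out"; then echo "allowed"; else echo "denied"; fi
done
```

On a real host, replace the constructed strings with `$(id "DOM-A+username")` to see what the current winbind configuration actually exposes.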