Hello all, hope all is well/happy holidays

Issues with an old thread out there, valid users containing an AD group

Have tried this on systems running cent7u2 and ubuntu trusty. These systems are running sssd. I can login with AD users and chown/chgrp files with AD groups. However, I can't get AD groups to work with valid users for restricting share access. If I just set individual AD users, works just fine.

I did troll thru googles and this mailing list, but many posts were leveraging winbind or winbind and older versions of samba. FAQs and docs led me to try several variants for valid users

    @"MC\MC-Services"
    @"MC\\MC-Services"
    @MC-Services
    MC-Services

Any thoughts/help would be greatly appreciated.
thanks and regards

some samba vers on the centos host

    samba-common-4.2.3-12.el7_2.noarch
    samba-common-tools-4.2.3-12.el7_2.x86_64
    samba-common-libs-4.2.3-12.el7_2.x86_64
    samba-4.2.3-12.el7_2.x86_64
    samba-libs-4.2.3-12.el7_2.x86_64
    samba-client-libs-4.2.3-12.el7_2.x86_64

    [root at Xsamba]# smbd -V
    Version 4.2.3

Here is the config

    [global]
        workgroup = mc
        server string = Samba Server Version %v
        log file = /var/log/samba/log.%m
        max log size = 50
        security = ads
        bind interfaces only = yes
        interfaces=192.168.99.0/24
        dedicated keytab file=/etc/krb5.keytab
        password server = 192.168.1.2 192.168.1.3
        realm = MC.FOO.COM
        passdb backend = tdbsam
        map to guest = Bad Uid

    [homes]
        comment = Home Directories
        browseable = no
        writable = yes

    [logs]
        comment = Server Logs
        path = /logs
        writable = no
        #valid users = jsmith
        valid users = @"MC\MC-Services"
        printable = no

On Thu, 15 Dec 2016 13:50:09 -0600
jsl6uy js16uy via samba <samba at lists.samba.org> wrote:

> [logs]
> comment = Server Logs
> path = /logs
> writable = no
> #valid users = jsmith
> valid users = @"MC\MC-Services"
> printable = no

Is the Samba machine joined to the domain?

If so, then stop trying to get 'valid users' to work and use windows ACLs instead:

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

Other than that, as you are using sssd, I suggest you try the sssd-users mailing list. sssd has nothing to do with Samba.

Rowland

Thanks very much for the quick response/info sir

Server is joined to the domain, which, I think, the info I listed demonstrates, apologies if not

> sssd has nothing to do with Samba.

I somewhat understand that sir. I listed mainly to provide info on authmethods and services on the host. In case not listing affected diagnosis, and just in case samba did something different interacting on system with sss as a source for user/group accounting info

> If so, then stop trying to get 'valid users' to work and use windows ACLs instead :

I will check that out.

thanks much again

On Thu, Dec 15, 2016 at 2:09 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> Is the Samba machine joined to the domain ?
> If so, then stop trying to get 'valid users' to work and use windows
> ACLs instead :
>
> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
>
> Other than that, as you are using sssd, I suggest you try the
> sssd-users mailing list. sssd has nothing to do with Samba.
>
> Rowland