Thanks very much for the quick response/info sir
Server is joined to the domain, which, I think, the info I listed demonstrates, apologies if not

sssd has nothing to do with Samba.
>>I somewhat understand that sir. I listed mainly to provide info on auth methods and services on the host. In case not listing affected diagnosis, and just in case samba did something different interacting on system with sss as a source for user/group accounting info

If so, then stop trying to get 'valid users' to work and use windows ACLs instead :
>>I will check that out. thanks much again

On Thu, Dec 15, 2016 at 2:09 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 15 Dec 2016 13:50:09 -0600
> jsl6uy js16uy via samba <samba at lists.samba.org> wrote:
>
> > Hello all, hope all is well/happy holidays
> >
> > Issues with an old thread out there, valid users containing an AD
> > group
> >
> > Have tried this on systems running cent7u2 and ubuntu trusty. These
> > systems are running sssd. I can login with AD users and chown/chgrp
> > file with AD groups. However, I can't get AD groups to work with
> > valid users for restricting share access. If I just set individual AD
> > users, works just fine.
> > I did troll thru googles and this mailing list, but many posts were
> > leveraging winbind or winbind and older versions of samba. Faqs and
> > docs led me to try several variants for valid users
> >
> > @"MC\MC-Services"
> > @"MC\\MC-Services"
> > @MC-Services
> > MC-Services
> >
> > Any thoughts/help would be greatly appreciated.
> > thanks and regards
> >
> >
> > some samba vers on the centos host
> > samba-common-4.2.3-12.el7_2.noarch
> > samba-common-tools-4.2.3-12.el7_2.x86_64
> > samba-common-libs-4.2.3-12.el7_2.x86_64
> > samba-4.2.3-12.el7_2.x86_64
> > samba-libs-4.2.3-12.el7_2.x86_64
> > samba-client-libs-4.2.3-12.el7_2.x86_64
> >
> > [root at Xsamba]# smbd -V
> > Version 4.2.3
> >
> >
> > >>>Here is the config
> >
> > [global]
> > workgroup = mc
> > server string = Samba Server Version %v
> > log file = /var/log/samba/log.%m
> > max log size = 50
> > security = ads
> > bind interfaces only = yes
> > interfaces=192.168.99.0/24
> > dedicated keytab file=/etc/krb5.keytab
> > password server = 192.168.1.2 192.168.1.3
> > realm = MC.FOO.COM
> > passdb backend = tdbsam
> > map to guest = Bad Uid
> >
> >
> > [homes]
> > comment = Home Directories
> > browseable = no
> > writable = yes
> >
> > [logs]
> > comment = Server Logs
> > path = /logs
> > writable = no
> > #valid users = jsmith
> > valid users = @"MC\MC-Services"
> > printable = no
> > ~
>
> Is the Samba machine joined to the domain ?
> If so, then stop trying to get 'valid users' to work and use windows
> ACLs instead :
>
> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
>
> Other than that, as you are using sssd, I suggest you try the
> sssd-users mailing list. sssd has nothing to do with Samba.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On Thu, 15 Dec 2016 14:31:25 -0600
jsl6uy js16uy <js16uy at gmail.com> wrote:

> Thanks very much for the quick response/info sir
> Server is joined to the domain, which, I think, the info I listed
> demonstrates, apologies if not
>
> sssd has nothing to do with Samba.
> >>I somewhat understand that sir. I listed mainly to provide info on
> >>auth
> methods and services on the host. In case not listing affected
> diagnosis, and just in case samba did something different interacting
> on system with sss as a source for user/group accounting info
>

What I was trying to get across is, because you are using sssd, Samba
isn't doing the authentication and this could be a large part of your
problem. This is the Samba mailing list and we do not have the
information and expertise to deal with sssd problems.

Rowland

understood sir
I will hit them up.

Locally everything works. For example I can chown a folder to be owned by an AD group with 2770. I can't access that share, when setup similarly to the way it is setup in the link you directed me to. However I can login into the host via passwd/kerberos ticket and chdir into that directly without issue, below the user is part of MC-Services, apologies not trying to be overly obvious.

drwxrwsr-x 3 appadmin MC-Services 4096 Dec 15 14:47 logs

The other prep work/pre reqs in that link all work/comply on the testing system. the system knows about AD users and groups and the MACHINE ACCOUNT works/trusted in AD. I can leverage auto.smb to "walk" to cifs shares like HOSTNAME\C$

It seems like I need to get that info to samba, however, I know you stated to move away from valid users, but singly listed AD users work with valid users. This kind of abstraction is nice so I don't have to tweak FS perms to "match" shared out access. Right now with the local FS perms above I can get into the share if I have the share setup as below

[logs]
comment = Server Logs
path = /logs
writable = no
valid users = jsmith
printable = no

So seems samba can handle the users, but not info or can't get the info for the AD groups and/or the members of those AD groups. If I change the owner of the dir to be completely owned by appadmin, the testing user can no longer get into the share, makes sense. So with samba on this host I can connect to a shared out directory that does not have other/o access if a group the user is part of can access the directory if I list out that user singly as shown above.

So it's just this AD group mapping that is the issue

I know long, just trying to better state where I'm at, further confusions on my end

thanks again sir

On Thu, Dec 15, 2016 at 2:40 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 15 Dec 2016 14:31:25 -0600
> jsl6uy js16uy <js16uy at gmail.com> wrote:
>
> > Thanks very much for the quick response/info sir
> > Server is joined to the domain, which, I think, the info I listed
> > demonstrates, apologies if not
> >
> > sssd has nothing to do with Samba.
> > >>I somewhat understand that sir. I listed mainly to provide info on
> > >>auth
> > methods and services on the host. In case not listing affected
> > diagnosis, and just in case samba did something different interacting
> > on system with sss as a source for user/group accounting info
> >
>
> What I was trying to get across is, because you are using sssd, Samba
> isn't doing the authentication and this could be a large part of your
> problem. This is the Samba mailing list and we do not have the
> information and expertise to deal with sssd problems.
>
> Rowland