On 2018-02-19 at 17:39, Rowland Penny via samba wrote:
> On Mon, 19 Feb 2018 17:03:31 +0100
> Matthias Leopold via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> I'm trying to set up Samba 4.6 on CentOS 7.4 as a Domain Member of a
>> Windows 2012R2 Domain Controller with AD. To administer share
>> security I have to use the "username map" feature. This works when I
>> enumerate individual AD users there. When I want to use AD groups it
>> only works with "primary" groups. This way I can't use the "Domain
>> Admins" group from AD there, since "primary" group (unix style) of
>> all AD users is "Domain Users".
>>
>> I'm using the "rid" idmap backend, where I can't change Linux primary
>> group membership of AD users (to my experience). I know I can change
>> Linux primary group membership with the "ad" idmap backend, but also
>> only when using the Unix extensions in AD (changing Windows primary
>> group has no effect and is deprecated anyway). I want to avoid this
>> and don't want to believe this is necessary in the first place.
>>
>> Some configuration details:
>>
>> smb.conf:
>> security = ADS
>> passdb backend = tdbsam
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>> idmap config MYDOMAIN : backend = rid
>> idmap config MYDOMAIN : range = 10000-999999
>> winbind enum users = yes
>> winbind enum groups = yes
>> username map = /etc/samba/user.map
>
> Is that your entire smb.conf ?
>
>>
>> /etc/samba/user.map:
>> !root = "@MYDOMAIN\Domain Admins" "@MYDOMAIN\domain admins"
>
> I have never tried to map a group to a User, but in any case you don't
> need to ;-)
>
> You are using the 'rid' backend, so 'Domain Admins' gets a group ID, or
> to put it another way, the underlying Unix OS knows who 'Domain Admins'
> is.
> Have you read this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

This is the documentation I have been following. I was trying to use
"acl_xattr:ignore system acls = yes" for the first time.
This doesn't seem to work (as I expected). When I use the default
"acl_xattr:ignore system acls = no" everything is fine and I don't have
to use a "username map".

thx
matthias
On Tue, 20 Feb 2018 17:06:32 +0100
Matthias Leopold <matthias.leopold at meduniwien.ac.at> wrote:
>
>
> On 2018-02-19 at 17:39, Rowland Penny via samba wrote:
> > On Mon, 19 Feb 2018 17:03:31 +0100
> > Matthias Leopold via samba <samba at lists.samba.org> wrote:
> >
> >> Hi,
> >>
> >> I'm trying to set up Samba 4.6 on CentOS 7.4 as a Domain Member of a
> >> Windows 2012R2 Domain Controller with AD. To administer share
> >> security I have to use the "username map" feature. This works when
> >> I enumerate individual AD users there. When I want to use AD
> >> groups it only works with "primary" groups. This way I can't use
> >> the "Domain Admins" group from AD there, since "primary" group
> >> (unix style) of all AD users is "Domain Users".
> >>
> >> I'm using the "rid" idmap backend, where I can't change Linux
> >> primary group membership of AD users (to my experience). I know I
> >> can change Linux primary group membership with the "ad" idmap
> >> backend, but also only when using the Unix extensions in AD
> >> (changing Windows primary group has no effect and is deprecated
> >> anyway). I want to avoid this and don't want to believe this is
> >> necessary in the first place.
> >>
> >> Some configuration details:
> >>
> >> smb.conf:
> >> security = ADS
> >> passdb backend = tdbsam
> >> idmap config * : backend = tdb
> >> idmap config * : range = 3000-7999
> >> idmap config MYDOMAIN : backend = rid
> >> idmap config MYDOMAIN : range = 10000-999999
> >> winbind enum users = yes
> >> winbind enum groups = yes
> >> username map = /etc/samba/user.map
> >
> > Is that your entire smb.conf ?
> >
> >>
> >> /etc/samba/user.map:
> >> !root = "@MYDOMAIN\Domain Admins" "@MYDOMAIN\domain admins"
> >
> > I have never tried to map a group to a User, but in any case you
> > don't need to ;-)
> >
> > You are using the 'rid' backend, so 'Domain Admins' gets a group
> > ID, or to put it another way, the underlying Unix OS knows who
> > 'Domain Admins' is.
> > Have you read this:
> >
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> This is the documentation I have been following. I was trying to use
> "acl_xattr:ignore system acls = yes" for the first time. This doesn't
> seem to work (as I expected). When I use the default
> "acl_xattr:ignore system acls = no" everything is fine and I don't
> have to use a "username map".
>
> thx
> matthias
>

Hmm, bit of a catch 22 situation here, to use members of 'Domain Admins'
to set the ACLs on a share directory, the group for the share directory
must be 'Domain Admins', but if you tell Samba to ignore the system
acls, then 'Domain Admins' will not have permission on the share.

I have never used 'acl_xattr:ignore system acls = yes' myself, so I
don't know of a workaround, I have ideas, so I will go and test them.

Watch this space ;-)

Rowland
On Tue, 20 Feb 2018 16:47:25 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> Hmm, bit of a catch 22 situation here, to use members of 'Domain
> Admins' to set the ACLs on a share directory, the group for the share
> directory must be 'Domain Admins', but if you tell Samba to ignore the
> system acls, then 'Domain Admins' will not have permission on the
> share.
>
> I have never used 'acl_xattr:ignore system acls = yes' myself, so I
> don't know of a workaround, I have ideas, so I will go and test them.
>
> Watch this space ;-)
>
> Rowland
>

OK, fired up a Win7 VM and tried to add users to a share.

First the good news, it doesn't matter if 'acl_xattr:ignore system acls
= yes' is set or not.

Now the bad news, it didn't work on a share that didn't have
'acl_xattr:ignore system acls = yes' at first.

I traced this down to a permissions problem.

I ran:

ls -lad /home/testdata

Which returned this:

drwxrwx---+ 2 root unix admins 4096 Jan 26 14:27 /home/testdata

So, on the face of it, members of 'unix admins' should be able to write
to the share.

NOTE: I use Unix Admins instead of Domain Admins

Well they couldn't ;-)

I traced this to:

getfacl /home/testdata

Which produced this:

getfacl: Removing leading '/' from absolute path names
# file: home/testdata
# owner: root
# group: unix\040admins
user::rwx
user:root:rwx
user:rowland:r-x
group::---
group:root:---
group:2004:r-x
group:2005:rwx
group:unix\040admins:---
........

According to getfacl 'unix admins' has NO permissions

To fix this, I ran:

setfacl -m g:'unix admins':rwx /home/testdata

Refreshed the computer in Windows 'Computer Management' and I could then
manage the share from Windows.

Added 'acl_xattr:ignore system acls = yes' to the share in smb.conf,
reloaded the Samba config and it still worked.

Rowland
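The check Rowland walks through above (ls -l looking fine, getfacl showing the group with no permissions, setfacl -m repairing it) can be scripted. The following POSIX shell is an added example, not code from the thread or from the Samba project: it parses getfacl output and reports the permission a named group effectively has once the ACL mask is applied, and it rewrites the ACL text the way "setfacl -m g:NAME:PERM" would, offline. The sample ACL is constructed after the output quoted above; its mask and "other" entries, the function names and the setfacl stand-in are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: read getfacl(1) output and report the
# permission a group really has, i.e. its ACL entry ANDed with the ACL mask.
# When an ACL is present (the trailing "+" in ls -l), the group column of
# ls -l shows the mask rather than the owning group's entry, which is why
# "drwxrwx---+" can look writable while getfacl says "group::---".

# getfacl output constructed after the one quoted in the thread; the mask
# and "other" entries are assumed, because the quoted output elides them.
SAMPLE_ACL='# file: home/testdata
# owner: root
# group: unix\040admins
user::rwx
user:root:rwx
user:rowland:r-x
group::---
group:root:---
group:2004:r-x
group:2005:rwx
group:unix\040admins:---
mask::rwx
other::---'

# acl_entry_perm ACL_TEXT TAG QUALIFIER -> permission string of the matching
# entry, empty if there is none.  An empty QUALIFIER selects the owning
# user/group entry or the mask.
acl_entry_perm() {
    acl=$1; tag=$2
    # getfacl writes a space in a name as \040; encode the qualifier alike.
    qual_esc=$(printf '%s' "$3" | sed 's/ /\\040/g')
    printf '%s\n' "$acl" | while IFS=: read -r t q p; do
        if [ "$t" = "$tag" ] && [ "$q" = "$qual_esc" ]; then
            printf '%s' "$p"
            break
        fi
    done
}

# perm_and A B -> bitwise AND of two rwx strings, e.g. rwx r-x -> r-x
perm_and() {
    out=""
    for i in 1 2 3; do
        ca=$(printf '%s\n' "$1" | cut -c"$i")
        cb=$(printf '%s\n' "$2" | cut -c"$i")
        if [ "$ca" = "$cb" ] && [ "$ca" != "-" ]; then
            out="$out$ca"
        else
            out="$out-"
        fi
    done
    printf '%s' "$out"
}

# acl_effective_group_perm ACL_TEXT GROUPNAME -> what that group can do
acl_effective_group_perm() {
    entry=$(acl_entry_perm "$1" group "$2")
    mask=$(acl_entry_perm "$1" mask "")
    [ -n "$entry" ] || entry="---"   # no entry: nothing granted
    [ -n "$mask" ] || mask="rwx"     # no mask entry: nothing filtered
    perm_and "$entry" "$mask"
}

# acl_with_group_perm ACL_TEXT GROUPNAME PERM -> the ACL text with that
# named-group entry set or added: an offline stand-in for
# "setfacl -m g:NAME:PERM" (the real setfacl also recomputes the mask
# unless given -n; here the mask is left untouched).
acl_with_group_perm() {
    acl=$1; qual_esc=$(printf '%s' "$2" | sed 's/ /\\040/g'); newperm=$3
    found=0; out=""
    while IFS= read -r line; do
        case $line in
            group:*)
                rest=${line#group:}
                if [ "${rest%%:*}" = "$qual_esc" ]; then
                    line="group:$qual_esc:$newperm"; found=1
                fi ;;
        esac
        out="$out$line
"
    done <<EOF
$acl
EOF
    [ "$found" -eq 1 ] || out="${out}group:$qual_esc:$newperm
"
    printf '%s' "$out"
}

# The thread's case: ls -l reports the mask, the named-group entry is empty,
# and adding that entry (setfacl -m) is what restores access.
printf 'mask, i.e. what ls -l shows as group bits: %s\n' \
    "$(acl_entry_perm "$SAMPLE_ACL" mask "")"
printf "effective for 'unix admins' before the fix: %s\n" \
    "$(acl_effective_group_perm "$SAMPLE_ACL" "unix admins")"
FIXED_ACL=$(acl_with_group_perm "$SAMPLE_ACL" "unix admins" rwx)
printf "effective for 'unix admins' after the fix:  %s\n" \
    "$(acl_effective_group_perm "$FIXED_ACL" "unix admins")"
```

The point the script makes explicit is that once a directory carries a POSIX ACL, the group bits that ls -l prints are the mask, so "rwx" there says nothing about whether a particular group has an entry at all. To audit a real share directory, feed the script `getfacl -p /path` output instead of the constructed sample; getfacl's own `-e` flag prints the effective rights after the mask, which is the same arithmetic perm_and does here.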
On 2018-02-20 at 17:47, Rowland Penny via samba wrote:
> On Tue, 20 Feb 2018 17:06:32 +0100
> Matthias Leopold <matthias.leopold at meduniwien.ac.at> wrote:
>
>>
>>
>> On 2018-02-19 at 17:39, Rowland Penny via samba wrote:
>>> On Mon, 19 Feb 2018 17:03:31 +0100
>>> Matthias Leopold via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm trying to set up Samba 4.6 on CentOS 7.4 as a Domain Member of a
>>>> Windows 2012R2 Domain Controller with AD. To administer share
>>>> security I have to use the "username map" feature. This works when
>>>> I enumerate individual AD users there. When I want to use AD
>>>> groups it only works with "primary" groups. This way I can't use
>>>> the "Domain Admins" group from AD there, since "primary" group
>>>> (unix style) of all AD users is "Domain Users".
>>>>
>>>> I'm using the "rid" idmap backend, where I can't change Linux
>>>> primary group membership of AD users (to my experience). I know I
>>>> can change Linux primary group membership with the "ad" idmap
>>>> backend, but also only when using the Unix extensions in AD
>>>> (changing Windows primary group has no effect and is deprecated
>>>> anyway). I want to avoid this and don't want to believe this is
>>>> necessary in the first place.
>>>>
>>>> Some configuration details:
>>>>
>>>> smb.conf:
>>>> security = ADS
>>>> passdb backend = tdbsam
>>>> idmap config * : backend = tdb
>>>> idmap config * : range = 3000-7999
>>>> idmap config MYDOMAIN : backend = rid
>>>> idmap config MYDOMAIN : range = 10000-999999
>>>> winbind enum users = yes
>>>> winbind enum groups = yes
>>>> username map = /etc/samba/user.map
>>>
>>> Is that your entire smb.conf ?
>>>
>>>>
>>>> /etc/samba/user.map:
>>>> !root = "@MYDOMAIN\Domain Admins" "@MYDOMAIN\domain admins"
>>>
>>> I have never tried to map a group to a User, but in any case you
>>> don't need to ;-)
>>>
>>> You are using the 'rid' backend, so 'Domain Admins' gets a group
>>> ID, or to put it another way, the underlying Unix OS knows who
>>> 'Domain Admins' is.
>>> Have you read this:
>>>
>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
>> This is the documentation I have been following. I was trying to use
>> "acl_xattr:ignore system acls = yes" for the first time. This doesn't
>> seem to work (as I expected). When I use the default
>> "acl_xattr:ignore system acls = no" everything is fine and I don't
>> have to use a "username map".
>>
>> thx
>> matthias
>>
>
> Hmm, bit of a catch 22 situation here, to use members of 'Domain
> Admins' to set the ACLs on a share directory, the group for the share
> directory must be 'Domain Admins', but if you tell Samba to ignore the
> system acls, then 'Domain Admins' will not have permission on the
> share.

I initially intuitively thought so too, but stubbornly (and stupidly)
kept wondering why it "didn't work". Thanks for demonstrating a way to
use "acl_xattr:ignore system acls = yes", but I'll stick to the default
now, I don't have a real reason to change it.

Regards
Matthias