Deas, Jim
2021-Jun-28 14:23 UTC
[Samba] Guides to AD integration using Win ACL and nested groups
I am having issues understanding the options required to make Samba use native
Windows ACLs. If I remove WinACL 'everybody' from a share's folder,
it becomes unavailable even though AD group membership should allow it.
Currently I can use wbinfo to obtain all users and groups from Win AD, which I
believe confirms winbind is working correctly (using the ad backend; should I be
using rid?).
Currently running 'net rpc group list' I only see Guest, Administrators
and Users. (Do I need to create local AD groups?)
Share is stored on an ext4fs with xattr and I see the security information being
written to the folder and file xattr when changed from Windows's AD manager.
I'm sure I am crossing the streams here a bit. Is there a good guide showing
the use of Windows ACLs exclusively outside of sssd (including nested groups, so
I believe sssd is out)?
I have downloaded 'Setting up a Share Using Windows ACLs' from the
SambaWiki but I must be misinterpreting the contents.
Here is the config:
[global]
workgroup = MYGROUP
security = ADS
realm = MYREALM.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server signing = no
strict sync = no
min protocol = SMB2
ea support = yes
log level = 1 auth:5 winbind:5
log file = /var/log/samba.log
idmap config * : backend = tdb
idmap config * : range = 500 - 9999
idmap config MYGROUP: backend = ad
idmap config MYGROUP: range = 10000 - 999999
username map = /etc/samba/user.map
vfs objects = acl_xattr
map acl inherit = yes
fruit:aapl = yes
winbind use default domain = yes
winbind refresh tickets = yes
winbind enum users = yes
winbind enum groups = yes
[Test]
comment = test raid
path = /raid/Media/Test
writeable = yes
fruit:resource = stream
fruit:metadata = stream
fruit:zero_file_id = yes
vfs objects = fruit streams_xattr acl_xattr
acl_xattr:ignore system acl = yes
veto files = /lost+found
hide files = /lost+found
Regards,
JD
Rowland Penny
2021-Jun-28 14:59 UTC
[Samba] Guides to AD integration using Win ACL and nested groups
On Mon, 2021-06-28 at 14:23 +0000, Deas, Jim via samba wrote:
> I am having issues understanding the options required to make Samba
> use native Windows ACLs. If I remove WinACL 'everybody' from a
> share's folder, it becomes unavailable even though AD group
> membership should allow it.
>
> Currently I can use wbinfo to obtain all users and groups from Win AD
> which I believe confirms winbind is working correctly

Yes, that confirms that winbind can contact AD, it doesn't confirm that your OS knows who your AD users are.

> (using ad backend , should I be using rid?)

Very probably.

> Currently running 'net rpc group list' I only see Guest,
> Administrators and Users. (Do I need to create local AD groups?)

Ah, that sort of confirms it, I do not think you have added any uidNumber or gidNumber attributes to AD. No, do not create any local users or groups.

> Share is stored on an ext4fs with xattr and I see the security
> information being written to the folder and file xattr when changed
> from Windows's AD manager.
>
> I'm sure I am crossing the streams here a bit, is there a good guide
> showing the use of Windows ACLs exclusively outside of sssd
> (including nested groups so I believe sssd is out)

If you want shares, then sssd is definitely out.

> I have downloaded 'Setting up a Share Using Windows ACLs" from the
> SambaWiki but I must be misinterpreting the contents.

Have you read this: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

>
> Here is the config:
>
> [global]
> workgroup = MYGROUP
> security = ADS
> realm = MYREALM.COM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> server signing = no
> strict sync = no
> min protocol = SMB2
> ea support = yes
>
> log level = 1 auth:5 winbind:5
> log file = /var/log/samba.log
> idmap config * : backend = tdb
> idmap config * : range = 500 - 9999

Don't use that range, it means that you cannot have any local users.

Rowland
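A small check for the range overlap Rowland points out, added here as an example and not taken from the thread or from Samba itself: it parses the default "*" idmap range out of an smb.conf and lists local passwd/group entries whose ID falls inside it. The smb.conf and passwd fragments are constructed sample data; the getent/id helper is what you would run on a real domain member and is not executed here.

```shell
#!/bin/sh
# Added example, not from the thread: flag local OS accounts whose UID/GID
# falls inside the default "*" idmap range of an smb.conf, the overlap
# Rowland warns about for "idmap config * : range = 500 - 9999".
# The smb.conf and passwd fragments below are constructed sample data.

# Print "lo hi" from the "idmap config * : range" line of the given smb.conf.
default_idmap_range() {
    sed -n 's/^[[:space:]]*idmap config \*[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2/p' "$1"
}

# Print "name:id" for each passwd/group entry whose numeric id (third
# field) lies inside [lo, hi]; empty output means no overlap.
ids_in_range() {
    awk -F: -v lo="$2" -v hi="$3" \
        '$3 >= lo && $3 <= hi { print $1 ":" $3 }' "$1"
}

# Combine the two: args are smb.conf path and passwd (or group) path.
report_overlap() {
    set -- "$1" "$2" $(default_idmap_range "$1")
    ids_in_range "$2" "$3" "$4"
}

# Live check for a real domain member (not run here): winbind answering is
# not enough, the OS itself must resolve AD accounts via getent/id, which
# for the 'ad' backend requires uidNumber/gidNumber on the AD objects.
live_resolve() {
    getent passwd "$1" && id "$1"
}

SAMPLE=$(mktemp -d)
cat > "$SAMPLE/smb.conf" <<'EOF'
[global]
   idmap config * : backend = tdb
   idmap config * : range = 500 - 9999
   idmap config MYGROUP: backend = ad
   idmap config MYGROUP: range = 10000 - 999999
EOF
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
jdeas:x:1000:1000:Jim:/home/jdeas:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
EOF

# With the thread's range, the ordinary local user jdeas (UID 1000) collides.
report_overlap "$SAMPLE/smb.conf" "$SAMPLE/passwd"
```

Run the same two functions against the real /etc/smb.conf and /etc/passwd (and /etc/group) to see which local accounts a "*" range would shadow.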