Rowland Penny
2021-Jun-28 19:33 UTC
[Samba] Guides to AD integration using Win ACL and nested groups
On Mon, 2021-06-28 at 17:56 +0000, Deas, Jim wrote:
> Rowland, thank you for the reply, I see where I may need to move the
> idmap backend from ad to rid and will set up a second test system to
> investigate it.
>
> Re-reading parts of the doc you reference, I have not created
> template entries for items such as home directory, but all domain
> users do have uid, uidNumber and gidNumber set to match my legacy
> posix system used by PAM. I did not set gidNumbers on the AD groups
> because I was attempting to have the system use Windows nested ACLs
> exclusively for access control to the shares.

If you use idmap_ad, then you must give Domain Users a gidNumber attribute containing a number inside the DOMAIN range you set in smb.conf, or ALL your users will be ignored.

> Does switching from idmap_ad to idmap_rid along with idmap range
> allow full Win ACL control of a share based on 'calculated' group and
> user access rights stored in the files/folder xattr and alleviate the
> need to duplicate uid/gid information from their Unix accounts into
> the Win AD accounts?

Ah, when you say 'Unix accounts', do you mean accounts and groups stored in /etc/passwd & /etc/group? If you do, then if there are accounts in AD that are also in /etc/passwd or /etc/group, delete the ones in /etc/passwd and /etc/group. You should only have accounts in AD.

If you use the winbind 'rid' backend (idmap_rid), then the IDs are calculated from the account's RID. Any RFC2307 attributes in AD will be ignored. If you use the winbind 'ad' backend (idmap_ad), then the IDs are found from the RFC2307 attributes you have added.

> Is xattr:security used directly by smb to determine access or is it
> instead only used to calculate a posix uid/gid number used by ext4
> natively?

Not sure you understand AD permissions correctly, ext4 doesn't calculate IDs at all, it just uses them, if it can find them.

There are three sets of permissions in play here: the normal Unix 'ugo' permissions, the ACL set with setfacl and the Windows ACL stored in an EA. If you set the share's permissions from Windows (highly recommended), they are stored in the latter.

Rowland
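The two mapping rules Rowland describes, as an added example that is not part of the thread: idmap_rid derives the Unix ID from the RID and the configured range, while idmap_ad reads uidNumber/gidNumber and drops a user whose primary group (Domain Users) has no gidNumber inside the DOMAIN range. The smb.conf fragment, the domain name SAMDOM and the AD objects are constructed for illustration.

```python
"""Model of how winbind's idmap_rid and idmap_ad backends derive Unix IDs
(added example; not Samba's own code, and SAMDOM plus all values are constructed)."""
import re

# Constructed smb.conf fragment: default '*' range plus the AD domain range.
SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
"""

# Constructed AD objects with RFC2307 attributes (RID 513 is Domain Users).
GROUPS_NO_GID = {"Domain Users": {"rid": 513}}
GROUPS_OK = {"Domain Users": {"rid": 513, "gidNumber": 10513}}
USERS = {"jim": {"rid": 1106, "uidNumber": 11106, "primaryGroup": "Domain Users"}}


def idmap_range(conf, domain):
    """Return (low, high) from the 'idmap config DOMAIN : range' line."""
    pat = r"idmap config %s\s*:\s*range\s*=\s*(\d+)-(\d+)" % re.escape(domain)
    m = re.search(pat, conf)
    if not m:
        raise ValueError("no idmap range configured for %s" % domain)
    return int(m.group(1)), int(m.group(2))


def rid_backend_id(rid, low, high, base_rid=0):
    """idmap_rid: ID = RID - base_rid + low; any RFC2307 attribute is ignored.
    Returns None when the computed ID falls outside the configured range."""
    xid = rid - base_rid + low
    return xid if low <= xid <= high else None


def ad_backend_uid(user, groups, low, high):
    """idmap_ad: the uid is the user's uidNumber, but the user is ignored unless
    both that uidNumber and the primary group's gidNumber lie inside the range."""
    uid = user.get("uidNumber")
    gid = groups.get(user.get("primaryGroup"), {}).get("gidNumber")
    if uid is None or gid is None:
        return None
    if not (low <= uid <= high and low <= gid <= high):
        return None
    return uid


def map_all(conf, domain, users, groups):
    """Map every user under both backends; None means winbind would ignore it."""
    low, high = idmap_range(conf, domain)
    return {name: {"rid": rid_backend_id(u["rid"], low, high),
                   "ad": ad_backend_uid(u, groups, low, high)}
            for name, u in users.items()}
```

Running `map_all(SMB_CONF, "SAMDOM", USERS, GROUPS_NO_GID)` shows jim mapped by idmap_rid but dropped by idmap_ad until Domain Users gets an in-range gidNumber, which is the failure Rowland warns about.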