Fuhriman, Nathanael [US] (SP) (Contr)
2022-Mar-03 23:47 UTC
[Samba] smb won't allow users from other ou share access
I have samba set up to share files on a system using SSSD hooked to AD for user accounts. Some users are able to access the shares and others are not. I finally narrowed it down to users that are in a specific OU in AD. Those in that OU can access the shares. All others are denied access. For example, users in OU=employees are able to access but users in OU=contractors are not able to access.

I'm pretty sure the problem is with samba because the users are all able to log in with ssh, so the system in general knows about the user/passwords.

I've tried looking through the smb.conf man page and I'm not seeing anything about where it cares about which ou a user is in.

This is on RHEL7.9 with samba 4.10.16
Rowland Penny
2022-Mar-04 09:55 UTC
[Samba] smb won't allow users from other ou share access
On Thu, 2022-03-03 at 23:47 +0000, Fuhriman, Nathanael [US] (SP) (Contr) via samba wrote:
> I have samba set up to share files on a system using SSSD hooked to AD for user accounts. Some users are able to access the shares and others are not. I finally narrowed it down to users that are in a specific OU in AD. Those in that OU can access the shares. All others are denied access. For example, users in OU=employees are able to access but users in OU=contractors are not able to access.
>
> I'm pretty sure the problem is with samba because the users are all able to log in with ssh, so the system in general knows about the user/passwords.
>
> I've tried looking through the smb.conf man page and I'm not seeing anything about where it cares about which ou a user is in.
>
> This is on RHEL7.9 with samba 4.10.16

I suggest you contact RHEL about this; sssd is doing the authentication here and Samba does not produce sssd. Also, Samba 4.10.16 is EOL as far as Samba is concerned.

Rowland
Patrick Goetz
2022-Mar-04 16:59 UTC
[Samba] smb won't allow users from other ou share access
On 3/3/22 17:47, Fuhriman, Nathanael [US] (SP) (Contr) via samba wrote:
> I have samba set up to share files on a system using SSSD hooked to AD for user accounts. Some users are able to access the shares and others are not. I finally narrowed it down to users that are in a specific OU in AD. Those in that OU can access the shares. All others are denied access. For example, users in OU=employees are able to access but users in OU=contractors are not able to access.

From your description my suspicion is that a GPO is responsible for this, not Samba. What OU to suspect depends on how your network is configured; i.e. are all the shares coming from the same file server? Does that file server have GPO-based access restrictions to that OU? If it's not that, comb through your /etc/sssd/sssd.conf file looking for anything that references that OU. It could be samba if you have these restrictions embedded in your /etc/samba/smb.conf file, but I'm assuming you've checked for this already.
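
One way to do the configuration check suggested in the last reply, as an added example that is not part of the thread or written by any of its participants. The option names are existing sssd.conf and smb.conf settings chosen here as the ones that can scope access; the sample config, domain and OU names are constructed, and `audit_conf` is a hypothetical helper name.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): list settings that can scope access by OU or group.

# sssd.conf options that limit which users are searched for or allowed in.
SSSD_KEYS='ldap_search_base|ldap_user_search_base|ldap_group_search_base|access_provider|ad_access_filter|ldap_access_filter|ad_gpo_access_control|simple_allow_users|simple_allow_groups'
# smb.conf parameters that limit who may connect to a share.
SMB_KEYS='valid users|invalid users'

# audit_conf FILE KEYS_REGEX [OU_NAME]
# Prints "tag<TAB>[section]<TAB>key = value" per matching setting; tag is
# OU-MATCH when the value names OU=<OU_NAME>, otherwise "review".
audit_conf() {
    awk -v keys="$2" -v ou="${3:-}" '
        /^[ \t]*[#;]/ { next }                       # skip commented-out lines
        /^[ \t]*\[/   { section = $0; gsub(/^[ \t]+|[ \t]+$/, "", section); next }
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) !~ ("^(" keys ")$")) next
            tag = (ou != "" && index(tolower(val), "ou=" tolower(ou))) ? "OU-MATCH" : "review"
            printf "%s\t%s\t%s = %s\n", tag, section, key, val
        }' "$1"
}

# Constructed sample config (hypothetical domain and OU names) for an offline run.
sample_sssd_conf() {
    cat <<'EOF'
[sssd]
domains = example.test

[domain/example.test]
id_provider = ad
access_provider = ad
# ad_access_filter = (memberOf=CN=staff,OU=groups,DC=example,DC=test)
ldap_user_search_base = OU=employees,DC=example,DC=test
EOF
}

tmp=$(mktemp) && sample_sssd_conf > "$tmp"
audit_conf "$tmp" "$SSSD_KEYS" employees
rm -f "$tmp"
# On the real host: audit_conf /etc/sssd/sssd.conf "$SSSD_KEYS" employees
#                   audit_conf /etc/samba/smb.conf "$SMB_KEYS"
```

A line tagged "review" does not name the OU but still controls who is admitted, so it is worth reading alongside any OU-MATCH lines.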