Rowland Penny
2022-Mar-04 17:18 UTC
[Samba] smb won't allow users from other ou share access
On Fri, 2022-03-04 at 10:59 -0600, Patrick Goetz via samba wrote:
>
> On 3/3/22 17:47, Fuhriman, Nathanael [US] (SP) (Contr) via samba wrote:
> > I have samba set up to share files on a system using SSSD hooked to
> > AD for user accounts. Some users are able to access the shares and
> > others are not. I finally narrowed it down to users that are in a
> > specific OU in AD. Those in that OU can access the shares. All
> > others are denied access. For example, users in OU=employees are
> > able to access but users in OU=contractors are not able to access.
> >
>
> From your description my suspicion is that a GPO is responsible for
> this, not Samba. What OU to suspect depends on how your network is
> configured; i.e. are all the shares coming from the same file server?
> Does that file server have GPO-based access restrictions to that OU?

Could be a GPO but doubtful

> If it's not that, comb through your /etc/sssd/sssd.conf file looking for
> anything that references that OU.
>
> It could be samba if you have these restrictions embedded in your
> /etc/samba/smb.conf file, but I'm assuming you've checked for this
> already.

As far as I am aware, Samba has nothing to restrict the search base in
smb.conf, but I seem to remember that sssd has.

Rowland
Fuhriman, Nathanael [US] (SP) (Contr)
2022-Mar-04 17:24 UTC
[Samba] EXT :Re: smb won't allow users from other ou share access
Sounds like it is an sssd problem. I'll go talk to them.

Thanks for the help

Nate

> On Mar 4, 2022, at 10:20 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Fri, 2022-03-04 at 10:59 -0600, Patrick Goetz via samba wrote:
>>
>>> On 3/3/22 17:47, Fuhriman, Nathanael [US] (SP) (Contr) via samba wrote:
>>> I have samba set up to share files on a system using SSSD hooked to
>>> AD for user accounts. Some users are able to access the shares and
>>> others are not. I finally narrowed it down to users that are in a
>>> specific OU in AD. Those in that OU can access the shares. All
>>> others are denied access. For example, users in OU=employees are
>>> able to access but users in OU=contractors are not able to access.
>>>
>>
>> From your description my suspicion is that a GPO is responsible for
>> this, not Samba. What OU to suspect depends on how your network is
>> configured; i.e. are all the shares coming from the same file server?
>> Does that file server have GPO-based access restrictions to that OU?
>
> Could be a GPO but doubtful
>
>> If it's not that, comb through your /etc/sssd/sssd.conf file looking for
>> anything that references that OU.
>>
>> It could be samba if you have these restrictions embedded in your
>> /etc/samba/smb.conf file, but I'm assuming you've checked for this
>> already.
>
> As far as I am aware, Samba has nothing to restrict the search base in
> smb.conf, but I seem to remember that sssd has.
>
> Rowland
Patrick Goetz
2022-Mar-04 17:34 UTC
[Samba] smb won't allow users from other ou share access
On 3/4/22 11:18, Rowland Penny via samba wrote:
> On Fri, 2022-03-04 at 10:59 -0600, Patrick Goetz via samba wrote:
>>
>> On 3/3/22 17:47, Fuhriman, Nathanael [US] (SP) (Contr) via samba wrote:
>>> I have samba set up to share files on a system using SSSD hooked to
>>> AD for user accounts. Some users are able to access the shares and
>>> others are not. I finally narrowed it down to users that are in a
>>> specific OU in AD. Those in that OU can access the shares. All
>>> others are denied access. For example, users in OU=employees are
>>> able to access but users in OU=contractors are not able to access.
>>>
>>
>> From your description my suspicion is that a GPO is responsible for
>> this, not Samba. What OU to suspect depends on how your network is
>> configured; i.e. are all the shares coming from the same file server?
>> Does that file server have GPO-based access restrictions to that OU?
>
> Could be a GPO but doubtful
>

I'm unsure on this point because I haven't tried this, but it's entirely
possible to restrict access to a domain-bound server using a security
group. The question is whether or not this can be made to apply to shares
coming from that server.

>> If it's not that, comb through your /etc/sssd/sssd.conf file looking for
>> anything that references that OU.
>>
>> It could be samba if you have these restrictions embedded in your
>> /etc/samba/smb.conf file, but I'm assuming you've checked for this
>> already.
>
> As far as I am aware, Samba has nothing to restrict the search base in
> smb.conf, but I seem to remember that sssd has.
>

I thought the problem was access to a share, not searching the database --
is there a connection here I'm missing? Samba does allow restrictions to
groups:

    [share]
    valid users = @my_special_group

Maybe it doesn't make sense to have OU based restrictions in smb.conf
(this would be handy, of course), but they might have OU based security
groups.

> Rowland
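
Added example, not part of the original thread: one way to carry out the suggestion above to comb through /etc/sssd/sssd.conf for anything that references an OU, and to check whether a given user's DN falls inside each configured search base. The sample configuration, the example.com domain and the user DNs are constructed for illustration; the option names are real sssd.conf options.

```python
import configparser
import re

# sssd.conf options whose value is one or more LDAP search bases.
SEARCH_BASE_OPTIONS = ("ldap_search_base", "ldap_user_search_base",
                       "ldap_group_search_base")
OU_RE = re.compile(r"\bOU=", re.IGNORECASE)

# Constructed sample, not taken from the thread.
SAMPLE_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
access_provider = ad
ldap_user_search_base = OU=employees,DC=example,DC=com
ldap_group_search_base = DC=example,DC=com
ad_access_filter = (memberOf=CN=fileusers,OU=groups,DC=example,DC=com)
"""

def normalize_dn(dn):
    # Naive normalisation: does not handle escaped commas inside RDN values.
    return ",".join(part.strip().lower() for part in dn.split(","))

def dn_under(dn, base):
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)

def scan_sssd_conf(conf_text, user_dn):
    """Return (section, option, value, covered) for each OU-scoped option.
    covered is True/False for search bases, None where manual review is needed."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        for option, value in parser.items(section):
            if option in SEARCH_BASE_OPTIONS:
                # Syntax: base[?scope?[filter][?base?scope?[filter]]*]
                bases = [b for b in value.split("?")[0::3] if b.strip()]
                covered = any(dn_under(user_dn, b) for b in bases)
                findings.append((section, option, value, covered))
            elif OU_RE.search(value):
                findings.append((section, option, value, None))
    return findings

if __name__ == "__main__":
    for row in scan_sssd_conf(SAMPLE_CONF, "CN=jdoe,OU=contractors,DC=example,DC=com"):
        print(row)
```

A `False` in the last field means SSSD will not resolve that user at all, so the SMB session fails before any share-level rule such as `valid users` is evaluated.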