similar to: Samba 4 with sssd - primary Windows group membership not honored

Thanks for the reply! I'm confused on a few bits: To change a users primary group is a bit like jumping through hoops, you > have to add the user to the group that you want to be the new primary > group, then change the primaryGroupID attribute to contain the RID of the > new group and then finally add the user to the 'Domain Users' group. If I > were you, I wouldn't

> > OK, you should use the standard 'rwx' permissions *or* ACLs, not both. If > you create a directory on Unix that you want to share, set the owner:group > to root:'Domain Admins' and permissions to 0770. You will then be able to > set the permissions from windows or with setfacl on the Unix machine, you > do not need the 'force group' lines in smb.conf,

See inline comments On 23/03/16 15:32, Joseph Dickson wrote: > Greetings! > > I am working with Samba 4 as a domain member fileserver (not a domain > controller, just a normal ads member fileserver). Operating system is > Centos 7. SSSD is configured and pulling information correctly. > > I had to work around a bug that wasn't fixed in a released version, so I am >

> > Can you check if this file exists: > /usr/local/samba/lib/security/pam_winbind.so For historical reasons, I used a prefix of /opt/samba when I compiled: [root at smbfs1 shares]# ls -al /opt/samba/lib/security/pam_winbind.so -rwxr-xr-x 1 root root 63837 Mar 17 19:54 /opt/samba/lib/security/pam_winbind.so relevant config lines in case they are helpful: [global] lock directory =

On 23/03/16 20:16, Joseph Dickson wrote: >> OK, you should use the standard 'rwx' permissions *or* ACLs, not both. If >> you create a directory on Unix that you want to share, set the owner:group >> to root:'Domain Admins' and permissions to 0770. You will then be able to >> set the permissions from windows or with setfacl on the Unix machine, you >>

On 23/03/16 16:18, Joseph Dickson wrote: > Thanks for the reply! I'm confused on a few bits: > > > To change a users primary group is a bit like jumping through hoops, you >> have to add the user to the group that you want to be the new primary >> group, then change the primaryGroupID attribute to contain the RID of the >> new group and then finally add the user

Hello all, after spending the last days fighting and researching I hope someone can point me to an solution here. Even if I am using Debian / Ubuntu since years I wouldn?t consider myself as a Linux professional. I have some experience though. What I try to accomplish: - Centrally administrated groups for file services. Right now it is only one server but there will be more. Setup: - System

On 15.01.15 09:52, Peter Serbe wrote: > On Tue, Jan 13, 2015 at 2:32 PM, Thomas Burger <tburger at eritron.de> wrote: > >> What works: > ... >> - getfacl / setfacl setting with domain object names. >> >> My issue: >> Authorization is not working. For example: >> - Write list / read list / valid users options in smb.conf are not >>

Rowland Penny schrieb am 15.01.2015 22:00: [RFC2307] > For samba4 active directory, read microsoft AD, so you don't have to > provision anything else, you just need to learn how to properly use what > you already have. > > Rowland Rowland is right, of course. But(!) things might be simpler with the RFC2307 attributes. Without the attributes You need to set the

Hi, On Tue, Jan 13, 2015 at 2:32 PM, Thomas Burger <tburger at eritron.de> wrote: > Hello all, > > after spending the last days fighting and researching I hope someone can > point me to an solution here. > > Even if I am using Debian / Ubuntu since years I wouldn?t consider myself > as a Linux professional. I have some experience though. > > What I try to

On Tue, Jan 13, 2015 at 2:32 PM, Thomas Burger <tburger at eritron.de> wrote: > What works: ... > - getfacl / setfacl setting with domain object names. > > My issue: > Authorization is not working. For example: > - Write list / read list / valid users options in smb.conf are not > honored. ... > - Skipped the samba authorization and moved this to the filesystem

I've got a relatively simple permissions scheme I need to implement, and I'm having issues with group membership. I have a share that I need to grant an active directory group full control to. If I add an AD user to the ACL on the directory that is the root of the share, the user can access it. If I add an AD group to the ACL on that same directory, group members cannot access the

I agree with putting the sssd discussion to bed, but am still interested in clearing up some confusion, as I'm concerned I might be missing something. On 6/12/19 12:44 PM, Rowland penny via samba wrote: > On 12/06/2019 17:43, Goetz, Patrick G via samba wrote: >> On 6/12/19 11:10 AM, Rowland penny via samba wrote: >>> Why are you using sssd on a standalone server ?

On 6/12/19 11:10 AM, Rowland penny via samba wrote: > > Why are you using sssd on a standalone server ? > > your users will be in /etc/passwd and the Samba database, I don't think > sssd can talk to the Samba database. > I'm pretty sure what happens when you set [server role = standalone] is that Samba then defers to /etc/nsswitch.conf for how authorization should

Hello all, Im having the latest centos that should be integrated into win 2012 active directory domain. Im having Authentication running, an AD user can login via ssh, getent and id working But Im not able to get the samba shares running with AD [sfu-erp] comment = Mandant path = /share # ; valid users = @"RZ-DOMAIN\linuxtest" @"RZ-DOMAIN\linuxtest" valid users =

On 6/12/19 7:00 AM, Rowland penny wrote: > How are you actually running samba ? > How are you actually running samba ? I *think* setting security = user server role = auto makes Samba run as a standalone server, which is fine, because authentication is handled via /etc/nsswitch.conf: passwd: compat systemd sss group: compat systemd sss shadow:

Hi, I am trying to implement the *password must change at next logon* in CentOS 6.5 client using sssd 1.11.6 where Samba 4.1.10 is my backend server. Here are the list of things which I have done, 1. I have setup the CentOS to do the Domain login using sssd service. I can able to login into the CentOS client using Domain user's credentials from display and from SSH also, no problem at all.

On Thursday, 13 June 2019 00:41:09 PDT Rowland penny via samba wrote: > On 13/06/2019 07:55, Alexey A Nikitin wrote: > > On Wednesday, 12 June 2019 13:07:56 PDT Rowland penny via samba wrote: > >>>> I think you mean 'RID' instead of 'SID' > >>> Yes, you're right. The Windows people seem to use the terms synonymously. > >> I cannot

On 12/08/2020 13:24, Robert Marcano via samba wrote: > If you are runnning a Samba server as a member of a domain, you need > to start winbind. The following is a not a Samba issue since Samba and > SSSD interactions are not part of Samba. > > You can still run SSSD/realmd/adcli as your domain membership toolkit, > but you need to start winbind if a Samba server is started on

Hello, we're upgrading from Centos 5.8 to Centos 6.3 and have realized few things have changed in the system. We're using LDAP authentication (nss_ldap package) on our Centos 5.8 servers and have different PAM ldap configuration files configured to be used for specific PAM services. Here is the example of our setup: /etc/pam.d/service1: auth sufficient pam_ldap.so