[Samba] Ubuntu SSSD Active Directory Authorization issue (group membership is not honored)

Hans-Kristian Bakke hkbakke at gmail.com
Wed Jan 14 10:03:04 MST 2015


sssd-ad can't provide proper ID-mapping for internal Samba fileserver
use until sssd 1.12 where the following functionality was introduced:

* SSSD provides an ID-mapping plugin for cifs-utils so that Windows
SIDs can be mapped onto POSIX IDs and/or names without requiring
Winbind and using the same code as the SSSD uses for identity
information.

Hence you have to have winbind installed and set up for Samba
fileserver use in sssd < 1.12.X. You should not install libpam-winbind
and libnss-winbind, as you will still use sssd-ad for all
authentication purposes in the system. Winbind is there only to
resolve Windows SIDs for Samba fileserver purposes.

This should be sufficient:
---
apt-get install winbind
---

And something like this added to your samba config (from my own):
---
    # Winbind configuration. Remove winbind when sssd-ad 1.12.1 arrives in jessie
    winbind cache time = 300
    winbind enum users = no
    winbind enum groups = no
    winbind expand groups = 5
    winbind use default domain = yes
    winbind refresh tickets = yes
    winbind offline logon = no
    winbind nss info = rfc2307
    idmap config * : backend = tdb
    idmap config * : range = 100000-299999
    idmap config MYDOMAIN : backend = ad
    idmap config MYDOMAIN : range = 300000-499999
---

Since you really have to have identical ID-mapping in both sssd-ad and
winbind, there is really no good way to do that other than using
centrally stored rfc2307 properties in AD. To use this in sssd-ad you
also have to have this in your sssd.conf in your domain section:
---
ldap_id_mapping = false
---

I made a powershell script to automatically add all the properties to
AD for everything.

Hope this was of some help for you.

Regards,
Hans-Kristian
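An added example, not the poster's own script, of the kind of PowerShell the last paragraph refers to: it assigns rfc2307 uidNumber/gidNumber attributes in AD from the same range as the "idmap config MYDOMAIN" block above, so winbind's ad backend and sssd-ad with ldap_id_mapping = false resolve identical IDs. The range values, the dry-run switch and the allocation order are assumptions; it requires the RSAT ActiveDirectory module and an account permitted to write these attributes.

```powershell
# Added example (not the poster's script). Assigns uidNumber/gidNumber to every AD
# group and user that lacks them, allocating from the idmap range used in smb.conf,
# so winbind (backend = ad) and sssd-ad (ldap_id_mapping = false) agree on every ID.
Import-Module ActiveDirectory

$RangeStart = 300000     # keep in sync with: idmap config MYDOMAIN : range = 300000-499999
$RangeEnd   = 499999
$DryRun     = $true      # assumption: start in dry-run mode; set to $false to write to AD

$groups = @(Get-ADGroup -Filter * -Properties gidNumber)
$users  = @(Get-ADUser  -Filter * -Properties uidNumber, gidNumber, primaryGroupID)

# Collect IDs already assigned so a re-run never hands the same number out twice.
$used = [System.Collections.Generic.HashSet[int]]::new()
foreach ($g in $groups) { if ($g.gidNumber) { [void]$used.Add([int]$g.gidNumber) } }
foreach ($u in $users)  { if ($u.uidNumber) { [void]$used.Add([int]$u.uidNumber) } }

$script:cursor = $RangeStart
function Get-NextFreeId {
    while ($used.Contains($script:cursor)) { $script:cursor++ }
    if ($script:cursor -gt $RangeEnd) { throw "idmap range $RangeStart-$RangeEnd exhausted" }
    [void]$used.Add($script:cursor)
    return $script:cursor
}

# Groups first: a user's gidNumber must equal the gidNumber of its primary group.
$gidBySid = @{}
foreach ($g in $groups) {
    if ($g.gidNumber) { $gidBySid[$g.SID.Value] = [int]$g.gidNumber; continue }
    $gid = Get-NextFreeId
    $gidBySid[$g.SID.Value] = $gid
    Write-Host "group $($g.SamAccountName): gidNumber=$gid"
    Set-ADGroup -Identity $g -Replace @{ gidNumber = $gid } -WhatIf:$DryRun
}

# The primary group's SID is the domain SID followed by the user's primaryGroupID RID.
$domainSid = (Get-ADDomain).DomainSID.Value
foreach ($u in $users) {
    $attrs = @{}
    if (-not $u.uidNumber) { $attrs['uidNumber'] = Get-NextFreeId }
    if (-not $u.gidNumber) {
        $pgSid = "$domainSid-$($u.primaryGroupID)"
        if ($gidBySid.ContainsKey($pgSid)) { $attrs['gidNumber'] = $gidBySid[$pgSid] }
    }
    if ($attrs.Count -eq 0) { continue }
    Write-Host "user $($u.SamAccountName): $(($attrs.Keys | ForEach-Object { "$_=$($attrs[$_])" }) -join ' ')"
    Set-ADUser -Identity $u -Replace $attrs -WhatIf:$DryRun
}
```

With ldap_id_mapping = false, sssd-ad only resolves users and groups that carry these attributes, so populate them before switching the setting; narrow the -Filter (or add -SearchBase) if built-in accounts should not receive POSIX IDs.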


On 13 January 2015 at 10:02, Thomas Burger <tburger at eritron.de> wrote:
> Hello all,
>
> after spending the last days fighting and researching I hope someone can
> point me to a solution here.
>
> Even if I have been using Debian / Ubuntu for years I wouldn't consider myself
> a Linux professional. I have some experience though.
>
> What I try to accomplish:
> - Centrally administrated groups for file services. Right now it is only one
> server but there will be more.
>
> Setup:
> - System 1: Ubuntu 14.04 LTS as Active Directory Controller with Samba 4.1
> (Sernet package)
> - System 2: Ubuntu 14.04 LTS as Member server.
>
> What works:
> - DNS & NTP
> - Kerberos integration via Keytab file. SSSD 1.11.5 uses "id_provider = ad"
> for this.
> - getting AD members and groups via getent passwd and getent group
> - Authentication with a domain user on "System 2" via SSH
> - Authentication on Samba instance "Server 2" via AD-Users.
> - getfacl / setfacl setting with domain object names.
>
> My issue:
> Authorization is not working. For example:
> - Write list / read list / valid users options in smb.conf are not honored.
> Either I have all users being able to access everything or they can login to
> the server but if accessing the share this will fail.
> - Skipped the samba authorization and moved this to the filesystem level.
> Setting the acl to the appropriate AD groups with the appropriate level results
> in the same issue. I am also getting an "access denied" if I try to access the
> folder from within the SSH-session of an AD user. The user is in the group
> though.
>
> My guesses:
> Option 1: Somehow groups populated through SSSD are not being used for
> authorization. Neither for Samba share definition nor for the filesystem.
> I recognized that the IDs of "objects" coming from the AD are very high like
> User:  guest:*:1994200501:1994200514:Guest:/:
> Group: domain admins:*:1994200512:administrator
>
> Option 2: in samba logs I can see, that the user authenticates with a
> "primary" group id but I am missing the "other groups". Is that expected?
> [2015/01/12 22:23:51.235050,  2]
> ../source3/smbd/service.c:848(make_connection_snum)
>   workstation (ipv4:x.y.z.y:63206) connect to service share1 initially as
> user >myuser< (uid=1994201119, gid=1994200513) (pid 1790)
> ID reflects the domain users: domain users:*:1994200513:
>
>
> My Questions:
> Why is it not working? Do I have a conceptual issue?
> If it is related to the IDs, how can I "lower" them. ID-Mapping is active
> already.
>
> I also tried an installation with winbind but the situation stayed the same.
> After that the system was reinstalled to ensure that everything is cleaned
> up properly.
>
> Any help is greatly appreciated!
>
> Thomas
>
>
>
> KRB5 conf:
>>>
> [libdefaults]
>         default_realm = MYDOMAIN.DE
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
> # The following krb5.conf variables are only for MIT Kerberos.
>         krb4_config = /etc/krb.conf
>         krb4_realms = /etc/krb.realms
>         kdc_timesync = 1
>         ccache_type = 4
>         forwardable = true
>         proxiable = true
>
> # The following libdefaults parameters are only for Heimdal Kerberos.
>         v4_instance_resolve = false
>         v4_name_convert = {
>                 host = {
>                         rcmd = host
>                         ftp = ftp
>                 }
>                 plain = {
>                         something = something-else
>                 }
>         }
>         fcc-mit-ticketflags = true
>
> [realms]
>         MYDOMAIN.DE = {
>                 kdc = DC
>                 admin_server = DC
>         }
> [domain_realm]
>         .mydomain.de = MYDOMAIN.DE
>
> [login]
>         krb4_convert = true
>         krb4_get_tickets = false
>>>
>
>
> sssd.conf
>>>
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = mydomain.de
>
> [nss]
>
> [pam]
>
> [domain/mydomain.de]
> id_provider = ad
> access_provider = ad
> ad_hostname = dc.mydomain.de
> ad_server = dc.mydomain.de
> ad_domain = mydomain.de
> enumerate = true
> krb5_keytab=/etc/krb5.sssd.keytab
>
>>>
>
> smb.conf
>>>
> [global]
>     #### GLOBAL SETTINGS
>     netbios name = SERVER2
>     server string = SERVER2
>     workgroup = MYDOMAIN
>     realm = MYDOMAIN.DE
>     server role = MEMBER SERVER
>
>     #### SECURITY SETTINGS
>     security = ads
>     allow trusted domains = Yes
>     map untrusted to domain = Yes
>     encrypt passwords = yes
>     client use spnego = yes
>     client ntlmv2 auth = yes
>     restrict anonymous = 2
>
>     #### SERVER SETTINGS
>     dns proxy = yes
>     domain master = no
>     local master = no
>     preferred master = no
>     os level = 0
>     follow symlinks = yes
>     veto files = /.DS_Store/Thumbs.db/thumbs.db/
>     server min protocol = SMB2
>     server max protocol = SMB3
>
>     #### PRINTING
>     disable spoolss = yes
>     load printers = no
>     idmap_ldb:use rfc2307 = yes
>
>     #### LOGGING
>     log level = 2
>     username level = 3
>     log file = /var/log/samba/log.%m
>     max log size = 50
>     syslog only = no
>     syslog = 2
>     panic action = /usr/share/samba/panic-action %d
>
> ######## SHARES
> [share1]
>     path = /share/share1
>     browsable = yes
>     read only = no
>     guest ok = no
>     # The access control is configured on the file system level.
>
>>>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
