[Samba] Make a share owned by a service account available to members of an AD group

Rowland Penny rowlandpenny241155 at gmail.com
Fri Oct 9 18:35:55 UTC 2015


On 09/10/15 18:54, Tovey, Mark wrote:
>
>     Got it.  I changed that section as follows:
>
>         idmap config *:backend = tdb
>         idmap config *:range = 5000-29999
>         idmap config DEVELOPMENT:backend = ad
>         idmap config DEVELOPMENT:schema_mode = rfc2307
>         idmap config DEVELOPMENT:range = 30000-99999
>
>     It did not change the “map to guest = Bad Uid” issue, however.  
> The error I see in the log file is “check_ntlm_password:  
> Authentication for user [testuser] -> [testuser] FAILED with error 
> NT_STATUS_NO_SUCH_USER”. If I add the testuser account to the Linux 
> system’s passwd file, then I see “check_ntlm_password:  authentication 
> for user [testuser] -> [testuser] -> [testuser] succeeded”. The 
> testuser account does not have a password on the Linux system, the 
> password exists only in the AD system.  So, I am able to map the share 
> to my workstation using the testuser account only when the testuser 
> account exists in both the AD system and the Linux system, which is 
> what I am trying to avoid.  I want to have the testuser account be in 
> the AD system only.
>
>     The documentation for “map to guest = Bad Uid” states: “user 
> logins which are successfully authenticated but which have no valid 
> Unix user account should be mapped to the defined guest account.”  The 
> guest account is set to “nobody” and it does exist in the passwd file, 
> but the mapping does not seem to be occurring.  Am I misunderstanding 
> the meaning here?  Or perhaps how the guest account functions?
>
>     -Mark
>
> ________________________________________________________________
>
> Mark Tovey - UNIX Engineer | Service Strategy & Design
>
> UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
>
> MTovey at go2uti.com | O / C +1 503 953-1389
>
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of 
> Rowland Penny
> Sent: Friday, October 9, 2015 1:19 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Make a share owned by a service account available 
> to members of an AD group
>
> On 08/10/15 23:20, Tovey, Mark wrote:
>
> >      I have a requirement where I need to make a directory tree on a 
> Linux system available to a group of users that authenticate against 
> an AD system.  I have successfully joined my system to our AD domain 
> and I am able to manage access to  a share with a security group in 
> AD, so long as the group members also have accounts on the Linux 
> system.  I need to be able to set it up so that the user accounts do 
> not need to exist on the Linux system, simply adding them to the AD 
> security group is enough to grant them access to the share (providing 
> that they properly authenticate).  In addition, I want to map the 
> members of the AD group to a specific account that is on the Linux 
> server, and this account will be the owner of the share's directory 
> tree and its contents.
>
> >      The goal here is for application management.  The members of 
> the AD group will be moving documents into and out of the application, 
> and the application needs to be able to read and write to the share. 
> So far I have not been able to get the group members to application 
> account mapping to function.
>
> >      One other requirement is that I need to be able to support 
> multiple share on one server, each with a different owner, so setting 
> guest account to an application account is not going to work.
>
> >      Below is the configuration I have cobbled together from various 
> posts and from reading the documentation:
>
> >
> > [global]
> >          server string = Samba Server Version %v
> >
> >          log file = /var/log/samba/log.%m
> >          max log size = 500
> >
> >          log level = 3
> >
> >          workgroup = DEVELOPMENT
> >          realm = DEVELOPMENT.MYDOMAIN.COM
> >          security = ADS
> >          password server = adserv.development.go2uti.com
> >          passdb backend = tdbsam
> >
> >          domain master = no
> >          local master = no
> >          preferred master = no
> >
> >          disable netbios = yes
> >          dns proxy = no
> >
> >          dedicated keytab file = /etc/krb5.keytab
> >          kerberos method = secrets and keytab
> >
> >          idmap config *:backend = tdb
> >          idmap config *:range = 5000-50000
> >          idmap config DEVELOPMENT:backend = ad
> >          idmap config DEVELOPMENT:schema_mode = rfc2307
> >          idmap config DEVELOPMENT:range = 10000-99999
>
> Let's deal with this problem first: the first range (*) is for the 
> well-known RIDs, the second (DEVELOPMENT) is for your users & groups.
>
> These ranges must *not* overlap, yours do!
>
> Rowland
>
> >
> >          winbind nss info = rfc2307
> >          winbind trusted domains only = no
> >          winbind use default domain = yes
> >          winbind enum users  = yes
> >          winbind enum groups = yes
> >          winbind refresh tickets = Yes
> >          winbind normalize names = Yes
> >
> >          map untrusted to domain = yes
> >          map to guest = Bad Uid
> >          username map = /etc/samba/users.map
> >
> >          load printers = no
> >          printcap name = /dev/null
> >          printing = bsd
> >
> > [data]
> >          path = /opt/app/data
> >          read only = no
> >          writable = yes
> >          browseable = no
> >          hide dot files = yes
> >          hide special files = yes
> >          valid users = @DEVELOPMENT\smbgrp
> >          write list = @DEVELOPMENT\smbgrp
> >
> >      And the contents of the users.map file:
> >
> > appacct = @DEVELOPMENT\smbgrp
> >
>
> >      I am using Samba  4.0.0 on an OEL 6.5 server (RHEL 6.5 equivalent).
>
> >      Any help will be greatly appreciated.
>
> >      Thanks,
>
> >      -Mark
>
> >
>

You cannot have a local user and an AD user with the same name, so I 
would suggest removing the local user. I know you have set up the 'ad' 
backend in smb.conf, but have you given any of your users a uidNumber 
attribute (and Domain Users a gidNumber)? These numbers need to be 
inside the range set in your smb.conf. If you haven't done this, then 
either do so, or change this line 'idmap config DEVELOPMENT:backend = 
ad' to 'idmap config DEVELOPMENT:backend = rid'.

Rowland


