[Samba] Make a share owned by a service account available to members of an AD group
Rowland Penny
rowlandpenny241155 at gmail.com
Fri Oct 9 18:35:55 UTC 2015
On 09/10/15 18:54, Tovey, Mark wrote:
>
> Got it. I changed that section as follows:
>
> idmap config *:backend = tdb
> idmap config *:range = 5000-29999
> idmap config DEVELOPMENT:backend = ad
> idmap config DEVELOPMENT:schema_mode = rfc2307
> idmap config DEVELOPMENT:range = 30000-99999
>
> It did not change the “map to guest = Bad Uid” issue, however.
> The error I see in the log file is “check_ntlm_password:
> Authentication for user [testuser] -> [testuser] FAILED with error
> NT_STATUS_NO_SUCH_USER”. If I add the testuser account to the Linux
> system’s passwd file, then I see “check_ntlm_password: authentication
> for user [testuser] -> [testuser] -> [testuser] succeeded”. The
> testuser account does not have a password on the Linux system, the
> password exists only in the AD system. So, I am able to map the share
> to my workstation using the testuser account only when the testuser
> account exists in both the AD system and the Linux system, which is
> what I am trying to avoid. I want to have the testuser account be in
> the AD system only.
>
> The documentation for “map to guest = Bad Uid” states: “user
> logins which are successfully authenticated but which have no valid
> Unix user account should be mapped to the defined guest account.” The
> guest account is set to “nobody” and it does exist in the passwd file,
> but the mapping does not seem to be occurring. Am I misunderstanding
> the meaning here? Or perhaps how the guest account functions?
>
> -Mark
>
> ________________________________________________________________
> Mark Tovey - UNIX Engineer | Service Strategy & Design
> UTi | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
> MTovey at go2uti.com | O / C +1 503 953-1389
>
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
> Sent: Friday, October 9, 2015 1:19 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Make a share owned by a service account available to members of an AD group
>
> On 08/10/15 23:20, Tovey, Mark wrote:
>
> > I have a requirement where I need to make a directory tree on a
> > Linux system available to a group of users that authenticate against
> > an AD system. I have successfully joined my system to our AD domain
> > and I am able to manage access to a share with a security group in
> > AD, so long as the group members also have accounts on the Linux
> > system. I need to be able to set it up so that the user accounts do
> > not need to exist on the Linux system, simply adding them to the AD
> > security group is enough to grant them access to the share (providing
> > that they properly authenticate). In addition, I want to map the
> > members of the AD group to a specific account that is on the Linux
> > server, and this account will be the owner of the share's directory
> > tree and its contents.
> >
> > The goal here is for application management. The members of
> > the AD group will be moving documents into and out of the application,
> > and the application needs to be able to read and write to the share.
> > So far I have not been able to get the group members to application
> > account mapping to function.
> >
> > One other requirement is that I need to be able to support
> > multiple shares on one server, each with a different owner, so setting
> > guest account to an application account is not going to work.
> >
> > Below is the configuration I have cobbled together from various
> > posts and from reading the documentation:
>
> >
> > [global]
> > server string = Samba Server Version %v
> >
> > log file = /var/log/samba/log.%m
> > max log size = 500
> >
> > log level = 3
> >
> > workgroup = DEVELOPMENT
> > realm = DEVELOPMENT.MYDOMAIN.COM
> > security = ADS
> > password server = adserv.development.go2uti.com
> > passdb backend = tdbsam
> >
> > domain master = no
> > local master = no
> > preferred master = no
> >
> > disable netbios = yes
> > dns proxy = no
> >
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> >
> > idmap config *:backend = tdb
> > idmap config *:range = 5000-50000
> > idmap config DEVELOPMENT:backend = ad
> > idmap config DEVELOPMENT:schema_mode = rfc2307
> > idmap config DEVELOPMENT:range = 10000-99999
>
> Let's deal with this problem first: the first range (*) is for the
> well-known RIDs, the second (DEVELOPMENT) is for your users & groups.
>
> These ranges must *not* overlap; yours do!
>
> Rowland
>
> >
> > winbind nss info = rfc2307
> > winbind trusted domains only = no
> > winbind use default domain = yes
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind refresh tickets = Yes
> > winbind normalize names = Yes
> >
> > map untrusted to domain = yes
> > map to guest = Bad Uid
> > username map = /etc/samba/users.map
> >
> > load printers = no
> > printcap name = /dev/null
> > printing = bsd
> >
> >
> > [data]
> > path = /opt/app/data
> > read only = no
> > writable = yes
> > browseable = no
> > hide dot files = yes
> > hide special files = yes
> > valid users = @DEVELOPMENT\smbgrp
> > write list = @DEVELOPMENT\smbgrp
> >
> > And the contents of the users.map file:
> >
> > appacct = @DEVELOPMENT\smbgrp
> >
> > I am using Samba 4.0.0 on an OEL 6.5 server (RHEL 6.5 equivalent).
> > Any help will be greatly appreciated.
> >
> > Thanks,
> > -Mark
> >
>
> > ________________________________________________________________
> > Mark Tovey - UNIX Engineer | Service Strategy & Design
> > UTi <http://www.go2uti.com/> | 400 SW Sixth Ave, Suite 1100 | Portland | Oregon | 97204 | USA
> > MTovey at go2uti.com | O / C +1 503 953-1389
> >
>
>
You cannot have a local user and an AD user with the same name, so I
would suggest removing the local user. I know you have set up the 'ad'
backend in smb.conf, but have you given any of your users a uidNumber
attribute (and Domain Users a gidNumber)? These numbers need to be
inside the range set in your smb.conf. If you haven't done this, then
either do so, or change this line 'idmap config DEVELOPMENT:backend =
ad' to 'idmap config DEVELOPMENT:backend = rid'.
Rowland
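As an added example (not from this thread and not Samba's own code), a small Python check for the two points Rowland raises: it parses the `idmap config X:range` lines out of an smb.conf, flags ranges that overlap, and reports RFC2307 uidNumber/gidNumber values that fall outside the domain's range, which the `ad` backend would not map. The config text is constructed from the ranges quoted in the thread; the uidNumber values are made up.

```python
import re
from itertools import combinations

# Matches "idmap config DEVELOPMENT:range = 30000-99999"; Samba tolerates
# whitespace around ':' and '=', so the pattern does too.
_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*range\s*=\s*"
    r"(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$", re.IGNORECASE)

def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config X:range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        m = _RANGE_RE.match(line)
        if m:
            lo, hi = int(m.group("lo")), int(m.group("hi"))
            if lo > hi:
                raise ValueError(f"inverted range for {m.group('dom')}: {lo}-{hi}")
            ranges[m.group("dom")] = (lo, hi)
    return ranges

def overlapping_ranges(ranges):
    """Return the (domainA, domainB) pairs whose ranges intersect; must be empty."""
    return [(a, b) for (a, (alo, ahi)), (b, (blo, bhi))
            in combinations(sorted(ranges.items()), 2)
            if alo <= bhi and blo <= ahi]

def ids_outside_range(ranges, domain, ids):
    """Return uidNumber/gidNumber values outside the domain's idmap range; with
    the 'ad' backend winbind ignores such ids, so the user stays unmapped."""
    lo, hi = ranges[domain]
    return sorted(i for i in ids if not lo <= i <= hi)

# Constructed sample: the [global] idmap lines as first posted, then as corrected.
ORIGINAL_CONF = """[global]
   idmap config *:backend = tdb
   idmap config *:range = 5000-50000
   idmap config DEVELOPMENT:backend = ad
   idmap config DEVELOPMENT:schema_mode = rfc2307
   idmap config DEVELOPMENT:range = 10000-99999
"""
CORRECTED_CONF = (ORIGINAL_CONF.replace("5000-50000", "5000-29999")
                  .replace("10000-99999", "30000-99999"))

if __name__ == "__main__":
    # Constructed uidNumbers: 20000 lies below the corrected DEVELOPMENT range.
    for conf in (ORIGINAL_CONF, CORRECTED_CONF):
        r = parse_idmap_ranges(conf)
        print(r, "overlaps:", overlapping_ranges(r),
              "outside DEVELOPMENT:", ids_outside_range(r, "DEVELOPMENT", [20000, 30001]))
```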