[Samba] Using AD groups for samba access

Ewan Roche e.roche at ed.ac.uk
Mon May 12 14:49:42 GMT 2008


Hi,
I'm trying to use AD groups to control access to samba exported disk 
space. The model is as follows:

A unix group "ad_samba_group" owns the space to be exported. This group has 
no members. There is an AD group "test-ad-group" that has as members the 
people who are to be able to access the space. All users who access the 
space have local (NIS) unix accounts. The machine serving the space is a 
member of the Active Directory.

I was hoping that by setting up a group mapping between the AD and unix 
group, any member of the AD group would be able to access the space 
owned by the (mapped) unix group. Alas, this does not seem to be the case.


My questions are:

Is this model actually possible?

How does the group mapping work and is winbind required for it?

Are there any magic ingredients required for smb.conf ?

Is there a saner way to achieve this?

I'm really trying to avoid using the winbind group/user mapping 
functionality as it maps every group in the AD to a unix group and would 
involve manually editing the winbindd_idmap.tdb to get the correct GID and 
UID assignment which is critical.


The details are

[Samba 3.0.28-35]
[RHEL 5 2.6.18-53.1.14.el5 #1 SMP x86_64]

The following SID was put in with net groupmap and is obtained from the 
AD.

[root at nas-test samba]# net groupmap list verbose
test-ad-group
         SID       : S-1-5-21-861567501-1417001333-682003330-319925
         Unix gid  : 273021
         Unix group: ad_samba_group
         Group type: Domain Group
         Comment   : Domain Unix group

[root at nas-test samba]# cat /etc/samba/smb.conf
[global]

         workgroup = ED
         realm = ED.AC.UK
         netbios name = NAS-TEST
         log file = /var/log/samba/%m.log
         max log size = 1000
         log level = 3
         security = ADS
         encrypt passwords = yes
         password server = aviemore.ucs.ed.ac.uk
         wins server = 129.215.13.14
         dns proxy = yes

#=========== Share Definitions =======

[test2]
   comment = AD permissions test
   path = /data/test2
   valid users = @ad_samba_group
   msdfs root = yes
   public = no
   writable = yes


If I try to connect to the share I get the following error:

ristretto > smbclient //nas-test.ecdf.ed.ac.uk/test2 -W ED
Password:
Domain=[ED] OS=[Unix] Server=[Samba 3.0.28-SerNet-RedHat]
tree connect failed: NT_STATUS_ACCESS_DENIED

The interesting bits of the log file seem to be:

[2008/05/12 12:14:50, 3] auth/auth.c:check_ntlm_password(221)
   check_ntlm_password:  Checking password for unmapped user 
[ED]\[eroche]@[RISTRETTO] with the new password interface
[2008/05/12 12:14:50, 3] auth/auth.c:check_ntlm_password(224)
   check_ntlm_password:  mapped user is: [ED]\[eroche]@[RISTRETTO]
..
..
[2008/05/12 12:14:50, 3] lib/util_sid.c:string_to_sid(223)
   string_to_sid: Sid @ad_samba_group does not start with 'S-'.
..
..
[2008/05/12 12:14:50, 2] smbd/service.c:make_connection_snum(616)
   user 'eroche' (from session setup) not permitted to access this share 
(test2)
[2008/05/12 12:14:50, 3] smbd/error.c:error_packet_set(106)
   error packet at smbd/reply.c(514) cmd=117 (SMBtconX) 
NT_STATUS_ACCESS_DENIED


Thanks

Ewan

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
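The smbd log above pairs a `string_to_sid: Sid @ad_samba_group does not start with 'S-'` line (smbd first tries the `valid users` token as a literal SID string) with `not permitted to access this share`. The following script is an added diagnostic example, not code from the post or from Samba. It parses an smb.conf and an smbd log excerpt, applies the `valid users` prefix rules from smb.conf(5) (`+name` unix group only, `&name` NIS netgroup only, `@name` netgroup first then unix group, anything else a user name), and reports which required groups the denied user does not satisfy at the unix/NSS level, including groups that exist but have no members, which is the state of `ad_samba_group` in the post. The smb.conf, the log lines and the group and netgroup tables are constructed inline to mirror the posted setup; `UNIX_GROUPS` stands in for `getent group` and `NETGROUPS` for NIS netgroups.

```python
"""Diagnose a Samba tree-connect NT_STATUS_ACCESS_DENIED against a share's
'valid users' line and the user's unix group / netgroup membership.

Hypothetical helper written for this post; not Samba code.  All input data
below is constructed to match the posted configuration and log excerpt.
"""
import re

# Constructed copy of the relevant parts of the posted smb.conf.
SMB_CONF = """\
[global]
        workgroup = ED
        realm = ED.AC.UK
        security = ADS

[test2]
   comment = AD permissions test
   path = /data/test2
   valid users = @ad_samba_group
   public = no
   writable = yes
"""

# Constructed stand-in for `getent group`: name -> (gid, members).
# ad_samba_group exists with the mapped gid but, as in the post, is empty.
UNIX_GROUPS = {
    "ad_samba_group": (273021, set()),
    "staff": (100, {"eroche", "jbloggs"}),
}
# Constructed stand-in for NIS netgroups: name -> members.  None defined.
NETGROUPS = {}

# Constructed smbd log excerpt (the wrapped denial line joined back up).
SMBD_LOG = """\
[2008/05/12 12:14:50, 3] auth/auth.c:check_ntlm_password(224)
   check_ntlm_password:  mapped user is: [ED]\\[eroche]@[RISTRETTO]
[2008/05/12 12:14:50, 3] lib/util_sid.c:string_to_sid(223)
   string_to_sid: Sid @ad_samba_group does not start with 'S-'.
[2008/05/12 12:14:50, 2] smbd/service.c:make_connection_snum(616)
   user 'eroche' (from session setup) not permitted to access this share (test2)
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are lower-cased like smbd does."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def split_user_list(value):
    """smb.conf user lists are separated by commas and/or whitespace."""
    return [tok for tok in re.split(r"[,\s]+", value) if tok]


def user_matches(token, user, unix_groups=UNIX_GROUPS, netgroups=NETGROUPS):
    """Apply the smb.conf(5) 'valid users' prefix rules to one token."""
    if token.startswith("+"):                      # unix group only
        return user in unix_groups.get(token[1:], (None, set()))[1]
    if token.startswith("&"):                      # NIS netgroup only
        return user in netgroups.get(token[1:], set())
    if token.startswith("@"):                      # netgroup first, then unix group
        name = token[1:]
        if name in netgroups:
            return user in netgroups[name]
        return user in unix_groups.get(name, (None, set()))[1]
    return token.lower() == user.lower()           # plain user name


def denied_connections(log_text):
    """Yield (user, share) for each smbd 'not permitted to access' line."""
    pat = re.compile(r"user '([^']+)' .*not permitted to access this share \((\S+)\)")
    for line in log_text.splitlines():
        m = pat.search(line)
        if m:
            yield m.group(1), m.group(2)


def diagnose(conf_text, log_text, unix_groups=UNIX_GROUPS, netgroups=NETGROUPS):
    """Map each (user, share) denial to the 'valid users' tokens it failed and
    to the subset of those that name an existing but empty unix group."""
    sections = parse_smb_conf(conf_text)
    report = {}
    for user, share in denied_connections(log_text):
        tokens = split_user_list(sections.get(share, {}).get("valid users", ""))
        unmatched = [t for t in tokens if not user_matches(t, user, unix_groups, netgroups)]
        empty = [t for t in unmatched
                 if t[:1] in ("@", "+") and t[1:] in unix_groups and not unix_groups[t[1:]][1]]
        report[(user, share)] = {"required": tokens, "unmatched": unmatched,
                                 "empty_unix_groups": empty}
    return report


if __name__ == "__main__":
    for (user, share), r in diagnose(SMB_CONF, SMBD_LOG).items():
        print(f"{user} denied on [{share}]: requires {r['required']}, "
              f"fails {r['unmatched']}, empty unix groups {r['empty_unix_groups']}")
```

Run against the posted data it reports that `eroche` fails the only token, `@ad_samba_group`, and that the group is empty on the unix side: whatever the SID-to-gid mapping says, a `valid users` group that NSS resolves with no members admits nobody. Replacing `UNIX_GROUPS` with real `getent group` output on the member server turns this into a quick check of what smbd can actually see for the group.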