[Samba] Grant only one AD group to samba share ?

Dale Schroeder dale at BriannasSaladDressing.com
Tue May 22 14:53:08 MDT 2012


On 05/22/2012 3:17 PM, Newman, John W wrote:
>> Which version of Samba are you using?
> Samba version 3.5.11
>
>> What does the idmap backend configuration for winbind look like?
> Well.. I'm not really sure what that is (I inherited this project).  In smb.conf all he has here is:  idmap uid = 10000-20000     idmap gid=10000-20000 .... I don't see idmap backend = set at all in here.  That is probably a big part of the problem isn't it?

It would be using the default tdb backend.  You could do a testparm -sv 
and grep for idmap and winbind to see all the parameters that are 
available.  Better still, if you have SWAT and samba-doc installed, you 
can easily see the options available for each parameter.
>
>
>> Does testparm yield any errors?
> ERROR: the 'winbind separator' parameter must be a single character.    Hmm.. I just changed that to a single \ , and our existing authentication service still works fine, but the share behaves no differently.  The extra \ was probably in error from this file being edited with sed.
>
>> Do getent group and wbinfo -g return the expected results?
> getent group shows all of the local linux groups on this machine - no AD groups.  Is that expected?

If you have winbind enum groups = Yes, then they should show, otherwise 
not.  Domains with large numbers of users usually leave this as No (also 
winbind enum users).
> wbinfo -g shows the windows groups fine, the only thing that's odd is all of the groups on this domain show in lower case.
That's normal for winbind.
>    They may or may not be that way in their AD, I can't see for sure.   (We are forcing a linux machine into someone's windows network.... )
>
>> Are nsswitch.conf and PAM configured for authentication?
> For what kind of authentication?   /etc/nsswitch and /etc/pam/* are untouched from the defaults.
In nsswitch.conf, you will need to add winbind to the passwd and group 
entries.  The article I previously linked (below) has an example PAM 
config (/etc/pam.d/login) for winbind.
For completeness, you might also want to look at this:
http://www.enterprisenetworkingplanet.com/netos/article.php/3487081/Join-Samba-3-to-Your--Active-Directory-Domain.htm
>
>
> All that has really been set up so far is an apache service that uses mod_auth_ntlm_winbind to authenticate users of a webpage to their DC.  We are now trying to expand that samba/winbind stack over into sharing a folder.  So, we probably do need to look at modifying those files, and id mapping, to have a samba share authenticate against the DC.  Right?  For some reason I figured this part would just work since the join already happened.

A domain can be joined without winbind, but there are steps to take to 
actually use it.
>
> Thanks again!
>
>
> -----Original Message-----
> From: Dale Schroeder [mailto:dale at BriannasSaladDressing.com]
> Sent: Tuesday, May 22, 2012 14:51
> To: Newman, John W
> Cc: samba at lists.samba.org
> Subject: Re:[Samba] Grant only one AD group to samba share ?
>
> A few questions that might narrow things -
>
> Which version of Samba are you using?
> What does the idmap backend configuration for winbind look like?
> Does testparm yield any errors?
> Do getent group and wbinfo -g return the expected results?
> Are nsswitch.conf and PAM configured for authentication?
> http://www.enterprisenetworkingplanet.com/netsysm/article.php/3502441/Join-Linux-to-Active-Directory-With-Winbind.htm
>
> On 05/22/2012 1:01 PM, Newman, John W wrote:
>> Thanks..
>>
>> Unfortunately neither suggestion worked
>>
>> chgrp still just says "invalid group"
>>
>> valid users  = @"DOMAIN\\My Group" behaves the same as I described in the OP.  Valid credentials = access denied ; invalid credentials = invalid name or bad password.    I already tried all sorts of things in valid users, but nothing is the magic string I need.
>>
>> Any other ideas?
>>
>> Thanks for the help so far, much appreciated!!
>>
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org
>> [mailto:samba-bounces at lists.samba.org] On Behalf Of steve
>> Sent: Tuesday, May 22, 2012 04:59
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Grant only one AD group to samba share ?
>>
>> On 21/05/12 23:36, Dale Schroeder wrote:
>>> On 05/21/2012 3:42 PM, Newman, John W wrote:
>>>> Thanks for the suggestion, but .. that doesn't work ...
>>>>
>>>>
>>>> chgrp My\ Group /media/share
>>>> chgrp: invalid group: `My Group'
>>>>
>>>>
>>>> "My Group" is a windows AD group, not a local linux group. The
>>>> machine is "joined" to the windows domain through "net ads join",
>>>> but I don't think the security is that tightly integrated. I don't
>>>> have windows groups mapped to linux groups I've created or anything like that.
>>>> chgrp is expecting a linux group. Right?
>>>>
>>>> Probably I am missing something, or you guys need more information.
>>>> Any thoughts?
>> Hi
>> Sorry. I forgot about winbind (we use nss-pam-ldapd). With winbind running that should read:
>>
>> chgrp MYDOMAIN\\My\ Group /media/share
>>
>> Cheers,
>> Steve
>>


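The reply above asks the poster to check four things by hand: the idmap and winbind parameters that testparm -sv reports, the "winbind separator must be a single character" error, whether winbind enum groups decides what getent group shows, and whether winbind is listed in the passwd and group lines of nsswitch.conf. The script below is an added example, not part of the thread and not Samba's own tooling: it runs those checks as small POSIX sh functions over constructed sample text (a fake testparm -sv excerpt and a default-style nsswitch.conf) so it runs anywhere; on a real host you would feed it the actual testparm -sv output and /etc/nsswitch.conf instead. It assumes a sed that accepts -E.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): sanity-check the
# winbind-related settings discussed above, using constructed sample text.

# Constructed sample of the relevant lines `testparm -sv` would print.
SAMPLE_SMBCONF='[global]
    security = ADS
    realm = EXAMPLE.COM
    workgroup = EXAMPLE
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind separator = \
    winbind enum users = No
    winbind enum groups = No
[share]
    path = /media/share
'

# Constructed sample of a distribution-default nsswitch.conf (no winbind).
SAMPLE_NSSWITCH='passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns
'

# smb_param CONFIG_TEXT NAME: print the value of parameter NAME (first match).
smb_param() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# check_winbind_separator CONFIG_TEXT: succeed only if the separator is one
# character; a doubled backslash is exactly what produced the testparm error.
check_winbind_separator() {
    sep=$(smb_param "$1" 'winbind separator')
    [ -n "$sep" ] || sep='\'        # Samba default when the parameter is unset
    [ "${#sep}" -eq 1 ]
}

# enum_groups_enabled CONFIG_TEXT: succeed if getent group is expected to
# list domain groups (winbind enum groups = Yes); with No, use wbinfo -g.
enum_groups_enabled() {
    case "$(smb_param "$1" 'winbind enum groups')" in
        [Yy]es|[Tt]rue|1) return 0 ;;
        *) return 1 ;;
    esac
}

# check_nsswitch NSS_TEXT: succeed if both passwd and group consult winbind.
check_nsswitch() {
    for db in passwd group; do
        printf '%s\n' "$1" | grep -Eq "^${db}:"'.*[[:space:]]winbind([[:space:]]|$)' || return 1
    done
    return 0
}

# fix_nsswitch NSS_TEXT: print the text with winbind appended to the passwd
# and group lines where it is missing (other databases are left alone).
fix_nsswitch() {
    printf '%s\n' "$1" | sed -E '/^(passwd|group):/{/winbind/!s/$/ winbind/;}'
}

# report: run the checks over the samples and print a human-readable summary.
report() {
    printf 'idmap uid = %s\n' "$(smb_param "$SAMPLE_SMBCONF" 'idmap uid')"
    printf 'idmap gid = %s\n' "$(smb_param "$SAMPLE_SMBCONF" 'idmap gid')"
    if check_winbind_separator "$SAMPLE_SMBCONF"; then
        echo 'winbind separator: OK (single character)'
    else
        echo 'winbind separator: ERROR, must be a single character'
    fi
    if enum_groups_enabled "$SAMPLE_SMBCONF"; then
        echo 'getent group will list domain groups'
    else
        echo 'getent group will NOT list domain groups (winbind enum groups = No); check with wbinfo -g'
    fi
    if check_nsswitch "$SAMPLE_NSSWITCH"; then
        echo 'nsswitch.conf: winbind present for passwd and group'
    else
        echo 'nsswitch.conf: winbind missing; suggested contents:'
        fix_nsswitch "$SAMPLE_NSSWITCH"
    fi
}

report
```

On a live system, `smb_param "$(testparm -sv 2>/dev/null)" 'winbind separator'` and `check_nsswitch "$(cat /etc/nsswitch.conf)"` give the same answers for the real configuration; the PAM side is not covered here because it varies by distribution.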